Make verifiesSignature() a predicate

2025-12-20 18:56:32 +01:00 · 2021-07-01 17:51:56 +02:00
parent 4079e5352e
commit a1f48db60b
3 changed files with 15 additions and 19 deletions
--- a/python/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.ql
+++ b/python/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.ql
@@ -13,5 +13,5 @@ import python
 import experimental.semmle.python.Concepts

 from JWTDecoding jwtDecoding
-where jwtDecoding.verifiesSignature() = false
-select jwtDecoding, "does not verify the JWT payload with a cryptographic secret or public key."
+where not jwtDecoding.verifiesSignature()
+select jwtDecoding.getPayload(), "is not verified with a cryptographic secret or public key."
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -247,7 +247,7 @@ module JWTDecoding {
    /**
     * Checks if the signature gets verified while decoding.
     */
-    abstract boolean verifiesSignature();
+    abstract predicate verifiesSignature();
  }
 }

@@ -290,5 +290,5 @@ class JWTDecoding extends DataFlow::Node {
  /**
   * Checks if the signature gets verified while decoding.
   */
-  boolean verifiesSignature() { result = range.verifiesSignature() }
+  predicate verifiesSignature() { range.verifiesSignature() }
 }
--- a/python/ql/src/experimental/semmle/python/frameworks/JWT.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/JWT.qll
@@ -72,23 +72,19 @@ private module JWT {
      result in [this.getArg(3), this.getArgByName("options")]
    }

-    override boolean verifiesSignature() {
+    override predicate verifiesSignature() {
      // jwt.decode(token, "key", "HS256")
-      not exists(this.getArgByName("verify")) and not exists(this.getOptions()) and result = true
+      not exists(this.getArgByName("verify")) and not exists(this.getOptions())
      or
-      (
-        // not -> jwt.decode(token, verify=False)
-        isFalse(this.getArgByName("verify"))
-        or
-        // not -> jwt.decode(token, key, options={"verify_signature": False})
-        exists(KeyValuePair optionsDict, NameConstant falseName |
-          falseName.getId() = "False" and
-          optionsDict = this.getArgByName("options").asExpr().(Dict).getItems().getAnItem() and
-          optionsDict.getKey().(Str_).getS().matches("%verify%") and
-          falseName = optionsDict.getValue()
-        )
-      ) and
-      result = false
+      // jwt.decode(token, verify=False)
+      not isFalse(this.getArgByName("verify")) and
+      // not -> jwt.decode(token, key, options={"verify_signature": False})
+      not exists(KeyValuePair optionsDict, NameConstant falseName |
+        falseName.getId() = "False" and
+        optionsDict = this.getArgByName("options").asExpr().(Dict).getItems().getAnItem() and
+        optionsDict.getKey().(Str_).getS().matches("%verify%") and
+        falseName = optionsDict.getValue()
+      )
    }
  }
 }