delete CWE-321

2026-04-24 00:05:14 +02:00 · 2023-11-02 16:27:31 +01:00
parent faa483a282
commit a9c8bc082f
3 changed files with 0 additions and 131 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-321-noVerification/NoVerification.js
+++ b/javascript/ql/test/query-tests/Security/CWE-321-noVerification/NoVerification.js
@@ -1,92 +0,0 @@
-const express = require('express')
-const app = express()
-const jwtJsonwebtoken = require('jsonwebtoken');
-const { getSecret } = require('./Config.js');
-const jwt_decode = require('jwt-decode');
-const jwt_simple = require('jwt-simple');
-const jose = require('jose')
-const port = 3000
-
-async function startSymmetric(token) {
-    const { payload, protectedHeader } = await jose.jwtVerify(token, new TextEncoder().encode(getSecret()))
-    return {
-        payload, protectedHeader
-    }
-}
-
-app.get('/jose', (req, res) => {
-    const UserToken = req.headers.authorization;
-
-    // jose
-    // BAD: no signature verification
-    jose.decodeJwt(UserToken)
-    // GOOD: with signature verification
-    startSymmetric(UserToken).then(result => console.log(result))
-
-
-})
-
-
-app.get('/jwtDecode', (req, res) => {
-    const UserToken = req.headers.authorization;
-
-    // jwt-decode
-    // BAD: no signature verification
-    jwt_decode(UserToken)
-})
-
-app.get('/jwtSimple', (req, res) => {
-    const UserToken = req.headers.authorization;
-
-    // jwt-simple
-    // jwt.decode(token, key, noVerify, algorithm)
-    // BAD: no signature verification
-    jwt_simple.decode(UserToken, getSecret(), true);
-})
-
-app.get('/jwtSimple2', (req, res) => {
-    const UserToken = req.headers.authorization;
-
-    // jwt-simple
-    // jwt.decode(token, key, noVerify, algorithm)
-    // GOOD: with signature verification
-    jwt_simple.decode(UserToken, getSecret(), false);
-    jwt_simple.decode(UserToken, getSecret());
-})
-
-app.get('/jwtSimple3', (req, res) => {
-    const UserToken = req.headers.authorization;
-
-    // jwt-simple
-    // jwt.decode(token, key, noVerify, algorithm)
-    // GOOD: first decode without signature verification and then verify the signature later
-    jwt_simple.decode(UserToken, getSecret(), true);
-    jwt_simple.decode(UserToken, getSecret());
-})
-
-app.get('/jwtJsonwebtoken', (req, res) => {
-    const UserToken = req.headers.authorization;
-
-    // BAD: no signature verification
-    jwtJsonwebtoken.decode(UserToken)
-    jwtJsonwebtoken.verify(UserToken, false, { algorithms: ["HS256", "none"] })
-})
-
-app.get('/jwtJsonwebtoken2', (req, res) => {
-    const UserToken = req.headers.authorization;
-
-    // GOOD: with signature verification
-    jwtJsonwebtoken.verify(UserToken, getSecret())
-})
-
-app.get('/jwtJsonwebtoken3', (req, res) => {
-    const UserToken = req.headers.authorization;
-
-    // GOOD: first decode without signature verification and then verify the signature later
-    jwtJsonwebtoken.decode(UserToken)
-    jwtJsonwebtoken.verify(UserToken, getSecret())
-})
-
-app.listen(port, () => {
-    console.log(`Example app listening on port ${port}`)
-})
--- a/javascript/ql/test/query-tests/Security/CWE-321-noVerification/jwtNoVerification.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-321-noVerification/jwtNoVerification.expected
@@ -1,38 +0,0 @@
-nodes
-| NoVerification.js:68:11:68:47 | UserToken |
-| NoVerification.js:68:23:68:47 | req.hea ... ization |
-| NoVerification.js:68:23:68:47 | req.hea ... ization |
-| NoVerification.js:71:28:71:36 | UserToken |
-| NoVerification.js:71:28:71:36 | UserToken |
-| NoVerification.js:72:28:72:36 | UserToken |
-| NoVerification.js:72:28:72:36 | UserToken |
-| NoVerification.js:76:11:76:47 | UserToken |
-| NoVerification.js:76:23:76:47 | req.hea ... ization |
-| NoVerification.js:76:23:76:47 | req.hea ... ization |
-| NoVerification.js:79:28:79:36 | UserToken |
-| NoVerification.js:79:28:79:36 | UserToken |
-| NoVerification.js:83:11:83:47 | UserToken |
-| NoVerification.js:83:23:83:47 | req.hea ... ization |
-| NoVerification.js:83:23:83:47 | req.hea ... ization |
-| NoVerification.js:86:28:86:36 | UserToken |
-| NoVerification.js:86:28:86:36 | UserToken |
-| NoVerification.js:87:28:87:36 | UserToken |
-| NoVerification.js:87:28:87:36 | UserToken |
-edges
-| NoVerification.js:68:11:68:47 | UserToken | NoVerification.js:71:28:71:36 | UserToken |
-| NoVerification.js:68:11:68:47 | UserToken | NoVerification.js:71:28:71:36 | UserToken |
-| NoVerification.js:68:11:68:47 | UserToken | NoVerification.js:72:28:72:36 | UserToken |
-| NoVerification.js:68:11:68:47 | UserToken | NoVerification.js:72:28:72:36 | UserToken |
-| NoVerification.js:68:23:68:47 | req.hea ... ization | NoVerification.js:68:11:68:47 | UserToken |
-| NoVerification.js:68:23:68:47 | req.hea ... ization | NoVerification.js:68:11:68:47 | UserToken |
-| NoVerification.js:76:11:76:47 | UserToken | NoVerification.js:79:28:79:36 | UserToken |
-| NoVerification.js:76:11:76:47 | UserToken | NoVerification.js:79:28:79:36 | UserToken |
-| NoVerification.js:76:23:76:47 | req.hea ... ization | NoVerification.js:76:11:76:47 | UserToken |
-| NoVerification.js:76:23:76:47 | req.hea ... ization | NoVerification.js:76:11:76:47 | UserToken |
-| NoVerification.js:83:11:83:47 | UserToken | NoVerification.js:86:28:86:36 | UserToken |
-| NoVerification.js:83:11:83:47 | UserToken | NoVerification.js:86:28:86:36 | UserToken |
-| NoVerification.js:83:11:83:47 | UserToken | NoVerification.js:87:28:87:36 | UserToken |
-| NoVerification.js:83:11:83:47 | UserToken | NoVerification.js:87:28:87:36 | UserToken |
-| NoVerification.js:83:23:83:47 | req.hea ... ization | NoVerification.js:83:11:83:47 | UserToken |
-| NoVerification.js:83:23:83:47 | req.hea ... ization | NoVerification.js:83:11:83:47 | UserToken |
-#select
--- a/javascript/ql/test/query-tests/Security/CWE-321-noVerification/jwtNoVerification.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-321-noVerification/jwtNoVerification.qlref
@@ -1 +0,0 @@
-Security/CWE-321-noVerification/JsonWebToken.ql
				`@@ -1 +0,0 @@`
				`Security/CWE-321-noVerification/JsonWebToken.ql`