JWT Missing Secret Or Public Key Verification

Add an experimental CodeQL query.
2026-04-29 18:55:14 +02:00 · 2020-06-20 16:54:41 +02:00
parent cafbe14dc8
commit b0aaca0e1c
3 changed files with 20 additions and 0 deletions
--- a/javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.help
+++ b/javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.help
--- a/javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.ql
+++ b/javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.ql
@@ -0,0 +1,19 @@
+/**
+ * @name JWT Missing Secret Or Public Key Verification
+ * @description The software does not verify the JWT token with a cryptographic secret or public key.
+ * @kind problem
+ * @problem.severity warning
+ * @precision high
+ * @id js/jwt-missing-secret-or-public-key-verification
+ * @tags security
+ *       external/cwe/cwe-347
+ */
+
+import javascript
+import DataFlow
+
+from CallNode call
+where
+  call = moduleMember("jsonwebtoken", "verify").getACall() and
+  call.getArgument(1).analyze().getABooleanValue() = false
+select call
--- a/javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.qll
+++ b/javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.qll
@@ -0,0 +1 @@
+