hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 03:06:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

Java: Fix alert message

Browse Source 
The signing key that is being set, is _not_ what is being parsed.
A _JWT_ is being parsed, that will then be verified using the set key.
(Or in our case not, because we're looking for security problems :P)
This commit is contained in:
intrigus-lgtm
2023-09-04 01:54:06 +02:00
parent b291ee361a
commit b6417ca212
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
View File

@@ -16,5 +16,5 @@ import MissingJwtSignatureCheckFlow::PathGraph
from MissingJwtSignatureCheckFlow::PathNode source, MissingJwtSignatureCheckFlow::PathNode sink
where MissingJwtSignatureCheckFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "This parses a $@, but the signature is not verified.",
select sink.getNode(), source, sink, "This sets a $@, but the signature is not verified.",
source.getNode(), "JWT signing key"