update the remote flow based query thanks to @erik-krogh, update tests and separate the local and remote query tests

This commit is contained in:
am0o0
2024-06-07 06:01:49 +02:00
parent 12df7dee17
commit b9e3b3310e
15 changed files with 326 additions and 436 deletions


@@ -14,24 +14,27 @@ import javascript
import DataFlow::PathGraph
import JWT
class Configuration extends TaintTracking::Configuration {
Configuration() { this = "jsonwebtoken without any signature verification" }
class ConfigurationUnverifiedDecode extends TaintTracking::Configuration {
ConfigurationUnverifiedDecode() { this = "jsonwebtoken without any signature verification" }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) {
sink = unverifiedDecode()
or
sink = verifiedDecode()
}
override predicate isSink(DataFlow::Node sink) { sink = unverifiedDecode() }
}
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
class ConfigurationVerifiedDecode extends TaintTracking::Configuration {
ConfigurationVerifiedDecode() { this = "jsonwebtoken with signature verification" }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) { sink = verifiedDecode() }
}
from ConfigurationUnverifiedDecode cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where
cfg.hasFlowPath(source, sink) and
sink.getNode() = unverifiedDecode() and
not exists(Configuration cfg2 |
cfg2.hasFlowPath(source, any(DataFlow::SinkPathNode n | n.getNode() = verifiedDecode()))
not exists(ConfigurationVerifiedDecode cfg2 |
cfg2.hasFlowPath(any(DataFlow::PathNode p | p.getNode() = source.getNode()), _)
)
select source.getNode(), source, sink, "Decoding JWT $@.", sink.getNode(),
"without signature verification"
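Review bot: The exclusion in the `not exists(ConfigurationVerifiedDecode cfg2 | ...)` clause is keyed on the source node alone, so one remote source that reaches a verified decode anywhere in the program suppresses every unverified-decode result fed by that source, including ones in an unrelated handler or branch where no verification happens; if that is the intended precision trade-off, a comment stating it would help, since it is a deliberate false-negative risk. The path-node wrapper `any(DataFlow::PathNode p | p.getNode() = source.getNode())` also looks like a workaround for path nodes being configuration-specific; on the legacy `Configuration` API the same test can presumably be written on plain nodes as `not exists(ConfigurationVerifiedDecode cfg2 | cfg2.hasFlow(source.getNode(), _))`, which avoids materialising a second path graph just to discard it. The two configuration classes duplicate their `isSource`; if they are meant to stay in lockstep, a short comment on each saying they must share the same source definition would stop them drifting. The query's metadata header lies before this hunk, so I cannot see whether `@id`/`@name` were updated to match the renamed classes.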


@@ -1,38 +0,0 @@
/**
* @name This query is for seeing if we can have two taint config within on query file
* @description The application does not verify the JWT payload with a cryptographic secret or public key.
* @kind path-problem
* @problem.severity error
* @security-severity 8.0
* @precision high
* @id js/decode-jwt-without-verification-does-not-work
* @tags security
* external/cwe/cwe-347
*/
import javascript
import DataFlow::PathGraph
import JWT
class ConfigurationUnverifiedDecode extends TaintTracking::Configuration {
ConfigurationUnverifiedDecode() { this = "jsonwebtoken without any signature verification" }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) { sink = unverifiedDecode() }
}
class ConfigurationVerifiedDecode extends TaintTracking::Configuration {
ConfigurationVerifiedDecode() { this = "jsonwebtoken with signature verification" }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) { sink = verifiedDecode() }
}
from ConfigurationUnverifiedDecode cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where
cfg.hasFlowPath(source, sink) and
not exists(ConfigurationVerifiedDecode cfg2 | cfg2.hasFlowPath(source, _))
select source.getNode(), source, sink, "Decoding JWT $@.", sink.getNode(),
"without signature verification"


@@ -1,279 +0,0 @@
nodes
| JsonWebToken.js:13:11:13:47 | UserToken |
| JsonWebToken.js:13:23:13:47 | req.hea ... ization |
| JsonWebToken.js:13:23:13:47 | req.hea ... ization |
| JsonWebToken.js:16:28:16:36 | UserToken |
| JsonWebToken.js:16:28:16:36 | UserToken |
| JsonWebToken.js:20:11:20:47 | UserToken |
| JsonWebToken.js:20:23:20:47 | req.hea ... ization |
| JsonWebToken.js:20:23:20:47 | req.hea ... ization |
| JsonWebToken.js:23:28:23:36 | UserToken |
| JsonWebToken.js:23:28:23:36 | UserToken |
| JsonWebToken.js:24:28:24:36 | UserToken |
| JsonWebToken.js:24:28:24:36 | UserToken |
| JsonWebToken.js:28:11:28:47 | UserToken |
| JsonWebToken.js:28:23:28:47 | req.hea ... ization |
| JsonWebToken.js:28:23:28:47 | req.hea ... ization |
| JsonWebToken.js:31:28:31:36 | UserToken |
| JsonWebToken.js:31:28:31:36 | UserToken |
| JsonWebToken.js:35:11:35:47 | UserToken |
| JsonWebToken.js:35:23:35:47 | req.hea ... ization |
| JsonWebToken.js:35:23:35:47 | req.hea ... ization |
| JsonWebToken.js:38:28:38:36 | UserToken |
| JsonWebToken.js:38:28:38:36 | UserToken |
| JsonWebToken.js:39:28:39:36 | UserToken |
| JsonWebToken.js:39:28:39:36 | UserToken |
| JsonWebToken.js:43:11:43:47 | UserToken |
| JsonWebToken.js:43:23:43:47 | req.hea ... ization |
| JsonWebToken.js:43:23:43:47 | req.hea ... ization |
| JsonWebToken.js:46:28:46:36 | UserToken |
| JsonWebToken.js:46:28:46:36 | UserToken |
| JsonWebToken.js:47:28:47:36 | UserToken |
| JsonWebToken.js:47:28:47:36 | UserToken |
| JsonWebToken.js:60:11:60:28 | UserToken |
| JsonWebToken.js:60:23:60:28 | aJwt() |
| JsonWebToken.js:60:23:60:28 | aJwt() |
| JsonWebToken.js:63:28:63:36 | UserToken |
| JsonWebToken.js:63:28:63:36 | UserToken |
| JsonWebToken.js:67:11:67:28 | UserToken |
| JsonWebToken.js:67:23:67:28 | aJwt() |
| JsonWebToken.js:67:23:67:28 | aJwt() |
| JsonWebToken.js:70:28:70:36 | UserToken |
| JsonWebToken.js:70:28:70:36 | UserToken |
| JsonWebToken.js:71:28:71:36 | UserToken |
| JsonWebToken.js:71:28:71:36 | UserToken |
| JsonWebToken.js:75:11:75:28 | UserToken |
| JsonWebToken.js:75:23:75:28 | aJwt() |
| JsonWebToken.js:75:23:75:28 | aJwt() |
| JsonWebToken.js:78:28:78:36 | UserToken |
| JsonWebToken.js:78:28:78:36 | UserToken |
| JsonWebToken.js:82:11:82:28 | UserToken |
| JsonWebToken.js:82:23:82:28 | aJwt() |
| JsonWebToken.js:82:23:82:28 | aJwt() |
| JsonWebToken.js:85:28:85:36 | UserToken |
| JsonWebToken.js:85:28:85:36 | UserToken |
| JsonWebToken.js:86:28:86:36 | UserToken |
| JsonWebToken.js:86:28:86:36 | UserToken |
| JsonWebToken.js:90:11:90:28 | UserToken |
| JsonWebToken.js:90:23:90:28 | aJwt() |
| JsonWebToken.js:90:23:90:28 | aJwt() |
| JsonWebToken.js:93:28:93:36 | UserToken |
| JsonWebToken.js:93:28:93:36 | UserToken |
| JsonWebToken.js:94:28:94:36 | UserToken |
| JsonWebToken.js:94:28:94:36 | UserToken |
| jose.js:14:11:14:47 | UserToken |
| jose.js:14:23:14:47 | req.hea ... ization |
| jose.js:14:23:14:47 | req.hea ... ization |
| jose.js:16:20:16:28 | UserToken |
| jose.js:16:20:16:28 | UserToken |
| jose.js:21:11:21:47 | UserToken |
| jose.js:21:23:21:47 | req.hea ... ization |
| jose.js:21:23:21:47 | req.hea ... ization |
| jose.js:23:26:23:34 | UserToken |
| jose.js:23:26:23:34 | UserToken |
| jose.js:27:11:27:47 | UserToken |
| jose.js:27:23:27:47 | req.hea ... ization |
| jose.js:27:23:27:47 | req.hea ... ization |
| jose.js:29:20:29:28 | UserToken |
| jose.js:29:20:29:28 | UserToken |
| jose.js:30:26:30:34 | UserToken |
| jose.js:30:26:30:34 | UserToken |
| jose.js:42:11:42:28 | UserToken |
| jose.js:42:23:42:28 | aJwt() |
| jose.js:42:23:42:28 | aJwt() |
| jose.js:45:20:45:28 | UserToken |
| jose.js:45:20:45:28 | UserToken |
| jose.js:49:11:49:28 | UserToken |
| jose.js:49:23:49:28 | aJwt() |
| jose.js:49:23:49:28 | aJwt() |
| jose.js:52:20:52:28 | UserToken |
| jose.js:52:20:52:28 | UserToken |
| jose.js:53:26:53:34 | UserToken |
| jose.js:53:26:53:34 | UserToken |
| jose.js:57:11:57:28 | UserToken |
| jose.js:57:23:57:28 | aJwt() |
| jose.js:57:23:57:28 | aJwt() |
| jose.js:60:26:60:34 | UserToken |
| jose.js:60:26:60:34 | UserToken |
| jwtDecode.js:14:11:14:47 | UserToken |
| jwtDecode.js:14:23:14:47 | req.hea ... ization |
| jwtDecode.js:14:23:14:47 | req.hea ... ization |
| jwtDecode.js:18:16:18:24 | UserToken |
| jwtDecode.js:18:16:18:24 | UserToken |
| jwtDecode.js:30:11:30:28 | UserToken |
| jwtDecode.js:30:23:30:28 | aJwt() |
| jwtDecode.js:30:23:30:28 | aJwt() |
| jwtDecode.js:34:16:34:24 | UserToken |
| jwtDecode.js:34:16:34:24 | UserToken |
| jwtSimple.js:13:11:13:47 | UserToken |
| jwtSimple.js:13:23:13:47 | req.hea ... ization |
| jwtSimple.js:13:23:13:47 | req.hea ... ization |
| jwtSimple.js:16:23:16:31 | UserToken |
| jwtSimple.js:16:23:16:31 | UserToken |
| jwtSimple.js:20:11:20:47 | UserToken |
| jwtSimple.js:20:23:20:47 | req.hea ... ization |
| jwtSimple.js:20:23:20:47 | req.hea ... ization |
| jwtSimple.js:23:23:23:31 | UserToken |
| jwtSimple.js:23:23:23:31 | UserToken |
| jwtSimple.js:24:23:24:31 | UserToken |
| jwtSimple.js:24:23:24:31 | UserToken |
| jwtSimple.js:28:11:28:47 | UserToken |
| jwtSimple.js:28:23:28:47 | req.hea ... ization |
| jwtSimple.js:28:23:28:47 | req.hea ... ization |
| jwtSimple.js:31:23:31:31 | UserToken |
| jwtSimple.js:31:23:31:31 | UserToken |
| jwtSimple.js:32:23:32:31 | UserToken |
| jwtSimple.js:32:23:32:31 | UserToken |
| jwtSimple.js:44:11:44:28 | UserToken |
| jwtSimple.js:44:23:44:28 | aJwt() |
| jwtSimple.js:44:23:44:28 | aJwt() |
| jwtSimple.js:47:23:47:31 | UserToken |
| jwtSimple.js:47:23:47:31 | UserToken |
| jwtSimple.js:51:11:51:28 | UserToken |
| jwtSimple.js:51:23:51:28 | aJwt() |
| jwtSimple.js:51:23:51:28 | aJwt() |
| jwtSimple.js:54:23:54:31 | UserToken |
| jwtSimple.js:54:23:54:31 | UserToken |
| jwtSimple.js:55:23:55:31 | UserToken |
| jwtSimple.js:55:23:55:31 | UserToken |
| jwtSimple.js:59:11:59:28 | UserToken |
| jwtSimple.js:59:23:59:28 | aJwt() |
| jwtSimple.js:59:23:59:28 | aJwt() |
| jwtSimple.js:62:23:62:31 | UserToken |
| jwtSimple.js:62:23:62:31 | UserToken |
| jwtSimple.js:63:23:63:31 | UserToken |
| jwtSimple.js:63:23:63:31 | UserToken |
edges
| JsonWebToken.js:13:11:13:47 | UserToken | JsonWebToken.js:16:28:16:36 | UserToken |
| JsonWebToken.js:13:11:13:47 | UserToken | JsonWebToken.js:16:28:16:36 | UserToken |
| JsonWebToken.js:13:23:13:47 | req.hea ... ization | JsonWebToken.js:13:11:13:47 | UserToken |
| JsonWebToken.js:13:23:13:47 | req.hea ... ization | JsonWebToken.js:13:11:13:47 | UserToken |
| JsonWebToken.js:20:11:20:47 | UserToken | JsonWebToken.js:23:28:23:36 | UserToken |
| JsonWebToken.js:20:11:20:47 | UserToken | JsonWebToken.js:23:28:23:36 | UserToken |
| JsonWebToken.js:20:11:20:47 | UserToken | JsonWebToken.js:24:28:24:36 | UserToken |
| JsonWebToken.js:20:11:20:47 | UserToken | JsonWebToken.js:24:28:24:36 | UserToken |
| JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:20:11:20:47 | UserToken |
| JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:20:11:20:47 | UserToken |
| JsonWebToken.js:28:11:28:47 | UserToken | JsonWebToken.js:31:28:31:36 | UserToken |
| JsonWebToken.js:28:11:28:47 | UserToken | JsonWebToken.js:31:28:31:36 | UserToken |
| JsonWebToken.js:28:23:28:47 | req.hea ... ization | JsonWebToken.js:28:11:28:47 | UserToken |
| JsonWebToken.js:28:23:28:47 | req.hea ... ization | JsonWebToken.js:28:11:28:47 | UserToken |
| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:38:28:38:36 | UserToken |
| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:38:28:38:36 | UserToken |
| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:39:28:39:36 | UserToken |
| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:39:28:39:36 | UserToken |
| JsonWebToken.js:35:23:35:47 | req.hea ... ization | JsonWebToken.js:35:11:35:47 | UserToken |
| JsonWebToken.js:35:23:35:47 | req.hea ... ization | JsonWebToken.js:35:11:35:47 | UserToken |
| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:46:28:46:36 | UserToken |
| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:46:28:46:36 | UserToken |
| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:47:28:47:36 | UserToken |
| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:47:28:47:36 | UserToken |
| JsonWebToken.js:43:23:43:47 | req.hea ... ization | JsonWebToken.js:43:11:43:47 | UserToken |
| JsonWebToken.js:43:23:43:47 | req.hea ... ization | JsonWebToken.js:43:11:43:47 | UserToken |
| JsonWebToken.js:60:11:60:28 | UserToken | JsonWebToken.js:63:28:63:36 | UserToken |
| JsonWebToken.js:60:11:60:28 | UserToken | JsonWebToken.js:63:28:63:36 | UserToken |
| JsonWebToken.js:60:23:60:28 | aJwt() | JsonWebToken.js:60:11:60:28 | UserToken |
| JsonWebToken.js:60:23:60:28 | aJwt() | JsonWebToken.js:60:11:60:28 | UserToken |
| JsonWebToken.js:67:11:67:28 | UserToken | JsonWebToken.js:70:28:70:36 | UserToken |
| JsonWebToken.js:67:11:67:28 | UserToken | JsonWebToken.js:70:28:70:36 | UserToken |
| JsonWebToken.js:67:11:67:28 | UserToken | JsonWebToken.js:71:28:71:36 | UserToken |
| JsonWebToken.js:67:11:67:28 | UserToken | JsonWebToken.js:71:28:71:36 | UserToken |
| JsonWebToken.js:67:23:67:28 | aJwt() | JsonWebToken.js:67:11:67:28 | UserToken |
| JsonWebToken.js:67:23:67:28 | aJwt() | JsonWebToken.js:67:11:67:28 | UserToken |
| JsonWebToken.js:75:11:75:28 | UserToken | JsonWebToken.js:78:28:78:36 | UserToken |
| JsonWebToken.js:75:11:75:28 | UserToken | JsonWebToken.js:78:28:78:36 | UserToken |
| JsonWebToken.js:75:23:75:28 | aJwt() | JsonWebToken.js:75:11:75:28 | UserToken |
| JsonWebToken.js:75:23:75:28 | aJwt() | JsonWebToken.js:75:11:75:28 | UserToken |
| JsonWebToken.js:82:11:82:28 | UserToken | JsonWebToken.js:85:28:85:36 | UserToken |
| JsonWebToken.js:82:11:82:28 | UserToken | JsonWebToken.js:85:28:85:36 | UserToken |
| JsonWebToken.js:82:11:82:28 | UserToken | JsonWebToken.js:86:28:86:36 | UserToken |
| JsonWebToken.js:82:11:82:28 | UserToken | JsonWebToken.js:86:28:86:36 | UserToken |
| JsonWebToken.js:82:23:82:28 | aJwt() | JsonWebToken.js:82:11:82:28 | UserToken |
| JsonWebToken.js:82:23:82:28 | aJwt() | JsonWebToken.js:82:11:82:28 | UserToken |
| JsonWebToken.js:90:11:90:28 | UserToken | JsonWebToken.js:93:28:93:36 | UserToken |
| JsonWebToken.js:90:11:90:28 | UserToken | JsonWebToken.js:93:28:93:36 | UserToken |
| JsonWebToken.js:90:11:90:28 | UserToken | JsonWebToken.js:94:28:94:36 | UserToken |
| JsonWebToken.js:90:11:90:28 | UserToken | JsonWebToken.js:94:28:94:36 | UserToken |
| JsonWebToken.js:90:23:90:28 | aJwt() | JsonWebToken.js:90:11:90:28 | UserToken |
| JsonWebToken.js:90:23:90:28 | aJwt() | JsonWebToken.js:90:11:90:28 | UserToken |
| jose.js:14:11:14:47 | UserToken | jose.js:16:20:16:28 | UserToken |
| jose.js:14:11:14:47 | UserToken | jose.js:16:20:16:28 | UserToken |
| jose.js:14:23:14:47 | req.hea ... ization | jose.js:14:11:14:47 | UserToken |
| jose.js:14:23:14:47 | req.hea ... ization | jose.js:14:11:14:47 | UserToken |
| jose.js:21:11:21:47 | UserToken | jose.js:23:26:23:34 | UserToken |
| jose.js:21:11:21:47 | UserToken | jose.js:23:26:23:34 | UserToken |
| jose.js:21:23:21:47 | req.hea ... ization | jose.js:21:11:21:47 | UserToken |
| jose.js:21:23:21:47 | req.hea ... ization | jose.js:21:11:21:47 | UserToken |
| jose.js:27:11:27:47 | UserToken | jose.js:29:20:29:28 | UserToken |
| jose.js:27:11:27:47 | UserToken | jose.js:29:20:29:28 | UserToken |
| jose.js:27:11:27:47 | UserToken | jose.js:30:26:30:34 | UserToken |
| jose.js:27:11:27:47 | UserToken | jose.js:30:26:30:34 | UserToken |
| jose.js:27:23:27:47 | req.hea ... ization | jose.js:27:11:27:47 | UserToken |
| jose.js:27:23:27:47 | req.hea ... ization | jose.js:27:11:27:47 | UserToken |
| jose.js:42:11:42:28 | UserToken | jose.js:45:20:45:28 | UserToken |
| jose.js:42:11:42:28 | UserToken | jose.js:45:20:45:28 | UserToken |
| jose.js:42:23:42:28 | aJwt() | jose.js:42:11:42:28 | UserToken |
| jose.js:42:23:42:28 | aJwt() | jose.js:42:11:42:28 | UserToken |
| jose.js:49:11:49:28 | UserToken | jose.js:52:20:52:28 | UserToken |
| jose.js:49:11:49:28 | UserToken | jose.js:52:20:52:28 | UserToken |
| jose.js:49:11:49:28 | UserToken | jose.js:53:26:53:34 | UserToken |
| jose.js:49:11:49:28 | UserToken | jose.js:53:26:53:34 | UserToken |
| jose.js:49:23:49:28 | aJwt() | jose.js:49:11:49:28 | UserToken |
| jose.js:49:23:49:28 | aJwt() | jose.js:49:11:49:28 | UserToken |
| jose.js:57:11:57:28 | UserToken | jose.js:60:26:60:34 | UserToken |
| jose.js:57:11:57:28 | UserToken | jose.js:60:26:60:34 | UserToken |
| jose.js:57:23:57:28 | aJwt() | jose.js:57:11:57:28 | UserToken |
| jose.js:57:23:57:28 | aJwt() | jose.js:57:11:57:28 | UserToken |
| jwtDecode.js:14:11:14:47 | UserToken | jwtDecode.js:18:16:18:24 | UserToken |
| jwtDecode.js:14:11:14:47 | UserToken | jwtDecode.js:18:16:18:24 | UserToken |
| jwtDecode.js:14:23:14:47 | req.hea ... ization | jwtDecode.js:14:11:14:47 | UserToken |
| jwtDecode.js:14:23:14:47 | req.hea ... ization | jwtDecode.js:14:11:14:47 | UserToken |
| jwtDecode.js:30:11:30:28 | UserToken | jwtDecode.js:34:16:34:24 | UserToken |
| jwtDecode.js:30:11:30:28 | UserToken | jwtDecode.js:34:16:34:24 | UserToken |
| jwtDecode.js:30:23:30:28 | aJwt() | jwtDecode.js:30:11:30:28 | UserToken |
| jwtDecode.js:30:23:30:28 | aJwt() | jwtDecode.js:30:11:30:28 | UserToken |
| jwtSimple.js:13:11:13:47 | UserToken | jwtSimple.js:16:23:16:31 | UserToken |
| jwtSimple.js:13:11:13:47 | UserToken | jwtSimple.js:16:23:16:31 | UserToken |
| jwtSimple.js:13:23:13:47 | req.hea ... ization | jwtSimple.js:13:11:13:47 | UserToken |
| jwtSimple.js:13:23:13:47 | req.hea ... ization | jwtSimple.js:13:11:13:47 | UserToken |
| jwtSimple.js:20:11:20:47 | UserToken | jwtSimple.js:23:23:23:31 | UserToken |
| jwtSimple.js:20:11:20:47 | UserToken | jwtSimple.js:23:23:23:31 | UserToken |
| jwtSimple.js:20:11:20:47 | UserToken | jwtSimple.js:24:23:24:31 | UserToken |
| jwtSimple.js:20:11:20:47 | UserToken | jwtSimple.js:24:23:24:31 | UserToken |
| jwtSimple.js:20:23:20:47 | req.hea ... ization | jwtSimple.js:20:11:20:47 | UserToken |
| jwtSimple.js:20:23:20:47 | req.hea ... ization | jwtSimple.js:20:11:20:47 | UserToken |
| jwtSimple.js:28:11:28:47 | UserToken | jwtSimple.js:31:23:31:31 | UserToken |
| jwtSimple.js:28:11:28:47 | UserToken | jwtSimple.js:31:23:31:31 | UserToken |
| jwtSimple.js:28:11:28:47 | UserToken | jwtSimple.js:32:23:32:31 | UserToken |
| jwtSimple.js:28:11:28:47 | UserToken | jwtSimple.js:32:23:32:31 | UserToken |
| jwtSimple.js:28:23:28:47 | req.hea ... ization | jwtSimple.js:28:11:28:47 | UserToken |
| jwtSimple.js:28:23:28:47 | req.hea ... ization | jwtSimple.js:28:11:28:47 | UserToken |
| jwtSimple.js:44:11:44:28 | UserToken | jwtSimple.js:47:23:47:31 | UserToken |
| jwtSimple.js:44:11:44:28 | UserToken | jwtSimple.js:47:23:47:31 | UserToken |
| jwtSimple.js:44:23:44:28 | aJwt() | jwtSimple.js:44:11:44:28 | UserToken |
| jwtSimple.js:44:23:44:28 | aJwt() | jwtSimple.js:44:11:44:28 | UserToken |
| jwtSimple.js:51:11:51:28 | UserToken | jwtSimple.js:54:23:54:31 | UserToken |
| jwtSimple.js:51:11:51:28 | UserToken | jwtSimple.js:54:23:54:31 | UserToken |
| jwtSimple.js:51:11:51:28 | UserToken | jwtSimple.js:55:23:55:31 | UserToken |
| jwtSimple.js:51:11:51:28 | UserToken | jwtSimple.js:55:23:55:31 | UserToken |
| jwtSimple.js:51:23:51:28 | aJwt() | jwtSimple.js:51:11:51:28 | UserToken |
| jwtSimple.js:51:23:51:28 | aJwt() | jwtSimple.js:51:11:51:28 | UserToken |
| jwtSimple.js:59:11:59:28 | UserToken | jwtSimple.js:62:23:62:31 | UserToken |
| jwtSimple.js:59:11:59:28 | UserToken | jwtSimple.js:62:23:62:31 | UserToken |
| jwtSimple.js:59:11:59:28 | UserToken | jwtSimple.js:63:23:63:31 | UserToken |
| jwtSimple.js:59:11:59:28 | UserToken | jwtSimple.js:63:23:63:31 | UserToken |
| jwtSimple.js:59:23:59:28 | aJwt() | jwtSimple.js:59:11:59:28 | UserToken |
| jwtSimple.js:59:23:59:28 | aJwt() | jwtSimple.js:59:11:59:28 | UserToken |
#select
| JsonWebToken.js:13:23:13:47 | req.hea ... ization | JsonWebToken.js:13:23:13:47 | req.hea ... ization | JsonWebToken.js:16:28:16:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:16:28:16:36 | UserToken | without signature verification |
| JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:23:28:23:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:23:28:23:36 | UserToken | without signature verification |
| JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:24:28:24:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:24:28:24:36 | UserToken | without signature verification |
| JsonWebToken.js:60:23:60:28 | aJwt() | JsonWebToken.js:60:23:60:28 | aJwt() | JsonWebToken.js:63:28:63:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:63:28:63:36 | UserToken | without signature verification |
| JsonWebToken.js:67:23:67:28 | aJwt() | JsonWebToken.js:67:23:67:28 | aJwt() | JsonWebToken.js:70:28:70:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:70:28:70:36 | UserToken | without signature verification |
| JsonWebToken.js:67:23:67:28 | aJwt() | JsonWebToken.js:67:23:67:28 | aJwt() | JsonWebToken.js:71:28:71:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:71:28:71:36 | UserToken | without signature verification |
| jose.js:14:23:14:47 | req.hea ... ization | jose.js:14:23:14:47 | req.hea ... ization | jose.js:16:20:16:28 | UserToken | Decoding JWT $@. | jose.js:16:20:16:28 | UserToken | without signature verification |
| jose.js:42:23:42:28 | aJwt() | jose.js:42:23:42:28 | aJwt() | jose.js:45:20:45:28 | UserToken | Decoding JWT $@. | jose.js:45:20:45:28 | UserToken | without signature verification |
| jwtDecode.js:14:23:14:47 | req.hea ... ization | jwtDecode.js:14:23:14:47 | req.hea ... ization | jwtDecode.js:18:16:18:24 | UserToken | Decoding JWT $@. | jwtDecode.js:18:16:18:24 | UserToken | without signature verification |
| jwtDecode.js:30:23:30:28 | aJwt() | jwtDecode.js:30:23:30:28 | aJwt() | jwtDecode.js:34:16:34:24 | UserToken | Decoding JWT $@. | jwtDecode.js:34:16:34:24 | UserToken | without signature verification |
| jwtSimple.js:13:23:13:47 | req.hea ... ization | jwtSimple.js:13:23:13:47 | req.hea ... ization | jwtSimple.js:16:23:16:31 | UserToken | Decoding JWT $@. | jwtSimple.js:16:23:16:31 | UserToken | without signature verification |
| jwtSimple.js:44:23:44:28 | aJwt() | jwtSimple.js:44:23:44:28 | aJwt() | jwtSimple.js:47:23:47:31 | UserToken | Decoding JWT $@. | jwtSimple.js:47:23:47:31 | UserToken | without signature verification |


@@ -0,0 +1,53 @@
const express = require('express')
const app = express()
const jwtJsonwebtoken = require('jsonwebtoken');
const jwt_decode = require('jwt-decode');
const jwt_simple = require('jwt-simple');
const jose = require('jose')
const port = 3000
function getSecret() {
return "A Safe generated random key"
}
function aJWT() {
return "A JWT provided by user"
}
(function () {
const UserToken = aJwt()
// BAD: no signature verification
jwtJsonwebtoken.decode(UserToken) // NOT OK
})();
(function () {
const UserToken = aJwt()
// BAD: no signature verification
jwtJsonwebtoken.decode(UserToken) // NOT OK
jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256", "none"] }) // NOT OK
})();
(function () {
const UserToken = aJwt()
// GOOD: with signature verification
jwtJsonwebtoken.verify(UserToken, getSecret()) // OK
})();
(function () {
const UserToken = aJwt()
// GOOD: first without signature verification then with signature verification for same UserToken
jwtJsonwebtoken.decode(UserToken) // OK
jwtJsonwebtoken.verify(UserToken, getSecret()) // OK
})();
(function () {
const UserToken = aJwt()
// GOOD: first without signature verification then with signature verification for same UserToken
jwtJsonwebtoken.decode(UserToken) // OK
jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256"] }) // OK
})();
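Review bot: The helper is declared as `function aJWT()` but every block calls `aJwt()`, so the defined function is never used and the call resolves to nothing in this file; if the local query intentionally matches an unresolved call by name that should be stated in a comment next to the helper, otherwise the declaration should read `function aJwt() {` so the fixture and the expected output agree on the same identifier. The `// NOT OK` on the `verify(..., { algorithms: ["HS256", "none"] })` line would be clearer as `// NOT OK: "none" in the algorithm allow-list disables signature checking`, since it is the only case where a verify call is flagged. The `express`, `jwt-decode`, `jwt-simple` and `jose` requires are unused in this file and appear to be copy-pasted from the shared header; dropping them here would keep each fixture about one library.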


@@ -0,0 +1,141 @@
nodes
| JsonWebToken.js:18:11:18:28 | UserToken |
| JsonWebToken.js:18:23:18:28 | aJwt() |
| JsonWebToken.js:18:23:18:28 | aJwt() |
| JsonWebToken.js:21:28:21:36 | UserToken |
| JsonWebToken.js:21:28:21:36 | UserToken |
| JsonWebToken.js:25:11:25:28 | UserToken |
| JsonWebToken.js:25:23:25:28 | aJwt() |
| JsonWebToken.js:25:23:25:28 | aJwt() |
| JsonWebToken.js:28:28:28:36 | UserToken |
| JsonWebToken.js:28:28:28:36 | UserToken |
| JsonWebToken.js:29:28:29:36 | UserToken |
| JsonWebToken.js:29:28:29:36 | UserToken |
| JsonWebToken.js:33:11:33:28 | UserToken |
| JsonWebToken.js:33:23:33:28 | aJwt() |
| JsonWebToken.js:33:23:33:28 | aJwt() |
| JsonWebToken.js:36:28:36:36 | UserToken |
| JsonWebToken.js:36:28:36:36 | UserToken |
| JsonWebToken.js:40:11:40:28 | UserToken |
| JsonWebToken.js:40:23:40:28 | aJwt() |
| JsonWebToken.js:40:23:40:28 | aJwt() |
| JsonWebToken.js:43:28:43:36 | UserToken |
| JsonWebToken.js:43:28:43:36 | UserToken |
| JsonWebToken.js:44:28:44:36 | UserToken |
| JsonWebToken.js:44:28:44:36 | UserToken |
| JsonWebToken.js:48:11:48:28 | UserToken |
| JsonWebToken.js:48:23:48:28 | aJwt() |
| JsonWebToken.js:48:23:48:28 | aJwt() |
| JsonWebToken.js:51:28:51:36 | UserToken |
| JsonWebToken.js:51:28:51:36 | UserToken |
| JsonWebToken.js:52:28:52:36 | UserToken |
| JsonWebToken.js:52:28:52:36 | UserToken |
| jose.js:18:11:18:28 | UserToken |
| jose.js:18:23:18:28 | aJwt() |
| jose.js:18:23:18:28 | aJwt() |
| jose.js:21:20:21:28 | UserToken |
| jose.js:21:20:21:28 | UserToken |
| jose.js:25:11:25:28 | UserToken |
| jose.js:25:23:25:28 | aJwt() |
| jose.js:25:23:25:28 | aJwt() |
| jose.js:28:20:28:28 | UserToken |
| jose.js:28:20:28:28 | UserToken |
| jose.js:29:26:29:34 | UserToken |
| jose.js:29:26:29:34 | UserToken |
| jose.js:33:11:33:28 | UserToken |
| jose.js:33:23:33:28 | aJwt() |
| jose.js:33:23:33:28 | aJwt() |
| jose.js:36:26:36:34 | UserToken |
| jose.js:36:26:36:34 | UserToken |
| jwtDecode.js:18:11:18:28 | UserToken |
| jwtDecode.js:18:23:18:28 | aJwt() |
| jwtDecode.js:18:23:18:28 | aJwt() |
| jwtDecode.js:22:16:22:24 | UserToken |
| jwtDecode.js:22:16:22:24 | UserToken |
| jwtSimple.js:18:11:18:28 | UserToken |
| jwtSimple.js:18:23:18:28 | aJwt() |
| jwtSimple.js:18:23:18:28 | aJwt() |
| jwtSimple.js:21:23:21:31 | UserToken |
| jwtSimple.js:21:23:21:31 | UserToken |
| jwtSimple.js:25:11:25:28 | UserToken |
| jwtSimple.js:25:23:25:28 | aJwt() |
| jwtSimple.js:25:23:25:28 | aJwt() |
| jwtSimple.js:28:23:28:31 | UserToken |
| jwtSimple.js:28:23:28:31 | UserToken |
| jwtSimple.js:29:23:29:31 | UserToken |
| jwtSimple.js:29:23:29:31 | UserToken |
| jwtSimple.js:33:11:33:28 | UserToken |
| jwtSimple.js:33:23:33:28 | aJwt() |
| jwtSimple.js:33:23:33:28 | aJwt() |
| jwtSimple.js:36:23:36:31 | UserToken |
| jwtSimple.js:36:23:36:31 | UserToken |
| jwtSimple.js:37:23:37:31 | UserToken |
| jwtSimple.js:37:23:37:31 | UserToken |
edges
| JsonWebToken.js:18:11:18:28 | UserToken | JsonWebToken.js:21:28:21:36 | UserToken |
| JsonWebToken.js:18:11:18:28 | UserToken | JsonWebToken.js:21:28:21:36 | UserToken |
| JsonWebToken.js:18:23:18:28 | aJwt() | JsonWebToken.js:18:11:18:28 | UserToken |
| JsonWebToken.js:18:23:18:28 | aJwt() | JsonWebToken.js:18:11:18:28 | UserToken |
| JsonWebToken.js:25:11:25:28 | UserToken | JsonWebToken.js:28:28:28:36 | UserToken |
| JsonWebToken.js:25:11:25:28 | UserToken | JsonWebToken.js:28:28:28:36 | UserToken |
| JsonWebToken.js:25:11:25:28 | UserToken | JsonWebToken.js:29:28:29:36 | UserToken |
| JsonWebToken.js:25:11:25:28 | UserToken | JsonWebToken.js:29:28:29:36 | UserToken |
| JsonWebToken.js:25:23:25:28 | aJwt() | JsonWebToken.js:25:11:25:28 | UserToken |
| JsonWebToken.js:25:23:25:28 | aJwt() | JsonWebToken.js:25:11:25:28 | UserToken |
| JsonWebToken.js:33:11:33:28 | UserToken | JsonWebToken.js:36:28:36:36 | UserToken |
| JsonWebToken.js:33:11:33:28 | UserToken | JsonWebToken.js:36:28:36:36 | UserToken |
| JsonWebToken.js:33:23:33:28 | aJwt() | JsonWebToken.js:33:11:33:28 | UserToken |
| JsonWebToken.js:33:23:33:28 | aJwt() | JsonWebToken.js:33:11:33:28 | UserToken |
| JsonWebToken.js:40:11:40:28 | UserToken | JsonWebToken.js:43:28:43:36 | UserToken |
| JsonWebToken.js:40:11:40:28 | UserToken | JsonWebToken.js:43:28:43:36 | UserToken |
| JsonWebToken.js:40:11:40:28 | UserToken | JsonWebToken.js:44:28:44:36 | UserToken |
| JsonWebToken.js:40:11:40:28 | UserToken | JsonWebToken.js:44:28:44:36 | UserToken |
| JsonWebToken.js:40:23:40:28 | aJwt() | JsonWebToken.js:40:11:40:28 | UserToken |
| JsonWebToken.js:40:23:40:28 | aJwt() | JsonWebToken.js:40:11:40:28 | UserToken |
| JsonWebToken.js:48:11:48:28 | UserToken | JsonWebToken.js:51:28:51:36 | UserToken |
| JsonWebToken.js:48:11:48:28 | UserToken | JsonWebToken.js:51:28:51:36 | UserToken |
| JsonWebToken.js:48:11:48:28 | UserToken | JsonWebToken.js:52:28:52:36 | UserToken |
| JsonWebToken.js:48:11:48:28 | UserToken | JsonWebToken.js:52:28:52:36 | UserToken |
| JsonWebToken.js:48:23:48:28 | aJwt() | JsonWebToken.js:48:11:48:28 | UserToken |
| JsonWebToken.js:48:23:48:28 | aJwt() | JsonWebToken.js:48:11:48:28 | UserToken |
| jose.js:18:11:18:28 | UserToken | jose.js:21:20:21:28 | UserToken |
| jose.js:18:11:18:28 | UserToken | jose.js:21:20:21:28 | UserToken |
| jose.js:18:23:18:28 | aJwt() | jose.js:18:11:18:28 | UserToken |
| jose.js:18:23:18:28 | aJwt() | jose.js:18:11:18:28 | UserToken |
| jose.js:25:11:25:28 | UserToken | jose.js:28:20:28:28 | UserToken |
| jose.js:25:11:25:28 | UserToken | jose.js:28:20:28:28 | UserToken |
| jose.js:25:11:25:28 | UserToken | jose.js:29:26:29:34 | UserToken |
| jose.js:25:11:25:28 | UserToken | jose.js:29:26:29:34 | UserToken |
| jose.js:25:23:25:28 | aJwt() | jose.js:25:11:25:28 | UserToken |
| jose.js:25:23:25:28 | aJwt() | jose.js:25:11:25:28 | UserToken |
| jose.js:33:11:33:28 | UserToken | jose.js:36:26:36:34 | UserToken |
| jose.js:33:11:33:28 | UserToken | jose.js:36:26:36:34 | UserToken |
| jose.js:33:23:33:28 | aJwt() | jose.js:33:11:33:28 | UserToken |
| jose.js:33:23:33:28 | aJwt() | jose.js:33:11:33:28 | UserToken |
| jwtDecode.js:18:11:18:28 | UserToken | jwtDecode.js:22:16:22:24 | UserToken |
| jwtDecode.js:18:11:18:28 | UserToken | jwtDecode.js:22:16:22:24 | UserToken |
| jwtDecode.js:18:23:18:28 | aJwt() | jwtDecode.js:18:11:18:28 | UserToken |
| jwtDecode.js:18:23:18:28 | aJwt() | jwtDecode.js:18:11:18:28 | UserToken |
| jwtSimple.js:18:11:18:28 | UserToken | jwtSimple.js:21:23:21:31 | UserToken |
| jwtSimple.js:18:11:18:28 | UserToken | jwtSimple.js:21:23:21:31 | UserToken |
| jwtSimple.js:18:23:18:28 | aJwt() | jwtSimple.js:18:11:18:28 | UserToken |
| jwtSimple.js:18:23:18:28 | aJwt() | jwtSimple.js:18:11:18:28 | UserToken |
| jwtSimple.js:25:11:25:28 | UserToken | jwtSimple.js:28:23:28:31 | UserToken |
| jwtSimple.js:25:11:25:28 | UserToken | jwtSimple.js:28:23:28:31 | UserToken |
| jwtSimple.js:25:11:25:28 | UserToken | jwtSimple.js:29:23:29:31 | UserToken |
| jwtSimple.js:25:11:25:28 | UserToken | jwtSimple.js:29:23:29:31 | UserToken |
| jwtSimple.js:25:23:25:28 | aJwt() | jwtSimple.js:25:11:25:28 | UserToken |
| jwtSimple.js:25:23:25:28 | aJwt() | jwtSimple.js:25:11:25:28 | UserToken |
| jwtSimple.js:33:11:33:28 | UserToken | jwtSimple.js:36:23:36:31 | UserToken |
| jwtSimple.js:33:11:33:28 | UserToken | jwtSimple.js:36:23:36:31 | UserToken |
| jwtSimple.js:33:11:33:28 | UserToken | jwtSimple.js:37:23:37:31 | UserToken |
| jwtSimple.js:33:11:33:28 | UserToken | jwtSimple.js:37:23:37:31 | UserToken |
| jwtSimple.js:33:23:33:28 | aJwt() | jwtSimple.js:33:11:33:28 | UserToken |
| jwtSimple.js:33:23:33:28 | aJwt() | jwtSimple.js:33:11:33:28 | UserToken |
#select
| JsonWebToken.js:18:23:18:28 | aJwt() | JsonWebToken.js:18:23:18:28 | aJwt() | JsonWebToken.js:21:28:21:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:21:28:21:36 | UserToken | without signature verification |
| JsonWebToken.js:25:23:25:28 | aJwt() | JsonWebToken.js:25:23:25:28 | aJwt() | JsonWebToken.js:28:28:28:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:28:28:28:36 | UserToken | without signature verification |
| JsonWebToken.js:25:23:25:28 | aJwt() | JsonWebToken.js:25:23:25:28 | aJwt() | JsonWebToken.js:29:28:29:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:29:28:29:36 | UserToken | without signature verification |
| jose.js:18:23:18:28 | aJwt() | jose.js:18:23:18:28 | aJwt() | jose.js:21:20:21:28 | UserToken | Decoding JWT $@. | jose.js:21:20:21:28 | UserToken | without signature verification |
| jwtDecode.js:18:23:18:28 | aJwt() | jwtDecode.js:18:23:18:28 | aJwt() | jwtDecode.js:22:16:22:24 | UserToken | Decoding JWT $@. | jwtDecode.js:22:16:22:24 | UserToken | without signature verification |
| jwtSimple.js:18:23:18:28 | aJwt() | jwtSimple.js:18:23:18:28 | aJwt() | jwtSimple.js:21:23:21:31 | UserToken | Decoding JWT $@. | jwtSimple.js:21:23:21:31 | UserToken | without signature verification |


@@ -0,0 +1,37 @@
const express = require('express')
const app = express()
const jwtJsonwebtoken = require('jsonwebtoken');
const jwt_decode = require('jwt-decode');
const jwt_simple = require('jwt-simple');
const jose = require('jose')
const port = 3000
function getSecret() {
return "A Safe generated random key"
}
function aJWT() {
return "A JWT provided by user"
}
(function () {
const UserToken = aJwt()
// no signature verification
jose.decodeJwt(UserToken) // NOT OK
})();
(async function () {
const UserToken = aJwt()
// first without signature verification then with signature verification for same UserToken
jose.decodeJwt(UserToken) // OK
await jose.jwtVerify(UserToken, new TextEncoder().encode(getSecret())) // OK
})();
(async function () {
const UserToken = aJwt()
// with signature verification
await jose.jwtVerify(UserToken, new TextEncoder().encode(getSecret())) // OK
})();
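Review bot: Every call site in this fixture uses `aJwt()`, but the helper declared above them is `function aJWT()`, so as plain JavaScript the calls are unresolved and the declaration is dead. If the local-flow query keys its source on the call name `aJwt` this is harmless for the analysis, but the fixture should still be self-consistent; renaming the declaration to `function aJwt() {` (or the calls to `aJWT()`, with the expected output regenerated) removes the ambiguity. The `// OK` on the `jose.decodeJwt(UserToken)` that precedes `jose.jwtVerify` reflects the query's heuristic that any verified use of the same token suppresses the finding, not that the unverified decode is itself safe; a comment such as `// OK only because the same token is verified below` would stop readers treating this as an endorsed pattern.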


@@ -0,0 +1,23 @@
const express = require('express')
const app = express()
const jwtJsonwebtoken = require('jsonwebtoken');
const jwt_decode = require('jwt-decode');
const jwt_simple = require('jwt-simple');
const jose = require('jose')
const port = 3000
function getSecret() {
return "A Safe generated random key"
}
function aJWT() {
return "A JWT provided by user"
}
(function () {
const UserToken = aJwt()
// jwt-decode
// no signature verification
jwt_decode(UserToken) // NOT OK
})();
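Review bot: Only `jwt_decode` and `aJwt` are exercised in this new fixture; `express`, `app`, `jwtJsonwebtoken`, `jwt_simple`, `jose` and `port` appear to be carried over from the remote-flow fixture and are never used. Dropping them keeps the local-flow test focused on the one library it covers and avoids pulling unrelated module models into the test database. The declaration `function aJWT()` also does not match the call `aJwt()`; one of the two should be renamed so the file is valid JavaScript.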


@@ -0,0 +1,38 @@
const express = require('express')
const app = express()
const jwtJsonwebtoken = require('jsonwebtoken');
const jwt_decode = require('jwt-decode');
const jwt_simple = require('jwt-simple');
const jose = require('jose')
const port = 3000
function getSecret() {
return "A Safe generated random key"
}
function aJWT() {
return "A JWT provided by user"
}
(function () {
const UserToken = aJwt()
// BAD: no signature verification
jwt_simple.decode(UserToken, getSecret(), true); // NOT OK
})();
(function () {
const UserToken = aJwt()
// GOOD: all with with signature verification
jwt_simple.decode(UserToken, getSecret(), false); // OK
jwt_simple.decode(UserToken, getSecret()); // OK
})();
(function () {
const UserToken = aJwt()
// GOOD: first without signature verification then with signature verification for same UserToken
jwt_simple.decode(UserToken, getSecret(), true); // OK
jwt_simple.decode(UserToken, getSecret()); // OK
})();
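Review bot: The comment `// GOOD: all with with signature verification` has a doubled word and should read `// GOOD: all with signature verification`. In the last block `jwt_simple.decode(UserToken, getSecret(), true)` is annotated `// OK` only because a verified decode of the same token follows on the next line, so the annotation should say why, e.g. `// OK: the query treats the later verified decode of the same token as verification`. As in the other local fixtures, `function aJWT()` is declared while the calls use `aJwt()`; aligning the two names makes the fixture self-consistent.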


@@ -50,46 +50,3 @@ app.get('/jwtJsonwebtoken5', (req, res) => {
app.listen(port, () => {
console.log(`Example app listening on port ${port}`)
})
function aJWT() {
return "A JWT provided by user"
}
(function () {
const UserToken = aJwt()
// BAD: no signature verification
jwtJsonwebtoken.decode(UserToken) // NOT OK
})();
(function () {
const UserToken = aJwt()
// BAD: no signature verification
jwtJsonwebtoken.decode(UserToken) // NOT OK
jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256", "none"] }) // NOT OK
})();
(function () {
const UserToken = aJwt()
// GOOD: with signature verification
jwtJsonwebtoken.verify(UserToken, getSecret()) // OK
})();
(function () {
const UserToken = aJwt()
// GOOD: first without signature verification then with signature verification for same UserToken
jwtJsonwebtoken.decode(UserToken) // OK
jwtJsonwebtoken.verify(UserToken, getSecret()) // OK
})();
(function () {
const UserToken = aJwt()
// GOOD: first without signature verification then with signature verification for same UserToken
jwtJsonwebtoken.decode(UserToken) // OK
jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256"] }) // OK
})();


@@ -17,6 +17,9 @@ nodes
| JsonWebToken.js:31:28:31:36 | UserToken |
| JsonWebToken.js:31:28:31:36 | UserToken |
| JsonWebToken.js:35:11:35:47 | UserToken |
| JsonWebToken.js:35:11:35:47 | UserToken |
| JsonWebToken.js:35:23:35:47 | req.hea ... ization |
| JsonWebToken.js:35:23:35:47 | req.hea ... ization |
| JsonWebToken.js:35:23:35:47 | req.hea ... ization |
| JsonWebToken.js:35:23:35:47 | req.hea ... ization |
| JsonWebToken.js:38:28:38:36 | UserToken |
@@ -24,6 +27,9 @@ nodes
| JsonWebToken.js:39:28:39:36 | UserToken |
| JsonWebToken.js:39:28:39:36 | UserToken |
| JsonWebToken.js:43:11:43:47 | UserToken |
| JsonWebToken.js:43:11:43:47 | UserToken |
| JsonWebToken.js:43:23:43:47 | req.hea ... ization |
| JsonWebToken.js:43:23:43:47 | req.hea ... ization |
| JsonWebToken.js:43:23:43:47 | req.hea ... ization |
| JsonWebToken.js:43:23:43:47 | req.hea ... ization |
| JsonWebToken.js:46:28:46:36 | UserToken |
@@ -41,6 +47,9 @@ nodes
| jose.js:23:26:23:34 | UserToken |
| jose.js:23:26:23:34 | UserToken |
| jose.js:27:11:27:47 | UserToken |
| jose.js:27:11:27:47 | UserToken |
| jose.js:27:23:27:47 | req.hea ... ization |
| jose.js:27:23:27:47 | req.hea ... ization |
| jose.js:27:23:27:47 | req.hea ... ization |
| jose.js:27:23:27:47 | req.hea ... ization |
| jose.js:29:20:29:28 | UserToken |
@@ -65,6 +74,9 @@ nodes
| jwtSimple.js:24:23:24:31 | UserToken |
| jwtSimple.js:24:23:24:31 | UserToken |
| jwtSimple.js:28:11:28:47 | UserToken |
| jwtSimple.js:28:11:28:47 | UserToken |
| jwtSimple.js:28:23:28:47 | req.hea ... ization |
| jwtSimple.js:28:23:28:47 | req.hea ... ization |
| jwtSimple.js:28:23:28:47 | req.hea ... ization |
| jwtSimple.js:28:23:28:47 | req.hea ... ization |
| jwtSimple.js:31:23:31:31 | UserToken |
@@ -92,12 +104,16 @@ edges
| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:39:28:39:36 | UserToken |
| JsonWebToken.js:35:23:35:47 | req.hea ... ization | JsonWebToken.js:35:11:35:47 | UserToken |
| JsonWebToken.js:35:23:35:47 | req.hea ... ization | JsonWebToken.js:35:11:35:47 | UserToken |
| JsonWebToken.js:35:23:35:47 | req.hea ... ization | JsonWebToken.js:35:11:35:47 | UserToken |
| JsonWebToken.js:35:23:35:47 | req.hea ... ization | JsonWebToken.js:35:11:35:47 | UserToken |
| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:46:28:46:36 | UserToken |
| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:46:28:46:36 | UserToken |
| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:47:28:47:36 | UserToken |
| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:47:28:47:36 | UserToken |
| JsonWebToken.js:43:23:43:47 | req.hea ... ization | JsonWebToken.js:43:11:43:47 | UserToken |
| JsonWebToken.js:43:23:43:47 | req.hea ... ization | JsonWebToken.js:43:11:43:47 | UserToken |
| JsonWebToken.js:43:23:43:47 | req.hea ... ization | JsonWebToken.js:43:11:43:47 | UserToken |
| JsonWebToken.js:43:23:43:47 | req.hea ... ization | JsonWebToken.js:43:11:43:47 | UserToken |
| jose.js:14:11:14:47 | UserToken | jose.js:16:20:16:28 | UserToken |
| jose.js:14:11:14:47 | UserToken | jose.js:16:20:16:28 | UserToken |
| jose.js:14:23:14:47 | req.hea ... ization | jose.js:14:11:14:47 | UserToken |
@@ -112,6 +128,8 @@ edges
| jose.js:27:11:27:47 | UserToken | jose.js:30:26:30:34 | UserToken |
| jose.js:27:23:27:47 | req.hea ... ization | jose.js:27:11:27:47 | UserToken |
| jose.js:27:23:27:47 | req.hea ... ization | jose.js:27:11:27:47 | UserToken |
| jose.js:27:23:27:47 | req.hea ... ization | jose.js:27:11:27:47 | UserToken |
| jose.js:27:23:27:47 | req.hea ... ization | jose.js:27:11:27:47 | UserToken |
| jwtDecode.js:14:11:14:47 | UserToken | jwtDecode.js:18:16:18:24 | UserToken |
| jwtDecode.js:14:11:14:47 | UserToken | jwtDecode.js:18:16:18:24 | UserToken |
| jwtDecode.js:14:23:14:47 | req.hea ... ization | jwtDecode.js:14:11:14:47 | UserToken |
@@ -132,6 +150,8 @@ edges
| jwtSimple.js:28:11:28:47 | UserToken | jwtSimple.js:32:23:32:31 | UserToken |
| jwtSimple.js:28:23:28:47 | req.hea ... ization | jwtSimple.js:28:11:28:47 | UserToken |
| jwtSimple.js:28:23:28:47 | req.hea ... ization | jwtSimple.js:28:11:28:47 | UserToken |
| jwtSimple.js:28:23:28:47 | req.hea ... ization | jwtSimple.js:28:11:28:47 | UserToken |
| jwtSimple.js:28:23:28:47 | req.hea ... ization | jwtSimple.js:28:11:28:47 | UserToken |
#select
| JsonWebToken.js:13:23:13:47 | req.hea ... ization | JsonWebToken.js:13:23:13:47 | req.hea ... ization | JsonWebToken.js:16:28:16:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:16:28:16:36 | UserToken | without signature verification |
| JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:23:28:23:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:23:28:23:36 | UserToken | without signature verification |


@@ -33,29 +33,3 @@ app.get('/jose3', async (req, res) => {
app.listen(port, () => {
console.log(`Example app listening on port ${port}`)
})
function aJWT() {
return "A JWT provided by user"
}
(function () {
const UserToken = aJwt()
// no signature verification
jose.decodeJwt(UserToken) // NOT OK
})();
(async function () {
const UserToken = aJwt()
// first without signature verification then with signature verification for same UserToken
jose.decodeJwt(UserToken) // OK
await jose.jwtVerify(UserToken, new TextEncoder().encode(getSecret())) // OK
})();
(async function () {
const UserToken = aJwt()
// with signature verification
await jose.jwtVerify(UserToken, new TextEncoder().encode(getSecret())) // OK
})();


@@ -21,15 +21,3 @@ app.get('/jwtDecode', (req, res) => {
app.listen(port, () => {
console.log(`Example app listening on port ${port}`)
})
function aJWT() {
return "A JWT provided by user"
}
(function () {
const UserToken = aJwt()
// jwt-decode
// no signature verification
jwt_decode(UserToken) // NOT OK
})();


@@ -35,30 +35,3 @@ app.get('/jwtSimple3', (req, res) => {
app.listen(port, () => {
console.log(`Example app listening on port ${port}`)
})
function aJWT() {
return "A JWT provided by user"
}
(function () {
const UserToken = aJwt()
// BAD: no signature verification
jwt_simple.decode(UserToken, getSecret(), true); // NOT OK
})();
(function () {
const UserToken = aJwt()
// GOOD: all with with signature verification
jwt_simple.decode(UserToken, getSecret(), false); // OK
jwt_simple.decode(UserToken, getSecret()); // OK
})();
(function () {
const UserToken = aJwt()
// GOOD: first without signature verification then with signature verification for same UserToken
jwt_simple.decode(UserToken, getSecret(), true); // OK
jwt_simple.decode(UserToken, getSecret()); // OK
})();