update the remote flow based query thanks to @erik-krogh, update tests and separate the local and remote query tests

2026-04-26 09:15:12 +02:00 · 2024-06-07 06:01:49 +02:00
parent 12df7dee17
commit b9e3b3310e
15 changed files with 326 additions and 436 deletions
--- a/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql
+++ b/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql
@@ -14,24 +14,27 @@ import javascript
 import DataFlow::PathGraph
 import JWT

-class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "jsonwebtoken without any signature verification" }
+class ConfigurationUnverifiedDecode extends TaintTracking::Configuration {
+  ConfigurationUnverifiedDecode() { this = "jsonwebtoken without any signature verification" }

  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

-  override predicate isSink(DataFlow::Node sink) {
-    sink = unverifiedDecode()
-    or
-    sink = verifiedDecode()
-  }
+  override predicate isSink(DataFlow::Node sink) { sink = unverifiedDecode() }
 }

-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+class ConfigurationVerifiedDecode extends TaintTracking::Configuration {
+  ConfigurationVerifiedDecode() { this = "jsonwebtoken with signature verification" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink = verifiedDecode() }
+}
+
+from ConfigurationUnverifiedDecode cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where
  cfg.hasFlowPath(source, sink) and
-  sink.getNode() = unverifiedDecode() and
-  not exists(Configuration cfg2 |
-    cfg2.hasFlowPath(source, any(DataFlow::SinkPathNode n | n.getNode() = verifiedDecode()))
+  not exists(ConfigurationVerifiedDecode cfg2 |
+    cfg2.hasFlowPath(any(DataFlow::PathNode p | p.getNode() = source.getNode()), _)
  )
 select source.getNode(), source, sink, "Decoding JWT $@.", sink.getNode(),
  "without signature verification"
--- a/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerificationDoesNotWork.ql
+++ b/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerificationDoesNotWork.ql
@@ -1,38 +0,0 @@
-/**
- * @name This query is for seeing if we can have two taint config within on query file
- * @description The application does not verify the JWT payload with a cryptographic secret or public key.
- * @kind path-problem
- * @problem.severity error
- * @security-severity 8.0
- * @precision high
- * @id js/decode-jwt-without-verification-does-not-work
- * @tags security
- *       external/cwe/cwe-347
- */
-
-import javascript
-import DataFlow::PathGraph
-import JWT
-
-class ConfigurationUnverifiedDecode extends TaintTracking::Configuration {
-  ConfigurationUnverifiedDecode() { this = "jsonwebtoken without any signature verification" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink = unverifiedDecode() }
-}
-
-class ConfigurationVerifiedDecode extends TaintTracking::Configuration {
-  ConfigurationVerifiedDecode() { this = "jsonwebtoken with signature verification" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink = verifiedDecode() }
-}
-
-from ConfigurationUnverifiedDecode cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where
-  cfg.hasFlowPath(source, sink) and
-  not exists(ConfigurationVerifiedDecode cfg2 | cfg2.hasFlowPath(source, _))
-select source.getNode(), source, sink, "Decoding JWT $@.", sink.getNode(),
-  "without signature verification"