mirror of
https://github.com/github/codeql.git
synced 2026-04-29 02:35:15 +02:00
Use InlineExpectationsTest for tests
This commit is contained in:
Tony Torralba
@@ -1,8 +0,0 @@
|
||||
| MissingJWTSignatureCheck.java:96:9:96:27 | parse(...) | A signing key is set $@, but the signature is not verified. | MissingJWTSignatureCheck.java:18:16:18:66 | setSigningKey(...) | here |
|
||||
| MissingJWTSignatureCheck.java:96:9:96:27 | parse(...) | A signing key is set $@, but the signature is not verified. | MissingJWTSignatureCheck.java:22:16:22:73 | setSigningKey(...) | here |
|
||||
| MissingJWTSignatureCheck.java:96:9:96:27 | parse(...) | A signing key is set $@, but the signature is not verified. | MissingJWTSignatureCheck.java:26:16:26:75 | setSigningKey(...) | here |
|
||||
| MissingJWTSignatureCheck.java:100:9:105:22 | parse(...) | A signing key is set $@, but the signature is not verified. | MissingJWTSignatureCheck.java:18:16:18:66 | setSigningKey(...) | here |
|
||||
| MissingJWTSignatureCheck.java:100:9:105:22 | parse(...) | A signing key is set $@, but the signature is not verified. | MissingJWTSignatureCheck.java:22:16:22:73 | setSigningKey(...) | here |
|
||||
| MissingJWTSignatureCheck.java:100:9:105:22 | parse(...) | A signing key is set $@, but the signature is not verified. | MissingJWTSignatureCheck.java:26:16:26:75 | setSigningKey(...) | here |
|
||||
| MissingJWTSignatureCheck.java:127:9:129:33 | parse(...) | A signing key is set $@, but the signature is not verified. | MissingJWTSignatureCheck.java:127:9:128:58 | setSigningKey(...) | here |
|
||||
| MissingJWTSignatureCheck.java:133:9:140:22 | parse(...) | A signing key is set $@, but the signature is not verified. | MissingJWTSignatureCheck.java:133:9:134:58 | setSigningKey(...) | here |
|
||||
@@ -1 +0,0 @@
|
||||
Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
|
||||
@@ -1,5 +1,3 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jwtk-jjwt-0.11.2
|
||||
|
||||
import io.jsonwebtoken.Jwts;
|
||||
import io.jsonwebtoken.JwtParser;
|
||||
import io.jsonwebtoken.Jwt;
|
||||
@@ -9,10 +7,7 @@ import io.jsonwebtoken.JwtParserBuilder;
|
||||
import io.jsonwebtoken.JwtHandlerAdapter;
|
||||
import io.jsonwebtoken.impl.DefaultJwtParser;
|
||||
|
||||
public class MissingJWTSignatureCheck {
|
||||
|
||||
|
||||
// SIGNED
|
||||
public class MissingJWTSignatureCheckTest {
|
||||
|
||||
private JwtParser getASignedParser() {
|
||||
return Jwts.parser().setSigningKey("someBase64EncodedKey");
|
||||
@@ -46,10 +41,6 @@ public class MissingJWTSignatureCheck {
|
||||
goodJwtHandler(parser3, "");
|
||||
}
|
||||
|
||||
// SIGNED END
|
||||
|
||||
// UNSIGNED
|
||||
|
||||
private JwtParser getAnUnsignedParser() {
|
||||
return Jwts.parser();
|
||||
}
|
||||
@@ -84,81 +75,63 @@ public class MissingJWTSignatureCheck {
|
||||
|
||||
private void signParserAfterParseCall() {
|
||||
JwtParser parser = getAnUnsignedParser();
|
||||
parser.parse(""); // Should not be detected
|
||||
parser.parse(""); // Safe
|
||||
parser.setSigningKey("someBase64EncodedKey");
|
||||
}
|
||||
|
||||
// UNSIGNED END
|
||||
|
||||
// INDIRECT
|
||||
|
||||
private void badJwtOnParserBuilder(JwtParser parser, String token) {
|
||||
parser.parse(token); // BAD: Does not verify the signature
|
||||
parser.parse(token); // $hasMissingJwtSignatureCheck
|
||||
}
|
||||
|
||||
private void badJwtHandlerOnParserBuilder(JwtParser parser, String token) {
|
||||
parser.parse(token, new JwtHandlerAdapter<Jwt<Header, String>>() { // BAD: The handler is called on an unverified JWT
|
||||
@Override
|
||||
public Jwt<Header, String> onPlaintextJwt(Jwt<Header, String> jwt) {
|
||||
return jwt;
|
||||
}
|
||||
});
|
||||
parser.parse(token, new JwtHandlerAdapter<Jwt<Header, String>>() { // $hasMissingJwtSignatureCheck
|
||||
@Override
|
||||
public Jwt<Header, String> onPlaintextJwt(Jwt<Header, String> jwt) {
|
||||
return jwt;
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
private void goodJwtOnParserBuilder(JwtParser parser, String token) {
|
||||
parser.parseClaimsJws(token) // GOOD: Verify the signature
|
||||
.getBody();
|
||||
parser.parseClaimsJws(token) // Safe
|
||||
.getBody();
|
||||
}
|
||||
|
||||
private void goodJwtHandler(JwtParser parser, String token) {
|
||||
parser.parse(token, new JwtHandlerAdapter<Jws<String>>() { // GOOD: The handler is called on a verified JWS
|
||||
@Override
|
||||
public Jws<String> onPlaintextJws(Jws<String> jws) {
|
||||
return jws;
|
||||
}
|
||||
});
|
||||
parser.parse(token, new JwtHandlerAdapter<Jws<String>>() { // Safe
|
||||
@Override
|
||||
public Jws<String> onPlaintextJws(Jws<String> jws) {
|
||||
return jws;
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
// INDIRECT END
|
||||
|
||||
// DIRECT
|
||||
|
||||
private void badJwtOnParserBuilder(String token) {
|
||||
Jwts.parserBuilder()
|
||||
.setSigningKey("someBase64EncodedKey").build()
|
||||
.parse(token); // BAD: Does not verify the signature
|
||||
Jwts.parserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token); // $hasMissingJwtSignatureCheck
|
||||
}
|
||||
|
||||
private void badJwtHandlerOnParser(String token) {
|
||||
Jwts.parser()
|
||||
.setSigningKey("someBase64EncodedKey")
|
||||
.parse(token, new JwtHandlerAdapter<Jwt<Header, String>>() { // BAD: The handler is called on an unverified JWT
|
||||
@Override
|
||||
public Jwt<Header, String> onPlaintextJwt(Jwt<Header, String> jwt) {
|
||||
return jwt;
|
||||
}
|
||||
});
|
||||
Jwts.parser().setSigningKey("someBase64EncodedKey").parse(token, // $hasMissingJwtSignatureCheck
|
||||
new JwtHandlerAdapter<Jwt<Header, String>>() {
|
||||
@Override
|
||||
public Jwt<Header, String> onPlaintextJwt(Jwt<Header, String> jwt) {
|
||||
return jwt;
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
private void goodJwtOnParser(String token) {
|
||||
Jwts.parser()
|
||||
.setSigningKey("someBase64EncodedKey")
|
||||
.parseClaimsJws(token) // GOOD: Verify the signature
|
||||
.getBody();
|
||||
Jwts.parser().setSigningKey("someBase64EncodedKey").parseClaimsJws(token) // Safe
|
||||
.getBody();
|
||||
}
|
||||
|
||||
private void goodJwtHandlerOnParserBuilder(String token) {
|
||||
Jwts.parserBuilder()
|
||||
.setSigningKey("someBase64EncodedKey").build()
|
||||
.parse(token, new JwtHandlerAdapter<Jws<String>>() { // GOOD: The handler is called on a verified JWS
|
||||
@Override
|
||||
public Jws<String> onPlaintextJws(Jws<String> jws) {
|
||||
return jws;
|
||||
}
|
||||
});
|
||||
Jwts.parserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token, // Safe
|
||||
new JwtHandlerAdapter<Jws<String>>() {
|
||||
@Override
|
||||
public Jws<String> onPlaintextJws(Jws<String> jws) {
|
||||
return jws;
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
// DIRECT END
|
||||
|
||||
|
||||
}
|
||||
@@ -0,0 +1,19 @@
|
||||
import java
|
||||
import semmle.code.java.security.JWT
|
||||
import TestUtilities.InlineExpectationsTest
|
||||
|
||||
class HasMissingJwtSignatureCheckTest extends InlineExpectationsTest {
|
||||
HasMissingJwtSignatureCheckTest() { this = "HasMissingJwtSignatureCheckTest" }
|
||||
|
||||
override string getARelevantTag() { result = "hasMissingJwtSignatureCheck" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "hasMissingJwtSignatureCheck" and
|
||||
exists(JwtParserWithInsecureParseSink sink, JwtParserWithSigningKeyExpr parserExpr |
|
||||
sink.asExpr() = parserExpr and
|
||||
sink.getLocation() = location and
|
||||
element = sink.toString() and
|
||||
value = ""
|
||||
)
|
||||
}
|
||||
}
|
||||
1
java/ql/test/query-tests/security/CWE-347/options
Normal file
1
java/ql/test/query-tests/security/CWE-347/options
Normal file
@@ -0,0 +1 @@
|
||||
semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jwtk-jjwt-0.11.2
|
||||
Reference in New Issue
Block a user