hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Golang : Add query to detect JWT signing vulnerabilities

Browse Source 
Supersedes github/codeql-go#705
This commit is contained in:
Porcupiney Hairs
2022-05-31 01:53:04 +05:30
parent a661a0cc7e
commit bd1ddc177e
20 changed files with 2379 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
go/ql/src/experimental/CWE-321/HardcodedKeys.qhelp Normal file
View File

@@ -0,0 +1,50 @@
<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
<qhelp>
<overview>
<p>
A JSON Web Token (JWT) is used for authenticating and managing users in an application.
</p>
<p>
Using a hard-coded secret key for signing JWT tokens in open source projects
can leave the application using the token vulnerable to authentication bypasses.
</p>
<p>
A JWT token is safe for enforcing authentication and access control as long as it can't be forged by a malicious actor. However, when a project exposes this secret publicly, these seemingly unforgeable tokens can now be easily forged.
Since the authentication as well as access control is typically enforced through these JWT tokens, an attacker armed with the secret can create a valid authentication token for any user and may even gain access to other privileged parts of the application.
</p>
</overview>
<recommendation>
<p>
Generating a crytograhically secure secret key during application initialization and using this generated key for future JWT signing requests can prevent this vulnerability.
</p>
</recommendation>
<example>
<p>
The following code uses a hard-coded string as a secret for signing the tokens. In this case, an attacker can very easily forge a token by using the hard-coded secret.
</p>
<sample src="HardcodedKeysBad.go" />
</example>
<example>
<p>
In the following case, the application uses a programatically generated string as a secret for signing the tokens. In this case, since the secret can't be predicted, the code is secure. A function like `GenerateCryptoString` can be run to generate a secure secret key at the time of application installation/initialization. This generated key can then be used for all future signing requests.
</p>
<sample src="HardcodedKeysGood.go" />
</example>
<references>
<li>
CVE-2022-0664:
<a href="https://nvd.nist.gov/vuln/detail/CVE-2022-0664">Use of Hard-coded Cryptographic Key in Go github.com/gravitl/netmaker prior to 0.8.5,0.9.4,0.10.0,0.10.1. </a>
</li>
</references>
</qhelp>

18
go/ql/src/experimental/CWE-321/HardcodedKeys.ql Normal file
View File

@@ -0,0 +1,18 @@
/**
* @name Use of a hardcoded key for signing JWT
* @description Using a fixed hardcoded key for signing JWT's can allow an attacker to compromise security.
* @kind path-problem
* @problem.severity error
* @id go/hardcoded-key
* @tags security
* external/cwe/cwe-321
*/
import go
import HardcodedKeysLib
import DataFlow::PathGraph
from HardcodedKeys::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@ is used to sign a JWT token.", source.getNode(),
"Hardcoded String"

9
go/ql/src/experimental/CWE-321/HardcodedKeysBad.go Normal file
View File

@@ -0,0 +1,9 @@
mySigningKey := []byte("AllYourBase")
claims := &jwt.RegisteredClaims{
ExpiresAt: jwt.NewNumericDate(time.Unix(1516239022, 0)),
Issuer: "test",
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
ss, err := token.SignedString(mySigningKey)

23
go/ql/src/experimental/CWE-321/HardcodedKeysGood.go Normal file
View File

@@ -0,0 +1,23 @@
func GenerateCryptoString(n int) (string, error) {
const chars = "123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-"
ret := make([]byte, n)
for i := range ret {
num, err := crand.Int(crand.Reader, big.NewInt(int64(len(chars))))
if err != nil {
return "", err
}
ret[i] = chars[num.Int64()]
}
return string(ret), nil
}
mySigningKey := GenerateCryptoString(64)
claims := &jwt.RegisteredClaims{
ExpiresAt: jwt.NewNumericDate(time.Unix(1516239022, 0)),
Issuer: "test",
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
ss, err := token.SignedString(mySigningKey)

271
go/ql/src/experimental/CWE-321/HardcodedKeysLib.qll Normal file
View File

@@ -0,0 +1,271 @@
/**
* Provides default sources, sinks and sanitizers for reasoning about
* JWT token signing vulnerabilities as well as extension points
* for adding your own.
*/
import go
import StringOps
import DataFlow::PathGraph
/**
* Provides default sources, sinks and sanitizers for reasoning about
* JWT token signing vulnerabilities as well as extension points
* for adding your own.
*/
module HardcodedKeys {
/**
* A data flow source for JWT token signing vulnerabilities.
*/
abstract class Source extends DataFlow::Node { }
/**
* A data flow sink for JWT token signing vulnerabilities.
*/
abstract class Sink extends DataFlow::Node { }
/**
* A sanitizer for JWT token signing vulnerabilities.
*/
abstract class Sanitizer extends DataFlow::Node { }
/**
* A sanitizer guard for JWT token signing vulnerabilities.
*/
abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
private predicate isTestCode(Expr e) {
e.getFile().getAbsolutePath().toLowerCase().matches("%test%") and
not e.getFile().getAbsolutePath().toLowerCase().matches("%ql/test%")
}
private predicate isDemoCode(Expr e) {
e.getFile().getAbsolutePath().toLowerCase().matches(["%mock%", "%demo%", "%example%"])
}
/**
* A hardcoded string literal as a source for JWT token signing vulnerabilities.
*/
class HardcodedStringSource extends Source {
HardcodedStringSource() {
this.asExpr() instanceof StringLit and
not (isTestCode(this.asExpr()) or isDemoCode(this.asExpr()))
}
}
/**
* An expression used to sign JWT tokens as a sink for JWT token signing vulnerabilities.
*/
private class GolangJwtSign extends Sink {
GolangJwtSign() {
exists(string pkg |
pkg =
[
"github.com/golang-jwt/jwt/v4", "github.com/dgrijalva/jwt-go",
"github.com/form3tech-oss/jwt-go", "github.com/ory/fosite/token/jwt"
]
|
(
exists(DataFlow::MethodCallNode m |
// Models the `SignedString` method
// `func (t *Token) SignedString(key interface{}) (string, error)`
m.getTarget().hasQualifiedName(pkg, "Token", "SignedString")
|
this = m.getArgument(0)
)
or
exists(DataFlow::MethodCallNode m |
// Model the `Sign` method of the `SigningMethod` interface
// type SigningMethod interface {
// Verify(signingString, signature string, key interface{}) error
// Sign(signingString string, key interface{}) (string, error)
// Alg() string
// }
m.getTarget().hasQualifiedName(pkg, "SigningMethod", "Sign")
|
this = m.getArgument(1)
)
)
)
}
}
private class GinJwtSign extends Sink {
GinJwtSign() {
exists(Field f |
// https://pkg.go.dev/github.com/appleboy/gin-jwt/v2#GinJWTMiddleware
f.hasQualifiedName("github.com/appleboy/gin-jwt/v2", "GinJWTMiddleware", "Key") and
f.getAWrite().getRhs() = this
)
}
}
private class SquareJoseKey extends Sink {
SquareJoseKey() {
exists(Field f, string pkg |
// type Recipient struct {
// Algorithm KeyAlgorithm
// Key interface{}
// KeyID string
// PBES2Count int
// PBES2Salt []byte
// }
// type SigningKey struct {
// Algorithm SignatureAlgorithm
// Key interface{}
// }
f.hasQualifiedName(pkg, ["Recipient", "SigningKey"], "Key") and
f.getAWrite().getRhs() = this
|
pkg = ["github.com/square/go-jose/v3", "gopkg.in/square/go-jose.v2"]
)
}
}
private class CrystalHqJwtSigner extends Sink {
CrystalHqJwtSigner() {
exists(DataFlow::CallNode m |
// `func NewSignerHS(alg Algorithm, key []byte) (Signer, error)`
m.getTarget().hasQualifiedName("github.com/cristalhq/jwt/v3", "NewSignerHS")
|
this = m.getArgument(1)
)
}
}
private class GoKitJwt extends Sink {
GoKitJwt() {
exists(DataFlow::CallNode m |
// `func NewSigner(kid string, key []byte, method jwt.SigningMethod, claims jwt.Claims) endpoint.Middleware`
m.getTarget().hasQualifiedName("github.com/go-kit/kit/auth/jwt", "NewSigner")
|
this = m.getArgument(1)
)
}
}
private class LestrratJwk extends Sink {
LestrratJwk() {
exists(DataFlow::CallNode m, string pkg |
pkg.matches([
"github.com/lestrrat-go/jwx", "github.com/lestrrat/go-jwx/jwk",
"github.com/lestrrat-go/jwx%/jwk"
]) and
// `func New(key interface{}) (Key, error)`
m.getTarget().hasQualifiedName(pkg, "New")
|
this = m.getArgument(0)
)
}
}
/**
* Mark any comparision expression where any operand is tainted as a
* sanitizer for all instances of the taint
*/
private class CompareExprSanitizer extends Sanitizer {
CompareExprSanitizer() {
exists(BinaryExpr c |
c.getAnOperand().getGlobalValueNumber() = this.asExpr().getGlobalValueNumber()
)
}
}
/** Mark an empty string returned with an error as a sanitizer */
class EmptyErrorSanitizer extends Sanitizer {
EmptyErrorSanitizer() {
exists(ReturnStmt r, DataFlow::CallNode c |
c.getTarget().hasQualifiedName("errors", "New") and
r.getNumChild() > 1 and
r.getAChild() = c.getAResult().getASuccessor*().asExpr() and
r.getAChild() = this.asExpr()
)
}
}
/** Mark any formatting string call as a sanitizer */
class FormattingSanitizer extends Sanitizer {
FormattingSanitizer() { exists(Formatting::StringFormatCall s | s.getAResult() = this) }
}
/**
* Mark any taint arising from a read on a tainted slice with a random index as a
* sanitizer for all instances of the taint
*/
private class RandSliceSanitizer extends Sanitizer {
RandSliceSanitizer() {
exists(DataFlow::CallNode randint, string name, DataFlow::ElementReadNode r |
(
randint.getTarget().hasQualifiedName("math/rand", name) or
randint.getTarget().(Method).hasQualifiedName("math/rand", "Rand", name)
) and
name =
[
"ExpFloat64", "Float32", "Float64", "Int", "Int31", "Int31n", "Int63", "Int63n", "Intn",
"NormFloat64", "Uint32", "Uint64"
] and
r.reads(this, randint.getAResult().getASuccessor*())
)
or
// Sanitize flows like this:
// func GenerateCryptoString(n int) (string, error) {
// const chars = "123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-"
// ret := make([]byte, n)
// for i := range ret {
// num, err := crand.Int(crand.Reader, big.NewInt(int64(len(chars))))
// if err != nil {
// return "", err
// }
// ret[i] = chars[num.Int64()]
// }
// return string(ret), nil
// }
exists(
DataFlow::CallNode randint, DataFlow::MethodCallNode bigint, DataFlow::ElementReadNode r
|
randint.getTarget().hasQualifiedName("crypto/rand", "Int") and
bigint.getTarget().hasQualifiedName("math/big", "Int", "Int64") and
bigint.getReceiver() = randint.getResult(0).getASuccessor*() and
r.reads(this, bigint.getAResult().getASuccessor*())
)
or
// Sanitize flows like :
// func GenerateRandomString(size int) string {
// var bytes = make([]byte, size)
// rand.Read(bytes)
// for i, x := range bytes {
// bytes[i] = characters[x%byte(len(characters))]
// }
// return string(bytes)
// }
exists(DataFlow::CallNode randread, DataFlow::Node rand, DataFlow::ElementReadNode r |
randread.getTarget().hasQualifiedName("crypto/rand", "Read") and
TaintTracking::localTaint(randread.getArgument(0).getAPredecessor*().getASuccessor*(), rand) and
(
exists(ModExpr e | e.getAnOperand() = rand.asExpr() |
r.reads(this, e.getGlobalValueNumber().getANode())
)
or
r.reads(this.getAPredecessor*(), rand)
)
)
}
}
/**
* A configuration depicting taint flow for studying JWT token signing vulnerabilities.
*/
class Configuration extends TaintTracking::Configuration {
Configuration() { this = "Hard-coded JWT Signing Key" }
override predicate isSource(DataFlow::Node source) { source instanceof Source }
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof Sanitizer }
override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
guard instanceof SanitizerGuard
}
}
}

68
go/ql/test/experimental/CWE-321/HardcodedKeys.expected Normal file
View File

@@ -0,0 +1,68 @@
edges
| HardcodedKeysBad.go:11:18:11:38 | type conversion : string | HardcodedKeysBad.go:19:28:19:39 | mySigningKey |
| HardcodedKeysBad.go:11:25:11:37 | "AllYourBase" : string | HardcodedKeysBad.go:11:18:11:38 | type conversion : string |
| main.go:25:18:25:31 | type conversion : string | main.go:34:28:34:39 | mySigningKey |
| main.go:25:25:25:30 | "key1" : string | main.go:25:18:25:31 | type conversion : string |
| main.go:42:23:42:28 | "key2" : string | main.go:42:16:42:29 | type conversion |
| main.go:60:9:60:22 | type conversion : string | main.go:61:44:61:46 | key |
| main.go:60:16:60:21 | `key3` : string | main.go:60:9:60:22 | type conversion : string |
| main.go:65:9:65:22 | type conversion : string | main.go:66:66:66:68 | key |
| main.go:65:16:65:21 | "key4" : string | main.go:65:9:65:22 | type conversion : string |
| main.go:69:10:69:23 | type conversion : string | main.go:74:15:74:18 | key2 |
| main.go:69:17:69:22 | "key5" : string | main.go:69:10:69:23 | type conversion : string |
| main.go:80:9:80:22 | type conversion : string | main.go:84:41:84:43 | key |
| main.go:80:16:80:21 | "key6" : string | main.go:80:9:80:22 | type conversion : string |
| main.go:89:10:89:23 | type conversion : string | main.go:91:66:91:69 | key2 |
| main.go:89:17:89:22 | "key7" : string | main.go:89:10:89:23 | type conversion : string |
| main.go:97:9:97:22 | type conversion : string | main.go:103:30:103:32 | key |
| main.go:97:16:97:21 | "key8" : string | main.go:97:9:97:22 | type conversion : string |
| main.go:107:15:107:28 | type conversion : string | main.go:108:16:108:24 | sharedKey |
| main.go:107:22:107:27 | "key9" : string | main.go:107:15:107:28 | type conversion : string |
| main.go:111:23:111:37 | type conversion : string | main.go:114:16:114:30 | sharedKeyglobal |
| main.go:111:30:111:36 | "key10" : string | main.go:111:23:111:37 | type conversion : string |
nodes
| HardcodedKeysBad.go:11:18:11:38 | type conversion : string | semmle.label | type conversion : string |
| HardcodedKeysBad.go:11:25:11:37 | "AllYourBase" : string | semmle.label | "AllYourBase" : string |
| HardcodedKeysBad.go:19:28:19:39 | mySigningKey | semmle.label | mySigningKey |
| main.go:25:18:25:31 | type conversion : string | semmle.label | type conversion : string |
| main.go:25:25:25:30 | "key1" : string | semmle.label | "key1" : string |
| main.go:34:28:34:39 | mySigningKey | semmle.label | mySigningKey |
| main.go:42:16:42:29 | type conversion | semmle.label | type conversion |
| main.go:42:23:42:28 | "key2" : string | semmle.label | "key2" : string |
| main.go:60:9:60:22 | type conversion : string | semmle.label | type conversion : string |
| main.go:60:16:60:21 | `key3` : string | semmle.label | `key3` : string |
| main.go:61:44:61:46 | key | semmle.label | key |
| main.go:65:9:65:22 | type conversion : string | semmle.label | type conversion : string |
| main.go:65:16:65:21 | "key4" : string | semmle.label | "key4" : string |
| main.go:66:66:66:68 | key | semmle.label | key |
| main.go:69:10:69:23 | type conversion : string | semmle.label | type conversion : string |
| main.go:69:17:69:22 | "key5" : string | semmle.label | "key5" : string |
| main.go:74:15:74:18 | key2 | semmle.label | key2 |
| main.go:80:9:80:22 | type conversion : string | semmle.label | type conversion : string |
| main.go:80:16:80:21 | "key6" : string | semmle.label | "key6" : string |
| main.go:84:41:84:43 | key | semmle.label | key |
| main.go:89:10:89:23 | type conversion : string | semmle.label | type conversion : string |
| main.go:89:17:89:22 | "key7" : string | semmle.label | "key7" : string |
| main.go:91:66:91:69 | key2 | semmle.label | key2 |
| main.go:97:9:97:22 | type conversion : string | semmle.label | type conversion : string |
| main.go:97:16:97:21 | "key8" : string | semmle.label | "key8" : string |
| main.go:103:30:103:32 | key | semmle.label | key |
| main.go:107:15:107:28 | type conversion : string | semmle.label | type conversion : string |
| main.go:107:22:107:27 | "key9" : string | semmle.label | "key9" : string |
| main.go:108:16:108:24 | sharedKey | semmle.label | sharedKey |
| main.go:111:23:111:37 | type conversion : string | semmle.label | type conversion : string |
| main.go:111:30:111:36 | "key10" : string | semmle.label | "key10" : string |
| main.go:114:16:114:30 | sharedKeyglobal | semmle.label | sharedKeyglobal |
subpaths
#select
| HardcodedKeysBad.go:19:28:19:39 | mySigningKey | HardcodedKeysBad.go:11:25:11:37 | "AllYourBase" : string | HardcodedKeysBad.go:19:28:19:39 | mySigningKey | $@ is used to sign a JWT token. | HardcodedKeysBad.go:11:25:11:37 | "AllYourBase" | Hardcoded String |
| main.go:34:28:34:39 | mySigningKey | main.go:25:25:25:30 | "key1" : string | main.go:34:28:34:39 | mySigningKey | $@ is used to sign a JWT token. | main.go:25:25:25:30 | "key1" | Hardcoded String |
| main.go:42:16:42:29 | type conversion | main.go:42:23:42:28 | "key2" : string | main.go:42:16:42:29 | type conversion | $@ is used to sign a JWT token. | main.go:42:23:42:28 | "key2" | Hardcoded String |
| main.go:61:44:61:46 | key | main.go:60:16:60:21 | `key3` : string | main.go:61:44:61:46 | key | $@ is used to sign a JWT token. | main.go:60:16:60:21 | `key3` | Hardcoded String |
| main.go:66:66:66:68 | key | main.go:65:16:65:21 | "key4" : string | main.go:66:66:66:68 | key | $@ is used to sign a JWT token. | main.go:65:16:65:21 | "key4" | Hardcoded String |
| main.go:74:15:74:18 | key2 | main.go:69:17:69:22 | "key5" : string | main.go:74:15:74:18 | key2 | $@ is used to sign a JWT token. | main.go:69:17:69:22 | "key5" | Hardcoded String |
| main.go:84:41:84:43 | key | main.go:80:16:80:21 | "key6" : string | main.go:84:41:84:43 | key | $@ is used to sign a JWT token. | main.go:80:16:80:21 | "key6" | Hardcoded String |
| main.go:91:66:91:69 | key2 | main.go:89:17:89:22 | "key7" : string | main.go:91:66:91:69 | key2 | $@ is used to sign a JWT token. | main.go:89:17:89:22 | "key7" | Hardcoded String |
| main.go:103:30:103:32 | key | main.go:97:16:97:21 | "key8" : string | main.go:103:30:103:32 | key | $@ is used to sign a JWT token. | main.go:97:16:97:21 | "key8" | Hardcoded String |
| main.go:108:16:108:24 | sharedKey | main.go:107:22:107:27 | "key9" : string | main.go:108:16:108:24 | sharedKey | $@ is used to sign a JWT token. | main.go:107:22:107:27 | "key9" | Hardcoded String |
| main.go:114:16:114:30 | sharedKeyglobal | main.go:111:30:111:36 | "key10" : string | main.go:114:16:114:30 | sharedKeyglobal | $@ is used to sign a JWT token. | main.go:111:30:111:36 | "key10" | Hardcoded String |

1
go/ql/test/experimental/CWE-321/HardcodedKeys.qlref Normal file
View File

@@ -0,0 +1 @@
experimental/CWE-321/HardcodedKeys.ql

20
go/ql/test/experimental/CWE-321/HardcodedKeysBad.go Normal file
View File

@@ -0,0 +1,20 @@
package main
import (
"time"
jwt "github.com/golang-jwt/jwt/v4"
)
func bad() (interface{}, error) {
mySigningKey := []byte("AllYourBase")
claims := &jwt.RegisteredClaims{
ExpiresAt: jwt.NewNumericDate(time.Unix(1516239022, 0)),
Issuer: "test",
}
token := jwt.NewWithClaims(nil, claims)
return token.SignedString(mySigningKey)
}

38
go/ql/test/experimental/CWE-321/HardcodedKeysGood.go Normal file
View File

@@ -0,0 +1,38 @@
package main
import (
crand "crypto/rand"
"fmt"
"math/big"
"time"
jwt "github.com/golang-jwt/jwt/v4"
)
func GenerateCryptoString(n int) (string, error) {
const chars = "123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-"
ret := make([]byte, n)
for i := range ret {
num, err := crand.Int(crand.Reader, big.NewInt(int64(len(chars))))
if err != nil {
return "", err
}
ret[i] = chars[num.Int64()]
}
return string(ret), nil
}
func good() (interface{}, error) {
mySigningKey, err := GenerateCryptoString(64)
if mySigningKey == "" {
_ = fmt.Errorf("Error : %s", err)
}
claims := &jwt.RegisteredClaims{
ExpiresAt: jwt.NewNumericDate(time.Unix(1516239022, 0)),
Issuer: "test",
}
token := jwt.NewWithClaims(nil, claims)
return token.SignedString(mySigningKey)
}

41
go/ql/test/experimental/CWE-321/go.mod Normal file
View File

@@ -0,0 +1,41 @@
module main
go 1.18
require (
github.com/appleboy/gin-jwt/v2 v2.8.0
github.com/cristalhq/jwt/v3 v3.1.0
github.com/go-kit/kit v0.12.0
github.com/golang-jwt/jwt/v4 v4.4.1
github.com/lestrrat/go-jwx v0.9.1
github.com/square/go-jose/v3 v3.0.0-20200630053402-0a67ce9b0693
gopkg.in/square/go-jose.v2 v2.6.0
)
require (
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/gin-contrib/sse v0.1.0 // indirect
github.com/gin-gonic/gin v1.7.7 // indirect
github.com/go-kit/log v0.2.0 // indirect
github.com/go-logfmt/logfmt v0.5.1 // indirect
github.com/go-playground/locales v0.13.0 // indirect
github.com/go-playground/universal-translator v0.17.0 // indirect
github.com/go-playground/validator/v10 v10.4.1 // indirect
github.com/golang/protobuf v1.5.2 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/leodido/go-urn v1.2.0 // indirect
github.com/lestrrat/go-pdebug v0.0.0-20180220043741-569c97477ae8 // indirect
github.com/mattn/go-isatty v0.0.14 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/ugorji/go/codec v1.1.7 // indirect
golang.org/x/crypto v0.0.0-20210915214749-c084706c2272 // indirect
golang.org/x/net v0.0.0-20210917221730-978cfadd31cf // indirect
golang.org/x/sys v0.0.0-20210917161153-d61c044b1678 // indirect
golang.org/x/text v0.3.7 // indirect
google.golang.org/genproto v0.0.0-20210917145530-b395a37504d4 // indirect
google.golang.org/grpc v1.40.0 // indirect
google.golang.org/protobuf v1.27.1 // indirect
gopkg.in/yaml.v2 v2.2.8 // indirect
)

127
go/ql/test/experimental/CWE-321/main.go Normal file
View File

@@ -0,0 +1,127 @@
package main
//go:generate depstubber -vendor github.com/appleboy/gin-jwt/v2 GinJWTMiddleware New
//go:generate depstubber -vendor github.com/golang-jwt/jwt/v4 MapClaims,RegisteredClaims,SigningMethodRSA,SigningMethodHMAC,Token NewNumericDate,NewWithClaims
//go:generate depstubber -vendor github.com/gin-gonic/gin Context New
//go:generate depstubber -vendor github.com/go-kit/kit/auth/jwt "" NewSigner
//go:generate depstubber -vendor github.com/lestrrat/go-jwx/jwk "" New
//go:generate depstubber -vendor github.com/square/go-jose/v3 Recipient NewEncrypter,NewSigner
//go:generate depstubber -vendor gopkg.in/square/go-jose.v2 Recipient NewEncrypter,NewSigner
////go:generate depstubber -vendor github.com/cristalhq/jwt/v3 Signer NewSignerHS,HS256
import (
"time"
jwt "github.com/appleboy/gin-jwt/v2"
cristal "github.com/cristalhq/jwt/v3"
gokit "github.com/go-kit/kit/auth/jwt"
gjwt "github.com/golang-jwt/jwt/v4"
le "github.com/lestrrat/go-jwx/jwk"
jose_v3 "github.com/square/go-jose/v3"
jose_v2 "gopkg.in/square/go-jose.v2"
)
func gjwtt() (interface{}, error) {
mySigningKey := []byte("key1")
// Create the Claims
claims := &gjwt.RegisteredClaims{
ExpiresAt: gjwt.NewNumericDate(time.Unix(1516239022, 0)),
Issuer: "test",
}
token := gjwt.NewWithClaims(nil, claims)
return token.SignedString(mySigningKey) // BAD
}
func gin_jwt() (interface{}, error) {
var identityKey = "id"
// authMiddleware, err :=
return jwt.New(&jwt.GinJWTMiddleware{
Realm: "test zone",
Key: []byte("key2"), // BAD
Timeout: time.Hour,
MaxRefresh: time.Hour,
IdentityKey: identityKey,
PayloadFunc: func(data interface{}) jwt.MapClaims {
return nil
},
IdentityHandler: nil,
Authenticator: nil,
Authorizator: nil,
Unauthorized: nil,
TokenLookup: "header: Authorization, query: token, cookie: jwt",
TokenHeadName: "Bearer",
TimeFunc: time.Now,
})
}
func cristalhq() (interface{}, error) {
key := []byte(`key3`)
return cristal.NewSignerHS(cristal.HS256, key) // BAD
}
func josev3() (interface{}, error) {
key := []byte("key4")
return jose_v3.NewSigner(jose_v3.SigningKey{Algorithm: "", Key: key}, nil) // BAD
}
func josev3_2() (interface{}, error) {
key2 := []byte("key5")
return jose_v3.NewEncrypter(
"",
jose_v3.Recipient{
Algorithm: "",
Key: key2, // BAD
},
nil)
}
func josev2() (interface{}, error) {
key := []byte("key6")
return jose_v2.NewEncrypter(
"",
jose_v2.Recipient{Algorithm: "", Key: key}, // BAD
nil,
)
}
func jose_v2_2() (interface{}, error) {
key2 := []byte("key7")
return jose_v2.NewSigner(jose_v2.SigningKey{Algorithm: "", Key: key2}, nil) // BAD
}
func go_kit() interface{} {
var (
kid = "kid"
key = []byte("key8")
mapClaims = gjwt.MapClaims{"user": "go-kit"}
)
// e := func(ctx context.Context, i interface{}) (interface{}, error) { return ctx, nil }
return gokit.NewSigner(kid, key, nil, mapClaims) // BAD
}
func lejwt() (interface{}, error) {
sharedKey := []byte("key9")
return le.New(sharedKey) // BAD
}
var sharedKeyglobal = []byte("key10")
func lejwt2() (interface{}, error) {
return le.New(sharedKeyglobal) // BAD
}
func BarrierGuardTest() (interface{}, error) {
sharedKey := ""
if sharedKey != "" {
return le.New([]byte(sharedKey)) // GOOD
}
return "", nil
}
func main() {
return
}

93
go/ql/test/experimental/CWE-321/vendor/github.com/appleboy/gin-jwt/v2/stub.go generated vendored Normal file
View File

@@ -0,0 +1,93 @@
// Code generated by depstubber. DO NOT EDIT.
// This is a simple stub for github.com/appleboy/gin-jwt/v2, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: github.com/appleboy/gin-jwt/v2 (exports: GinJWTMiddleware; functions: New)
// Package gin is a stub of github.com/appleboy/gin-jwt/v2, generated by depstubber.
package gin
import (
http "net/http"
time "time"
)
type GinJWTMiddleware struct {
Realm string
SigningAlgorithm string
Key []byte
KeyFunc func(interface{}) (interface{}, error)
Timeout time.Duration
MaxRefresh time.Duration
Authenticator func(interface{}) (interface{}, error)
Authorizator func(interface{}, interface{}) bool
PayloadFunc func(interface{}) MapClaims
Unauthorized func(interface{}, int, string)
LoginResponse func(interface{}, int, string, time.Time)
LogoutResponse func(interface{}, int)
RefreshResponse func(interface{}, int, string, time.Time)
IdentityHandler func(interface{}) interface{}
IdentityKey string
TokenLookup string
TokenHeadName string
TimeFunc func() time.Time
HTTPStatusMessageFunc func(error, interface{}) string
PrivKeyFile string
PrivKeyBytes []byte
PubKeyFile string
PrivateKeyPassphrase string
PubKeyBytes []byte
SendCookie bool
CookieMaxAge time.Duration
SecureCookie bool
CookieHTTPOnly bool
CookieDomain string
SendAuthorization bool
DisabledAbort bool
CookieName string
CookieSameSite http.SameSite
}
func (_ *GinJWTMiddleware) CheckIfTokenExpire(_ interface{}) (interface{}, error) {
return nil, nil
}
func (_ *GinJWTMiddleware) GetClaimsFromJWT(_ interface{}) (MapClaims, error) {
return nil, nil
}
func (_ *GinJWTMiddleware) LoginHandler(_ interface{}) {}
func (_ *GinJWTMiddleware) LogoutHandler(_ interface{}) {}
func (_ *GinJWTMiddleware) MiddlewareFunc() interface{} {
return nil
}
func (_ *GinJWTMiddleware) MiddlewareInit() error {
return nil
}
func (_ *GinJWTMiddleware) ParseToken(_ interface{}) (interface{}, error) {
return nil, nil
}
func (_ *GinJWTMiddleware) ParseTokenString(_ string) (interface{}, error) {
return nil, nil
}
func (_ *GinJWTMiddleware) RefreshHandler(_ interface{}) {}
func (_ *GinJWTMiddleware) RefreshToken(_ interface{}) (string, time.Time, error) {
return "", time.Time{}, nil
}
func (_ *GinJWTMiddleware) TokenGenerator(_ interface{}) (string, time.Time, error) {
return "", time.Time{}, nil
}
type MapClaims map[string]interface{}
func New(_ *GinJWTMiddleware) (*GinJWTMiddleware, error) {
return nil, nil
}

26
go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/stub.go generated vendored Normal file
View File

@@ -0,0 +1,26 @@
// Code generated by depstubber. DO NOT EDIT.
// This is a simple stub for github.com/cristalhq/jwt/v3, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: github.com/cristalhq/jwt/v3 (exports: Signer; functions: NewSignerHS,HS256)
// Package jwt is a stub of github.com/cristalhq/jwt/v3, generated by depstubber.
package jwt
type Algorithm string
func (_ Algorithm) String() string {
return ""
}
var HS256 Algorithm = ""
func NewSignerHS(_ Algorithm, _ []byte) (Signer, error) {
return nil, nil
}
type Signer interface {
Algorithm() Algorithm
Sign(_ []byte) ([]byte, error)
SignSize() int
}

681
go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/stub.go generated vendored Normal file
View File

@@ -0,0 +1,681 @@
// Code generated by depstubber. DO NOT EDIT.
// This is a simple stub for github.com/gin-gonic/gin, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: github.com/gin-gonic/gin (exports: Context; functions: New)
// Package gin is a stub of github.com/gin-gonic/gin, generated by depstubber.
package gin
import (
bufio "bufio"
template "html/template"
io "io"
multipart "mime/multipart"
net "net"
http "net/http"
time "time"
)
type Context struct {
Request *http.Request
Writer ResponseWriter
Params Params
Keys map[string]interface{}
Errors interface{}
Accepted []string
}
func (_ *Context) Abort() {}
func (_ *Context) AbortWithError(_ int, _ error) *Error {
return nil
}
func (_ *Context) AbortWithStatus(_ int) {}
func (_ *Context) AbortWithStatusJSON(_ int, _ interface{}) {}
func (_ *Context) AsciiJSON(_ int, _ interface{}) {}
func (_ *Context) Bind(_ interface{}) error {
return nil
}
func (_ *Context) BindHeader(_ interface{}) error {
return nil
}
func (_ *Context) BindJSON(_ interface{}) error {
return nil
}
func (_ *Context) BindQuery(_ interface{}) error {
return nil
}
func (_ *Context) BindUri(_ interface{}) error {
return nil
}
func (_ *Context) BindWith(_ interface{}, _ interface{}) error {
return nil
}
func (_ *Context) BindXML(_ interface{}) error {
return nil
}
func (_ *Context) BindYAML(_ interface{}) error {
return nil
}
func (_ *Context) ClientIP() string {
return ""
}
func (_ *Context) ContentType() string {
return ""
}
func (_ *Context) Cookie(_ string) (string, error) {
return "", nil
}
func (_ *Context) Copy() *Context {
return nil
}
func (_ *Context) Data(_ int, _ string, _ []byte) {}
func (_ *Context) DataFromReader(_ int, _ int64, _ string, _ io.Reader, _ map[string]string) {}
func (_ *Context) Deadline() (time.Time, bool) {
return time.Time{}, false
}
func (_ *Context) DefaultPostForm(_ string, _ string) string {
return ""
}
func (_ *Context) DefaultQuery(_ string, _ string) string {
return ""
}
func (_ *Context) Done() <-chan struct{} {
return nil
}
func (_ *Context) Err() error {
return nil
}
func (_ *Context) Error(_ error) *Error {
return nil
}
func (_ *Context) File(_ string) {}
func (_ *Context) FileAttachment(_ string, _ string) {}
func (_ *Context) FileFromFS(_ string, _ http.FileSystem) {}
func (_ *Context) FormFile(_ string) (*multipart.FileHeader, error) {
return nil, nil
}
func (_ *Context) FullPath() string {
return ""
}
func (_ *Context) Get(_ string) (interface{}, bool) {
return nil, false
}
func (_ *Context) GetBool(_ string) bool {
return false
}
func (_ *Context) GetDuration(_ string) time.Duration {
return 0
}
func (_ *Context) GetFloat64(_ string) float64 {
return 0
}
func (_ *Context) GetHeader(_ string) string {
return ""
}
func (_ *Context) GetInt(_ string) int {
return 0
}
func (_ *Context) GetInt64(_ string) int64 {
return 0
}
func (_ *Context) GetPostForm(_ string) (string, bool) {
return "", false
}
func (_ *Context) GetPostFormArray(_ string) ([]string, bool) {
return nil, false
}
func (_ *Context) GetPostFormMap(_ string) (map[string]string, bool) {
return nil, false
}
func (_ *Context) GetQuery(_ string) (string, bool) {
return "", false
}
func (_ *Context) GetQueryArray(_ string) ([]string, bool) {
return nil, false
}
func (_ *Context) GetQueryMap(_ string) (map[string]string, bool) {
return nil, false
}
func (_ *Context) GetRawData() ([]byte, error) {
return nil, nil
}
func (_ *Context) GetString(_ string) string {
return ""
}
func (_ *Context) GetStringMap(_ string) map[string]interface{} {
return nil
}
func (_ *Context) GetStringMapString(_ string) map[string]string {
return nil
}
func (_ *Context) GetStringMapStringSlice(_ string) map[string][]string {
return nil
}
func (_ *Context) GetStringSlice(_ string) []string {
return nil
}
func (_ *Context) GetTime(_ string) time.Time {
return time.Time{}
}
func (_ *Context) GetUint(_ string) uint {
return 0
}
func (_ *Context) GetUint64(_ string) uint64 {
return 0
}
func (_ *Context) HTML(_ int, _ string, _ interface{}) {}
func (_ *Context) Handler() HandlerFunc {
return nil
}
func (_ *Context) HandlerName() string {
return ""
}
func (_ *Context) HandlerNames() []string {
return nil
}
func (_ *Context) Header(_ string, _ string) {}
func (_ *Context) IndentedJSON(_ int, _ interface{}) {}
func (_ *Context) IsAborted() bool {
return false
}
func (_ *Context) IsWebsocket() bool {
return false
}
func (_ *Context) JSON(_ int, _ interface{}) {}
func (_ *Context) JSONP(_ int, _ interface{}) {}
func (_ *Context) MultipartForm() (*multipart.Form, error) {
return nil, nil
}
func (_ *Context) MustBindWith(_ interface{}, _ interface{}) error {
return nil
}
func (_ *Context) MustGet(_ string) interface{} {
return nil
}
func (_ *Context) Negotiate(_ int, _ Negotiate) {}
func (_ *Context) NegotiateFormat(_ ...string) string {
return ""
}
func (_ *Context) Next() {}
func (_ *Context) Param(_ string) string {
return ""
}
func (_ *Context) PostForm(_ string) string {
return ""
}
func (_ *Context) PostFormArray(_ string) []string {
return nil
}
func (_ *Context) PostFormMap(_ string) map[string]string {
return nil
}
func (_ *Context) ProtoBuf(_ int, _ interface{}) {}
func (_ *Context) PureJSON(_ int, _ interface{}) {}
func (_ *Context) Query(_ string) string {
return ""
}
func (_ *Context) QueryArray(_ string) []string {
return nil
}
func (_ *Context) QueryMap(_ string) map[string]string {
return nil
}
func (_ *Context) Redirect(_ int, _ string) {}
func (_ *Context) RemoteIP() (net.IP, bool) {
return nil, false
}
func (_ *Context) Render(_ int, _ interface{}) {}
func (_ *Context) SSEvent(_ string, _ interface{}) {}
func (_ *Context) SaveUploadedFile(_ *multipart.FileHeader, _ string) error {
return nil
}
func (_ *Context) SecureJSON(_ int, _ interface{}) {}
func (_ *Context) Set(_ string, _ interface{}) {}
func (_ *Context) SetAccepted(_ ...string) {}
func (_ *Context) SetCookie(_ string, _ string, _ int, _ string, _ string, _ bool, _ bool) {}
func (_ *Context) SetSameSite(_ http.SameSite) {}
func (_ *Context) ShouldBind(_ interface{}) error {
return nil
}
func (_ *Context) ShouldBindBodyWith(_ interface{}, _ interface{}) error {
return nil
}
func (_ *Context) ShouldBindHeader(_ interface{}) error {
return nil
}
func (_ *Context) ShouldBindJSON(_ interface{}) error {
return nil
}
func (_ *Context) ShouldBindQuery(_ interface{}) error {
return nil
}
func (_ *Context) ShouldBindUri(_ interface{}) error {
return nil
}
func (_ *Context) ShouldBindWith(_ interface{}, _ interface{}) error {
return nil
}
func (_ *Context) ShouldBindXML(_ interface{}) error {
return nil
}
func (_ *Context) ShouldBindYAML(_ interface{}) error {
return nil
}
func (_ *Context) Status(_ int) {}
func (_ *Context) Stream(_ func(io.Writer) bool) bool {
return false
}
func (_ *Context) String(_ int, _ string, _ ...interface{}) {}
func (_ *Context) Value(_ interface{}) interface{} {
return nil
}
func (_ *Context) XML(_ int, _ interface{}) {}
func (_ *Context) YAML(_ int, _ interface{}) {}
type Engine struct {
RouterGroup RouterGroup
RedirectTrailingSlash bool
RedirectFixedPath bool
HandleMethodNotAllowed bool
ForwardedByClientIP bool
AppEngine bool
UseRawPath bool
UnescapePathValues bool
RemoveExtraSlash bool
RemoteIPHeaders []string
TrustedPlatform string
MaxMultipartMemory int64
HTMLRender interface{}
FuncMap template.FuncMap
}
func (_ *Engine) Any(_ string, _ ...HandlerFunc) IRoutes {
return nil
}
func (_ *Engine) BasePath() string {
return ""
}
func (_ *Engine) DELETE(_ string, _ ...HandlerFunc) IRoutes {
return nil
}
func (_ *Engine) Delims(_ string, _ string) *Engine {
return nil
}
func (_ *Engine) GET(_ string, _ ...HandlerFunc) IRoutes {
return nil
}
func (_ *Engine) Group(_ string, _ ...HandlerFunc) *RouterGroup {
return nil
}
func (_ *Engine) HEAD(_ string, _ ...HandlerFunc) IRoutes {
return nil
}
func (_ *Engine) Handle(_ string, _ string, _ ...HandlerFunc) IRoutes {
return nil
}
func (_ *Engine) HandleContext(_ *Context) {}
func (_ *Engine) LoadHTMLFiles(_ ...string) {}
func (_ *Engine) LoadHTMLGlob(_ string) {}
func (_ *Engine) NoMethod(_ ...HandlerFunc) {}
func (_ *Engine) NoRoute(_ ...HandlerFunc) {}
func (_ *Engine) OPTIONS(_ string, _ ...HandlerFunc) IRoutes {
return nil
}
func (_ *Engine) PATCH(_ string, _ ...HandlerFunc) IRoutes {
return nil
}
func (_ *Engine) POST(_ string, _ ...HandlerFunc) IRoutes {
return nil
}
func (_ *Engine) PUT(_ string, _ ...HandlerFunc) IRoutes {
return nil
}
func (_ *Engine) Routes() RoutesInfo {
return nil
}
func (_ *Engine) Run(_ ...string) error {
return nil
}
func (_ *Engine) RunFd(_ int) error {
return nil
}
func (_ *Engine) RunListener(_ net.Listener) error {
return nil
}
func (_ *Engine) RunTLS(_ string, _ string, _ string) error {
return nil
}
func (_ *Engine) RunUnix(_ string) error {
return nil
}
func (_ *Engine) SecureJsonPrefix(_ string) *Engine {
return nil
}
func (_ *Engine) ServeHTTP(_ http.ResponseWriter, _ *http.Request) {}
func (_ *Engine) SetFuncMap(_ template.FuncMap) {}
func (_ *Engine) SetHTMLTemplate(_ *template.Template) {}
func (_ *Engine) SetTrustedProxies(_ []string) error {
return nil
}
func (_ *Engine) Static(_ string, _ string) IRoutes {
return nil
}
func (_ *Engine) StaticFS(_ string, _ http.FileSystem) IRoutes {
return nil
}
func (_ *Engine) StaticFile(_ string, _ string) IRoutes {
return nil
}
func (_ *Engine) Use(_ ...HandlerFunc) IRoutes {
return nil
}
type Error struct {
Err error
Type ErrorType
Meta interface{}
}
func (_ Error) Error() string {
return ""
}
func (_ *Error) IsType(_ ErrorType) bool {
return false
}
func (_ *Error) JSON() interface{} {
return nil
}
func (_ *Error) MarshalJSON() ([]byte, error) {
return nil, nil
}
func (_ *Error) SetMeta(_ interface{}) *Error {
return nil
}
func (_ *Error) SetType(_ ErrorType) *Error {
return nil
}
func (_ *Error) Unwrap() error {
return nil
}
type ErrorType uint64
type HandlerFunc func(*Context)
type HandlersChain []HandlerFunc
func (_ HandlersChain) Last() HandlerFunc {
return nil
}
type IRoutes interface {
Any(_ string, _ ...HandlerFunc) IRoutes
DELETE(_ string, _ ...HandlerFunc) IRoutes
GET(_ string, _ ...HandlerFunc) IRoutes
HEAD(_ string, _ ...HandlerFunc) IRoutes
Handle(_ string, _ string, _ ...HandlerFunc) IRoutes
OPTIONS(_ string, _ ...HandlerFunc) IRoutes
PATCH(_ string, _ ...HandlerFunc) IRoutes
POST(_ string, _ ...HandlerFunc) IRoutes
PUT(_ string, _ ...HandlerFunc) IRoutes
Static(_ string, _ string) IRoutes
StaticFS(_ string, _ http.FileSystem) IRoutes
StaticFile(_ string, _ string) IRoutes
Use(_ ...HandlerFunc) IRoutes
}
type Negotiate struct {
Offered []string
HTMLName string
HTMLData interface{}
JSONData interface{}
XMLData interface{}
YAMLData interface{}
Data interface{}
}
func New() *Engine {
return nil
}
type Param struct {
Key string
Value string
}
type Params []Param
func (_ Params) ByName(_ string) string {
return ""
}
func (_ Params) Get(_ string) (string, bool) {
return "", false
}
type ResponseWriter interface {
CloseNotify() <-chan bool
Flush()
Header() http.Header
Hijack() (net.Conn, *bufio.ReadWriter, error)
Pusher() http.Pusher
Size() int
Status() int
Write(_ []byte) (int, error)
WriteHeader(_ int)
WriteHeaderNow()
WriteString(_ string) (int, error)
Written() bool
}
type RouteInfo struct {
Method string
Path string
Handler string
HandlerFunc HandlerFunc
}
type RouterGroup struct {
Handlers HandlersChain
}
func (_ *RouterGroup) Any(_ string, _ ...HandlerFunc) IRoutes {
return nil
}
func (_ *RouterGroup) BasePath() string {
return ""
}
func (_ *RouterGroup) DELETE(_ string, _ ...HandlerFunc) IRoutes {
return nil
}
func (_ *RouterGroup) GET(_ string, _ ...HandlerFunc) IRoutes {
return nil
}
func (_ *RouterGroup) Group(_ string, _ ...HandlerFunc) *RouterGroup {
return nil
}
func (_ *RouterGroup) HEAD(_ string, _ ...HandlerFunc) IRoutes {
return nil
}
func (_ *RouterGroup) Handle(_ string, _ string, _ ...HandlerFunc) IRoutes {
return nil
}
func (_ *RouterGroup) OPTIONS(_ string, _ ...HandlerFunc) IRoutes {
return nil
}
func (_ *RouterGroup) PATCH(_ string, _ ...HandlerFunc) IRoutes {
return nil
}
func (_ *RouterGroup) POST(_ string, _ ...HandlerFunc) IRoutes {
return nil
}
func (_ *RouterGroup) PUT(_ string, _ ...HandlerFunc) IRoutes {
return nil
}
func (_ *RouterGroup) Static(_ string, _ string) IRoutes {
return nil
}
func (_ *RouterGroup) StaticFS(_ string, _ http.FileSystem) IRoutes {
return nil
}
func (_ *RouterGroup) StaticFile(_ string, _ string) IRoutes {
return nil
}
func (_ *RouterGroup) Use(_ ...HandlerFunc) IRoutes {
return nil
}
type RoutesInfo []RouteInfo

12
go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/auth/jwt/stub.go generated vendored Normal file
View File

@@ -0,0 +1,12 @@
// Code generated by depstubber. DO NOT EDIT.
// This is a simple stub for github.com/go-kit/kit/auth/jwt, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: github.com/go-kit/kit/auth/jwt (exports: ; functions: NewSigner)
// Package jwt is a stub of github.com/go-kit/kit/auth/jwt, generated by depstubber.
package jwt
func NewSigner(_ string, _ []byte, _ interface{}, _ interface{}) interface{} {
return nil
}

328
go/ql/test/experimental/CWE-321/vendor/github.com/golang-jwt/jwt/v4/stub.go generated vendored Normal file
View File

@@ -0,0 +1,328 @@
// Code generated by depstubber. DO NOT EDIT.
// This is a simple stub for github.com/golang-jwt/jwt/v4, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: github.com/golang-jwt/jwt/v4 (exports: MapClaims,RegisteredClaims,SigningMethodRSA,SigningMethodHMAC,Token; functions: NewNumericDate,NewWithClaims)
// Package jwt is a stub of github.com/golang-jwt/jwt/v4, generated by depstubber.
package jwt
import (
crypto "crypto"
time "time"
)
type ClaimStrings []string
func (_ ClaimStrings) MarshalJSON() ([]byte, error) {
return nil, nil
}
func (_ *ClaimStrings) UnmarshalJSON(_ []byte) error {
return nil
}
type Claims interface {
Valid() error
}
type MapClaims map[string]interface{}
func (_ MapClaims) Valid() error {
return nil
}
func (_ MapClaims) VerifyAudience(_ string, _ bool) bool {
return false
}
func (_ MapClaims) VerifyExpiresAt(_ int64, _ bool) bool {
return false
}
func (_ MapClaims) VerifyIssuedAt(_ int64, _ bool) bool {
return false
}
func (_ MapClaims) VerifyIssuer(_ string, _ bool) bool {
return false
}
func (_ MapClaims) VerifyNotBefore(_ int64, _ bool) bool {
return false
}
func NewNumericDate(_ time.Time) *NumericDate {
return nil
}
func NewWithClaims(_ SigningMethod, _ Claims) *Token {
return nil
}
type NumericDate struct {
Time time.Time
}
func (_ NumericDate) Add(_ time.Duration) time.Time {
return time.Time{}
}
func (_ NumericDate) AddDate(_ int, _ int, _ int) time.Time {
return time.Time{}
}
func (_ NumericDate) After(_ time.Time) bool {
return false
}
func (_ NumericDate) AppendFormat(_ []byte, _ string) []byte {
return nil
}
func (_ NumericDate) Before(_ time.Time) bool {
return false
}
func (_ NumericDate) Clock() (int, int, int) {
return 0, 0, 0
}
func (_ NumericDate) Date() (int, time.Month, int) {
return 0, 0, 0
}
func (_ NumericDate) Day() int {
return 0
}
func (_ NumericDate) Equal(_ time.Time) bool {
return false
}
func (_ NumericDate) Format(_ string) string {
return ""
}
func (_ NumericDate) GoString() string {
return ""
}
func (_ NumericDate) GobEncode() ([]byte, error) {
return nil, nil
}
func (_ NumericDate) Hour() int {
return 0
}
func (_ NumericDate) ISOWeek() (int, int) {
return 0, 0
}
func (_ NumericDate) In(_ *time.Location) time.Time {
return time.Time{}
}
func (_ NumericDate) IsDST() bool {
return false
}
func (_ NumericDate) IsZero() bool {
return false
}
func (_ NumericDate) Local() time.Time {
return time.Time{}
}
func (_ NumericDate) Location() *time.Location {
return nil
}
func (_ NumericDate) MarshalBinary() ([]byte, error) {
return nil, nil
}
func (_ NumericDate) MarshalJSON() ([]byte, error) {
return nil, nil
}
func (_ NumericDate) MarshalText() ([]byte, error) {
return nil, nil
}
func (_ NumericDate) Minute() int {
return 0
}
func (_ NumericDate) Month() time.Month {
return 0
}
func (_ NumericDate) Nanosecond() int {
return 0
}
func (_ NumericDate) Round(_ time.Duration) time.Time {
return time.Time{}
}
func (_ NumericDate) Second() int {
return 0
}
func (_ NumericDate) String() string {
return ""
}
func (_ NumericDate) Sub(_ time.Time) time.Duration {
return 0
}
func (_ NumericDate) Truncate(_ time.Duration) time.Time {
return time.Time{}
}
func (_ NumericDate) UTC() time.Time {
return time.Time{}
}
func (_ NumericDate) Unix() int64 {
return 0
}
func (_ NumericDate) UnixMicro() int64 {
return 0
}
func (_ NumericDate) UnixMilli() int64 {
return 0
}
func (_ NumericDate) UnixNano() int64 {
return 0
}
func (_ NumericDate) Weekday() time.Weekday {
return 0
}
func (_ NumericDate) Year() int {
return 0
}
func (_ NumericDate) YearDay() int {
return 0
}
func (_ NumericDate) Zone() (string, int) {
return "", 0
}
func (_ *NumericDate) GobDecode(_ []byte) error {
return nil
}
func (_ *NumericDate) UnmarshalBinary(_ []byte) error {
return nil
}
func (_ *NumericDate) UnmarshalJSON(_ []byte) error {
return nil
}
func (_ *NumericDate) UnmarshalText(_ []byte) error {
return nil
}
type RegisteredClaims struct {
Issuer string
Subject string
Audience ClaimStrings
ExpiresAt *NumericDate
NotBefore *NumericDate
IssuedAt *NumericDate
ID string
}
func (_ RegisteredClaims) Valid() error {
return nil
}
func (_ *RegisteredClaims) VerifyAudience(_ string, _ bool) bool {
return false
}
func (_ *RegisteredClaims) VerifyExpiresAt(_ time.Time, _ bool) bool {
return false
}
func (_ *RegisteredClaims) VerifyIssuedAt(_ time.Time, _ bool) bool {
return false
}
func (_ *RegisteredClaims) VerifyIssuer(_ string, _ bool) bool {
return false
}
func (_ *RegisteredClaims) VerifyNotBefore(_ time.Time, _ bool) bool {
return false
}
type SigningMethod interface {
Alg() string
Sign(_ string, _ interface{}) (string, error)
Verify(_ string, _ string, _ interface{}) error
}
type SigningMethodHMAC struct {
Name string
Hash crypto.Hash
}
func (_ *SigningMethodHMAC) Alg() string {
return ""
}
func (_ *SigningMethodHMAC) Sign(_ string, _ interface{}) (string, error) {
return "", nil
}
func (_ *SigningMethodHMAC) Verify(_ string, _ string, _ interface{}) error {
return nil
}
type SigningMethodRSA struct {
Name string
Hash crypto.Hash
}
func (_ *SigningMethodRSA) Alg() string {
return ""
}
func (_ *SigningMethodRSA) Sign(_ string, _ interface{}) (string, error) {
return "", nil
}
func (_ *SigningMethodRSA) Verify(_ string, _ string, _ interface{}) error {
return nil
}
type Token struct {
Raw string
Method SigningMethod
Header map[string]interface{}
Claims Claims
Signature string
Valid bool
}
func (_ *Token) SignedString(_ interface{}) (string, error) {
return "", nil
}
func (_ *Token) SigningString() (string, error) {
return "", nil
}

39
go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-jwx/jwk/stub.go generated vendored Normal file
View File

@@ -0,0 +1,39 @@
// Code generated by depstubber. DO NOT EDIT.
// This is a simple stub for github.com/lestrrat/go-jwx/jwk, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: github.com/lestrrat/go-jwx/jwk (exports: ; functions: New)
// Package jwk is a stub of github.com/lestrrat/go-jwx/jwk, generated by depstubber.
package jwk
import (
crypto "crypto"
x509 "crypto/x509"
)
type Key interface {
Algorithm() string
ExtractMap(_ map[string]interface{}) error
Get(_ string) (interface{}, bool)
KeyID() string
KeyOps() []KeyOperation
KeyType() interface{}
KeyUsage() string
Materialize() (interface{}, error)
PopulateMap(_ map[string]interface{}) error
Remove(_ string)
Set(_ string, _ interface{}) error
Thumbprint(_ crypto.Hash) ([]byte, error)
Walk(_ func(string, interface{}) error) error
X509CertChain() []*x509.Certificate
X509CertThumbprint() string
X509CertThumbprintS256() string
X509URL() string
}
type KeyOperation string
func New(_ interface{}) (Key, error) {
return nil, nil
}

219
go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/stub.go generated vendored Normal file
View File

@@ -0,0 +1,219 @@
// Code generated by depstubber. DO NOT EDIT.
// This is a simple stub for github.com/square/go-jose/v3, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: github.com/square/go-jose/v3 (exports: Recipient; functions: NewEncrypter,NewSigner)
// Package go_pkg is a stub of github.com/square/go-jose/v3, generated by depstubber.
package go_pkg
import (
crypto "crypto"
x509 "crypto/x509"
url "net/url"
)
type CompressionAlgorithm string
type ContentEncryption string
type ContentType string
type Encrypter interface {
Encrypt(_ []byte) (*JSONWebEncryption, error)
EncryptWithAuthData(_ []byte, _ []byte) (*JSONWebEncryption, error)
Options() EncrypterOptions
}
type EncrypterOptions struct {
Compression CompressionAlgorithm
ExtraHeaders map[HeaderKey]interface{}
}
func (_ *EncrypterOptions) WithContentType(_ ContentType) *EncrypterOptions {
return nil
}
func (_ *EncrypterOptions) WithHeader(_ HeaderKey, _ interface{}) *EncrypterOptions {
return nil
}
func (_ *EncrypterOptions) WithType(_ ContentType) *EncrypterOptions {
return nil
}
type Header struct {
KeyID string
JSONWebKey *JSONWebKey
Algorithm string
Nonce string
ExtraHeaders map[HeaderKey]interface{}
}
func (_ Header) Certificates(_ x509.VerifyOptions) ([][]*x509.Certificate, error) {
return nil, nil
}
type HeaderKey string
type JSONWebEncryption struct {
Header Header
}
func (_ JSONWebEncryption) CompactSerialize() (string, error) {
return "", nil
}
func (_ JSONWebEncryption) Decrypt(_ interface{}) ([]byte, error) {
return nil, nil
}
func (_ JSONWebEncryption) DecryptMulti(_ interface{}) (int, Header, []byte, error) {
return 0, Header{}, nil, nil
}
func (_ JSONWebEncryption) FullSerialize() string {
return ""
}
func (_ JSONWebEncryption) GetAuthData() []byte {
return nil
}
type JSONWebKey struct {
Key interface{}
KeyID string
Algorithm string
Use string
Certificates []*x509.Certificate
CertificatesURL *url.URL
CertificateThumbprintSHA1 []byte
CertificateThumbprintSHA256 []byte
}
func (_ JSONWebKey) MarshalJSON() ([]byte, error) {
return nil, nil
}
func (_ *JSONWebKey) IsPublic() bool {
return false
}
func (_ *JSONWebKey) Public() JSONWebKey {
return JSONWebKey{}
}
func (_ *JSONWebKey) Thumbprint(_ crypto.Hash) ([]byte, error) {
return nil, nil
}
func (_ *JSONWebKey) UnmarshalJSON(_ []byte) error {
return nil
}
func (_ *JSONWebKey) Valid() bool {
return false
}
type JSONWebSignature struct {
Signatures []Signature
}
func (_ JSONWebSignature) CompactSerialize() (string, error) {
return "", nil
}
func (_ JSONWebSignature) DetachedCompactSerialize() (string, error) {
return "", nil
}
func (_ JSONWebSignature) DetachedVerify(_ []byte, _ interface{}) error {
return nil
}
func (_ JSONWebSignature) DetachedVerifyMulti(_ []byte, _ interface{}) (int, Signature, error) {
return 0, Signature{}, nil
}
func (_ JSONWebSignature) FullSerialize() string {
return ""
}
func (_ JSONWebSignature) UnsafePayloadWithoutVerification() []byte {
return nil
}
func (_ JSONWebSignature) Verify(_ interface{}) ([]byte, error) {
return nil, nil
}
func (_ JSONWebSignature) VerifyMulti(_ interface{}) (int, Signature, []byte, error) {
return 0, Signature{}, nil, nil
}
type KeyAlgorithm string
func NewEncrypter(_ ContentEncryption, _ Recipient, _ *EncrypterOptions) (Encrypter, error) {
return nil, nil
}
func NewSigner(_ SigningKey, _ *SignerOptions) (Signer, error) {
return nil, nil
}
type NonceSource interface {
Nonce() (string, error)
}
type Recipient struct {
Algorithm KeyAlgorithm
Key interface{}
KeyID string
PBES2Count int
PBES2Salt []byte
}
type Signature struct {
Header Header
Protected Header
Unprotected Header
Signature []byte
}
type SignatureAlgorithm string
type Signer interface {
Options() SignerOptions
Sign(_ []byte) (*JSONWebSignature, error)
}
type SignerOptions struct {
NonceSource NonceSource
EmbedJWK bool
ExtraHeaders map[HeaderKey]interface{}
}
func (_ *SignerOptions) WithBase64(_ bool) *SignerOptions {
return nil
}
func (_ *SignerOptions) WithContentType(_ ContentType) *SignerOptions {
return nil
}
func (_ *SignerOptions) WithCritical(_ ...string) *SignerOptions {
return nil
}
func (_ *SignerOptions) WithHeader(_ HeaderKey, _ interface{}) *SignerOptions {
return nil
}
func (_ *SignerOptions) WithType(_ ContentType) *SignerOptions {
return nil
}
type SigningKey struct {
Algorithm SignatureAlgorithm
Key interface{}
}

219
go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/stub.go generated vendored Normal file
View File

@@ -0,0 +1,219 @@
// Code generated by depstubber. DO NOT EDIT.
// This is a simple stub for gopkg.in/square/go-jose.v2, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: gopkg.in/square/go-jose.v2 (exports: Recipient; functions: NewEncrypter,NewSigner)
// Package go_pkg is a stub of gopkg.in/square/go-jose.v2, generated by depstubber.
package go_pkg
import (
crypto "crypto"
x509 "crypto/x509"
url "net/url"
)
type CompressionAlgorithm string
type ContentEncryption string
type ContentType string
type Encrypter interface {
Encrypt(_ []byte) (*JSONWebEncryption, error)
EncryptWithAuthData(_ []byte, _ []byte) (*JSONWebEncryption, error)
Options() EncrypterOptions
}
type EncrypterOptions struct {
Compression CompressionAlgorithm
ExtraHeaders map[HeaderKey]interface{}
}
func (_ *EncrypterOptions) WithContentType(_ ContentType) *EncrypterOptions {
return nil
}
func (_ *EncrypterOptions) WithHeader(_ HeaderKey, _ interface{}) *EncrypterOptions {
return nil
}
func (_ *EncrypterOptions) WithType(_ ContentType) *EncrypterOptions {
return nil
}
type Header struct {
KeyID string
JSONWebKey *JSONWebKey
Algorithm string
Nonce string
ExtraHeaders map[HeaderKey]interface{}
}
func (_ Header) Certificates(_ x509.VerifyOptions) ([][]*x509.Certificate, error) {
return nil, nil
}
type HeaderKey string
type JSONWebEncryption struct {
Header Header
}
func (_ JSONWebEncryption) CompactSerialize() (string, error) {
return "", nil
}
func (_ JSONWebEncryption) Decrypt(_ interface{}) ([]byte, error) {
return nil, nil
}
func (_ JSONWebEncryption) DecryptMulti(_ interface{}) (int, Header, []byte, error) {
return 0, Header{}, nil, nil
}
func (_ JSONWebEncryption) FullSerialize() string {
return ""
}
func (_ JSONWebEncryption) GetAuthData() []byte {
return nil
}
type JSONWebKey struct {
Key interface{}
KeyID string
Algorithm string
Use string
Certificates []*x509.Certificate
CertificatesURL *url.URL
CertificateThumbprintSHA1 []byte
CertificateThumbprintSHA256 []byte
}
func (_ JSONWebKey) MarshalJSON() ([]byte, error) {
return nil, nil
}
func (_ *JSONWebKey) IsPublic() bool {
return false
}
func (_ *JSONWebKey) Public() JSONWebKey {
return JSONWebKey{}
}
func (_ *JSONWebKey) Thumbprint(_ crypto.Hash) ([]byte, error) {
return nil, nil
}
func (_ *JSONWebKey) UnmarshalJSON(_ []byte) error {
return nil
}
func (_ *JSONWebKey) Valid() bool {
return false
}
type JSONWebSignature struct {
Signatures []Signature
}
func (_ JSONWebSignature) CompactSerialize() (string, error) {
return "", nil
}
func (_ JSONWebSignature) DetachedCompactSerialize() (string, error) {
return "", nil
}
func (_ JSONWebSignature) DetachedVerify(_ []byte, _ interface{}) error {
return nil
}
func (_ JSONWebSignature) DetachedVerifyMulti(_ []byte, _ interface{}) (int, Signature, error) {
return 0, Signature{}, nil
}
func (_ JSONWebSignature) FullSerialize() string {
return ""
}
func (_ JSONWebSignature) UnsafePayloadWithoutVerification() []byte {
return nil
}
func (_ JSONWebSignature) Verify(_ interface{}) ([]byte, error) {
return nil, nil
}
func (_ JSONWebSignature) VerifyMulti(_ interface{}) (int, Signature, []byte, error) {
return 0, Signature{}, nil, nil
}
type KeyAlgorithm string
func NewEncrypter(_ ContentEncryption, _ Recipient, _ *EncrypterOptions) (Encrypter, error) {
return nil, nil
}
func NewSigner(_ SigningKey, _ *SignerOptions) (Signer, error) {
return nil, nil
}
type NonceSource interface {
Nonce() (string, error)
}
type Recipient struct {
Algorithm KeyAlgorithm
Key interface{}
KeyID string
PBES2Count int
PBES2Salt []byte
}
type Signature struct {
Header Header
Protected Header
Unprotected Header
Signature []byte
}
type SignatureAlgorithm string
type Signer interface {
Options() SignerOptions
Sign(_ []byte) (*JSONWebSignature, error)
}
type SignerOptions struct {
NonceSource NonceSource
EmbedJWK bool
ExtraHeaders map[HeaderKey]interface{}
}
func (_ *SignerOptions) WithBase64(_ bool) *SignerOptions {
return nil
}
func (_ *SignerOptions) WithContentType(_ ContentType) *SignerOptions {
return nil
}
func (_ *SignerOptions) WithCritical(_ ...string) *SignerOptions {
return nil
}
func (_ *SignerOptions) WithHeader(_ HeaderKey, _ interface{}) *SignerOptions {
return nil
}
func (_ *SignerOptions) WithType(_ ContentType) *SignerOptions {
return nil
}
type SigningKey struct {
Algorithm SignatureAlgorithm
Key interface{}
}

96
go/ql/test/experimental/CWE-321/vendor/modules.txt vendored Normal file
View File

@@ -0,0 +1,96 @@
# github.com/appleboy/gin-jwt/v2 v2.8.0
## explicit
github.com/appleboy/gin-jwt/v2
# github.com/cristalhq/jwt/v3 v3.1.0
## explicit
github.com/cristalhq/jwt/v3
# github.com/gin-gonic/gin v1.7.7
## explicit
github.com/gin-gonic/gin
# github.com/go-kit/kit v0.12.0
## explicit
github.com/go-kit/kit
# github.com/golang-jwt/jwt/v4 v4.4.1
## explicit
github.com/golang-jwt/jwt/v4
# github.com/lestrrat/go-jwx v0.9.1
## explicit
github.com/lestrrat/go-jwx
# github.com/square/go-jose/v3 v3.0.0-20200630053402-0a67ce9b0693
## explicit
github.com/square/go-jose/v3
# gopkg.in/square/go-jose.v2 v2.6.0
## explicit
gopkg.in/square/go-jose.v2
# github.com/davecgh/go-spew v1.1.1
## explicit
github.com/davecgh/go-spew
# github.com/gin-contrib/sse v0.1.0
## explicit
github.com/gin-contrib/sse
# github.com/go-kit/log v0.2.0
## explicit
github.com/go-kit/log
# github.com/go-logfmt/logfmt v0.5.1
## explicit
github.com/go-logfmt/logfmt
# github.com/go-playground/locales v0.13.0
## explicit
github.com/go-playground/locales
# github.com/go-playground/universal-translator v0.17.0
## explicit
github.com/go-playground/universal-translator
# github.com/go-playground/validator/v10 v10.4.1
## explicit
github.com/go-playground/validator/v10
# github.com/golang/protobuf v1.5.2
## explicit
github.com/golang/protobuf
# github.com/json-iterator/go v1.1.12
## explicit
github.com/json-iterator/go
# github.com/leodido/go-urn v1.2.0
## explicit
github.com/leodido/go-urn
# github.com/lestrrat/go-pdebug v0.0.0-20180220043741-569c97477ae8
## explicit
github.com/lestrrat/go-pdebug
# github.com/mattn/go-isatty v0.0.14
## explicit
github.com/mattn/go-isatty
# github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
## explicit
github.com/modern-go/concurrent
# github.com/modern-go/reflect2 v1.0.2
## explicit
github.com/modern-go/reflect2
# github.com/pkg/errors v0.9.1
## explicit
github.com/pkg/errors
# github.com/ugorji/go/codec v1.1.7
## explicit
github.com/ugorji/go/codec
# golang.org/x/crypto v0.0.0-20210915214749-c084706c2272
## explicit
golang.org/x/crypto
# golang.org/x/net v0.0.0-20210917221730-978cfadd31cf
## explicit
golang.org/x/net
# golang.org/x/sys v0.0.0-20210917161153-d61c044b1678
## explicit
golang.org/x/sys
# golang.org/x/text v0.3.7
## explicit
golang.org/x/text
# google.golang.org/genproto v0.0.0-20210917145530-b395a37504d4
## explicit
google.golang.org/genproto
# google.golang.org/grpc v1.40.0
## explicit
google.golang.org/grpc
# google.golang.org/protobuf v1.27.1
## explicit
google.golang.org/protobuf
# gopkg.in/yaml.v2 v2.2.8
## explicit
gopkg.in/yaml.v2