add go generate support, upgrade JWT.qll

This commit is contained in:
amammad
2023-09-27 20:17:31 +10:00
parent da864bf7f7
commit c78f390128
36 changed files with 434 additions and 2389 deletions


@@ -1,40 +1,98 @@
import go
/**
* A class that contains the following function and method:
*
* func (p *Parser) Parse(tokenString string, keyFunc Keyfunc)
*
* func Parse(tokenString string, keyFunc Keyfunc)
* A abstract class which responsible for parsing a JWT token which the key parameter is a function type
*/
class GolangJwtParse extends Function {
GolangJwtParse() {
exists(DataFlow::Function f |
f.hasQualifiedName([
"github.com/golang-jwt/jwt", "github.com/golang-jwt/jwt/v4",
"github.com/golang-jwt/jwt/v5", "github.com/dgrijalva/jwt-go",
"github.com/dgrijalva/jwt-go/v4",
], "Parse")
|
this = f
)
abstract class JwtParseWithKeyFunction extends Function {
/**
* Gets argument number that responsible for a function returning the secret key
*/
abstract int getKeyFuncArgNum();
/**
* Gets argument number that responsible for JWT
*
* `-1` means the receiver is a argument node that responsible for JWT.
* In this case, we must declare some additional taint steps.
*/
abstract int getTokenArgNum();
/**
* Gets Argument as DataFlow node that responsible for JWT
*/
DataFlow::Node getTokenArg() {
this.getTokenArgNum() != -1 and result = this.getACall().getArgument(this.getTokenArgNum())
or
exists(DataFlow::Method f |
f.hasQualifiedName([
"github.com/golang-jwt/jwt.Parser", "github.com/golang-jwt/jwt/v4.Parser",
"github.com/golang-jwt/jwt/v5.Parser", "github.com/dgrijalva/jwt-go.Parser",
"github.com/dgrijalva/jwt-go/v4.Parser"
], "Parse")
|
this = f
)
this.getTokenArgNum() = -1 and result = this.getACall().getReceiver()
}
int getKeyFuncArgNum() { result = 1 }
/**
* Gets Argument as DataFlow node that responsible for a function returning the secret key
*/
DataFlow::Node getKeyFuncArg() { result = this.getACall().getArgument(this.getKeyFuncArgNum()) }
}
/**
* A abstract class which responsible for parsing a JWT token which the key parameter can be a string or byte type
*/
abstract class JwtParse extends Function {
/**
* Gets argument number that responsible for secret key
*/
abstract int getKeyArgNum();
/**
* Gets argument number that responsible for JWT
*
* `-1` means the receiver is a argument node that responsible for JWT.
* In this case, we must declare some additional taint steps.
*/
abstract int getTokenArgNum();
/**
* Gets Argument as DataFlow node that responsible for JWT
*/
DataFlow::Node getTokenArg() {
this.getTokenArgNum() != -1 and result = this.getACall().getArgument(this.getTokenArgNum())
or
this.getTokenArgNum() = -1 and result = this.getACall().getReceiver()
}
/**
* Gets Argument as DataFlow node that responsible for secret key
*/
DataFlow::Node getKeyArg() { result = this.getACall().getArgument(this.getKeyArgNum()) }
}
/**
* A abstract class which responsible for parsing a JWT without verifying it
*/
abstract class JwtUnverifiedParse extends Function {
/**
* Gets argument number that responsible for JWT
*
* `-1` means the receiver is a argument node that responsible for JWT.
* In this case, we must declare some additional taint steps.
*/
abstract int getTokenArgNum();
/**
* Gets Argument as DataFlow node that responsible for JWT
*/
DataFlow::Node getTokenNode() {
this.getTokenArgNum() != -1 and result = this.getACall().getArgument(this.getTokenArgNum())
or
this.getTokenArgNum() = -1 and result = this.getACall().getReceiver()
}
}
/**
* Gets `github.com/golang-jwt/jwt` and `github.com/dgrijalva/jwt-go`(previous name of `golang-jwt`) JWT packages
*/
string golangJwtPackage() {
result = package(["github.com/golang-jwt/jwt", "github.com/dgrijalva/jwt-go"], "")
}
/**
* A class that contains the following function and method:
*
@@ -42,15 +100,16 @@ class GolangJwtParse extends Function {
*
* func Parse(tokenString string, keyFunc Keyfunc)
*/
class GolangJwtValidField extends DataFlow::FieldReadNode {
GolangJwtValidField() {
this.getField()
.hasQualifiedName([
"github.com/golang-jwt/jwt", "github.com/golang-jwt/jwt/v4",
"github.com/golang-jwt/jwt/v5", "github.com/dgrijalva/jwt-go",
"github.com/dgrijalva/jwt-go/v4"
] + ".Token", "Valid")
class GolangJwtParse extends JwtParseWithKeyFunction {
GolangJwtParse() {
exists(Function f | f.hasQualifiedName(golangJwtPackage(), "Parse") | this = f)
or
exists(Method f | f.hasQualifiedName(golangJwtPackage(), "Parser", "Parse") | this = f)
}
override int getKeyFuncArgNum() { result = 1 }
override int getTokenArgNum() { result = 0 }
}
/**
@@ -60,32 +119,18 @@ class GolangJwtValidField extends DataFlow::FieldReadNode {
*
* func ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc)
*/
class GolangJwtParseWithClaims extends Function {
class GolangJwtParseWithClaims extends JwtParseWithKeyFunction {
GolangJwtParseWithClaims() {
exists(DataFlow::Function f |
f.hasQualifiedName([
"github.com/golang-jwt/jwt", "github.com/golang-jwt/jwt/v4",
"github.com/golang-jwt/jwt/v5", "github.com/dgrijalva/jwt-go",
"github.com/dgrijalva/jwt-go/v4"
], "ParseWithClaims")
|
this = f
)
exists(Function f | f.hasQualifiedName(golangJwtPackage(), "ParseWithClaims") | this = f)
or
exists(DataFlow::Method f |
f.hasQualifiedName([
"github.com/golang-jwt/jwt.Parser", "github.com/golang-jwt/jwt/v4.Parser",
"github.com/golang-jwt/jwt/v5.Parser", "github.com/dgrijalva/jwt-go.Parser",
"github.com/dgrijalva/jwt-go/v4.Parser"
], "ParseWithClaims")
|
exists(Method f | f.hasQualifiedName(golangJwtPackage(), "Parser", "ParseWithClaims") |
this = f
)
}
int getKeyFuncArgNum() { result = 2 }
override int getKeyFuncArgNum() { result = 2 }
DataFlow::Node getKeyFuncArg() { result = this.getACall().getArgument(this.getKeyFuncArgNum()) }
override int getTokenArgNum() { result = 0 }
}
/**
@@ -93,18 +138,21 @@ class GolangJwtParseWithClaims extends Function {
*
* func (p *Parser) ParseUnverified(tokenString string, claims Claims)
*/
class GolangJwtParseUnverified extends Function {
class GolangJwtParseUnverified extends JwtUnverifiedParse {
GolangJwtParseUnverified() {
exists(DataFlow::Method f |
f.hasQualifiedName([
"github.com/golang-jwt/jwt.Parser", "github.com/golang-jwt/jwt/v4.Parser",
"github.com/golang-jwt/jwt/v5.Parser", "github.com/dgrijalva/jwt-go.Parser",
"github.com/dgrijalva/jwt-go/v4.Parser"
], "ParseUnverified")
|
exists(Method f | f.hasQualifiedName(golangJwtPackage(), "Parser", "ParseUnverified") |
this = f
)
}
override int getTokenArgNum() { result = 0 }
}
/**
* Gets `github.com/golang-jwt/jwt` and `github.com/dgrijalva/jwt-go`(previous name of `golang-jwt`) JWT packages
*/
string golangJwtRequestPackage() {
result = package(["github.com/golang-jwt/jwt", "github.com/dgrijalva/jwt-go"], "request")
}
/**
@@ -112,21 +160,16 @@ class GolangJwtParseUnverified extends Function {
*
* func ParseFromRequest(req *http.Request, extractor Extractor, keyFunc jwt.Keyfunc, options ...ParseFromRequestOption)
*/
class GolangJwtParseFromRequest extends Function {
class GolangJwtParseFromRequest extends JwtParseWithKeyFunction {
GolangJwtParseFromRequest() {
exists(DataFlow::Function f |
f.hasQualifiedName([
"github.com/golang-jwt/jwt/request", "github.com/golang-jwt/jwt/v4/request",
"github.com/dgrijalva/jwt-go/request", "github.com/dgrijalva/jwt-go/v4/request"
], "ParseFromRequest")
|
exists(Function f | f.hasQualifiedName(golangJwtRequestPackage(), "ParseFromRequest") |
this = f
)
}
int getKeyFuncArgNum() { result = 2 }
override int getKeyFuncArgNum() { result = 2 }
DataFlow::Node getKeyFuncArg() { result = this.getACall().getArgument(this.getKeyFuncArgNum()) }
override int getTokenArgNum() { result = 0 }
}
/**
@@ -134,45 +177,40 @@ class GolangJwtParseFromRequest extends Function {
*
* func ParseFromRequestWithClaims(req *http.Request, extractor Extractor, claims jwt.Claims, keyFunc jwt.Keyfunc)
*/
class GolangJwtParseFromRequestWithClaims extends Function {
class GolangJwtParseFromRequestWithClaims extends JwtParseWithKeyFunction {
GolangJwtParseFromRequestWithClaims() {
exists(DataFlow::Function f |
f.hasQualifiedName([
"github.com/golang-jwt/jwt/request", "github.com/golang-jwt/jwt/v4/request",
"github.com/dgrijalva/jwt-go/request", "github.com/dgrijalva/jwt-go/v4/request"
], "ParseFromRequestWithClaims")
exists(Function f |
f.hasQualifiedName(golangJwtRequestPackage(), "ParseFromRequestWithClaims")
|
this = f
)
}
int getKeyFuncArgNum() { result = 3 }
override int getKeyFuncArgNum() { result = 3 }
DataFlow::Node getKeyFuncArg() { result = this.getACall().getArgument(this.getKeyFuncArgNum()) }
override int getTokenArgNum() { result = 0 }
}
/**
* Gets `gopkg.in/square/go-jose` and `github.com/go-jose/go-jose` jwt package
*/
string goJoseJwtPackage() {
result = package(["gopkg.in/square/go-jose", "github.com/go-jose/go-jose"], "jwt")
}
/**
* A class that contains the following method:
*
*func (t *JSONWebToken) Claims(key interface{}, dest ...interface{})
* func (t *JSONWebToken) Claims(key interface{}, dest ...interface{})
*/
class GoJoseClaims extends Function {
GoJoseClaims() {
exists(DataFlow::Method f |
f.hasQualifiedName([
"gopkg.in/square/go-jose/jwt.JSONWebToken", "gopkg.in/square/go-jose.v2/jwt.JSONWebToken",
"gopkg.in/square/go-jose.v3/jwt.JSONWebToken",
"github.com/go-jose/go-jose/jwt.JSONWebToken",
"github.com/go-jose/go-jose/v3/jwt.JSONWebToken"
], "Claims")
|
this = f
)
class GoJoseParseWithClaims extends JwtParse {
GoJoseParseWithClaims() {
exists(Method f | f.hasQualifiedName(goJoseJwtPackage(), "JSONWebToken", "Claims") | this = f)
}
int getKeyFuncArgNum() { result = 1 }
override int getKeyArgNum() { result = 0 }
DataFlow::Node getKeyFuncArg() { result = this.getACall().getArgument(this.getKeyFuncArgNum()) }
override int getTokenArgNum() { result = -1 }
}
/**
@@ -180,35 +218,30 @@ class GoJoseClaims extends Function {
*
* func (t *JSONWebToken) UnsafeClaimsWithoutVerification(dest ...interface{})
*/
class GoJoseUnsafeClaims extends Function {
class GoJoseUnsafeClaims extends JwtUnverifiedParse {
GoJoseUnsafeClaims() {
exists(DataFlow::Method f |
f.hasQualifiedName([
"gopkg.in/square/go-jose/jwt.JSONWebToken", "gopkg.in/square/go-jose.v2/jwt.JSONWebToken",
"gopkg.in/square/go-jose.v3/jwt.JSONWebToken",
"github.com/go-jose/go-jose/jwt.JSONWebToken",
"github.com/go-jose/go-jose/v3/jwt.JSONWebToken"
], "UnsafeClaimsWithoutVerification")
exists(Method f |
f.hasQualifiedName(goJoseJwtPackage(), "JSONWebToken", "UnsafeClaimsWithoutVerification")
|
this = f
)
}
override int getTokenArgNum() { result = -1 }
}
/**
* Holds if there are additioanl steps related to parsing the secret keys
* Holds for general additioanl steps related to parsing the secret keys in `golang-jwt/jwt`,`dgrijalva/jwt-go` packages
*/
predicate golangJwtIsAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
exists(DataFlow::Function f, DataFlow::CallNode call |
f.hasQualifiedName([
"github.com/golang-jwt/jwt", "github.com/golang-jwt/jwt/v4", "github.com/golang-jwt/jwt/v5"
],
exists(Function f, DataFlow::CallNode call |
f.hasQualifiedName(package("github.com/golang-jwt/jwt", ""),
[
"ParseECPrivateKeyFromPEM", "ParseECPublicKeyFromPEM", "ParseEdPrivateKeyFromPEM",
"ParseEdPublicKeyFromPEM", "ParseRSAPrivateKeyFromPEM", "ParseRSAPublicKeyFromPEM",
"RegisterSigningMethod"
]) or
f.hasQualifiedName(["github.com/dgrijalva/jwt-go", "github.com/dgrijalva/jwt-go/v4"],
f.hasQualifiedName(package("github.com/dgrijalva/jwt-go", ""),
[
"ParseECPrivateKeyFromPEM", "ParseECPublicKeyFromPEM", "ParseRSAPrivateKeyFromPEM",
"ParseRSAPrivateKeyFromPEMWithPassword", "ParseRSAPublicKeyFromPEM"
@@ -219,7 +252,7 @@ predicate golangJwtIsAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node
nodeTo = call
)
or
exists(DataFlow::Function f, DataFlow::CallNode call |
exists(Function f, DataFlow::CallNode call |
f instanceof GolangJwtParse
or
f instanceof GolangJwtParseWithClaims
@@ -228,51 +261,30 @@ predicate golangJwtIsAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node
nodeFrom = call.getArgument(0) and
nodeTo = call
)
or
exists(DataFlow::FieldReadNode f | f instanceof GolangJwtValidField |
nodeFrom = f.getBase() and
nodeTo = f
)
}
/**
* Holds if there are additioanl steps related to parsing the secret keys
* Holds for general additioanl steps related to parsing the secret keys in `go-jose` package
*/
predicate goJoseIsAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
exists(DataFlow::Function f, DataFlow::CallNode call |
f.hasQualifiedName([
"gopkg.in/square/go-jose/jwt", "gopkg.in/square/go-jose.v2/jwt",
"gopkg.in/square/go-jose.v3/jwt", "github.com/go-jose/go-jose/jwt",
"github.com/go-jose/go-jose/v3/jwt"
], ["ParseEncrypted", "ParseSigned",])
exists(Function f, DataFlow::CallNode call |
f.hasQualifiedName(goJoseJwtPackage(), ["ParseEncrypted", "ParseSigned",])
|
call = f.getACall() and
nodeFrom = call.getArgument(0) and
nodeTo = call
)
or
exists(DataFlow::Function f, DataFlow::CallNode call |
f.hasQualifiedName([
"gopkg.in/square/go-jose/jwt.NestedJSONWebToken",
"gopkg.in/square/go-jose.v2/jwt.NestedJSONWebToken",
"gopkg.in/square/go-jose.v3/jwt.NestedJSONWebToken",
"github.com/go-jose/go-jose/jwt.NestedJSONWebToken",
"github.com/go-jose/go-jose/v3/jw.NestedJSONWebTokent"
], "ParseSignedAndEncrypted")
exists(Method m, DataFlow::CallNode call |
m.hasQualifiedName(goJoseJwtPackage(), "NestedJSONWebToken", "ParseSignedAndEncrypted")
|
call = f.getACall() and
call = m.getACall() and
nodeFrom = call.getArgument(0) and
nodeTo = call
)
or
exists(DataFlow::Method f, DataFlow::CallNode call |
f.hasQualifiedName([
"gopkg.in/square/go-jose/jwt.NestedJSONWebToken",
"gopkg.in/square/go-jose.v2/jwt.NestedJSONWebToken",
"gopkg.in/square/go-jose.v3/jwt.NestedJSONWebToken",
"github.com/go-jose/go-jose/jwt.NestedJSONWebToken",
"github.com/go-jose/go-jose/v3/jw.NestedJSONWebToken"
], "Decrypt")
exists(Method f, DataFlow::CallNode call |
f.hasQualifiedName(goJoseJwtPackage(), "NestedJSONWebToken", "Decrypt")
|
call = f.getACall() and
nodeFrom = call.getReceiver() and
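Review bot: The `ParseSignedAndEncrypted` step in `goJoseIsAdditionalFlowStep` models it as a `Method` on `NestedJSONWebToken`, but as far as I recall go-jose exposes `ParseSignedAndEncrypted` as a package-level function that returns a `*NestedJSONWebToken`, so that `exists` would never match and taint from the raw token string would not reach the nested token, nor (via the `Decrypt` step that follows) the `JSONWebToken` whose `Claims`/`UnsafeClaimsWithoutVerification` calls the queries sink on. The previous version had the same mismatch the other way round (a `DataFlow::Function` qualified by the type name), so the rewrite carries it forward rather than introducing it. If the API is as I remember, the fix is `exists(Function f, DataFlow::CallNode call | f.hasQualifiedName(goJoseJwtPackage(), "ParseSignedAndEncrypted") |` with the existing `call = f.getACall()` body kept; please confirm against the go-jose v3 `jwt` package. The body of `goJoseIsAdditionalFlowStep` continues past the end of the hunk.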


@@ -1,9 +1,9 @@
/**
* @name Decoding JWT with hardcoded key
* @description Decoding JWT Secrect with a Constant value lead to authentication or authorization bypass
* @description Decoding JWT Secret with a Constant value lead to authentication or authorization bypass
* @kind path-problem
* @problem.severity error
* @id go/hardcoded-key
* @id go/parse-jwt-with-hardcoded-key
* @tags security
* experimental
* external/cwe/cwe-321
@@ -12,10 +12,13 @@
import go
import semmle.go.security.JWT
module JwtConfig implements DataFlow::ConfigSig {
module JwtPaseWithConstantKeyConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source.asExpr() instanceof StringLit }
predicate isSink(DataFlow::Node sink) {
// first part is the JWT Parsing Functions that get a func type as an argument
// Find a node that has flow to a key Function argument
// then find the first result node of this Function which is the secret key
exists(FuncDef fd, DataFlow::Node n, DataFlow::ResultNode rn |
GolangJwtKeyFunc::flow(n, _) and fd = n.asExpr()
|
@@ -31,6 +34,9 @@ module JwtConfig implements DataFlow::ConfigSig {
rn.getRoot() = fd.getFuncDecl() and
rn.getIndex() = 0
)
or
// second part is the JWT Parsing Functions that get a string or byte as an argument
sink = any(JwtParse jp).getKeyArg()
}
}
@@ -42,24 +48,17 @@ module GolangJwtKeyFuncConfig implements DataFlow::ConfigSig {
}
predicate isSink(DataFlow::Node sink) {
sink =
[
any(GolangJwtParse parseWithClaims).getKeyFuncArg(),
any(GolangJwtParseWithClaims parseWithClaims).getKeyFuncArg(),
any(GolangJwtParseFromRequest parseWithClaims).getKeyFuncArg(),
any(GolangJwtParseFromRequestWithClaims parseWithClaims).getKeyFuncArg(),
any(GoJoseClaims parseWithClaims).getKeyFuncArg(),
]
sink = any(JwtParseWithKeyFunction parseJWT).getKeyFuncArg()
}
}
module Jwt = TaintTracking::Global<JwtConfig>;
module JwtPaseWithConstantKey = TaintTracking::Global<JwtPaseWithConstantKeyConfig>;
module GolangJwtKeyFunc = TaintTracking::Global<GolangJwtKeyFuncConfig>;
import Jwt::PathGraph
import JwtPaseWithConstantKey::PathGraph
from Jwt::PathNode source, Jwt::PathNode sink
where Jwt::flowPath(source, sink)
from JwtPaseWithConstantKey::PathNode source, JwtPaseWithConstantKey::PathNode sink
where JwtPaseWithConstantKey::flowPath(source, sink)
select sink.getNode(), source, sink, "This $@.", source.getNode(),
"Constant Key is used as JWT Secret key"
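Review bot: The new module names `JwtPaseWithConstantKeyConfig` and `JwtPaseWithConstantKey`, introduced in the `module` declarations, the `PathGraph` import and the `from`/`where` clause, misspell "Parse"; since the commit is already renaming these identifiers (and the `@id`), this is the moment to make them `JwtParseWithConstantKeyConfig` and `JwtParseWithConstantKey` before anything else refers to them. The new second disjunct in `isSink` is a good place for a slightly more precise comment than the one added, e.g. `// JWT parsing functions that take the key directly as a string or byte slice`, mirroring the first comment's wording. `JwtPaseWithConstantKeyConfig` and `GolangJwtKeyFuncConfig` both start outside the hunks shown here.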


@@ -3,7 +3,7 @@
* @description Using JWT methods without verification can cause to authorization or authentication bypass
* @kind path-problem
* @problem.severity error
* @id go/hardcoded-key
* @id go/parse-jwt-without-verification
* @tags security
* experimental
* external/cwe/cwe-321
@@ -16,8 +16,8 @@ module WithValidationConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
predicate isSink(DataFlow::Node sink) {
sink = any(GolangJwtValidField parse) or
sink = any(GoJoseClaims parse).getACall().getReceiver()
sink = any(JwtParse parseUnverified).getTokenArg() or
sink = any(JwtParseWithKeyFunction parseUnverified).getTokenArg()
}
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
@@ -34,9 +34,7 @@ module NoValidationConfig implements DataFlow::ConfigSig {
}
predicate isSink(DataFlow::Node sink) {
sink = any(GolangJwtParseUnverified parseunverified).getACall().getArgument(0)
or
sink = any(GoJoseUnsafeClaims parse).getACall().getReceiver()
sink = any(JwtUnverifiedParse parseUnverified).getTokenNode()
}
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
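Review bot: The `@tags` block still carries `external/cwe/cwe-321` (use of a hard-coded cryptographic key), which reads as copied from the hardcoded-key query and does not describe a missing-signature-verification finding; the commit fixes the duplicated `@id` on the line above it but leaves the tag. CWE-347 (improper verification of cryptographic signature) is the usual classification for this check, so the line would become `* external/cwe/cwe-347`. Separately, the sink variables in `WithValidationConfig.isSink` are named `parseUnverified` although `JwtParse` and `JwtParseWithKeyFunction` are the verifying parsers; naming them `parseVerified` avoids misreading the two configs. Both config modules begin outside the hunks shown.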


@@ -1,10 +1,16 @@
edges
| golang-jwt-v5/golang-jwt-v5.go:19:14:19:34 | type conversion | golang-jwt-v5/golang-jwt-v5.go:37:9:37:14 | JwtKey |
| golang-jwt-v5/golang-jwt-v5.go:19:21:19:33 | "AllYourBase" | golang-jwt-v5/golang-jwt-v5.go:19:14:19:34 | type conversion |
| go-jose.v3.go:11:14:11:34 | type conversion | go-jose.v3.go:23:32:23:37 | JwtKey |
| go-jose.v3.go:11:21:11:33 | "AllYourBase" | go-jose.v3.go:11:14:11:34 | type conversion |
| golang-jwt-v5.go:19:15:19:35 | type conversion | golang-jwt-v5.go:27:9:27:15 | JwtKey1 |
| golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | golang-jwt-v5.go:19:15:19:35 | type conversion |
nodes
| golang-jwt-v5/golang-jwt-v5.go:19:14:19:34 | type conversion | semmle.label | type conversion |
| golang-jwt-v5/golang-jwt-v5.go:19:21:19:33 | "AllYourBase" | semmle.label | "AllYourBase" |
| golang-jwt-v5/golang-jwt-v5.go:37:9:37:14 | JwtKey | semmle.label | JwtKey |
| go-jose.v3.go:11:14:11:34 | type conversion | semmle.label | type conversion |
| go-jose.v3.go:11:21:11:33 | "AllYourBase" | semmle.label | "AllYourBase" |
| go-jose.v3.go:23:32:23:37 | JwtKey | semmle.label | JwtKey |
| golang-jwt-v5.go:19:15:19:35 | type conversion | semmle.label | type conversion |
| golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | semmle.label | "AllYourBase" |
| golang-jwt-v5.go:27:9:27:15 | JwtKey1 | semmle.label | JwtKey1 |
subpaths
#select
| golang-jwt-v5/golang-jwt-v5.go:37:9:37:14 | JwtKey | golang-jwt-v5/golang-jwt-v5.go:19:21:19:33 | "AllYourBase" | golang-jwt-v5/golang-jwt-v5.go:37:9:37:14 | JwtKey | This $@. | golang-jwt-v5/golang-jwt-v5.go:19:21:19:33 | "AllYourBase" | Constant Key is used as JWT Secret key |
| go-jose.v3.go:23:32:23:37 | JwtKey | go-jose.v3.go:11:21:11:33 | "AllYourBase" | go-jose.v3.go:23:32:23:37 | JwtKey | This $@. | go-jose.v3.go:11:21:11:33 | "AllYourBase" | Constant Key is used as JWT Secret key |
| golang-jwt-v5.go:27:9:27:15 | JwtKey1 | golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | golang-jwt-v5.go:27:9:27:15 | JwtKey1 | This $@. | golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | Constant Key is used as JWT Secret key |


@@ -0,0 +1,27 @@
package jwt
//go:generate depstubber -vendor github.com/go-jose/go-jose/v3/jwt JSONWebToken ParseSigned
import (
"fmt"
"github.com/go-jose/go-jose/v3/jwt"
"net/http"
)
var JwtKey = []byte("AllYourBase")
func main2(r *http.Request) {
// NOT OK
signedToken := r.URL.Query().Get("signedToken")
verifyJWT(signedToken)
}
func verifyJWT(signedToken string) {
fmt.Println("verifying JWT")
DecodedToken, _ := jwt.ParseSigned(signedToken)
out := CustomerInfo{}
if err := DecodedToken.Claims(JwtKey, &out); err != nil {
panic(err)
}
fmt.Printf("%v\n", out)
}
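Review bot: `verifyJWT` discards the error from `jwt.ParseSigned` and then calls `DecodedToken.Claims(...)` on a token that go-jose returns as nil on a parse error, so a malformed `signedToken` taken from the query string makes the fixture panic before the hard-coded-key line the test exists to exercise. Handling the error keeps the fixture focused on that finding: `DecodedToken, err := jwt.ParseSigned(signedToken)` followed by `if err != nil { return }`. The file also uses `CustomerInfo` without declaring it; it appears to come from the golang-jwt fixture in the same `jwt` package, which is fine for a test package but deserves a one-line comment such as `// CustomerInfo is declared in the golang-jwt fixture of this package` so the dependency between the two fixtures is visible.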


@@ -1,39 +0,0 @@
package main
import (
"fmt"
"github.com/gin-gonic/gin"
"github.com/go-jose/go-jose/v3"
"github.com/go-jose/go-jose/v3/jwt"
"net/http"
)
type CustomerInfo struct {
Name string
ID int
}
var JwtKey = []byte("AllYourBase")
func main() {
router := gin.Default()
router.GET("/ping", func(c *gin.Context) {
signedToken := c.Param("signedToken")
verifyJWT(signedToken)
c.JSON(http.StatusOK, gin.H{
"message": "pong",
})
})
_ = router.Run()
}
func verifyJWT(signedToken string) {
fmt.Println("verifying JWT")
DecodedToken, _ := jwt.ParseSigned(signedToken)
out := CustomerInfo{}
if err := DecodedToken.Claims(JwtKey, &out); err != nil {
panic(err)
}
fmt.Printf("%v\n", out)
}


@@ -1,6 +1,6 @@
module main
go 1.18
go 1.21
require (
github.com/gin-gonic/gin v1.9.1


@@ -1,12 +1,12 @@
package main
package jwt
//go:generate depstubber -vendor github.com/golang-jwt/jwt/v5 RegisteredClaims,Parser,Token Parse,ParseWithClaims
import (
"fmt"
"github.com/gin-gonic/gin"
"github.com/golang-jwt/jwt/v5"
"log"
"net/http"
"os"
)
type CustomerInfo struct {
@@ -16,27 +16,18 @@ type CustomerInfo struct {
}
// BAD constant key
var JwtKey = []byte("AllYourBase")
var JwtKey1 = []byte("AllYourBase")
func main() {
router := gin.Default()
router.GET("/ping", func(c *gin.Context) {
// https://pkg.go.dev/github.com/go-jose/go-jose/v3/jwt
var unsignedToken = c.Param("customerName")
signedToken := c.Param("signedToken")
VerifyJWT(signedToken)
c.JSON(http.StatusOK, gin.H{
"message": "pong",
})
})
_ = router.Run()
func main1(r *http.Request) {
signedToken := r.URL.Query().Get("signedToken")
verifyJWT_golangjwt(signedToken)
}
func LoadJwtKey(token *jwt.Token) (interface{}, error) {
return JwtKey, nil
return JwtKey1, nil
}
func verifyJWT(signedToken string) {
func verifyJWT_golangjwt(signedToken string) {
fmt.Println("verifying JWT")
DecodedToken, err := jwt.ParseWithClaims(signedToken, &CustomerInfo{}, LoadJwtKey)
if claims, ok := DecodedToken.Claims.(*CustomerInfo); ok && DecodedToken.Valid {
@@ -45,4 +36,3 @@ func verifyJWT(signedToken string) {
log.Fatal(err)
}
}
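Review bot: `verifyJWT_golangjwt` uses the result of `jwt.ParseWithClaims` before checking `err`: the type assertion on `DecodedToken.Claims` runs first, and as far as I recall golang-jwt returns a nil token for a malformed string, so the `ok && DecodedToken.Valid` line can dereference nil before the later `log.Fatal(err)` is ever reached (the function body continues past the hunk). Check the error first: `DecodedToken, err := jwt.ParseWithClaims(signedToken, &CustomerInfo{}, LoadJwtKey)` / `if err != nil { log.Fatal(err) }` / `if claims, ok := DecodedToken.Claims.(*CustomerInfo); ok && DecodedToken.Valid {`. The renamed `verifyJWT_golangjwt`, declared and called in this hunk, uses an underscore that Go naming avoids; `verifyGolangJWT` fits the surrounding `main1`/`LoadJwtKey` style.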


@@ -1,465 +0,0 @@
// Code generated by depstubber. DO NOT EDIT.
// This is a simple stub for github.com/gin-gonic/gin, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: github.com/gin-gonic/gin (exports: Context; functions: )
// Package gin is a stub of github.com/gin-gonic/gin, generated by depstubber.
package gin
import (
bufio "bufio"
io "io"
multipart "mime/multipart"
net "net"
http "net/http"
time "time"
)
type Context struct {
Request *http.Request
Writer ResponseWriter
Params Params
Keys map[string]interface{}
Errors interface{}
Accepted []string
}
func (_ *Context) Abort() {}
func (_ *Context) AbortWithError(_ int, _ error) *Error {
return nil
}
func (_ *Context) AbortWithStatus(_ int) {}
func (_ *Context) AbortWithStatusJSON(_ int, _ interface{}) {}
func (_ *Context) AddParam(_ string, _ string) {}
func (_ *Context) AsciiJSON(_ int, _ interface{}) {}
func (_ *Context) Bind(_ interface{}) error {
return nil
}
func (_ *Context) BindHeader(_ interface{}) error {
return nil
}
func (_ *Context) BindJSON(_ interface{}) error {
return nil
}
func (_ *Context) BindQuery(_ interface{}) error {
return nil
}
func (_ *Context) BindTOML(_ interface{}) error {
return nil
}
func (_ *Context) BindUri(_ interface{}) error {
return nil
}
func (_ *Context) BindWith(_ interface{}, _ interface{}) error {
return nil
}
func (_ *Context) BindXML(_ interface{}) error {
return nil
}
func (_ *Context) BindYAML(_ interface{}) error {
return nil
}
func (_ *Context) ClientIP() string {
return ""
}
func (_ *Context) ContentType() string {
return ""
}
func (_ *Context) Cookie(_ string) (string, error) {
return "", nil
}
func (_ *Context) Copy() *Context {
return nil
}
func (_ *Context) Data(_ int, _ string, _ []byte) {}
func (_ *Context) DataFromReader(_ int, _ int64, _ string, _ io.Reader, _ map[string]string) {}
func (_ *Context) Deadline() (time.Time, bool) {
return time.Time{}, false
}
func (_ *Context) DefaultPostForm(_ string, _ string) string {
return ""
}
func (_ *Context) DefaultQuery(_ string, _ string) string {
return ""
}
func (_ *Context) Done() <-chan struct{} {
return nil
}
func (_ *Context) Err() error {
return nil
}
func (_ *Context) Error(_ error) *Error {
return nil
}
func (_ *Context) File(_ string) {}
func (_ *Context) FileAttachment(_ string, _ string) {}
func (_ *Context) FileFromFS(_ string, _ http.FileSystem) {}
func (_ *Context) FormFile(_ string) (*multipart.FileHeader, error) {
return nil, nil
}
func (_ *Context) FullPath() string {
return ""
}
func (_ *Context) Get(_ string) (interface{}, bool) {
return nil, false
}
func (_ *Context) GetBool(_ string) bool {
return false
}
func (_ *Context) GetDuration(_ string) time.Duration {
return 0
}
func (_ *Context) GetFloat64(_ string) float64 {
return 0
}
func (_ *Context) GetHeader(_ string) string {
return ""
}
func (_ *Context) GetInt(_ string) int {
return 0
}
func (_ *Context) GetInt64(_ string) int64 {
return 0
}
func (_ *Context) GetPostForm(_ string) (string, bool) {
return "", false
}
func (_ *Context) GetPostFormArray(_ string) ([]string, bool) {
return nil, false
}
func (_ *Context) GetPostFormMap(_ string) (map[string]string, bool) {
return nil, false
}
func (_ *Context) GetQuery(_ string) (string, bool) {
return "", false
}
func (_ *Context) GetQueryArray(_ string) ([]string, bool) {
return nil, false
}
func (_ *Context) GetQueryMap(_ string) (map[string]string, bool) {
return nil, false
}
func (_ *Context) GetRawData() ([]byte, error) {
return nil, nil
}
func (_ *Context) GetString(_ string) string {
return ""
}
func (_ *Context) GetStringMap(_ string) map[string]interface{} {
return nil
}
func (_ *Context) GetStringMapString(_ string) map[string]string {
return nil
}
func (_ *Context) GetStringMapStringSlice(_ string) map[string][]string {
return nil
}
func (_ *Context) GetStringSlice(_ string) []string {
return nil
}
func (_ *Context) GetTime(_ string) time.Time {
return time.Time{}
}
func (_ *Context) GetUint(_ string) uint {
return 0
}
func (_ *Context) GetUint64(_ string) uint64 {
return 0
}
func (_ *Context) HTML(_ int, _ string, _ interface{}) {}
func (_ *Context) Handler() HandlerFunc {
return nil
}
func (_ *Context) HandlerName() string {
return ""
}
func (_ *Context) HandlerNames() []string {
return nil
}
func (_ *Context) Header(_ string, _ string) {}
func (_ *Context) IndentedJSON(_ int, _ interface{}) {}
func (_ *Context) IsAborted() bool {
return false
}
func (_ *Context) IsWebsocket() bool {
return false
}
func (_ *Context) JSON(_ int, _ interface{}) {}
func (_ *Context) JSONP(_ int, _ interface{}) {}
func (_ *Context) MultipartForm() (*multipart.Form, error) {
return nil, nil
}
func (_ *Context) MustBindWith(_ interface{}, _ interface{}) error {
return nil
}
func (_ *Context) MustGet(_ string) interface{} {
return nil
}
func (_ *Context) Negotiate(_ int, _ Negotiate) {}
func (_ *Context) NegotiateFormat(_ ...string) string {
return ""
}
func (_ *Context) Next() {}
func (_ *Context) Param(_ string) string {
return ""
}
func (_ *Context) PostForm(_ string) string {
return ""
}
func (_ *Context) PostFormArray(_ string) []string {
return nil
}
func (_ *Context) PostFormMap(_ string) map[string]string {
return nil
}
func (_ *Context) ProtoBuf(_ int, _ interface{}) {}
func (_ *Context) PureJSON(_ int, _ interface{}) {}
func (_ *Context) Query(_ string) string {
return ""
}
func (_ *Context) QueryArray(_ string) []string {
return nil
}
func (_ *Context) QueryMap(_ string) map[string]string {
return nil
}
func (_ *Context) Redirect(_ int, _ string) {}
func (_ *Context) RemoteIP() string {
return ""
}
func (_ *Context) Render(_ int, _ interface{}) {}
func (_ *Context) SSEvent(_ string, _ interface{}) {}
func (_ *Context) SaveUploadedFile(_ *multipart.FileHeader, _ string) error {
return nil
}
func (_ *Context) SecureJSON(_ int, _ interface{}) {}
func (_ *Context) Set(_ string, _ interface{}) {}
func (_ *Context) SetAccepted(_ ...string) {}
func (_ *Context) SetCookie(_ string, _ string, _ int, _ string, _ string, _ bool, _ bool) {}
func (_ *Context) SetSameSite(_ http.SameSite) {}
func (_ *Context) ShouldBind(_ interface{}) error {
return nil
}
func (_ *Context) ShouldBindBodyWith(_ interface{}, _ interface{}) error {
return nil
}
func (_ *Context) ShouldBindHeader(_ interface{}) error {
return nil
}
func (_ *Context) ShouldBindJSON(_ interface{}) error {
return nil
}
func (_ *Context) ShouldBindQuery(_ interface{}) error {
return nil
}
func (_ *Context) ShouldBindTOML(_ interface{}) error {
return nil
}
func (_ *Context) ShouldBindUri(_ interface{}) error {
return nil
}
func (_ *Context) ShouldBindWith(_ interface{}, _ interface{}) error {
return nil
}
func (_ *Context) ShouldBindXML(_ interface{}) error {
return nil
}
func (_ *Context) ShouldBindYAML(_ interface{}) error {
return nil
}
func (_ *Context) Status(_ int) {}
func (_ *Context) Stream(_ func(io.Writer) bool) bool {
return false
}
func (_ *Context) String(_ int, _ string, _ ...interface{}) {}
func (_ *Context) TOML(_ int, _ interface{}) {}
func (_ *Context) Value(_ interface{}) interface{} {
return nil
}
func (_ *Context) XML(_ int, _ interface{}) {}
func (_ *Context) YAML(_ int, _ interface{}) {}
type Error struct {
Err error
Type ErrorType
Meta interface{}
}
func (_ Error) Error() string {
return ""
}
func (_ *Error) IsType(_ ErrorType) bool {
return false
}
func (_ *Error) JSON() interface{} {
return nil
}
func (_ *Error) MarshalJSON() ([]byte, error) {
return nil, nil
}
func (_ *Error) SetMeta(_ interface{}) *Error {
return nil
}
func (_ *Error) SetType(_ ErrorType) *Error {
return nil
}
func (_ *Error) Unwrap() error {
return nil
}
type ErrorType uint64
type HandlerFunc func(*Context)
type Negotiate struct {
Offered []string
HTMLName string
HTMLData interface{}
JSONData interface{}
XMLData interface{}
YAMLData interface{}
Data interface{}
TOMLData interface{}
}
type Param struct {
Key string
Value string
}
type Params []Param
func (_ Params) ByName(_ string) string {
return ""
}
func (_ Params) Get(_ string) (string, bool) {
return "", false
}
type ResponseWriter interface {
CloseNotify() <-chan bool
Flush()
Header() http.Header
Hijack() (net.Conn, *bufio.ReadWriter, error)
Pusher() http.Pusher
Size() int
Status() int
Write(_ []byte) (int, error)
WriteHeader(_ int)
WriteHeaderNow()
WriteString(_ string) (int, error)
Written() bool
}


@@ -2,7 +2,7 @@
// This is a simple stub for github.com/go-jose/go-jose/v3/jwt, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: github.com/go-jose/go-jose/v3/jwt (exports: JSONWebToken; functions: ParseEncrypted,ParseSigned)
// Source: github.com/go-jose/go-jose/v3/jwt (exports: JSONWebToken; functions: ParseSigned)
// Package jwt is a stub of github.com/go-jose/go-jose/v3/jwt, generated by depstubber.
package jwt
@@ -19,10 +19,6 @@ func (_ *JSONWebToken) UnsafeClaimsWithoutVerification(_ ...interface{}) error {
return nil
}
func ParseEncrypted(_ string) (*JSONWebToken, error) {
return nil, nil
}
func ParseSigned(_ string) (*JSONWebToken, error) {
return nil, nil
}


@@ -1,154 +0,0 @@
// Code generated by depstubber. DO NOT EDIT.
// This is a simple stub for github.com/go-jose/go-jose/v3, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: github.com/go-jose/go-jose/v3 (exports: JSONWebKey; functions: NewSigner)
// Package go_pkg is a stub of github.com/go-jose/go-jose/v3, generated by depstubber.
package go_pkg
import (
crypto "crypto"
x509 "crypto/x509"
url "net/url"
)
type ContentType string
type Header struct {
KeyID string
JSONWebKey *JSONWebKey
Algorithm string
Nonce string
ExtraHeaders map[HeaderKey]interface{}
}
func (_ Header) Certificates(_ x509.VerifyOptions) ([][]*x509.Certificate, error) {
return nil, nil
}
type HeaderKey string
type JSONWebKey struct {
Key interface{}
KeyID string
Algorithm string
Use string
Certificates []*x509.Certificate
CertificatesURL *url.URL
CertificateThumbprintSHA1 []byte
CertificateThumbprintSHA256 []byte
}
func (_ JSONWebKey) MarshalJSON() ([]byte, error) {
return nil, nil
}
func (_ *JSONWebKey) IsPublic() bool {
return false
}
func (_ *JSONWebKey) Public() JSONWebKey {
return JSONWebKey{}
}
func (_ *JSONWebKey) Thumbprint(_ crypto.Hash) ([]byte, error) {
return nil, nil
}
func (_ *JSONWebKey) UnmarshalJSON(_ []byte) error {
return nil
}
func (_ *JSONWebKey) Valid() bool {
return false
}
type JSONWebSignature struct {
Signatures []Signature
}
func (_ JSONWebSignature) CompactSerialize() (string, error) {
return "", nil
}
func (_ JSONWebSignature) DetachedCompactSerialize() (string, error) {
return "", nil
}
func (_ JSONWebSignature) DetachedVerify(_ []byte, _ interface{}) error {
return nil
}
func (_ JSONWebSignature) DetachedVerifyMulti(_ []byte, _ interface{}) (int, Signature, error) {
return 0, Signature{}, nil
}
func (_ JSONWebSignature) FullSerialize() string {
return ""
}
func (_ JSONWebSignature) UnsafePayloadWithoutVerification() []byte {
return nil
}
func (_ JSONWebSignature) Verify(_ interface{}) ([]byte, error) {
return nil, nil
}
func (_ JSONWebSignature) VerifyMulti(_ interface{}) (int, Signature, []byte, error) {
return 0, Signature{}, nil, nil
}
func NewSigner(_ SigningKey, _ *SignerOptions) (Signer, error) {
return nil, nil
}
type NonceSource interface {
Nonce() (string, error)
}
type Signature struct {
Header Header
Protected Header
Unprotected Header
Signature []byte
}
type SignatureAlgorithm string
type Signer interface {
Options() SignerOptions
Sign(_ []byte) (*JSONWebSignature, error)
}
type SignerOptions struct {
NonceSource NonceSource
EmbedJWK bool
ExtraHeaders map[HeaderKey]interface{}
}
func (_ *SignerOptions) WithBase64(_ bool) *SignerOptions {
return nil
}
func (_ *SignerOptions) WithContentType(_ ContentType) *SignerOptions {
return nil
}
func (_ *SignerOptions) WithCritical(_ ...string) *SignerOptions {
return nil
}
func (_ *SignerOptions) WithHeader(_ HeaderKey, _ interface{}) *SignerOptions {
return nil
}
func (_ *SignerOptions) WithType(_ ContentType) *SignerOptions {
return nil
}
type SigningKey struct {
Algorithm SignatureAlgorithm
Key interface{}
}


@@ -1,55 +0,0 @@
// Code generated by depstubber. DO NOT EDIT.
// This is a simple stub for github.com/golang-jwt/jwt, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: github.com/golang-jwt/jwt (exports: Parser; functions: )
// Package jwt is a stub of github.com/golang-jwt/jwt, generated by depstubber.
package jwt
type Claims interface {
Valid() error
}
type Keyfunc func(*Token) (interface{}, error)
type Parser struct {
ValidMethods []string
UseJSONNumber bool
SkipClaimsValidation bool
}
func (_ *Parser) Parse(_ string, _ Keyfunc) (*Token, error) {
return nil, nil
}
func (_ *Parser) ParseUnverified(_ string, _ Claims) (*Token, []string, error) {
return nil, nil, nil
}
func (_ *Parser) ParseWithClaims(_ string, _ Claims, _ Keyfunc) (*Token, error) {
return nil, nil
}
type SigningMethod interface {
Alg() string
Sign(_ string, _ interface{}) (string, error)
Verify(_ string, _ string, _ interface{}) error
}
type Token struct {
Raw string
Method SigningMethod
Header map[string]interface{}
Claims Claims
Signature string
Valid bool
}
func (_ *Token) SignedString(_ interface{}) (string, error) {
return "", nil
}
func (_ *Token) SigningString() (string, error) {
return "", nil
}


@@ -1,22 +0,0 @@
// Code generated by depstubber. DO NOT EDIT.
// This is a simple stub for github.com/golang-jwt/jwt/v5/request, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: github.com/golang-jwt/jwt/v5/request (exports: ParseFromRequestOption; functions: ParseFromRequest)
// Package request is a stub of github.com/golang-jwt/jwt/v5/request, generated by depstubber.
package request
import (
http "net/http"
)
type Extractor interface {
ExtractToken(_ *http.Request) (string, error)
}
func ParseFromRequest(_ *http.Request, _ Extractor, _ interface{}, _ ...ParseFromRequestOption) (interface{}, error) {
return nil, nil
}
type ParseFromRequestOption func(interface{})


@@ -2,7 +2,7 @@
// This is a simple stub for github.com/golang-jwt/jwt/v5, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: github.com/golang-jwt/jwt/v5 (exports: Parser,Token; functions: ParseWithClaims)
// Source: github.com/golang-jwt/jwt/v5 (exports: RegisteredClaims,Parser,Token; functions: Parse,ParseWithClaims)
// Package jwt is a stub of github.com/golang-jwt/jwt/v5, generated by depstubber.
package jwt
@@ -216,6 +216,10 @@ func (_ *NumericDate) UnmarshalText(_ []byte) error {
return nil
}
func Parse(_ string, _ Keyfunc, _ ...ParserOption) (*Token, error) {
return nil, nil
}
func ParseWithClaims(_ string, _ Claims, _ Keyfunc, _ ...ParserOption) (*Token, error) {
return nil, nil
}
@@ -240,6 +244,40 @@ func (_ *Parser) ParseWithClaims(_ string, _ Claims, _ Keyfunc) (*Token, error)
type ParserOption func(*Parser)
type RegisteredClaims struct {
Issuer string
Subject string
Audience ClaimStrings
ExpiresAt *NumericDate
NotBefore *NumericDate
IssuedAt *NumericDate
ID string
}
func (_ RegisteredClaims) GetAudience() (ClaimStrings, error) {
return nil, nil
}
func (_ RegisteredClaims) GetExpirationTime() (*NumericDate, error) {
return nil, nil
}
func (_ RegisteredClaims) GetIssuedAt() (*NumericDate, error) {
return nil, nil
}
func (_ RegisteredClaims) GetIssuer() (string, error) {
return "", nil
}
func (_ RegisteredClaims) GetNotBefore() (*NumericDate, error) {
return nil, nil
}
func (_ RegisteredClaims) GetSubject() (string, error) {
return "", nil
}
type SigningMethod interface {
Alg() string
Sign(_ string, _ interface{}) ([]byte, error)


@@ -1,16 +1,32 @@
edges
| go-jose.v3/go-jose.v3.go:27:17:27:38 | call to Param | go-jose.v3/go-jose.v3.go:28:16:28:26 | signedToken |
| go-jose.v3/go-jose.v3.go:28:16:28:26 | signedToken | go-jose.v3/go-jose.v3.go:49:19:49:29 | definition of signedToken |
| go-jose.v3/go-jose.v3.go:49:19:49:29 | definition of signedToken | go-jose.v3/go-jose.v3.go:51:37:51:47 | signedToken |
| go-jose.v3/go-jose.v3.go:51:21:51:48 | call to ParseSigned | go-jose.v3/go-jose.v3.go:53:12:53:23 | DecodedToken |
| go-jose.v3/go-jose.v3.go:51:37:51:47 | signedToken | go-jose.v3/go-jose.v3.go:51:21:51:48 | call to ParseSigned |
| go-jose.v3.go:25:16:25:20 | selection of URL | go-jose.v3.go:25:16:25:28 | call to Query |
| go-jose.v3.go:25:16:25:28 | call to Query | go-jose.v3.go:25:16:25:47 | call to Get |
| go-jose.v3.go:25:16:25:47 | call to Get | go-jose.v3.go:26:15:26:25 | signedToken |
| go-jose.v3.go:26:15:26:25 | signedToken | go-jose.v3.go:29:19:29:29 | definition of signedToken |
| go-jose.v3.go:29:19:29:29 | definition of signedToken | go-jose.v3.go:31:37:31:47 | signedToken |
| go-jose.v3.go:31:21:31:48 | call to ParseSigned | go-jose.v3.go:33:12:33:23 | DecodedToken |
| go-jose.v3.go:31:37:31:47 | signedToken | go-jose.v3.go:31:21:31:48 | call to ParseSigned |
| golang-jwt-v5.go:28:16:28:20 | selection of URL | golang-jwt-v5.go:28:16:28:28 | call to Query |
| golang-jwt-v5.go:28:16:28:28 | call to Query | golang-jwt-v5.go:28:16:28:47 | call to Get |
| golang-jwt-v5.go:28:16:28:47 | call to Get | golang-jwt-v5.go:29:25:29:35 | signedToken |
| golang-jwt-v5.go:29:25:29:35 | signedToken | golang-jwt-v5.go:32:29:32:39 | definition of signedToken |
| golang-jwt-v5.go:32:29:32:39 | definition of signedToken | golang-jwt-v5.go:34:58:34:68 | signedToken |
nodes
| go-jose.v3/go-jose.v3.go:27:17:27:38 | call to Param | semmle.label | call to Param |
| go-jose.v3/go-jose.v3.go:28:16:28:26 | signedToken | semmle.label | signedToken |
| go-jose.v3/go-jose.v3.go:49:19:49:29 | definition of signedToken | semmle.label | definition of signedToken |
| go-jose.v3/go-jose.v3.go:51:21:51:48 | call to ParseSigned | semmle.label | call to ParseSigned |
| go-jose.v3/go-jose.v3.go:51:37:51:47 | signedToken | semmle.label | signedToken |
| go-jose.v3/go-jose.v3.go:53:12:53:23 | DecodedToken | semmle.label | DecodedToken |
| go-jose.v3.go:25:16:25:20 | selection of URL | semmle.label | selection of URL |
| go-jose.v3.go:25:16:25:28 | call to Query | semmle.label | call to Query |
| go-jose.v3.go:25:16:25:47 | call to Get | semmle.label | call to Get |
| go-jose.v3.go:26:15:26:25 | signedToken | semmle.label | signedToken |
| go-jose.v3.go:29:19:29:29 | definition of signedToken | semmle.label | definition of signedToken |
| go-jose.v3.go:31:21:31:48 | call to ParseSigned | semmle.label | call to ParseSigned |
| go-jose.v3.go:31:37:31:47 | signedToken | semmle.label | signedToken |
| go-jose.v3.go:33:12:33:23 | DecodedToken | semmle.label | DecodedToken |
| golang-jwt-v5.go:28:16:28:20 | selection of URL | semmle.label | selection of URL |
| golang-jwt-v5.go:28:16:28:28 | call to Query | semmle.label | call to Query |
| golang-jwt-v5.go:28:16:28:47 | call to Get | semmle.label | call to Get |
| golang-jwt-v5.go:29:25:29:35 | signedToken | semmle.label | signedToken |
| golang-jwt-v5.go:32:29:32:39 | definition of signedToken | semmle.label | definition of signedToken |
| golang-jwt-v5.go:34:58:34:68 | signedToken | semmle.label | signedToken |
subpaths
#select
| go-jose.v3/go-jose.v3.go:53:12:53:23 | DecodedToken | go-jose.v3/go-jose.v3.go:27:17:27:38 | call to Param | go-jose.v3/go-jose.v3.go:53:12:53:23 | DecodedToken | This $@. | go-jose.v3/go-jose.v3.go:27:17:27:38 | call to Param | decode |
| go-jose.v3.go:33:12:33:23 | DecodedToken | go-jose.v3.go:25:16:25:20 | selection of URL | go-jose.v3.go:33:12:33:23 | DecodedToken | This $@. | go-jose.v3.go:25:16:25:20 | selection of URL | decode |
| golang-jwt-v5.go:34:58:34:68 | signedToken | golang-jwt-v5.go:28:16:28:20 | selection of URL | golang-jwt-v5.go:34:58:34:68 | signedToken | This $@. | golang-jwt-v5.go:28:16:28:20 | selection of URL | decode |


@@ -1 +0,0 @@
experimental/CWE-347/NoVerification.ql


@@ -0,0 +1 @@
experimental/CWE-347/ParseJWTWithoutVerification.ql


@@ -0,0 +1,46 @@
package jwt
//go:generate depstubber -vendor github.com/go-jose/go-jose/v3/jwt JSONWebToken ParseSigned
import (
"fmt"
"github.com/go-jose/go-jose/v3/jwt"
"net/http"
)
type CustomerInfo struct {
Name string
ID int
}
var JwtKey = []byte("AllYourBase")
func jose(r *http.Request) {
signedToken := r.URL.Query().Get("signedToken")
// OK: first decode and then verify
notVerifyJWT(signedToken)
verifyJWT(signedToken)
// NOT OK: no verification
signedToken = r.URL.Query().Get("signedToken")
notVerifyJWT(signedToken)
}
func notVerifyJWT(signedToken string) {
fmt.Println("only decoding JWT")
DecodedToken, _ := jwt.ParseSigned(signedToken)
out := CustomerInfo{}
if err := DecodedToken.UnsafeClaimsWithoutVerification(&out); err != nil {
panic(err)
}
fmt.Printf("%v\n", out)
}
func verifyJWT(signedToken string) {
fmt.Println("verifying JWT")
DecodedToken, _ := jwt.ParseSigned(signedToken)
out := CustomerInfo{}
if err := DecodedToken.Claims(JwtKey, &out); err != nil {
panic(err)
}
fmt.Printf("%v\n", out)
}
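Review bot: verifyJWT discards the error from `jwt.ParseSigned` on the line `DecodedToken, _ := jwt.ParseSigned(signedToken)`, so a parse failure presumably leaves DecodedToken nil and the following `DecodedToken.Claims(JwtKey, &out)` dereferences it before any verification has happened; since this function is the fixture's "verified" pattern, checking the error keeps the good example honest: `DecodedToken, err := jwt.ParseSigned(signedToken)` followed by `if err != nil { panic(err) }`. The same discarded error appears in notVerifyJWT, which is fine for the deliberately unverified case but deserves a one-line comment such as `// error deliberately ignored: fixture for the unverified-parse query` so it is not read as part of the pattern under test. The constant key is annotated `// BAD constant key` in the sibling golang-jwt test file on this page but not here; the same label above `var JwtKey = []byte("AllYourBase")` would keep the two fixtures consistent.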


@@ -1,66 +0,0 @@
package main2
import (
"fmt"
"github.com/gin-gonic/gin"
"github.com/go-jose/go-jose/v3"
"github.com/go-jose/go-jose/v3/jwt"
"net/http"
)
type CustomerInfo struct {
Name string
ID int
}
var JwtKey = []byte("AllYourBase")
func main() {
router := gin.Default()
router.GET("/ping", func(c *gin.Context) {
// https://pkg.go.dev/github.com/go-jose/go-jose/v3/jwt
signedToken := c.Param("signedToken")
// GOOD: decode first and then verify
notVerifyJWT(signedToken)
verifyJWT(signedToken)
// Bad: no verification
signedToken = c.Param("signedToken")
notVerifyJWT(signedToken)
c.JSON(http.StatusOK, gin.H{
"message": "pong",
})
})
_ = router.Run()
}
func newToken(unsignedToken string) string {
fmt.Println("Creating new JWT")
signer, _ := jose.NewSigner(jose.SigningKey{Algorithm: jose.HS256, Key: JwtKey}, nil)
raw, err := jwt.Signed(signer).Claims(CustomerInfo{ID: 1, Name: unsignedToken}).CompactSerialize()
if err != nil {
panic(err)
}
fmt.Println(raw)
return raw
}
func notVerifyJWT(signedToken string) {
fmt.Println("only decoding JWT")
DecodedToken, _ := jwt.ParseSigned(signedToken)
out := CustomerInfo{}
if err := DecodedToken.UnsafeClaimsWithoutVerification(&out); err != nil {
panic(err)
}
fmt.Printf("%v\n", out)
}
func verifyJWT(signedToken string) {
fmt.Println("verifying JWT")
DecodedToken, _ := jwt.ParseSigned(signedToken)
out := CustomerInfo{}
if err := DecodedToken.Claims(JwtKey, &out); err != nil {
panic(err)
}
fmt.Printf("%v\n", out)
}


@@ -0,0 +1,54 @@
package jwt
//go:generate depstubber -vendor github.com/golang-jwt/jwt/v5 RegisteredClaims,Parser,Token ParseWithClaims,NewParser
import (
"fmt"
"github.com/golang-jwt/jwt/v5"
"log"
"net/http"
)
type CustomerInfo1 struct {
Name string
ID int
jwt.RegisteredClaims
}
// BAD constant key
var JwtKey1 = []byte("AllYourBase")
func golangjwt(r *http.Request) {
signedToken := r.URL.Query().Get("signedToken")
// OK: first decode and then verify
notVerifyJWT_golangjwt(signedToken)
verifyJWT_golangjwt(signedToken)
// NOT OK: only unverified parse
signedToken = r.URL.Query().Get("signedToken")
notVerifyJWT_golangjwt(signedToken)
}
func notVerifyJWT_golangjwt(signedToken string) {
fmt.Println("only decoding JWT")
DecodedToken, _, err := jwt.NewParser().ParseUnverified(signedToken, &CustomerInfo1{})
if claims, ok := DecodedToken.Claims.(*CustomerInfo1); ok {
fmt.Printf("DecodedToken:%v\n", claims)
} else {
log.Fatal("error", err)
}
}
func LoadJwtKey(token *jwt.Token) (interface{}, error) {
return JwtKey, nil
}
func verifyJWT_golangjwt(signedToken string) {
fmt.Println("verifying JWT")
DecodedToken, err := jwt.ParseWithClaims(signedToken, &CustomerInfo1{}, LoadJwtKey)
if claims, ok := DecodedToken.Claims.(*CustomerInfo1); ok && DecodedToken.Valid {
fmt.Printf("NAME:%v ,ID:%v\n", claims.Name, claims.ID)
} else {
log.Fatal(err)
}
}
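Review bot: LoadJwtKey returns `JwtKey`, which in this `package jwt` resolves to the variable declared in the sibling go-jose test file, while this file's own `JwtKey1` — the one annotated `// BAD constant key` — is never read; `return JwtKey1, nil` ties the key function to the constant the comment is about. The `//go:generate` directive lists `ParseWithClaims,NewParser` as functions, but the regenerated v5 stub header on this page reads `functions: Parse,ParseWithClaims`, so the directive and the committed stub appear to disagree on `Parse` and `NewParser`; if `Parse` is needed by the query's tests the directive should name it, e.g. `RegisteredClaims,Parser,Token Parse,ParseWithClaims,NewParser`, otherwise a future `go generate` could drop it. In verifyJWT_golangjwt, `DecodedToken.Claims` is read before `err` is checked, so a parse failure that yields a nil token would panic ahead of the `DecodedToken.Valid` check; an `if err != nil { log.Fatal(err) }` guard before the type assertion makes the verified path explicit. The underscore-suffixed names `notVerifyJWT_golangjwt` and `verifyJWT_golangjwt` avoid the collision with the go-jose file but break Go's MixedCaps convention; `notVerifyJWTGolangJWT`/`verifyJWTGolangJWT`, or separate packages per fixture, would read more idiomatically.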


@@ -1,78 +0,0 @@
package main
import (
"fmt"
"github.com/gin-gonic/gin"
"github.com/golang-jwt/jwt/v5"
"log"
"net/http"
"os"
)
type CustomerInfo struct {
Name string
ID int
jwt.RegisteredClaims
}
// BAD constant key
var JwtKey = []byte("AllYourBase")
func main() {
router := gin.Default()
router.GET("/ping", func(c *gin.Context) {
// https://pkg.go.dev/github.com/go-jose/go-jose/v3/jwt
var unsignedToken = c.Param("customerName")
signedToken := newToken(unsignedToken)
signedToken = c.Param("signedToken")
// GOOD
verifyJWT(signedToken)
notVerifyJWT(signedToken)
// BAD only unverified parse
signedToken = c.Param("signedToken")
notVerifyJWT(signedToken)
c.JSON(http.StatusOK, gin.H{
"message": "pong",
})
})
_ = router.Run()
}
func newToken(unsignedToken string) string {
fmt.Println("Signing JWT")
signer := jwt.GetSigningMethod(jwt.SigningMethodHS256.Alg())
claims := CustomerInfo{ID: 1, Name: unsignedToken}
signedToken, err := jwt.NewWithClaims(signer, claims).SignedString(JwtKey)
signedToken2, err := jwt.New(signer).SignedString(JwtKey)
if err != nil {
fmt.Println(err)
os.Exit(1)
}
fmt.Println(signedToken)
fmt.Println(signedToken2)
return signedToken
}
func notVerifyJWT(signedToken string) {
fmt.Println("only decoding JWT")
DecodedToken, _, err := jwt.NewParser().ParseUnverified(signedToken, &CustomerInfo{})
if claims, ok := DecodedToken.Claims.(*CustomerInfo); ok {
fmt.Printf("DecodedToken:%v\n", claims)
} else {
log.Fatal("error", err)
}
}
func LoadJwtKey(token *jwt.Token) (interface{}, error) {
return JwtKey, nil
}
func verifyJWT(signedToken string) {
fmt.Println("verifying JWT")
DecodedToken, err := jwt.ParseWithClaims(signedToken, &CustomerInfo{}, LoadJwtKey)
if claims, ok := DecodedToken.Claims.(*CustomerInfo); ok && DecodedToken.Valid {
fmt.Printf("NAME:%v ,ID:%v\n", claims.Name, claims.ID)
} else {
log.Fatal(err)
}
}


@@ -1,22 +0,0 @@
// Code generated by depstubber. DO NOT EDIT.
// This is a simple stub for github.com/dgrijalva/jwt-go/request, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: github.com/dgrijalva/jwt-go/request (exports: ParseFromRequestOption; functions: ParseFromRequest)
// Package request is a stub of github.com/dgrijalva/jwt-go/request, generated by depstubber.
package request
import (
http "net/http"
)
type Extractor interface {
ExtractToken(_ *http.Request) (string, error)
}
func ParseFromRequest(_ *http.Request, _ Extractor, _ interface{}, _ ...ParseFromRequestOption) (interface{}, error) {
return nil, nil
}
type ParseFromRequestOption func(interface{})


@@ -1,80 +0,0 @@
// Code generated by depstubber. DO NOT EDIT.
// This is a simple stub for github.com/dgrijalva/jwt-go, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: github.com/dgrijalva/jwt-go (exports: Parser,Token; functions: ParseECPrivateKeyFromPEM,ParseECPublicKeyFromPEM,ParseRSAPrivateKeyFromPEM,ParseRSAPrivateKeyFromPEMWithPassword,ParseRSAPublicKeyFromPEM)
// Package jwt is a stub of github.com/dgrijalva/jwt-go, generated by depstubber.
package jwt
import (
ecdsa "crypto/ecdsa"
rsa "crypto/rsa"
)
type Claims interface {
Valid() error
}
type Keyfunc func(*Token) (interface{}, error)
func ParseECPrivateKeyFromPEM(_ []byte) (*ecdsa.PrivateKey, error) {
return nil, nil
}
func ParseECPublicKeyFromPEM(_ []byte) (*ecdsa.PublicKey, error) {
return nil, nil
}
func ParseRSAPrivateKeyFromPEM(_ []byte) (*rsa.PrivateKey, error) {
return nil, nil
}
func ParseRSAPrivateKeyFromPEMWithPassword(_ []byte, _ string) (*rsa.PrivateKey, error) {
return nil, nil
}
func ParseRSAPublicKeyFromPEM(_ []byte) (*rsa.PublicKey, error) {
return nil, nil
}
type Parser struct {
ValidMethods []string
UseJSONNumber bool
SkipClaimsValidation bool
}
func (_ *Parser) Parse(_ string, _ Keyfunc) (*Token, error) {
return nil, nil
}
func (_ *Parser) ParseUnverified(_ string, _ Claims) (*Token, []string, error) {
return nil, nil, nil
}
func (_ *Parser) ParseWithClaims(_ string, _ Claims, _ Keyfunc) (*Token, error) {
return nil, nil
}
type SigningMethod interface {
Alg() string
Sign(_ string, _ interface{}) (string, error)
Verify(_ string, _ string, _ interface{}) error
}
type Token struct {
Raw string
Method SigningMethod
Header map[string]interface{}
Claims Claims
Signature string
Valid bool
}
func (_ *Token) SignedString(_ interface{}) (string, error) {
return "", nil
}
func (_ *Token) SigningString() (string, error) {
return "", nil
}


@@ -1,22 +0,0 @@
// Code generated by depstubber. DO NOT EDIT.
// This is a simple stub for github.com/dgrijalva/jwt-go/v4/request, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: github.com/dgrijalva/jwt-go/v4/request (exports: ParseFromRequestOption; functions: ParseFromRequest)
// Package request is a stub of github.com/dgrijalva/jwt-go/v4/request, generated by depstubber.
package request
import (
http "net/http"
)
type Extractor interface {
ExtractToken(_ *http.Request) (string, error)
}
func ParseFromRequest(_ *http.Request, _ Extractor, _ interface{}, _ ...ParseFromRequestOption) (interface{}, error) {
return nil, nil
}
type ParseFromRequestOption func(interface{})


@@ -1,337 +0,0 @@
// Code generated by depstubber. DO NOT EDIT.
// This is a simple stub for github.com/dgrijalva/jwt-go/v4, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: github.com/dgrijalva/jwt-go/v4 (exports: Parser,Token; functions: ParseECPrivateKeyFromPEM,ParseECPublicKeyFromPEM,ParseRSAPrivateKeyFromPEM,ParseRSAPrivateKeyFromPEMWithPassword,ParseRSAPublicKeyFromPEM)
// Package jwt is a stub of github.com/dgrijalva/jwt-go/v4, generated by depstubber.
package jwt
import (
ecdsa "crypto/ecdsa"
rsa "crypto/rsa"
time "time"
)
type ClaimStrings []string
func (_ *ClaimStrings) UnmarshalJSON(_ []byte) error {
return nil
}
type Claims interface {
Valid(_ *ValidationHelper) error
}
type Keyfunc func(*Token) (interface{}, error)
func ParseECPrivateKeyFromPEM(_ []byte) (*ecdsa.PrivateKey, error) {
return nil, nil
}
func ParseECPublicKeyFromPEM(_ []byte) (*ecdsa.PublicKey, error) {
return nil, nil
}
func ParseRSAPrivateKeyFromPEM(_ []byte) (*rsa.PrivateKey, error) {
return nil, nil
}
func ParseRSAPrivateKeyFromPEMWithPassword(_ []byte, _ string) (*rsa.PrivateKey, error) {
return nil, nil
}
func ParseRSAPublicKeyFromPEM(_ []byte) (*rsa.PublicKey, error) {
return nil, nil
}
type Parser struct {
ValidationHelper *ValidationHelper
}
func (_ Parser) After(_ time.Time) bool {
return false
}
func (_ Parser) Before(_ time.Time) bool {
return false
}
func (_ Parser) ValidateAudience(_ ClaimStrings) error {
return nil
}
func (_ Parser) ValidateAudienceAgainst(_ ClaimStrings, _ string) error {
return nil
}
func (_ Parser) ValidateExpiresAt(_ *Time) error {
return nil
}
func (_ Parser) ValidateIssuer(_ string) error {
return nil
}
func (_ Parser) ValidateIssuerAgainst(_ string, _ string) error {
return nil
}
func (_ Parser) ValidateNotBefore(_ *Time) error {
return nil
}
func (_ *Parser) Parse(_ string, _ Keyfunc) (*Token, error) {
return nil, nil
}
func (_ *Parser) ParseUnverified(_ string, _ Claims) (*Token, []string, error) {
return nil, nil, nil
}
func (_ *Parser) ParseWithClaims(_ string, _ Claims, _ Keyfunc) (*Token, error) {
return nil, nil
}
type SigningMethod interface {
Alg() string
Sign(_ string, _ interface{}) (string, error)
Verify(_ string, _ string, _ interface{}) error
}
type SigningOption func(interface{})
type Time struct {
Time time.Time
}
func (_ Time) Add(_ time.Duration) time.Time {
return time.Time{}
}
func (_ Time) AddDate(_ int, _ int, _ int) time.Time {
return time.Time{}
}
func (_ Time) After(_ time.Time) bool {
return false
}
func (_ Time) AppendFormat(_ []byte, _ string) []byte {
return nil
}
func (_ Time) Before(_ time.Time) bool {
return false
}
func (_ Time) Clock() (int, int, int) {
return 0, 0, 0
}
func (_ Time) Compare(_ time.Time) int {
return 0
}
func (_ Time) Date() (int, time.Month, int) {
return 0, 0, 0
}
func (_ Time) Day() int {
return 0
}
func (_ Time) Equal(_ time.Time) bool {
return false
}
func (_ Time) Format(_ string) string {
return ""
}
func (_ Time) GoString() string {
return ""
}
func (_ Time) GobEncode() ([]byte, error) {
return nil, nil
}
func (_ Time) Hour() int {
return 0
}
func (_ Time) ISOWeek() (int, int) {
return 0, 0
}
func (_ Time) In(_ *time.Location) time.Time {
return time.Time{}
}
func (_ Time) IsDST() bool {
return false
}
func (_ Time) IsZero() bool {
return false
}
func (_ Time) Local() time.Time {
return time.Time{}
}
func (_ Time) Location() *time.Location {
return nil
}
func (_ Time) MarshalBinary() ([]byte, error) {
return nil, nil
}
func (_ Time) MarshalText() ([]byte, error) {
return nil, nil
}
func (_ Time) Minute() int {
return 0
}
func (_ Time) Month() time.Month {
return 0
}
func (_ Time) Nanosecond() int {
return 0
}
func (_ Time) Round(_ time.Duration) time.Time {
return time.Time{}
}
func (_ Time) Second() int {
return 0
}
func (_ Time) String() string {
return ""
}
func (_ Time) Sub(_ time.Time) time.Duration {
return 0
}
func (_ Time) Truncate(_ time.Duration) time.Time {
return time.Time{}
}
func (_ Time) UTC() time.Time {
return time.Time{}
}
func (_ Time) Unix() int64 {
return 0
}
func (_ Time) UnixMicro() int64 {
return 0
}
func (_ Time) UnixMilli() int64 {
return 0
}
func (_ Time) UnixNano() int64 {
return 0
}
func (_ Time) Weekday() time.Weekday {
return 0
}
func (_ Time) Year() int {
return 0
}
func (_ Time) YearDay() int {
return 0
}
func (_ Time) Zone() (string, int) {
return "", 0
}
func (_ Time) ZoneBounds() (time.Time, time.Time) {
return time.Time{}, time.Time{}
}
func (_ *Time) GobDecode(_ []byte) error {
return nil
}
func (_ *Time) MarshalJSON() ([]byte, error) {
return nil, nil
}
func (_ *Time) UnmarshalBinary(_ []byte) error {
return nil
}
func (_ *Time) UnmarshalJSON(_ []byte) error {
return nil
}
func (_ *Time) UnmarshalText(_ []byte) error {
return nil
}
type Token struct {
Raw string
Method SigningMethod
Header map[string]interface{}
Claims Claims
Signature string
Valid bool
}
func (_ *Token) SignedString(_ interface{}, _ ...SigningOption) (string, error) {
return "", nil
}
func (_ *Token) SigningString(_ ...SigningOption) (string, error) {
return "", nil
}
type ValidationHelper struct{}
func (_ *ValidationHelper) After(_ time.Time) bool {
return false
}
func (_ *ValidationHelper) Before(_ time.Time) bool {
return false
}
func (_ *ValidationHelper) ValidateAudience(_ ClaimStrings) error {
return nil
}
func (_ *ValidationHelper) ValidateAudienceAgainst(_ ClaimStrings, _ string) error {
return nil
}
func (_ *ValidationHelper) ValidateExpiresAt(_ *Time) error {
return nil
}
func (_ *ValidationHelper) ValidateIssuer(_ string) error {
return nil
}
func (_ *ValidationHelper) ValidateIssuerAgainst(_ string, _ string) error {
return nil
}
func (_ *ValidationHelper) ValidateNotBefore(_ *Time) error {
return nil
}


@@ -1,465 +0,0 @@
// Code generated by depstubber. DO NOT EDIT.
// This is a simple stub for github.com/gin-gonic/gin, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: github.com/gin-gonic/gin (exports: Context; functions: )
// Package gin is a stub of github.com/gin-gonic/gin, generated by depstubber.
package gin
import (
bufio "bufio"
io "io"
multipart "mime/multipart"
net "net"
http "net/http"
time "time"
)
type Context struct {
Request *http.Request
Writer ResponseWriter
Params Params
Keys map[string]interface{}
Errors interface{}
Accepted []string
}
func (_ *Context) Abort() {}
func (_ *Context) AbortWithError(_ int, _ error) *Error {
return nil
}
func (_ *Context) AbortWithStatus(_ int) {}
func (_ *Context) AbortWithStatusJSON(_ int, _ interface{}) {}
func (_ *Context) AddParam(_ string, _ string) {}
func (_ *Context) AsciiJSON(_ int, _ interface{}) {}
func (_ *Context) Bind(_ interface{}) error {
return nil
}
func (_ *Context) BindHeader(_ interface{}) error {
return nil
}
func (_ *Context) BindJSON(_ interface{}) error {
return nil
}
func (_ *Context) BindQuery(_ interface{}) error {
return nil
}
func (_ *Context) BindTOML(_ interface{}) error {
return nil
}
func (_ *Context) BindUri(_ interface{}) error {
return nil
}
func (_ *Context) BindWith(_ interface{}, _ interface{}) error {
return nil
}
func (_ *Context) BindXML(_ interface{}) error {
return nil
}
func (_ *Context) BindYAML(_ interface{}) error {
return nil
}
func (_ *Context) ClientIP() string {
return ""
}
func (_ *Context) ContentType() string {
return ""
}
func (_ *Context) Cookie(_ string) (string, error) {
return "", nil
}
func (_ *Context) Copy() *Context {
return nil
}
func (_ *Context) Data(_ int, _ string, _ []byte) {}
func (_ *Context) DataFromReader(_ int, _ int64, _ string, _ io.Reader, _ map[string]string) {}
func (_ *Context) Deadline() (time.Time, bool) {
return time.Time{}, false
}
func (_ *Context) DefaultPostForm(_ string, _ string) string {
return ""
}
func (_ *Context) DefaultQuery(_ string, _ string) string {
return ""
}
func (_ *Context) Done() <-chan struct{} {
return nil
}
func (_ *Context) Err() error {
return nil
}
func (_ *Context) Error(_ error) *Error {
return nil
}
func (_ *Context) File(_ string) {}
func (_ *Context) FileAttachment(_ string, _ string) {}
func (_ *Context) FileFromFS(_ string, _ http.FileSystem) {}
func (_ *Context) FormFile(_ string) (*multipart.FileHeader, error) {
return nil, nil
}
func (_ *Context) FullPath() string {
return ""
}
func (_ *Context) Get(_ string) (interface{}, bool) {
return nil, false
}
func (_ *Context) GetBool(_ string) bool {
return false
}
func (_ *Context) GetDuration(_ string) time.Duration {
return 0
}
func (_ *Context) GetFloat64(_ string) float64 {
return 0
}
func (_ *Context) GetHeader(_ string) string {
return ""
}
func (_ *Context) GetInt(_ string) int {
return 0
}
func (_ *Context) GetInt64(_ string) int64 {
return 0
}
func (_ *Context) GetPostForm(_ string) (string, bool) {
return "", false
}
func (_ *Context) GetPostFormArray(_ string) ([]string, bool) {
return nil, false
}
func (_ *Context) GetPostFormMap(_ string) (map[string]string, bool) {
return nil, false
}
func (_ *Context) GetQuery(_ string) (string, bool) {
return "", false
}
func (_ *Context) GetQueryArray(_ string) ([]string, bool) {
return nil, false
}
func (_ *Context) GetQueryMap(_ string) (map[string]string, bool) {
return nil, false
}
func (_ *Context) GetRawData() ([]byte, error) {
return nil, nil
}
func (_ *Context) GetString(_ string) string {
return ""
}
func (_ *Context) GetStringMap(_ string) map[string]interface{} {
return nil
}
func (_ *Context) GetStringMapString(_ string) map[string]string {
return nil
}
func (_ *Context) GetStringMapStringSlice(_ string) map[string][]string {
return nil
}
func (_ *Context) GetStringSlice(_ string) []string {
return nil
}
func (_ *Context) GetTime(_ string) time.Time {
return time.Time{}
}
func (_ *Context) GetUint(_ string) uint {
return 0
}
func (_ *Context) GetUint64(_ string) uint64 {
return 0
}
func (_ *Context) HTML(_ int, _ string, _ interface{}) {}
func (_ *Context) Handler() HandlerFunc {
return nil
}
func (_ *Context) HandlerName() string {
return ""
}
func (_ *Context) HandlerNames() []string {
return nil
}
func (_ *Context) Header(_ string, _ string) {}
func (_ *Context) IndentedJSON(_ int, _ interface{}) {}
func (_ *Context) IsAborted() bool {
return false
}
func (_ *Context) IsWebsocket() bool {
return false
}
func (_ *Context) JSON(_ int, _ interface{}) {}
func (_ *Context) JSONP(_ int, _ interface{}) {}
func (_ *Context) MultipartForm() (*multipart.Form, error) {
return nil, nil
}
func (_ *Context) MustBindWith(_ interface{}, _ interface{}) error {
return nil
}
func (_ *Context) MustGet(_ string) interface{} {
return nil
}
func (_ *Context) Negotiate(_ int, _ Negotiate) {}
func (_ *Context) NegotiateFormat(_ ...string) string {
return ""
}
func (_ *Context) Next() {}
func (_ *Context) Param(_ string) string {
return ""
}
func (_ *Context) PostForm(_ string) string {
return ""
}
func (_ *Context) PostFormArray(_ string) []string {
return nil
}
func (_ *Context) PostFormMap(_ string) map[string]string {
return nil
}
func (_ *Context) ProtoBuf(_ int, _ interface{}) {}
func (_ *Context) PureJSON(_ int, _ interface{}) {}
func (_ *Context) Query(_ string) string {
return ""
}
func (_ *Context) QueryArray(_ string) []string {
return nil
}
func (_ *Context) QueryMap(_ string) map[string]string {
return nil
}
func (_ *Context) Redirect(_ int, _ string) {}
func (_ *Context) RemoteIP() string {
return ""
}
func (_ *Context) Render(_ int, _ interface{}) {}
func (_ *Context) SSEvent(_ string, _ interface{}) {}
func (_ *Context) SaveUploadedFile(_ *multipart.FileHeader, _ string) error {
return nil
}
func (_ *Context) SecureJSON(_ int, _ interface{}) {}
func (_ *Context) Set(_ string, _ interface{}) {}
func (_ *Context) SetAccepted(_ ...string) {}
func (_ *Context) SetCookie(_ string, _ string, _ int, _ string, _ string, _ bool, _ bool) {}
func (_ *Context) SetSameSite(_ http.SameSite) {}
func (_ *Context) ShouldBind(_ interface{}) error {
return nil
}
func (_ *Context) ShouldBindBodyWith(_ interface{}, _ interface{}) error {
return nil
}
func (_ *Context) ShouldBindHeader(_ interface{}) error {
return nil
}
func (_ *Context) ShouldBindJSON(_ interface{}) error {
return nil
}
func (_ *Context) ShouldBindQuery(_ interface{}) error {
return nil
}
func (_ *Context) ShouldBindTOML(_ interface{}) error {
return nil
}
func (_ *Context) ShouldBindUri(_ interface{}) error {
return nil
}
func (_ *Context) ShouldBindWith(_ interface{}, _ interface{}) error {
return nil
}
func (_ *Context) ShouldBindXML(_ interface{}) error {
return nil
}
func (_ *Context) ShouldBindYAML(_ interface{}) error {
return nil
}
func (_ *Context) Status(_ int) {}
func (_ *Context) Stream(_ func(io.Writer) bool) bool {
return false
}
func (_ *Context) String(_ int, _ string, _ ...interface{}) {}
func (_ *Context) TOML(_ int, _ interface{}) {}
func (_ *Context) Value(_ interface{}) interface{} {
return nil
}
func (_ *Context) XML(_ int, _ interface{}) {}
func (_ *Context) YAML(_ int, _ interface{}) {}
type Error struct {
Err error
Type ErrorType
Meta interface{}
}
func (_ Error) Error() string {
return ""
}
func (_ *Error) IsType(_ ErrorType) bool {
return false
}
func (_ *Error) JSON() interface{} {
return nil
}
func (_ *Error) MarshalJSON() ([]byte, error) {
return nil, nil
}
func (_ *Error) SetMeta(_ interface{}) *Error {
return nil
}
func (_ *Error) SetType(_ ErrorType) *Error {
return nil
}
func (_ *Error) Unwrap() error {
return nil
}
type ErrorType uint64
type HandlerFunc func(*Context)
type Negotiate struct {
Offered []string
HTMLName string
HTMLData interface{}
JSONData interface{}
XMLData interface{}
YAMLData interface{}
Data interface{}
TOMLData interface{}
}
type Param struct {
Key string
Value string
}
type Params []Param
func (_ Params) ByName(_ string) string {
return ""
}
func (_ Params) Get(_ string) (string, bool) {
return "", false
}
type ResponseWriter interface {
CloseNotify() <-chan bool
Flush()
Header() http.Header
Hijack() (net.Conn, *bufio.ReadWriter, error)
Pusher() http.Pusher
Size() int
Status() int
Write(_ []byte) (int, error)
WriteHeader(_ int)
WriteHeaderNow()
WriteString(_ string) (int, error)
Written() bool
}


@@ -2,7 +2,7 @@
// This is a simple stub for github.com/go-jose/go-jose/v3/jwt, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: github.com/go-jose/go-jose/v3/jwt (exports: JSONWebToken; functions: ParseEncrypted,ParseSigned)
// Source: github.com/go-jose/go-jose/v3/jwt (exports: JSONWebToken; functions: ParseSigned)
// Package jwt is a stub of github.com/go-jose/go-jose/v3/jwt, generated by depstubber.
package jwt
@@ -19,10 +19,6 @@ func (_ *JSONWebToken) UnsafeClaimsWithoutVerification(_ ...interface{}) error {
return nil
}
func ParseEncrypted(_ string) (*JSONWebToken, error) {
return nil, nil
}
func ParseSigned(_ string) (*JSONWebToken, error) {
return nil, nil
}


@@ -1,154 +0,0 @@
// Code generated by depstubber. DO NOT EDIT.
// This is a simple stub for github.com/go-jose/go-jose/v3, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: github.com/go-jose/go-jose/v3 (exports: JSONWebKey; functions: NewSigner)
// Package go_pkg is a stub of github.com/go-jose/go-jose/v3, generated by depstubber.
package go_pkg
import (
crypto "crypto"
x509 "crypto/x509"
url "net/url"
)
type ContentType string
type Header struct {
KeyID string
JSONWebKey *JSONWebKey
Algorithm string
Nonce string
ExtraHeaders map[HeaderKey]interface{}
}
func (_ Header) Certificates(_ x509.VerifyOptions) ([][]*x509.Certificate, error) {
return nil, nil
}
type HeaderKey string
type JSONWebKey struct {
Key interface{}
KeyID string
Algorithm string
Use string
Certificates []*x509.Certificate
CertificatesURL *url.URL
CertificateThumbprintSHA1 []byte
CertificateThumbprintSHA256 []byte
}
func (_ JSONWebKey) MarshalJSON() ([]byte, error) {
return nil, nil
}
func (_ *JSONWebKey) IsPublic() bool {
return false
}
func (_ *JSONWebKey) Public() JSONWebKey {
return JSONWebKey{}
}
func (_ *JSONWebKey) Thumbprint(_ crypto.Hash) ([]byte, error) {
return nil, nil
}
func (_ *JSONWebKey) UnmarshalJSON(_ []byte) error {
return nil
}
func (_ *JSONWebKey) Valid() bool {
return false
}
type JSONWebSignature struct {
Signatures []Signature
}
func (_ JSONWebSignature) CompactSerialize() (string, error) {
return "", nil
}
func (_ JSONWebSignature) DetachedCompactSerialize() (string, error) {
return "", nil
}
func (_ JSONWebSignature) DetachedVerify(_ []byte, _ interface{}) error {
return nil
}
func (_ JSONWebSignature) DetachedVerifyMulti(_ []byte, _ interface{}) (int, Signature, error) {
return 0, Signature{}, nil
}
func (_ JSONWebSignature) FullSerialize() string {
return ""
}
func (_ JSONWebSignature) UnsafePayloadWithoutVerification() []byte {
return nil
}
func (_ JSONWebSignature) Verify(_ interface{}) ([]byte, error) {
return nil, nil
}
func (_ JSONWebSignature) VerifyMulti(_ interface{}) (int, Signature, []byte, error) {
return 0, Signature{}, nil, nil
}
func NewSigner(_ SigningKey, _ *SignerOptions) (Signer, error) {
return nil, nil
}
type NonceSource interface {
Nonce() (string, error)
}
type Signature struct {
Header Header
Protected Header
Unprotected Header
Signature []byte
}
type SignatureAlgorithm string
type Signer interface {
Options() SignerOptions
Sign(_ []byte) (*JSONWebSignature, error)
}
type SignerOptions struct {
NonceSource NonceSource
EmbedJWK bool
ExtraHeaders map[HeaderKey]interface{}
}
func (_ *SignerOptions) WithBase64(_ bool) *SignerOptions {
return nil
}
func (_ *SignerOptions) WithContentType(_ ContentType) *SignerOptions {
return nil
}
func (_ *SignerOptions) WithCritical(_ ...string) *SignerOptions {
return nil
}
func (_ *SignerOptions) WithHeader(_ HeaderKey, _ interface{}) *SignerOptions {
return nil
}
func (_ *SignerOptions) WithType(_ ContentType) *SignerOptions {
return nil
}
type SigningKey struct {
Algorithm SignatureAlgorithm
Key interface{}
}


@@ -1,22 +0,0 @@
// Code generated by depstubber. DO NOT EDIT.
// This is a simple stub for github.com/golang-jwt/jwt/request, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: github.com/golang-jwt/jwt/request (exports: ParseFromRequestOption; functions: ParseFromRequest)
// Package request is a stub of github.com/golang-jwt/jwt/request, generated by depstubber.
package request
import (
http "net/http"
)
type Extractor interface {
ExtractToken(_ *http.Request) (string, error)
}
func ParseFromRequest(_ *http.Request, _ Extractor, _ interface{}, _ ...ParseFromRequestOption) (interface{}, error) {
return nil, nil
}
type ParseFromRequestOption func(interface{})


@@ -1,55 +0,0 @@
// Code generated by depstubber. DO NOT EDIT.
// This is a simple stub for github.com/golang-jwt/jwt, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: github.com/golang-jwt/jwt (exports: Parser; functions: )
// Package jwt is a stub of github.com/golang-jwt/jwt, generated by depstubber.
package jwt
type Claims interface {
Valid() error
}
type Keyfunc func(*Token) (interface{}, error)
type Parser struct {
ValidMethods []string
UseJSONNumber bool
SkipClaimsValidation bool
}
func (_ *Parser) Parse(_ string, _ Keyfunc) (*Token, error) {
return nil, nil
}
func (_ *Parser) ParseUnverified(_ string, _ Claims) (*Token, []string, error) {
return nil, nil, nil
}
func (_ *Parser) ParseWithClaims(_ string, _ Claims, _ Keyfunc) (*Token, error) {
return nil, nil
}
type SigningMethod interface {
Alg() string
Sign(_ string, _ interface{}) (string, error)
Verify(_ string, _ string, _ interface{}) error
}
type Token struct {
Raw string
Method SigningMethod
Header map[string]interface{}
Claims Claims
Signature string
Valid bool
}
func (_ *Token) SignedString(_ interface{}) (string, error) {
return "", nil
}
func (_ *Token) SigningString() (string, error) {
return "", nil
}


@@ -1,22 +0,0 @@
// Code generated by depstubber. DO NOT EDIT.
// This is a simple stub for github.com/golang-jwt/jwt/v4/request, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: github.com/golang-jwt/jwt/v4/request (exports: ParseFromRequestOption; functions: ParseFromRequest)
// Package request is a stub of github.com/golang-jwt/jwt/v4/request, generated by depstubber.
package request
import (
http "net/http"
)
type Extractor interface {
ExtractToken(_ *http.Request) (string, error)
}
func ParseFromRequest(_ *http.Request, _ Extractor, _ interface{}, _ ...ParseFromRequestOption) (interface{}, error) {
return nil, nil
}
type ParseFromRequestOption func(interface{})


@@ -1,97 +0,0 @@
// Code generated by depstubber. DO NOT EDIT.
// This is a simple stub for github.com/golang-jwt/jwt/v4, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: github.com/golang-jwt/jwt/v4 (exports: Parser,Token; functions: Parse,ParseWithClaims,ParseECPrivateKeyFromPEM,ParseECPublicKeyFromPEM,ParseEdPrivateKeyFromPEM,ParseEdPublicKeyFromPEM,ParseRSAPrivateKeyFromPEM,ParseRSAPublicKeyFromPEM,RegisterSigningMethod)
// Package jwt is a stub of github.com/golang-jwt/jwt/v4, generated by depstubber.
package jwt
import (
crypto "crypto"
ecdsa "crypto/ecdsa"
rsa "crypto/rsa"
)
type Claims interface {
Valid() error
}
type Keyfunc func(*Token) (interface{}, error)
func Parse(_ string, _ Keyfunc, _ ...ParserOption) (*Token, error) {
return nil, nil
}
func ParseECPrivateKeyFromPEM(_ []byte) (*ecdsa.PrivateKey, error) {
return nil, nil
}
func ParseECPublicKeyFromPEM(_ []byte) (*ecdsa.PublicKey, error) {
return nil, nil
}
func ParseEdPrivateKeyFromPEM(_ []byte) (crypto.PrivateKey, error) {
return nil, nil
}
func ParseEdPublicKeyFromPEM(_ []byte) (crypto.PublicKey, error) {
return nil, nil
}
func ParseRSAPrivateKeyFromPEM(_ []byte) (*rsa.PrivateKey, error) {
return nil, nil
}
func ParseRSAPublicKeyFromPEM(_ []byte) (*rsa.PublicKey, error) {
return nil, nil
}
func ParseWithClaims(_ string, _ Claims, _ Keyfunc, _ ...ParserOption) (*Token, error) {
return nil, nil
}
type Parser struct {
ValidMethods []string
UseJSONNumber bool
SkipClaimsValidation bool
}
func (_ *Parser) Parse(_ string, _ Keyfunc) (*Token, error) {
return nil, nil
}
func (_ *Parser) ParseUnverified(_ string, _ Claims) (*Token, []string, error) {
return nil, nil, nil
}
func (_ *Parser) ParseWithClaims(_ string, _ Claims, _ Keyfunc) (*Token, error) {
return nil, nil
}
type ParserOption func(*Parser)
func RegisterSigningMethod(_ string, _ func() SigningMethod) {}
type SigningMethod interface {
Alg() string
Sign(_ string, _ interface{}) (string, error)
Verify(_ string, _ string, _ interface{}) error
}
type Token struct {
Raw string
Method SigningMethod
Header map[string]interface{}
Claims Claims
Signature string
Valid bool
}
func (_ *Token) SignedString(_ interface{}) (string, error) {
return "", nil
}
func (_ *Token) SigningString() (string, error) {
return "", nil
}


@@ -1,22 +0,0 @@
// Code generated by depstubber. DO NOT EDIT.
// This is a simple stub for github.com/golang-jwt/jwt/v5/request, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: github.com/golang-jwt/jwt/v5/request (exports: ParseFromRequestOption; functions: ParseFromRequest)
// Package request is a stub of github.com/golang-jwt/jwt/v5/request, generated by depstubber.
package request
import (
http "net/http"
)
type Extractor interface {
ExtractToken(_ *http.Request) (string, error)
}
func ParseFromRequest(_ *http.Request, _ Extractor, _ interface{}, _ ...ParseFromRequestOption) (interface{}, error) {
return nil, nil
}
type ParseFromRequestOption func(interface{})


@@ -2,7 +2,7 @@
// This is a simple stub for github.com/golang-jwt/jwt/v5, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: github.com/golang-jwt/jwt/v5 (exports: Parser; functions: )
// Source: github.com/golang-jwt/jwt/v5 (exports: RegisteredClaims,Parser,Token; functions: ParseWithClaims,NewParser)
// Package jwt is a stub of github.com/golang-jwt/jwt/v5, generated by depstubber.
package jwt
@@ -32,6 +32,10 @@ type Claims interface {
type Keyfunc func(*Token) (interface{}, error)
func NewParser(_ ...ParserOption) *Parser {
return nil
}
type NumericDate struct {
Time time.Time
}
@@ -216,6 +220,10 @@ func (_ *NumericDate) UnmarshalText(_ []byte) error {
return nil
}
func ParseWithClaims(_ string, _ Claims, _ Keyfunc, _ ...ParserOption) (*Token, error) {
return nil, nil
}
type Parser struct{}
func (_ *Parser) DecodeSegment(_ string) ([]byte, error) {
@@ -234,6 +242,42 @@ func (_ *Parser) ParseWithClaims(_ string, _ Claims, _ Keyfunc) (*Token, error)
return nil, nil
}
type ParserOption func(*Parser)
type RegisteredClaims struct {
Issuer string
Subject string
Audience ClaimStrings
ExpiresAt *NumericDate
NotBefore *NumericDate
IssuedAt *NumericDate
ID string
}
func (_ RegisteredClaims) GetAudience() (ClaimStrings, error) {
return nil, nil
}
func (_ RegisteredClaims) GetExpirationTime() (*NumericDate, error) {
return nil, nil
}
func (_ RegisteredClaims) GetIssuedAt() (*NumericDate, error) {
return nil, nil
}
func (_ RegisteredClaims) GetIssuer() (string, error) {
return "", nil
}
func (_ RegisteredClaims) GetNotBefore() (*NumericDate, error) {
return nil, nil
}
func (_ RegisteredClaims) GetSubject() (string, error) {
return "", nil
}
type SigningMethod interface {
Alg() string
Sign(_ string, _ interface{}) ([]byte, error)


@@ -38,7 +38,7 @@ deprecated class Configuration extends TaintTracking::Configuration {
sink instanceof Sink and
(
state instanceof NotNormalized or
state instanceof NormalizedUnchecked
state instanceof NormalizedUnchecked
)
}