diff --git a/go/ql/lib/semmle/go/security/JWT.qll b/go/ql/lib/semmle/go/security/JWT.qll index ffeed4723a7..239cda4722b 100644 --- a/go/ql/lib/semmle/go/security/JWT.qll +++ b/go/ql/lib/semmle/go/security/JWT.qll 
@@ -1,40 +1,98 @@ import go /** - * A class that contains the following function and method: - * - * func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) - * - * func Parse(tokenString string, keyFunc Keyfunc) + * A abstract class which responsible for parsing a JWT token which the key parameter is a function type */ -class GolangJwtParse extends Function { - GolangJwtParse() { - exists(DataFlow::Function f | - f.hasQualifiedName([ - "github.com/golang-jwt/jwt", "github.com/golang-jwt/jwt/v4", - "github.com/golang-jwt/jwt/v5", "github.com/dgrijalva/jwt-go", - "github.com/dgrijalva/jwt-go/v4", - ], "Parse") - | - this = f - ) +abstract class JwtParseWithKeyFunction extends Function { + /** + * Gets argument number that responsible for a function returning the secret key + */ + abstract int getKeyFuncArgNum(); + + /** + * Gets argument number that responsible for JWT + * + * `-1` means the receiver is a argument node that responsible for JWT. + * In this case, we must declare some additional taint steps. 
+ */ + abstract int getTokenArgNum(); + + /** + * Gets Argument as DataFlow node that responsible for JWT + */ + DataFlow::Node getTokenArg() { + this.getTokenArgNum() != -1 and result = this.getACall().getArgument(this.getTokenArgNum()) or - exists(DataFlow::Method f | - f.hasQualifiedName([ - "github.com/golang-jwt/jwt.Parser", "github.com/golang-jwt/jwt/v4.Parser", - "github.com/golang-jwt/jwt/v5.Parser", "github.com/dgrijalva/jwt-go.Parser", - "github.com/dgrijalva/jwt-go/v4.Parser" - ], "Parse") - | - this = f - ) + this.getTokenArgNum() = -1 and result = this.getACall().getReceiver() } - int getKeyFuncArgNum() { result = 1 } - + /** + * Gets Argument as DataFlow node that responsible for a function returning the secret key + */ DataFlow::Node getKeyFuncArg() { result = this.getACall().getArgument(this.getKeyFuncArgNum()) } } +/** + * A abstract class which responsible for parsing a JWT token which the key parameter can be a string or byte type + */ +abstract class JwtParse extends Function { + /** + * Gets argument number that responsible for secret key + */ + abstract int getKeyArgNum(); + + /** + * Gets argument number that responsible for JWT + * + * `-1` means the receiver is a argument node that responsible for JWT. + * In this case, we must declare some additional taint steps. 
+ */ + abstract int getTokenArgNum(); + + /** + * Gets Argument as DataFlow node that responsible for JWT + */ + DataFlow::Node getTokenArg() { + this.getTokenArgNum() != -1 and result = this.getACall().getArgument(this.getTokenArgNum()) + or + this.getTokenArgNum() = -1 and result = this.getACall().getReceiver() + } + + /** + * Gets Argument as DataFlow node that responsible for secret key + */ + DataFlow::Node getKeyArg() { result = this.getACall().getArgument(this.getKeyArgNum()) } +} + +/** + * A abstract class which responsible for parsing a JWT without verifying it + */ +abstract class JwtUnverifiedParse extends Function { + /** + * Gets argument number that responsible for JWT + * + * `-1` means the receiver is a argument node that responsible for JWT. + * In this case, we must declare some additional taint steps. + */ + abstract int getTokenArgNum(); + + /** + * Gets Argument as DataFlow node that responsible for JWT + */ + DataFlow::Node getTokenNode() { + this.getTokenArgNum() != -1 and result = this.getACall().getArgument(this.getTokenArgNum()) + or + this.getTokenArgNum() = -1 and result = this.getACall().getReceiver() + } +} + +/** + * Gets `github.com/golang-jwt/jwt` and `github.com/dgrijalva/jwt-go`(previous name of `golang-jwt`) JWT packages + */ +string golangJwtPackage() { + result = package(["github.com/golang-jwt/jwt", "github.com/dgrijalva/jwt-go"], "") +} + /** * A class that contains the following function and method: * 
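Review bot: `JwtParseWithKeyFunction`, `JwtParse` and `JwtUnverifiedParse` each re-declare `getTokenArgNum()` and the same receiver-or-argument disjunction, and the third one names the accessor `getTokenNode()` while the other two call it `getTokenArg()`, so the `-1` receiver convention now lives in three places and the inconsistent name will trip up query authors. A single base such as `abstract class JwtTokenParse extends Function { abstract int getTokenArgNum(); DataFlow::Node getTokenArg() { ... } }` that the three classes extend would keep the convention in one place, with `getTokenNode()` renamed to `getTokenArg()`. The doc comments also need tightening: `A abstract class which responsible for parsing a JWT token which the key parameter is a function type` reads better as `An abstract class representing a JWT-parsing function whose key parameter is a key-func callback.`, and `Gets argument number that responsible for ...` as `Gets the index of the argument that holds ...`. This hunk ends inside the doc comment of the next class, which continues in the following hunk.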
@@ -42,15 +100,16 @@ class GolangJwtParse extends Function {
 *
 * func Parse(tokenString string, keyFunc Keyfunc)
 */
-class GolangJwtValidField extends DataFlow::FieldReadNode {
- GolangJwtValidField() {
- this.getField()
- .hasQualifiedName([
- "github.com/golang-jwt/jwt", "github.com/golang-jwt/jwt/v4",
- "github.com/golang-jwt/jwt/v5", "github.com/dgrijalva/jwt-go",
- "github.com/dgrijalva/jwt-go/v4"
- ] + ".Token", "Valid")
+class GolangJwtParse extends JwtParseWithKeyFunction {
+ GolangJwtParse() {
+ exists(Function f | f.hasQualifiedName(golangJwtPackage(), "Parse") | this = f)
+ or
+ exists(Method f | f.hasQualifiedName(golangJwtPackage(), "Parser", "Parse") | this = f)
 }
+
+ override int getKeyFuncArgNum() { result = 1 }
+
+ override int getTokenArgNum() { result = 0 }
 }
 
 /**
@@ -60,32 +119,18 @@ class GolangJwtValidField extends DataFlow::FieldReadNode {
 *
 * func ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc)
 */
-class GolangJwtParseWithClaims extends Function {
+class GolangJwtParseWithClaims extends JwtParseWithKeyFunction {
 GolangJwtParseWithClaims() {
- exists(DataFlow::Function f |
- f.hasQualifiedName([
- "github.com/golang-jwt/jwt", "github.com/golang-jwt/jwt/v4",
- "github.com/golang-jwt/jwt/v5", "github.com/dgrijalva/jwt-go",
- "github.com/dgrijalva/jwt-go/v4"
- ], "ParseWithClaims")
- |
- this = f
- )
+ exists(Function f | f.hasQualifiedName(golangJwtPackage(), "ParseWithClaims") | this = f)
 or
- exists(DataFlow::Method f |
- f.hasQualifiedName([
- "github.com/golang-jwt/jwt.Parser", "github.com/golang-jwt/jwt/v4.Parser",
- "github.com/golang-jwt/jwt/v5.Parser", "github.com/dgrijalva/jwt-go.Parser",
- "github.com/dgrijalva/jwt-go/v4.Parser"
- ], "ParseWithClaims")
- |
+ exists(Method f | f.hasQualifiedName(golangJwtPackage(), "Parser", "ParseWithClaims") |
 this = f
 )
 }
 
- int getKeyFuncArgNum() { result = 2 }
+ override int getKeyFuncArgNum() { result = 2 }
 
- DataFlow::Node getKeyFuncArg() { result = this.getACall().getArgument(this.getKeyFuncArgNum()) }
+ override int getTokenArgNum() { result = 0 }
 }
 
 /**
@@ -93,18 +138,21 @@ class GolangJwtParseWithClaims extends Function {
 *
 * func (p *Parser) ParseUnverified(tokenString string, claims Claims)
 */
-class GolangJwtParseUnverified extends Function {
+class GolangJwtParseUnverified extends JwtUnverifiedParse {
 GolangJwtParseUnverified() {
- exists(DataFlow::Method f |
- f.hasQualifiedName([
- "github.com/golang-jwt/jwt.Parser", "github.com/golang-jwt/jwt/v4.Parser",
- "github.com/golang-jwt/jwt/v5.Parser", "github.com/dgrijalva/jwt-go.Parser",
- "github.com/dgrijalva/jwt-go/v4.Parser"
- ], "ParseUnverified")
- |
+ exists(Method f | f.hasQualifiedName(golangJwtPackage(), "Parser", "ParseUnverified") |
 this = f
 )
 }
+
+ override int getTokenArgNum() { result = 0 }
+}
+
+/**
+ * Gets `github.com/golang-jwt/jwt` and `github.com/dgrijalva/jwt-go`(previous name of `golang-jwt`) JWT packages
+ */
+string golangJwtRequestPackage() {
+ result = package(["github.com/golang-jwt/jwt", "github.com/dgrijalva/jwt-go"], "request")
 }
 
 /**
@@ -112,21 +160,16 @@ class GolangJwtParseUnverified extends Function {
 *
 * func ParseFromRequest(req *http.Request, extractor Extractor, keyFunc jwt.Keyfunc, options ...ParseFromRequestOption)
 */
-class GolangJwtParseFromRequest extends Function {
+class GolangJwtParseFromRequest extends JwtParseWithKeyFunction {
 GolangJwtParseFromRequest() {
- exists(DataFlow::Function f |
- f.hasQualifiedName([
- "github.com/golang-jwt/jwt/request", "github.com/golang-jwt/jwt/v4/request",
- "github.com/dgrijalva/jwt-go/request", "github.com/dgrijalva/jwt-go/v4/request"
- ], "ParseFromRequest")
- |
+ exists(Function f | f.hasQualifiedName(golangJwtRequestPackage(), "ParseFromRequest") |
 this = f
 )
 }
 
- int getKeyFuncArgNum() { result = 2 }
+ override int getKeyFuncArgNum() { result = 2 }
 
- DataFlow::Node getKeyFuncArg() { result = this.getACall().getArgument(this.getKeyFuncArgNum()) }
+ override int getTokenArgNum() { result = 0 }
 }
 
 /**
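Review bot: The doc comment on the new `golangJwtRequestPackage()` is a copy of the one on `golangJwtPackage()` and never mentions that it resolves the `request` subpackage, which is the only thing that distinguishes the two predicates. Suggest `/** Gets the `request` subpackage of `github.com/golang-jwt/jwt` and `github.com/dgrijalva/jwt-go` (the previous name of `golang-jwt`), including any major-version suffix. */`. The "including any major-version suffix" part is what the removed explicit `/v4` list used to make obvious and is worth stating rather than leaving to `package()`'s documentation.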
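Review bot: For `GolangJwtParseFromRequest`, `override int getTokenArgNum() { result = 0 }` points at `req *http.Request` rather than a token string, so `getTokenArg()` yields the whole request; that is workable for the untrusted-source query (the request is the taint source anyway) but it contradicts the base-class doc "argument that is responsible for JWT" and someone will be tempted to "fix" it to the extractor argument. A one-line comment on the override such as `// argument 0 is the *http.Request the token is extracted from; the token itself is never a direct argument here` documents the intent. The same applies to `GolangJwtParseFromRequestWithClaims` in the next hunk.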
@@ -134,45 +177,40 @@ class GolangJwtParseFromRequest extends Function { * * func ParseFromRequestWithClaims(req *http.Request, extractor Extractor, claims jwt.Claims, keyFunc jwt.Keyfunc) */ -class GolangJwtParseFromRequestWithClaims extends Function { +class GolangJwtParseFromRequestWithClaims extends JwtParseWithKeyFunction { GolangJwtParseFromRequestWithClaims() { - exists(DataFlow::Function f | - f.hasQualifiedName([ - "github.com/golang-jwt/jwt/request", "github.com/golang-jwt/jwt/v4/request", - "github.com/dgrijalva/jwt-go/request", "github.com/dgrijalva/jwt-go/v4/request" - ], "ParseFromRequestWithClaims") + exists(Function f | + f.hasQualifiedName(golangJwtRequestPackage(), "ParseFromRequestWithClaims") | this = f ) } - int getKeyFuncArgNum() { result = 3 } + override int getKeyFuncArgNum() { result = 3 } - DataFlow::Node getKeyFuncArg() { result = this.getACall().getArgument(this.getKeyFuncArgNum()) } + override int getTokenArgNum() { result = 0 } +} + +/** + * Gets `gopkg.in/square/go-jose` and `github.com/go-jose/go-jose` jwt package + */ +string goJoseJwtPackage() { + result = package(["gopkg.in/square/go-jose", "github.com/go-jose/go-jose"], "jwt") } /** * A class that contains the following method: * - *func (t *JSONWebToken) Claims(key interface{}, dest ...interface{}) + * func (t *JSONWebToken) Claims(key interface{}, dest ...interface{}) */ -class GoJoseClaims extends Function { - GoJoseClaims() { - exists(DataFlow::Method f | - f.hasQualifiedName([ - "gopkg.in/square/go-jose/jwt.JSONWebToken", "gopkg.in/square/go-jose.v2/jwt.JSONWebToken", - "gopkg.in/square/go-jose.v3/jwt.JSONWebToken", - "github.com/go-jose/go-jose/jwt.JSONWebToken", - "github.com/go-jose/go-jose/v3/jwt.JSONWebToken" - ], "Claims") - | - this = f - ) +class GoJoseParseWithClaims extends JwtParse { + GoJoseParseWithClaims() { + exists(Method f | f.hasQualifiedName(goJoseJwtPackage(), "JSONWebToken", "Claims") | this = f) } - int getKeyFuncArgNum() { result = 1 } + override int 
getKeyArgNum() { result = 0 } - DataFlow::Node getKeyFuncArg() { result = this.getACall().getArgument(this.getKeyFuncArgNum()) } + override int getTokenArgNum() { result = -1 } } /** 
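Review bot: `goJoseJwtPackage()` collapses an explicit list that contained `gopkg.in/square/go-jose.v2/jwt` and `gopkg.in/square/go-jose.v3/jwt` into `package(["gopkg.in/square/go-jose", "github.com/go-jose/go-jose"], "jwt")`, and the gopkg.in module uses the `.vN` major-version form rather than the `/vN` form; whether `package()` expands that form should be confirmed, because if it does not those two import paths silently stop being modelled and the tests in this change only exercise `github.com/go-jose/go-jose/v3`. If it does, say so on the predicate: `// package() also expands the gopkg.in-style "go-jose.v2"/"go-jose.v3" suffixes`; if it does not, list the gopkg.in paths explicitly alongside the `package()` result. The doc comment `Gets ... jwt package` should also say "JWT subpackage" to distinguish it from the top-level `go-jose` package that the old test stub vendored.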
@@ -180,35 +218,30 @@ class GoJoseClaims extends Function { * * func (t *JSONWebToken) UnsafeClaimsWithoutVerification(dest ...interface{}) */ -class GoJoseUnsafeClaims extends Function { +class GoJoseUnsafeClaims extends JwtUnverifiedParse { GoJoseUnsafeClaims() { - exists(DataFlow::Method f | - f.hasQualifiedName([ - "gopkg.in/square/go-jose/jwt.JSONWebToken", "gopkg.in/square/go-jose.v2/jwt.JSONWebToken", - "gopkg.in/square/go-jose.v3/jwt.JSONWebToken", - "github.com/go-jose/go-jose/jwt.JSONWebToken", - "github.com/go-jose/go-jose/v3/jwt.JSONWebToken" - ], "UnsafeClaimsWithoutVerification") + exists(Method f | + f.hasQualifiedName(goJoseJwtPackage(), "JSONWebToken", "UnsafeClaimsWithoutVerification") | this = f ) } + + override int getTokenArgNum() { result = -1 } } /** - * Holds if there are additioanl steps related to parsing the secret keys + * Holds for general additioanl steps related to parsing the secret keys in `golang-jwt/jwt`,`dgrijalva/jwt-go` packages */ predicate golangJwtIsAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { - exists(DataFlow::Function f, DataFlow::CallNode call | - f.hasQualifiedName([ - "github.com/golang-jwt/jwt", "github.com/golang-jwt/jwt/v4", "github.com/golang-jwt/jwt/v5" - ], + exists(Function f, DataFlow::CallNode call | + f.hasQualifiedName(package("github.com/golang-jwt/jwt", ""), [ "ParseECPrivateKeyFromPEM", "ParseECPublicKeyFromPEM", "ParseEdPrivateKeyFromPEM", "ParseEdPublicKeyFromPEM", "ParseRSAPrivateKeyFromPEM", "ParseRSAPublicKeyFromPEM", "RegisterSigningMethod" ]) or - f.hasQualifiedName(["github.com/dgrijalva/jwt-go", "github.com/dgrijalva/jwt-go/v4"], + f.hasQualifiedName(package("github.com/dgrijalva/jwt-go", ""), [ "ParseECPrivateKeyFromPEM", "ParseECPublicKeyFromPEM", "ParseRSAPrivateKeyFromPEM", "ParseRSAPrivateKeyFromPEMWithPassword", "ParseRSAPublicKeyFromPEM" 
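Review bot: The rewritten doc comment on `golangJwtIsAdditionalFlowStep` keeps the typo `additioanl` and is still phrased as a description rather than a "Holds if" contract, which is the convention the surrounding library follows. Suggest `Holds if there is an additional taint step from `nodeFrom` to `nodeTo` through the key-parsing helpers of `golang-jwt/jwt` and `dgrijalva/jwt-go` (PEM parsers, `RegisterSigningMethod`) or through the token argument of a parse call.`. The predicate body continues past the end of this hunk.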
@@ -219,7 +252,7 @@ predicate golangJwtIsAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node
 nodeTo = call
 )
 or
- exists(DataFlow::Function f, DataFlow::CallNode call |
+ exists(Function f, DataFlow::CallNode call |
 f instanceof GolangJwtParse
 or
 f instanceof GolangJwtParseWithClaims
@@ -228,51 +261,30 @@ predicate golangJwtIsAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeFrom = call.getArgument(0) and nodeTo = call ) - or - exists(DataFlow::FieldReadNode f | f instanceof GolangJwtValidField | - nodeFrom = f.getBase() and - nodeTo = f - ) } /** - * Holds if there are additioanl steps related to parsing the secret keys + * Holds for general additioanl steps related to parsing the secret keys in `go-jose` package */ predicate goJoseIsAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { - exists(DataFlow::Function f, DataFlow::CallNode call | - f.hasQualifiedName([ - "gopkg.in/square/go-jose/jwt", "gopkg.in/square/go-jose.v2/jwt", - "gopkg.in/square/go-jose.v3/jwt", "github.com/go-jose/go-jose/jwt", - "github.com/go-jose/go-jose/v3/jwt" - ], ["ParseEncrypted", "ParseSigned",]) + exists(Function f, DataFlow::CallNode call | + f.hasQualifiedName(goJoseJwtPackage(), ["ParseEncrypted", "ParseSigned",]) | call = f.getACall() and nodeFrom = call.getArgument(0) and nodeTo = call ) or - exists(DataFlow::Function f, DataFlow::CallNode call | - f.hasQualifiedName([ - "gopkg.in/square/go-jose/jwt.NestedJSONWebToken", - "gopkg.in/square/go-jose.v2/jwt.NestedJSONWebToken", - "gopkg.in/square/go-jose.v3/jwt.NestedJSONWebToken", - "github.com/go-jose/go-jose/jwt.NestedJSONWebToken", - "github.com/go-jose/go-jose/v3/jw.NestedJSONWebTokent" - ], "ParseSignedAndEncrypted") + exists(Method m, DataFlow::CallNode call | + m.hasQualifiedName(goJoseJwtPackage(), "NestedJSONWebToken", "ParseSignedAndEncrypted") | - call = f.getACall() and + call = m.getACall() and nodeFrom = call.getArgument(0) and nodeTo = call ) or - exists(DataFlow::Method f, DataFlow::CallNode call | - f.hasQualifiedName([ - "gopkg.in/square/go-jose/jwt.NestedJSONWebToken", - "gopkg.in/square/go-jose.v2/jwt.NestedJSONWebToken", - "gopkg.in/square/go-jose.v3/jwt.NestedJSONWebToken", - "github.com/go-jose/go-jose/jwt.NestedJSONWebToken", - 
"github.com/go-jose/go-jose/v3/jw.NestedJSONWebToken" - ], "Decrypt") + exists(Method f, DataFlow::CallNode call | + f.hasQualifiedName(goJoseJwtPackage(), "NestedJSONWebToken", "Decrypt") | call = f.getACall() and nodeFrom = call.getReceiver() and diff --git a/go/ql/src/experimental/CWE-321-V2/HardCodedKeys.ql b/go/ql/src/experimental/CWE-321-V2/HardCodedKeys.ql index 17a92cca3ec..8f416fcf235 100644 --- a/go/ql/src/experimental/CWE-321-V2/HardCodedKeys.ql +++ b/go/ql/src/experimental/CWE-321-V2/HardCodedKeys.ql @@ -1,9 +1,9 @@ /** * @name Decoding JWT with hardcoded key - * @description Decoding JWT Secrect with a Constant value lead to authentication or authorization bypass + * @description Decoding JWT Secret with a Constant value lead to authentication or authorization bypass * @kind path-problem * @problem.severity error - * @id go/hardcoded-key + * @id go/parse-jwt-with-hardcoded-key * @tags security * experimental * external/cwe/cwe-321 @@ -12,10 +12,13 @@ import go import semmle.go.security.JWT -module JwtConfig implements DataFlow::ConfigSig { +module JwtPaseWithConstantKeyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source.asExpr() instanceof StringLit } predicate isSink(DataFlow::Node sink) { + // first part is the JWT Parsing Functions that get a func type as an argument + // Find a node that has flow to a key Function argument + // then find the first result node of this Function which is the secret key exists(FuncDef fd, DataFlow::Node n, DataFlow::ResultNode rn | GolangJwtKeyFunc::flow(n, _) and fd = n.asExpr() | @@ -31,6 +34,9 @@ module JwtConfig implements DataFlow::ConfigSig { rn.getRoot() = fd.getFuncDecl() and rn.getIndex() = 0 ) + or + // second part is the JWT Parsing Functions that get a string or byte as an argument + sink = any(JwtParse jp).getKeyArg() } } 
@@ -42,24 +48,17 @@ module GolangJwtKeyFuncConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { - sink = - [ - any(GolangJwtParse parseWithClaims).getKeyFuncArg(), - any(GolangJwtParseWithClaims parseWithClaims).getKeyFuncArg(), - any(GolangJwtParseFromRequest parseWithClaims).getKeyFuncArg(), - any(GolangJwtParseFromRequestWithClaims parseWithClaims).getKeyFuncArg(), - any(GoJoseClaims parseWithClaims).getKeyFuncArg(), - ] + sink = any(JwtParseWithKeyFunction parseJWT).getKeyFuncArg() } } -module Jwt = TaintTracking::Global; +module JwtPaseWithConstantKey = TaintTracking::Global; module GolangJwtKeyFunc = TaintTracking::Global; -import Jwt::PathGraph +import JwtPaseWithConstantKey::PathGraph -from Jwt::PathNode source, Jwt::PathNode sink -where Jwt::flowPath(source, sink) +from JwtPaseWithConstantKey::PathNode source, JwtPaseWithConstantKey::PathNode sink +where JwtPaseWithConstantKey::flowPath(source, sink) select sink.getNode(), source, sink, "This $@.", source.getNode(), "Constant Key is used as JWT Secret key" diff --git a/go/ql/src/experimental/CWE-347/NoVerification.ql b/go/ql/src/experimental/CWE-347/ParseJWTWithoutVerification.ql similarity index 84% rename from go/ql/src/experimental/CWE-347/NoVerification.ql rename to go/ql/src/experimental/CWE-347/ParseJWTWithoutVerification.ql index f9e0fd6465c..344efaee3f9 100644 --- a/go/ql/src/experimental/CWE-347/NoVerification.ql +++ b/go/ql/src/experimental/CWE-347/ParseJWTWithoutVerification.ql @@ -3,7 +3,7 @@ * @description Using JWT methods without verification can cause to authorization or authentication bypass * @kind path-problem * @problem.severity error - * @id go/hardcoded-key + * @id go/parse-jwt-without-verification * @tags security * experimental * external/cwe/cwe-321 
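Review bot: In `ParseJWTWithoutVerification.ql` the new `@id go/parse-jwt-without-verification` still carries `@tags ... external/cwe/cwe-321` (use of hard-coded cryptographic key), which is the sibling query's CWE; this query lives in `CWE-347` and describes missing signature verification, so the tag should be `external/cwe/cwe-347`. The `@description` could be tightened at the same time: `Parsing a JWT without verifying its signature can lead to authentication or authorization bypass`.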
@@ -16,8 +16,8 @@ module WithValidationConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource } predicate isSink(DataFlow::Node sink) { - sink = any(GolangJwtValidField parse) or - sink = any(GoJoseClaims parse).getACall().getReceiver() + sink = any(JwtParse parseUnverified).getTokenArg() or + sink = any(JwtParseWithKeyFunction parseUnverified).getTokenArg() } predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { @@ -34,9 +34,7 @@ module NoValidationConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { - sink = any(GolangJwtParseUnverified parseunverified).getACall().getArgument(0) - or - sink = any(GoJoseUnsafeClaims parse).getACall().getReceiver() + sink = any(JwtUnverifiedParse parseUnverified).getTokenNode() } predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { diff --git a/go/ql/src/experimental/CWE-347/NoVerification.qhelp b/go/ql/src/experimental/CWE-347/ParseJWTWithoutVerification.ql.qhelp similarity index 100% rename from go/ql/src/experimental/CWE-347/NoVerification.qhelp rename to go/ql/src/experimental/CWE-347/ParseJWTWithoutVerification.ql.qhelp diff --git a/go/ql/test/experimental/CWE-321-V2/HardCodedKeys.expected b/go/ql/test/experimental/CWE-321-V2/HardCodedKeys.expected index bf7af10425a..550dcaa9b67 100644 --- a/go/ql/test/experimental/CWE-321-V2/HardCodedKeys.expected +++ b/go/ql/test/experimental/CWE-321-V2/HardCodedKeys.expected 
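Review bot: Replacing the `GolangJwtValidField` sink with `any(JwtParseWithKeyFunction parseUnverified).getTokenArg()` makes any call to `Parse`/`ParseWithClaims` count as evidence of validation, but in golang-jwt those functions return a populated `*Token` together with a non-nil error when signature verification fails, so a caller that discards the error and never checks `Token.Valid` still reads unverified claims while `WithValidationConfig` now treats it as safe; the removed `Token.Valid` field-read sink was what captured that check. Consider reinstating a `Token.Valid` read (or the error result of the parse call) as the validation sink for the golang-jwt models, e.g. `sink = any(DataFlow::FieldReadNode f | f.getField().hasQualifiedName(golangJwtPackage(), "Token", "Valid"))` alongside the new sinks, and documenting the trade-off on the config. The `isAdditionalFlowStep` body continues beyond the hunk.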
@@ -1,10 +1,16 @@ edges -| golang-jwt-v5/golang-jwt-v5.go:19:14:19:34 | type conversion | golang-jwt-v5/golang-jwt-v5.go:37:9:37:14 | JwtKey | -| golang-jwt-v5/golang-jwt-v5.go:19:21:19:33 | "AllYourBase" | golang-jwt-v5/golang-jwt-v5.go:19:14:19:34 | type conversion | +| go-jose.v3.go:11:14:11:34 | type conversion | go-jose.v3.go:23:32:23:37 | JwtKey | +| go-jose.v3.go:11:21:11:33 | "AllYourBase" | go-jose.v3.go:11:14:11:34 | type conversion | +| golang-jwt-v5.go:19:15:19:35 | type conversion | golang-jwt-v5.go:27:9:27:15 | JwtKey1 | +| golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | golang-jwt-v5.go:19:15:19:35 | type conversion | nodes -| golang-jwt-v5/golang-jwt-v5.go:19:14:19:34 | type conversion | semmle.label | type conversion | -| golang-jwt-v5/golang-jwt-v5.go:19:21:19:33 | "AllYourBase" | semmle.label | "AllYourBase" | -| golang-jwt-v5/golang-jwt-v5.go:37:9:37:14 | JwtKey | semmle.label | JwtKey | +| go-jose.v3.go:11:14:11:34 | type conversion | semmle.label | type conversion | +| go-jose.v3.go:11:21:11:33 | "AllYourBase" | semmle.label | "AllYourBase" | +| go-jose.v3.go:23:32:23:37 | JwtKey | semmle.label | JwtKey | +| golang-jwt-v5.go:19:15:19:35 | type conversion | semmle.label | type conversion | +| golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | semmle.label | "AllYourBase" | +| golang-jwt-v5.go:27:9:27:15 | JwtKey1 | semmle.label | JwtKey1 | subpaths #select -| golang-jwt-v5/golang-jwt-v5.go:37:9:37:14 | JwtKey | golang-jwt-v5/golang-jwt-v5.go:19:21:19:33 | "AllYourBase" | golang-jwt-v5/golang-jwt-v5.go:37:9:37:14 | JwtKey | This $@. | golang-jwt-v5/golang-jwt-v5.go:19:21:19:33 | "AllYourBase" | Constant Key is used as JWT Secret key | +| go-jose.v3.go:23:32:23:37 | JwtKey | go-jose.v3.go:11:21:11:33 | "AllYourBase" | go-jose.v3.go:23:32:23:37 | JwtKey | This $@. 
| go-jose.v3.go:11:21:11:33 | "AllYourBase" | Constant Key is used as JWT Secret key | +| golang-jwt-v5.go:27:9:27:15 | JwtKey1 | golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | golang-jwt-v5.go:27:9:27:15 | JwtKey1 | This $@. | golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | Constant Key is used as JWT Secret key | diff --git a/go/ql/test/experimental/CWE-321-V2/go-jose.v3.go b/go/ql/test/experimental/CWE-321-V2/go-jose.v3.go new file mode 100644 index 00000000000..9feeab9c466 --- /dev/null +++ b/go/ql/test/experimental/CWE-321-V2/go-jose.v3.go @@ -0,0 +1,27 @@ +package jwt + +//go:generate depstubber -vendor github.com/go-jose/go-jose/v3/jwt JSONWebToken ParseSigned + +import ( + "fmt" + "github.com/go-jose/go-jose/v3/jwt" + "net/http" +) + +var JwtKey = []byte("AllYourBase") + +func main2(r *http.Request) { + // NOT OK + signedToken := r.URL.Query().Get("signedToken") + verifyJWT(signedToken) +} + +func verifyJWT(signedToken string) { + fmt.Println("verifying JWT") + DecodedToken, _ := jwt.ParseSigned(signedToken) + out := CustomerInfo{} + if err := DecodedToken.Claims(JwtKey, &out); err != nil { + panic(err) + } + fmt.Printf("%v\n", out) +} diff --git a/go/ql/test/experimental/CWE-321-V2/go-jose.v3/go-jose.v3.go b/go/ql/test/experimental/CWE-321-V2/go-jose.v3/go-jose.v3.go deleted file mode 100644 index f7cf841b7b7..00000000000 --- a/go/ql/test/experimental/CWE-321-V2/go-jose.v3/go-jose.v3.go +++ /dev/null 
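Review bot: In `verifyJWT`, `DecodedToken, _ := jwt.ParseSigned(signedToken)` discards the parse error and then calls `DecodedToken.Claims(JwtKey, &out)` on a pointer that is nil for a malformed token; even in a deliberately bad fixture it is clearer to keep the error (`DecodedToken, err := jwt.ParseSigned(signedToken)` followed by `if err != nil { panic(err) }`) so that the only defect in the sample is the hard-coded `JwtKey`. The `// NOT OK` marker also sits on the `signedToken :=` line in `main2`, whereas the `.expected` file records the `DecodedToken.Claims(JwtKey, &out)` line as the alert location, so the marker belongs on that line.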
@@ -1,39 +0,0 @@ -package main - -import ( - "fmt" - "github.com/gin-gonic/gin" - "github.com/go-jose/go-jose/v3" - "github.com/go-jose/go-jose/v3/jwt" - "net/http" -) - -type CustomerInfo struct { - Name string - ID int -} - -var JwtKey = []byte("AllYourBase") - -func main() { - router := gin.Default() - router.GET("/ping", func(c *gin.Context) { - signedToken := c.Param("signedToken") - verifyJWT(signedToken) - - c.JSON(http.StatusOK, gin.H{ - "message": "pong", - }) - }) - _ = router.Run() - -} -func verifyJWT(signedToken string) { - fmt.Println("verifying JWT") - DecodedToken, _ := jwt.ParseSigned(signedToken) - out := CustomerInfo{} - if err := DecodedToken.Claims(JwtKey, &out); err != nil { - panic(err) - } - fmt.Printf("%v\n", out) -} diff --git a/go/ql/test/experimental/CWE-321-V2/go.mod b/go/ql/test/experimental/CWE-321-V2/go.mod index 84e592efcf3..1f1dec543c2 100644 --- a/go/ql/test/experimental/CWE-321-V2/go.mod +++ b/go/ql/test/experimental/CWE-321-V2/go.mod @@ -1,6 +1,6 @@ module main -go 1.18 +go 1.21 require ( github.com/gin-gonic/gin v1.9.1 diff --git a/go/ql/test/experimental/CWE-321-V2/golang-jwt-v5/golang-jwt-v5.go b/go/ql/test/experimental/CWE-321-V2/golang-jwt-v5.go similarity index 52% rename from go/ql/test/experimental/CWE-321-V2/golang-jwt-v5/golang-jwt-v5.go rename to go/ql/test/experimental/CWE-321-V2/golang-jwt-v5.go index 2e513859679..71917160bda 100644 --- a/go/ql/test/experimental/CWE-321-V2/golang-jwt-v5/golang-jwt-v5.go +++ b/go/ql/test/experimental/CWE-321-V2/golang-jwt-v5.go @@ -1,12 +1,12 @@ -package main +package jwt + +//go:generate depstubber -vendor github.com/golang-jwt/jwt/v5 RegisteredClaims,Parser,Token Parse,ParseWithClaims import ( "fmt" - "github.com/gin-gonic/gin" "github.com/golang-jwt/jwt/v5" "log" "net/http" - "os" ) type CustomerInfo struct { 
@@ -16,27 +16,18 @@ type CustomerInfo struct { } // BAD constant key -var JwtKey = []byte("AllYourBase") +var JwtKey1 = []byte("AllYourBase") -func main() { - router := gin.Default() - router.GET("/ping", func(c *gin.Context) { - // https://pkg.go.dev/github.com/go-jose/go-jose/v3/jwt - var unsignedToken = c.Param("customerName") - signedToken := c.Param("signedToken") - VerifyJWT(signedToken) - - c.JSON(http.StatusOK, gin.H{ - "message": "pong", - }) - }) - _ = router.Run() +func main1(r *http.Request) { + signedToken := r.URL.Query().Get("signedToken") + verifyJWT_golangjwt(signedToken) } func LoadJwtKey(token *jwt.Token) (interface{}, error) { - return JwtKey, nil + return JwtKey1, nil } -func verifyJWT(signedToken string) { + +func verifyJWT_golangjwt(signedToken string) { fmt.Println("verifying JWT") DecodedToken, err := jwt.ParseWithClaims(signedToken, &CustomerInfo{}, LoadJwtKey) if claims, ok := DecodedToken.Claims.(*CustomerInfo); ok && DecodedToken.Valid { @@ -45,4 +36,3 @@ func verifyJWT(signedToken string) { log.Fatal(err) } } - diff --git a/go/ql/test/experimental/CWE-321-V2/vendor/github.com/gin-gonic/gin/stub.go b/go/ql/test/experimental/CWE-321-V2/vendor/github.com/gin-gonic/gin/stub.go deleted file mode 100644 index a3c8b665036..00000000000 --- a/go/ql/test/experimental/CWE-321-V2/vendor/github.com/gin-gonic/gin/stub.go +++ /dev/null 
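Review bot: `verifyJWT_golangjwt` uses an underscore in a Go identifier, which `go vet`-adjacent linters (revive/golint) flag; `verifyGolangJWT` keeps MixedCaps and the call in `main1` changes accordingly. A short comment on `LoadJwtKey`, e.g. `// LoadJwtKey is the jwt.Keyfunc passed to ParseWithClaims; the query follows its first result back to JwtKey1`, would make the fixture self-explanatory, since the `// BAD constant key` marker is on the variable rather than on the key-func that the sink is computed from. The body of `verifyJWT_golangjwt` continues past the end of the hunk.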
@@ -1,465 +0,0 @@ -// Code generated by depstubber. DO NOT EDIT. -// This is a simple stub for github.com/gin-gonic/gin, strictly for use in testing. - -// See the LICENSE file for information about the licensing of the original library. -// Source: github.com/gin-gonic/gin (exports: Context; functions: ) - -// Package gin is a stub of github.com/gin-gonic/gin, generated by depstubber. -package gin - -import ( - bufio "bufio" - io "io" - multipart "mime/multipart" - net "net" - http "net/http" - time "time" -) - -type Context struct { - Request *http.Request - Writer ResponseWriter - Params Params - Keys map[string]interface{} - Errors interface{} - Accepted []string -} - -func (_ *Context) Abort() {} - -func (_ *Context) AbortWithError(_ int, _ error) *Error { - return nil -} - -func (_ *Context) AbortWithStatus(_ int) {} - -func (_ *Context) AbortWithStatusJSON(_ int, _ interface{}) {} - -func (_ *Context) AddParam(_ string, _ string) {} - -func (_ *Context) AsciiJSON(_ int, _ interface{}) {} - -func (_ *Context) Bind(_ interface{}) error { - return nil -} - -func (_ *Context) BindHeader(_ interface{}) error { - return nil -} - -func (_ *Context) BindJSON(_ interface{}) error { - return nil -} - -func (_ *Context) BindQuery(_ interface{}) error { - return nil -} - -func (_ *Context) BindTOML(_ interface{}) error { - return nil -} - -func (_ *Context) BindUri(_ interface{}) error { - return nil -} - -func (_ *Context) BindWith(_ interface{}, _ interface{}) error { - return nil -} - -func (_ *Context) BindXML(_ interface{}) error { - return nil -} - -func (_ *Context) BindYAML(_ interface{}) error { - return nil -} - -func (_ *Context) ClientIP() string { - return "" -} - -func (_ *Context) ContentType() string { - return "" -} - -func (_ *Context) Cookie(_ string) (string, error) { - return "", nil -} - -func (_ *Context) Copy() *Context { - return nil -} - -func (_ *Context) Data(_ int, _ string, _ []byte) {} - -func (_ *Context) DataFromReader(_ int, _ int64, _ 
string, _ io.Reader, _ map[string]string) {} - -func (_ *Context) Deadline() (time.Time, bool) { - return time.Time{}, false -} - -func (_ *Context) DefaultPostForm(_ string, _ string) string { - return "" -} - -func (_ *Context) DefaultQuery(_ string, _ string) string { - return "" -} - -func (_ *Context) Done() <-chan struct{} { - return nil -} - -func (_ *Context) Err() error { - return nil -} - -func (_ *Context) Error(_ error) *Error { - return nil -} - -func (_ *Context) File(_ string) {} - -func (_ *Context) FileAttachment(_ string, _ string) {} - -func (_ *Context) FileFromFS(_ string, _ http.FileSystem) {} - -func (_ *Context) FormFile(_ string) (*multipart.FileHeader, error) { - return nil, nil -} - -func (_ *Context) FullPath() string { - return "" -} - -func (_ *Context) Get(_ string) (interface{}, bool) { - return nil, false -} - -func (_ *Context) GetBool(_ string) bool { - return false -} - -func (_ *Context) GetDuration(_ string) time.Duration { - return 0 -} - -func (_ *Context) GetFloat64(_ string) float64 { - return 0 -} - -func (_ *Context) GetHeader(_ string) string { - return "" -} - -func (_ *Context) GetInt(_ string) int { - return 0 -} - -func (_ *Context) GetInt64(_ string) int64 { - return 0 -} - -func (_ *Context) GetPostForm(_ string) (string, bool) { - return "", false -} - -func (_ *Context) GetPostFormArray(_ string) ([]string, bool) { - return nil, false -} - -func (_ *Context) GetPostFormMap(_ string) (map[string]string, bool) { - return nil, false -} - -func (_ *Context) GetQuery(_ string) (string, bool) { - return "", false -} - -func (_ *Context) GetQueryArray(_ string) ([]string, bool) { - return nil, false -} - -func (_ *Context) GetQueryMap(_ string) (map[string]string, bool) { - return nil, false -} - -func (_ *Context) GetRawData() ([]byte, error) { - return nil, nil -} - -func (_ *Context) GetString(_ string) string { - return "" -} - -func (_ *Context) GetStringMap(_ string) map[string]interface{} { - return nil -} - 
-func (_ *Context) GetStringMapString(_ string) map[string]string { - return nil -} - -func (_ *Context) GetStringMapStringSlice(_ string) map[string][]string { - return nil -} - -func (_ *Context) GetStringSlice(_ string) []string { - return nil -} - -func (_ *Context) GetTime(_ string) time.Time { - return time.Time{} -} - -func (_ *Context) GetUint(_ string) uint { - return 0 -} - -func (_ *Context) GetUint64(_ string) uint64 { - return 0 -} - -func (_ *Context) HTML(_ int, _ string, _ interface{}) {} - -func (_ *Context) Handler() HandlerFunc { - return nil -} - -func (_ *Context) HandlerName() string { - return "" -} - -func (_ *Context) HandlerNames() []string { - return nil -} - -func (_ *Context) Header(_ string, _ string) {} - -func (_ *Context) IndentedJSON(_ int, _ interface{}) {} - -func (_ *Context) IsAborted() bool { - return false -} - -func (_ *Context) IsWebsocket() bool { - return false -} - -func (_ *Context) JSON(_ int, _ interface{}) {} - -func (_ *Context) JSONP(_ int, _ interface{}) {} - -func (_ *Context) MultipartForm() (*multipart.Form, error) { - return nil, nil -} - -func (_ *Context) MustBindWith(_ interface{}, _ interface{}) error { - return nil -} - -func (_ *Context) MustGet(_ string) interface{} { - return nil -} - -func (_ *Context) Negotiate(_ int, _ Negotiate) {} - -func (_ *Context) NegotiateFormat(_ ...string) string { - return "" -} - -func (_ *Context) Next() {} - -func (_ *Context) Param(_ string) string { - return "" -} - -func (_ *Context) PostForm(_ string) string { - return "" -} - -func (_ *Context) PostFormArray(_ string) []string { - return nil -} - -func (_ *Context) PostFormMap(_ string) map[string]string { - return nil -} - -func (_ *Context) ProtoBuf(_ int, _ interface{}) {} - -func (_ *Context) PureJSON(_ int, _ interface{}) {} - -func (_ *Context) Query(_ string) string { - return "" -} - -func (_ *Context) QueryArray(_ string) []string { - return nil -} - -func (_ *Context) QueryMap(_ string) map[string]string 
{ - return nil -} - -func (_ *Context) Redirect(_ int, _ string) {} - -func (_ *Context) RemoteIP() string { - return "" -} - -func (_ *Context) Render(_ int, _ interface{}) {} - -func (_ *Context) SSEvent(_ string, _ interface{}) {} - -func (_ *Context) SaveUploadedFile(_ *multipart.FileHeader, _ string) error { - return nil -} - -func (_ *Context) SecureJSON(_ int, _ interface{}) {} - -func (_ *Context) Set(_ string, _ interface{}) {} - -func (_ *Context) SetAccepted(_ ...string) {} - -func (_ *Context) SetCookie(_ string, _ string, _ int, _ string, _ string, _ bool, _ bool) {} - -func (_ *Context) SetSameSite(_ http.SameSite) {} - -func (_ *Context) ShouldBind(_ interface{}) error { - return nil -} - -func (_ *Context) ShouldBindBodyWith(_ interface{}, _ interface{}) error { - return nil -} - -func (_ *Context) ShouldBindHeader(_ interface{}) error { - return nil -} - -func (_ *Context) ShouldBindJSON(_ interface{}) error { - return nil -} - -func (_ *Context) ShouldBindQuery(_ interface{}) error { - return nil -} - -func (_ *Context) ShouldBindTOML(_ interface{}) error { - return nil -} - -func (_ *Context) ShouldBindUri(_ interface{}) error { - return nil -} - -func (_ *Context) ShouldBindWith(_ interface{}, _ interface{}) error { - return nil -} - -func (_ *Context) ShouldBindXML(_ interface{}) error { - return nil -} - -func (_ *Context) ShouldBindYAML(_ interface{}) error { - return nil -} - -func (_ *Context) Status(_ int) {} - -func (_ *Context) Stream(_ func(io.Writer) bool) bool { - return false -} - -func (_ *Context) String(_ int, _ string, _ ...interface{}) {} - -func (_ *Context) TOML(_ int, _ interface{}) {} - -func (_ *Context) Value(_ interface{}) interface{} { - return nil -} - -func (_ *Context) XML(_ int, _ interface{}) {} - -func (_ *Context) YAML(_ int, _ interface{}) {} - -type Error struct { - Err error - Type ErrorType - Meta interface{} -} - -func (_ Error) Error() string { - return "" -} - -func (_ *Error) IsType(_ ErrorType) bool { - 
return false -} - -func (_ *Error) JSON() interface{} { - return nil -} - -func (_ *Error) MarshalJSON() ([]byte, error) { - return nil, nil -} - -func (_ *Error) SetMeta(_ interface{}) *Error { - return nil -} - -func (_ *Error) SetType(_ ErrorType) *Error { - return nil -} - -func (_ *Error) Unwrap() error { - return nil -} - -type ErrorType uint64 - -type HandlerFunc func(*Context) - -type Negotiate struct { - Offered []string - HTMLName string - HTMLData interface{} - JSONData interface{} - XMLData interface{} - YAMLData interface{} - Data interface{} - TOMLData interface{} -} - -type Param struct { - Key string - Value string -} - -type Params []Param - -func (_ Params) ByName(_ string) string { - return "" -} - -func (_ Params) Get(_ string) (string, bool) { - return "", false -} - -type ResponseWriter interface { - CloseNotify() <-chan bool - Flush() - Header() http.Header - Hijack() (net.Conn, *bufio.ReadWriter, error) - Pusher() http.Pusher - Size() int - Status() int - Write(_ []byte) (int, error) - WriteHeader(_ int) - WriteHeaderNow() - WriteString(_ string) (int, error) - Written() bool -} diff --git a/go/ql/test/experimental/CWE-321-V2/vendor/github.com/go-jose/go-jose/v3/jwt/stub.go b/go/ql/test/experimental/CWE-321-V2/vendor/github.com/go-jose/go-jose/v3/jwt/stub.go index de5f359a012..a160226c423 100644 --- a/go/ql/test/experimental/CWE-321-V2/vendor/github.com/go-jose/go-jose/v3/jwt/stub.go +++ b/go/ql/test/experimental/CWE-321-V2/vendor/github.com/go-jose/go-jose/v3/jwt/stub.go 
@@ -2,7 +2,7 @@ // This is a simple stub for github.com/go-jose/go-jose/v3/jwt, strictly for use in testing. // See the LICENSE file for information about the licensing of the original library. -// Source: github.com/go-jose/go-jose/v3/jwt (exports: JSONWebToken; functions: ParseEncrypted,ParseSigned) +// Source: github.com/go-jose/go-jose/v3/jwt (exports: JSONWebToken; functions: ParseSigned) // Package jwt is a stub of github.com/go-jose/go-jose/v3/jwt, generated by depstubber. package jwt @@ -19,10 +19,6 @@ func (_ *JSONWebToken) UnsafeClaimsWithoutVerification(_ ...interface{}) error { return nil } -func ParseEncrypted(_ string) (*JSONWebToken, error) { - return nil, nil -} - func ParseSigned(_ string) (*JSONWebToken, error) { return nil, nil } diff --git a/go/ql/test/experimental/CWE-321-V2/vendor/github.com/go-jose/go-jose/v3/stub.go b/go/ql/test/experimental/CWE-321-V2/vendor/github.com/go-jose/go-jose/v3/stub.go deleted file mode 100644 index c0957df6854..00000000000 --- a/go/ql/test/experimental/CWE-321-V2/vendor/github.com/go-jose/go-jose/v3/stub.go +++ /dev/null 
@@ -1,154 +0,0 @@ -// Code generated by depstubber. DO NOT EDIT. -// This is a simple stub for github.com/go-jose/go-jose/v3, strictly for use in testing. - -// See the LICENSE file for information about the licensing of the original library. -// Source: github.com/go-jose/go-jose/v3 (exports: JSONWebKey; functions: NewSigner) - -// Package go_pkg is a stub of github.com/go-jose/go-jose/v3, generated by depstubber. -package go_pkg - -import ( - crypto "crypto" - x509 "crypto/x509" - url "net/url" -) - -type ContentType string - -type Header struct { - KeyID string - JSONWebKey *JSONWebKey - Algorithm string - Nonce string - ExtraHeaders map[HeaderKey]interface{} -} - -func (_ Header) Certificates(_ x509.VerifyOptions) ([][]*x509.Certificate, error) { - return nil, nil -} - -type HeaderKey string - -type JSONWebKey struct { - Key interface{} - KeyID string - Algorithm string - Use string - Certificates []*x509.Certificate - CertificatesURL *url.URL - CertificateThumbprintSHA1 []byte - CertificateThumbprintSHA256 []byte -} - -func (_ JSONWebKey) MarshalJSON() ([]byte, error) { - return nil, nil -} - -func (_ *JSONWebKey) IsPublic() bool { - return false -} - -func (_ *JSONWebKey) Public() JSONWebKey { - return JSONWebKey{} -} - -func (_ *JSONWebKey) Thumbprint(_ crypto.Hash) ([]byte, error) { - return nil, nil -} - -func (_ *JSONWebKey) UnmarshalJSON(_ []byte) error { - return nil -} - -func (_ *JSONWebKey) Valid() bool { - return false -} - -type JSONWebSignature struct { - Signatures []Signature -} - -func (_ JSONWebSignature) CompactSerialize() (string, error) { - return "", nil -} - -func (_ JSONWebSignature) DetachedCompactSerialize() (string, error) { - return "", nil -} - -func (_ JSONWebSignature) DetachedVerify(_ []byte, _ interface{}) error { - return nil -} - -func (_ JSONWebSignature) DetachedVerifyMulti(_ []byte, _ interface{}) (int, Signature, error) { - return 0, Signature{}, nil -} - -func (_ JSONWebSignature) FullSerialize() string { - return "" -} - 
-func (_ JSONWebSignature) UnsafePayloadWithoutVerification() []byte { - return nil -} - -func (_ JSONWebSignature) Verify(_ interface{}) ([]byte, error) { - return nil, nil -} - -func (_ JSONWebSignature) VerifyMulti(_ interface{}) (int, Signature, []byte, error) { - return 0, Signature{}, nil, nil -} - -func NewSigner(_ SigningKey, _ *SignerOptions) (Signer, error) { - return nil, nil -} - -type NonceSource interface { - Nonce() (string, error) -} - -type Signature struct { - Header Header - Protected Header - Unprotected Header - Signature []byte -} - -type SignatureAlgorithm string - -type Signer interface { - Options() SignerOptions - Sign(_ []byte) (*JSONWebSignature, error) -} - -type SignerOptions struct { - NonceSource NonceSource - EmbedJWK bool - ExtraHeaders map[HeaderKey]interface{} -} - -func (_ *SignerOptions) WithBase64(_ bool) *SignerOptions { - return nil -} - -func (_ *SignerOptions) WithContentType(_ ContentType) *SignerOptions { - return nil -} - -func (_ *SignerOptions) WithCritical(_ ...string) *SignerOptions { - return nil -} - -func (_ *SignerOptions) WithHeader(_ HeaderKey, _ interface{}) *SignerOptions { - return nil -} - -func (_ *SignerOptions) WithType(_ ContentType) *SignerOptions { - return nil -} - -type SigningKey struct { - Algorithm SignatureAlgorithm - Key interface{} -} diff --git a/go/ql/test/experimental/CWE-321-V2/vendor/github.com/golang-jwt/jwt/stub.go b/go/ql/test/experimental/CWE-321-V2/vendor/github.com/golang-jwt/jwt/stub.go deleted file mode 100644 index 5c94d670953..00000000000 --- a/go/ql/test/experimental/CWE-321-V2/vendor/github.com/golang-jwt/jwt/stub.go +++ /dev/null 
@@ -1,55 +0,0 @@ -// Code generated by depstubber. DO NOT EDIT. -// This is a simple stub for github.com/golang-jwt/jwt, strictly for use in testing. - -// See the LICENSE file for information about the licensing of the original library. -// Source: github.com/golang-jwt/jwt (exports: Parser; functions: ) - -// Package jwt is a stub of github.com/golang-jwt/jwt, generated by depstubber. -package jwt - -type Claims interface { - Valid() error -} - -type Keyfunc func(*Token) (interface{}, error) - -type Parser struct { - ValidMethods []string - UseJSONNumber bool - SkipClaimsValidation bool -} - -func (_ *Parser) Parse(_ string, _ Keyfunc) (*Token, error) { - return nil, nil -} - -func (_ *Parser) ParseUnverified(_ string, _ Claims) (*Token, []string, error) { - return nil, nil, nil -} - -func (_ *Parser) ParseWithClaims(_ string, _ Claims, _ Keyfunc) (*Token, error) { - return nil, nil -} - -type SigningMethod interface { - Alg() string - Sign(_ string, _ interface{}) (string, error) - Verify(_ string, _ string, _ interface{}) error -} - -type Token struct { - Raw string - Method SigningMethod - Header map[string]interface{} - Claims Claims - Signature string - Valid bool -} - -func (_ *Token) SignedString(_ interface{}) (string, error) { - return "", nil -} - -func (_ *Token) SigningString() (string, error) { - return "", nil -} diff --git a/go/ql/test/experimental/CWE-321-V2/vendor/github.com/golang-jwt/jwt/v5/request/stub.go b/go/ql/test/experimental/CWE-321-V2/vendor/github.com/golang-jwt/jwt/v5/request/stub.go deleted file mode 100644 index 460f0eb2168..00000000000 --- a/go/ql/test/experimental/CWE-321-V2/vendor/github.com/golang-jwt/jwt/v5/request/stub.go +++ /dev/null 
@@ -1,22 +0,0 @@ -// Code generated by depstubber. DO NOT EDIT. -// This is a simple stub for github.com/golang-jwt/jwt/v5/request, strictly for use in testing. - -// See the LICENSE file for information about the licensing of the original library. -// Source: github.com/golang-jwt/jwt/v5/request (exports: ParseFromRequestOption; functions: ParseFromRequest) - -// Package request is a stub of github.com/golang-jwt/jwt/v5/request, generated by depstubber. -package request - -import ( - http "net/http" -) - -type Extractor interface { - ExtractToken(_ *http.Request) (string, error) -} - -func ParseFromRequest(_ *http.Request, _ Extractor, _ interface{}, _ ...ParseFromRequestOption) (interface{}, error) { - return nil, nil -} - -type ParseFromRequestOption func(interface{}) diff --git a/go/ql/test/experimental/CWE-321-V2/vendor/github.com/golang-jwt/jwt/v5/stub.go b/go/ql/test/experimental/CWE-321-V2/vendor/github.com/golang-jwt/jwt/v5/stub.go index 61902b8caae..7588530ba3e 100644 --- a/go/ql/test/experimental/CWE-321-V2/vendor/github.com/golang-jwt/jwt/v5/stub.go +++ b/go/ql/test/experimental/CWE-321-V2/vendor/github.com/golang-jwt/jwt/v5/stub.go @@ -2,7 +2,7 @@ // This is a simple stub for github.com/golang-jwt/jwt/v5, strictly for use in testing. // See the LICENSE file for information about the licensing of the original library. -// Source: github.com/golang-jwt/jwt/v5 (exports: Parser,Token; functions: ParseWithClaims) +// Source: github.com/golang-jwt/jwt/v5 (exports: RegisteredClaims,Parser,Token; functions: Parse,ParseWithClaims) // Package jwt is a stub of github.com/golang-jwt/jwt/v5, generated by depstubber. package jwt @@ -216,6 +216,10 @@ func (_ *NumericDate) UnmarshalText(_ []byte) error { return nil } +func Parse(_ string, _ Keyfunc, _ ...ParserOption) (*Token, error) { + return nil, nil +} + func ParseWithClaims(_ string, _ Claims, _ Keyfunc, _ ...ParserOption) (*Token, error) { return nil, nil } 
@@ -240,6 +244,40 @@ func (_ *Parser) ParseWithClaims(_ string, _ Claims, _ Keyfunc) (*Token, error) type ParserOption func(*Parser) +type RegisteredClaims struct { + Issuer string + Subject string + Audience ClaimStrings + ExpiresAt *NumericDate + NotBefore *NumericDate + IssuedAt *NumericDate + ID string +} + +func (_ RegisteredClaims) GetAudience() (ClaimStrings, error) { + return nil, nil +} + +func (_ RegisteredClaims) GetExpirationTime() (*NumericDate, error) { + return nil, nil +} + +func (_ RegisteredClaims) GetIssuedAt() (*NumericDate, error) { + return nil, nil +} + +func (_ RegisteredClaims) GetIssuer() (string, error) { + return "", nil +} + +func (_ RegisteredClaims) GetNotBefore() (*NumericDate, error) { + return nil, nil +} + +func (_ RegisteredClaims) GetSubject() (string, error) { + return "", nil +} + type SigningMethod interface { Alg() string Sign(_ string, _ interface{}) ([]byte, error) diff --git a/go/ql/test/experimental/CWE-347/NoVerification.expected b/go/ql/test/experimental/CWE-347/NoVerification.expected index 7d7390175a2..193425b0702 100644 --- a/go/ql/test/experimental/CWE-347/NoVerification.expected +++ b/go/ql/test/experimental/CWE-347/NoVerification.expected 
@@ -1,16 +1,32 @@ edges -| go-jose.v3/go-jose.v3.go:27:17:27:38 | call to Param | go-jose.v3/go-jose.v3.go:28:16:28:26 | signedToken | -| go-jose.v3/go-jose.v3.go:28:16:28:26 | signedToken | go-jose.v3/go-jose.v3.go:49:19:49:29 | definition of signedToken | -| go-jose.v3/go-jose.v3.go:49:19:49:29 | definition of signedToken | go-jose.v3/go-jose.v3.go:51:37:51:47 | signedToken | -| go-jose.v3/go-jose.v3.go:51:21:51:48 | call to ParseSigned | go-jose.v3/go-jose.v3.go:53:12:53:23 | DecodedToken | -| go-jose.v3/go-jose.v3.go:51:37:51:47 | signedToken | go-jose.v3/go-jose.v3.go:51:21:51:48 | call to ParseSigned | +| go-jose.v3.go:25:16:25:20 | selection of URL | go-jose.v3.go:25:16:25:28 | call to Query | +| go-jose.v3.go:25:16:25:28 | call to Query | go-jose.v3.go:25:16:25:47 | call to Get | +| go-jose.v3.go:25:16:25:47 | call to Get | go-jose.v3.go:26:15:26:25 | signedToken | +| go-jose.v3.go:26:15:26:25 | signedToken | go-jose.v3.go:29:19:29:29 | definition of signedToken | +| go-jose.v3.go:29:19:29:29 | definition of signedToken | go-jose.v3.go:31:37:31:47 | signedToken | +| go-jose.v3.go:31:21:31:48 | call to ParseSigned | go-jose.v3.go:33:12:33:23 | DecodedToken | +| go-jose.v3.go:31:37:31:47 | signedToken | go-jose.v3.go:31:21:31:48 | call to ParseSigned | +| golang-jwt-v5.go:28:16:28:20 | selection of URL | golang-jwt-v5.go:28:16:28:28 | call to Query | +| golang-jwt-v5.go:28:16:28:28 | call to Query | golang-jwt-v5.go:28:16:28:47 | call to Get | +| golang-jwt-v5.go:28:16:28:47 | call to Get | golang-jwt-v5.go:29:25:29:35 | signedToken | +| golang-jwt-v5.go:29:25:29:35 | signedToken | golang-jwt-v5.go:32:29:32:39 | definition of signedToken | +| golang-jwt-v5.go:32:29:32:39 | definition of signedToken | golang-jwt-v5.go:34:58:34:68 | signedToken | nodes -| go-jose.v3/go-jose.v3.go:27:17:27:38 | call to Param | semmle.label | call to Param | -| go-jose.v3/go-jose.v3.go:28:16:28:26 | signedToken | semmle.label | signedToken | -| 
go-jose.v3/go-jose.v3.go:49:19:49:29 | definition of signedToken | semmle.label | definition of signedToken | -| go-jose.v3/go-jose.v3.go:51:21:51:48 | call to ParseSigned | semmle.label | call to ParseSigned | -| go-jose.v3/go-jose.v3.go:51:37:51:47 | signedToken | semmle.label | signedToken | -| go-jose.v3/go-jose.v3.go:53:12:53:23 | DecodedToken | semmle.label | DecodedToken | +| go-jose.v3.go:25:16:25:20 | selection of URL | semmle.label | selection of URL | +| go-jose.v3.go:25:16:25:28 | call to Query | semmle.label | call to Query | +| go-jose.v3.go:25:16:25:47 | call to Get | semmle.label | call to Get | +| go-jose.v3.go:26:15:26:25 | signedToken | semmle.label | signedToken | +| go-jose.v3.go:29:19:29:29 | definition of signedToken | semmle.label | definition of signedToken | +| go-jose.v3.go:31:21:31:48 | call to ParseSigned | semmle.label | call to ParseSigned | +| go-jose.v3.go:31:37:31:47 | signedToken | semmle.label | signedToken | +| go-jose.v3.go:33:12:33:23 | DecodedToken | semmle.label | DecodedToken | +| golang-jwt-v5.go:28:16:28:20 | selection of URL | semmle.label | selection of URL | +| golang-jwt-v5.go:28:16:28:28 | call to Query | semmle.label | call to Query | +| golang-jwt-v5.go:28:16:28:47 | call to Get | semmle.label | call to Get | +| golang-jwt-v5.go:29:25:29:35 | signedToken | semmle.label | signedToken | +| golang-jwt-v5.go:32:29:32:39 | definition of signedToken | semmle.label | definition of signedToken | +| golang-jwt-v5.go:34:58:34:68 | signedToken | semmle.label | signedToken | subpaths #select -| go-jose.v3/go-jose.v3.go:53:12:53:23 | DecodedToken | go-jose.v3/go-jose.v3.go:27:17:27:38 | call to Param | go-jose.v3/go-jose.v3.go:53:12:53:23 | DecodedToken | This $@. | go-jose.v3/go-jose.v3.go:27:17:27:38 | call to Param | decode | +| go-jose.v3.go:33:12:33:23 | DecodedToken | go-jose.v3.go:25:16:25:20 | selection of URL | go-jose.v3.go:33:12:33:23 | DecodedToken | This $@. 
| go-jose.v3.go:25:16:25:20 | selection of URL | decode | +| golang-jwt-v5.go:34:58:34:68 | signedToken | golang-jwt-v5.go:28:16:28:20 | selection of URL | golang-jwt-v5.go:34:58:34:68 | signedToken | This $@. | golang-jwt-v5.go:28:16:28:20 | selection of URL | decode | diff --git a/go/ql/test/experimental/CWE-347/NoVerification.qlref b/go/ql/test/experimental/CWE-347/NoVerification.qlref deleted file mode 100644 index cf6bf7f8af5..00000000000 --- a/go/ql/test/experimental/CWE-347/NoVerification.qlref +++ /dev/null @@ -1 +0,0 @@ -experimental/CWE-347/NoVerification.ql \ No newline at end of file diff --git a/go/ql/test/experimental/CWE-347/ParseJWTWithoutVerification.qlref b/go/ql/test/experimental/CWE-347/ParseJWTWithoutVerification.qlref new file mode 100644 index 00000000000..a4326ff97e6 --- /dev/null +++ b/go/ql/test/experimental/CWE-347/ParseJWTWithoutVerification.qlref @@ -0,0 +1 @@ +experimental/CWE-347/ParseJWTWithoutVerification.ql \ No newline at end of file diff --git a/go/ql/test/experimental/CWE-347/go-jose.v3.go b/go/ql/test/experimental/CWE-347/go-jose.v3.go new file mode 100644 index 00000000000..3e55ced31f6 --- /dev/null +++ b/go/ql/test/experimental/CWE-347/go-jose.v3.go 
@@ -0,0 +1,46 @@
+package jwt
+
+//go:generate depstubber -vendor github.com/go-jose/go-jose/v3/jwt JSONWebToken ParseSigned
+
+import (
+ "fmt"
+ "github.com/go-jose/go-jose/v3/jwt"
+ "net/http"
+)
+
+type CustomerInfo struct {
+ Name string
+ ID int
+}
+
+var JwtKey = []byte("AllYourBase")
+
+func jose(r *http.Request) {
+ signedToken := r.URL.Query().Get("signedToken")
+ // OK: first decode and then verify
+ notVerifyJWT(signedToken)
+ verifyJWT(signedToken)
+
+ // NOT OK: no verification
+ signedToken = r.URL.Query().Get("signedToken")
+ notVerifyJWT(signedToken)
+}
+
+func notVerifyJWT(signedToken string) {
+ fmt.Println("only decoding JWT")
+ DecodedToken, _ := jwt.ParseSigned(signedToken)
+ out := CustomerInfo{}
+ if err := DecodedToken.UnsafeClaimsWithoutVerification(&out); err != nil {
+ panic(err)
+ }
+ fmt.Printf("%v\n", out)
+}
+func verifyJWT(signedToken string) {
+ fmt.Println("verifying JWT")
+ DecodedToken, _ := jwt.ParseSigned(signedToken)
+ out := CustomerInfo{}
+ if err := DecodedToken.Claims(JwtKey, &out); err != nil {
+ panic(err)
+ }
+ fmt.Printf("%v\n", out)
+}
diff --git a/go/ql/test/experimental/CWE-347/go-jose.v3/go-jose.v3.go b/go/ql/test/experimental/CWE-347/go-jose.v3/go-jose.v3.go
deleted file mode 100644
index 45605d5868f..00000000000
--- a/go/ql/test/experimental/CWE-347/go-jose.v3/go-jose.v3.go
+++ /dev/null
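Review bot: The `// OK: first decode and then verify` comment on the first call pair does not say what makes that unverified parse acceptable; from the updated NoVerification.expected only the second `r.URL.Query().Get` (line 25) is reported, so presumably the later `verifyJWT` call on the same `signedToken` is what the query treats as verification, and the comment should state that: `// OK: the unverified parse is followed by verifyJWT on the same token`. Both `jwt.ParseSigned` calls also discard their error and dereference `DecodedToken` on the next line; that is harmless against the stub, but since this fixture is the query's worked example a short `// error ignored: fixture, stub returns nil` would make the intent clear without shifting the line numbers the expected file pins.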
@@ -1,66 +0,0 @@ -package main2 - -import ( - "fmt" - "github.com/gin-gonic/gin" - "github.com/go-jose/go-jose/v3" - "github.com/go-jose/go-jose/v3/jwt" - "net/http" -) - -type CustomerInfo struct { - Name string - ID int -} - -var JwtKey = []byte("AllYourBase") - -func main() { - router := gin.Default() - router.GET("/ping", func(c *gin.Context) { - // https://pkg.go.dev/github.com/go-jose/go-jose/v3/jwt - signedToken := c.Param("signedToken") - // GOOD: decode first and then verify - notVerifyJWT(signedToken) - verifyJWT(signedToken) - // Bad: no verification - signedToken = c.Param("signedToken") - notVerifyJWT(signedToken) - - c.JSON(http.StatusOK, gin.H{ - "message": "pong", - }) - }) - _ = router.Run() - -} - -func newToken(unsignedToken string) string { - fmt.Println("Creating new JWT") - signer, _ := jose.NewSigner(jose.SigningKey{Algorithm: jose.HS256, Key: JwtKey}, nil) - raw, err := jwt.Signed(signer).Claims(CustomerInfo{ID: 1, Name: unsignedToken}).CompactSerialize() - if err != nil { - panic(err) - } - fmt.Println(raw) - return raw -} - -func notVerifyJWT(signedToken string) { - fmt.Println("only decoding JWT") - DecodedToken, _ := jwt.ParseSigned(signedToken) - out := CustomerInfo{} - if err := DecodedToken.UnsafeClaimsWithoutVerification(&out); err != nil { - panic(err) - } - fmt.Printf("%v\n", out) -} -func verifyJWT(signedToken string) { - fmt.Println("verifying JWT") - DecodedToken, _ := jwt.ParseSigned(signedToken) - out := CustomerInfo{} - if err := DecodedToken.Claims(JwtKey, &out); err != nil { - panic(err) - } - fmt.Printf("%v\n", out) -} diff --git a/go/ql/test/experimental/CWE-347/golang-jwt-v5.go b/go/ql/test/experimental/CWE-347/golang-jwt-v5.go new file mode 100644 index 00000000000..e37265f03c0 --- /dev/null +++ b/go/ql/test/experimental/CWE-347/golang-jwt-v5.go 
@@ -0,0 +1,54 @@
+package jwt
+
+//go:generate depstubber -vendor github.com/golang-jwt/jwt/v5 RegisteredClaims,Parser,Token ParseWithClaims,NewParser
+
+import (
+ "fmt"
+ "github.com/golang-jwt/jwt/v5"
+ "log"
+ "net/http"
+)
+
+type CustomerInfo1 struct {
+ Name string
+ ID int
+ jwt.RegisteredClaims
+}
+
+// BAD constant key
+var JwtKey1 = []byte("AllYourBase")
+
+func golangjwt(r *http.Request) {
+ signedToken := r.URL.Query().Get("signedToken")
+ // OK: first decode and then verify
+ notVerifyJWT_golangjwt(signedToken)
+ verifyJWT_golangjwt(signedToken)
+
+ // NOT OK: only unverified parse
+ signedToken = r.URL.Query().Get("signedToken")
+ notVerifyJWT_golangjwt(signedToken)
+}
+
+func notVerifyJWT_golangjwt(signedToken string) {
+ fmt.Println("only decoding JWT")
+ DecodedToken, _, err := jwt.NewParser().ParseUnverified(signedToken, &CustomerInfo1{})
+ if claims, ok := DecodedToken.Claims.(*CustomerInfo1); ok {
+ fmt.Printf("DecodedToken:%v\n", claims)
+ } else {
+ log.Fatal("error", err)
+ }
+}
+
+func LoadJwtKey(token *jwt.Token) (interface{}, error) {
+ return JwtKey, nil
+}
+
+func verifyJWT_golangjwt(signedToken string) {
+ fmt.Println("verifying JWT")
+ DecodedToken, err := jwt.ParseWithClaims(signedToken, &CustomerInfo1{}, LoadJwtKey)
+ if claims, ok := DecodedToken.Claims.(*CustomerInfo1); ok && DecodedToken.Valid {
+ fmt.Printf("NAME:%v ,ID:%v\n", claims.Name, claims.ID)
+ } else {
+ log.Fatal(err)
+ }
+}
diff --git a/go/ql/test/experimental/CWE-347/golang-jwt-v5/golang-jwt-v5.go b/go/ql/test/experimental/CWE-347/golang-jwt-v5/golang-jwt-v5.go
deleted file mode 100644
index ff5437ee7f6..00000000000
--- a/go/ql/test/experimental/CWE-347/golang-jwt-v5/golang-jwt-v5.go
+++ /dev/null
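Review bot: `LoadJwtKey` returns `JwtKey`, which this file never declares; it only compiles because the sibling `go-jose.v3.go` in the same `package jwt` defines `JwtKey`, while the `JwtKey1` declared here under `// BAD constant key` is never read. The fixture's key-loading path should be self-contained: `return JwtKey1, nil` (or drop the unused `JwtKey1`), which keeps the line numbers pinned by NoVerification.expected unchanged and avoids a silent break if the two fixtures are ever split into separate packages. In `notVerifyJWT_golangjwt`, `DecodedToken.Claims` is dereferenced before `err` from `ParseUnverified` is consulted; harmless against the stub, but a one-line comment noting that the fixture relies on the stub would save the next reader the question.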
@@ -1,78 +0,0 @@ -package main - -import ( - "fmt" - "github.com/gin-gonic/gin" - "github.com/golang-jwt/jwt/v5" - "log" - "net/http" - "os" -) - -type CustomerInfo struct { - Name string - ID int - jwt.RegisteredClaims -} - -// BAD constant key -var JwtKey = []byte("AllYourBase") - -func main() { - router := gin.Default() - router.GET("/ping", func(c *gin.Context) { - // https://pkg.go.dev/github.com/go-jose/go-jose/v3/jwt - var unsignedToken = c.Param("customerName") - signedToken := newToken(unsignedToken) - signedToken = c.Param("signedToken") - // GOOD - verifyJWT(signedToken) - notVerifyJWT(signedToken) - - // BAD only unverified parse - signedToken = c.Param("signedToken") - notVerifyJWT(signedToken) - - c.JSON(http.StatusOK, gin.H{ - "message": "pong", - }) - }) - _ = router.Run() -} - -func newToken(unsignedToken string) string { - fmt.Println("Signing JWT") - signer := jwt.GetSigningMethod(jwt.SigningMethodHS256.Alg()) - claims := CustomerInfo{ID: 1, Name: unsignedToken} - signedToken, err := jwt.NewWithClaims(signer, claims).SignedString(JwtKey) - signedToken2, err := jwt.New(signer).SignedString(JwtKey) - if err != nil { - fmt.Println(err) - os.Exit(1) - } - fmt.Println(signedToken) - fmt.Println(signedToken2) - return signedToken -} -func notVerifyJWT(signedToken string) { - fmt.Println("only decoding JWT") - DecodedToken, _, err := jwt.NewParser().ParseUnverified(signedToken, &CustomerInfo{}) - if claims, ok := DecodedToken.Claims.(*CustomerInfo); ok { - fmt.Printf("DecodedToken:%v\n", claims) - } else { - log.Fatal("error", err) - } -} -func LoadJwtKey(token *jwt.Token) (interface{}, error) { - return JwtKey, nil -} -func verifyJWT(signedToken string) { - fmt.Println("verifying JWT") - DecodedToken, err := jwt.ParseWithClaims(signedToken, &CustomerInfo{}, LoadJwtKey) - if claims, ok := DecodedToken.Claims.(*CustomerInfo); ok && DecodedToken.Valid { - fmt.Printf("NAME:%v ,ID:%v\n", claims.Name, claims.ID) - } else { - log.Fatal(err) - } -} - 
diff --git a/go/ql/test/experimental/CWE-347/vendor/github.com/dgrijalva/jwt-go/request/stub.go b/go/ql/test/experimental/CWE-347/vendor/github.com/dgrijalva/jwt-go/request/stub.go deleted file mode 100644 index 38a028bf9b8..00000000000 --- a/go/ql/test/experimental/CWE-347/vendor/github.com/dgrijalva/jwt-go/request/stub.go +++ /dev/null @@ -1,22 +0,0 @@ -// Code generated by depstubber. DO NOT EDIT. -// This is a simple stub for github.com/dgrijalva/jwt-go/request, strictly for use in testing. - -// See the LICENSE file for information about the licensing of the original library. -// Source: github.com/dgrijalva/jwt-go/request (exports: ParseFromRequestOption; functions: ParseFromRequest) - -// Package request is a stub of github.com/dgrijalva/jwt-go/request, generated by depstubber. -package request - -import ( - http "net/http" -) - -type Extractor interface { - ExtractToken(_ *http.Request) (string, error) -} - -func ParseFromRequest(_ *http.Request, _ Extractor, _ interface{}, _ ...ParseFromRequestOption) (interface{}, error) { - return nil, nil -} - -type ParseFromRequestOption func(interface{}) diff --git a/go/ql/test/experimental/CWE-347/vendor/github.com/dgrijalva/jwt-go/stub.go b/go/ql/test/experimental/CWE-347/vendor/github.com/dgrijalva/jwt-go/stub.go deleted file mode 100644 index cd6d52c00e4..00000000000 --- a/go/ql/test/experimental/CWE-347/vendor/github.com/dgrijalva/jwt-go/stub.go +++ /dev/null 
@@ -1,80 +0,0 @@ -// Code generated by depstubber. DO NOT EDIT. -// This is a simple stub for github.com/dgrijalva/jwt-go, strictly for use in testing. - -// See the LICENSE file for information about the licensing of the original library. -// Source: github.com/dgrijalva/jwt-go (exports: Parser,Token; functions: ParseECPrivateKeyFromPEM,ParseECPublicKeyFromPEM,ParseRSAPrivateKeyFromPEM,ParseRSAPrivateKeyFromPEMWithPassword,ParseRSAPublicKeyFromPEM) - -// Package jwt is a stub of github.com/dgrijalva/jwt-go, generated by depstubber. -package jwt - -import ( - ecdsa "crypto/ecdsa" - rsa "crypto/rsa" -) - -type Claims interface { - Valid() error -} - -type Keyfunc func(*Token) (interface{}, error) - -func ParseECPrivateKeyFromPEM(_ []byte) (*ecdsa.PrivateKey, error) { - return nil, nil -} - -func ParseECPublicKeyFromPEM(_ []byte) (*ecdsa.PublicKey, error) { - return nil, nil -} - -func ParseRSAPrivateKeyFromPEM(_ []byte) (*rsa.PrivateKey, error) { - return nil, nil -} - -func ParseRSAPrivateKeyFromPEMWithPassword(_ []byte, _ string) (*rsa.PrivateKey, error) { - return nil, nil -} - -func ParseRSAPublicKeyFromPEM(_ []byte) (*rsa.PublicKey, error) { - return nil, nil -} - -type Parser struct { - ValidMethods []string - UseJSONNumber bool - SkipClaimsValidation bool -} - -func (_ *Parser) Parse(_ string, _ Keyfunc) (*Token, error) { - return nil, nil -} - -func (_ *Parser) ParseUnverified(_ string, _ Claims) (*Token, []string, error) { - return nil, nil, nil -} - -func (_ *Parser) ParseWithClaims(_ string, _ Claims, _ Keyfunc) (*Token, error) { - return nil, nil -} - -type SigningMethod interface { - Alg() string - Sign(_ string, _ interface{}) (string, error) - Verify(_ string, _ string, _ interface{}) error -} - -type Token struct { - Raw string - Method SigningMethod - Header map[string]interface{} - Claims Claims - Signature string - Valid bool -} - -func (_ *Token) SignedString(_ interface{}) (string, error) { - return "", nil -} - -func (_ *Token) SigningString() 
(string, error) { - return "", nil -} diff --git a/go/ql/test/experimental/CWE-347/vendor/github.com/dgrijalva/jwt-go/v4/request/stub.go b/go/ql/test/experimental/CWE-347/vendor/github.com/dgrijalva/jwt-go/v4/request/stub.go deleted file mode 100644 index 7c892da25c5..00000000000 --- a/go/ql/test/experimental/CWE-347/vendor/github.com/dgrijalva/jwt-go/v4/request/stub.go +++ /dev/null @@ -1,22 +0,0 @@ -// Code generated by depstubber. DO NOT EDIT. -// This is a simple stub for github.com/dgrijalva/jwt-go/v4/request, strictly for use in testing. - -// See the LICENSE file for information about the licensing of the original library. -// Source: github.com/dgrijalva/jwt-go/v4/request (exports: ParseFromRequestOption; functions: ParseFromRequest) - -// Package request is a stub of github.com/dgrijalva/jwt-go/v4/request, generated by depstubber. -package request - -import ( - http "net/http" -) - -type Extractor interface { - ExtractToken(_ *http.Request) (string, error) -} - -func ParseFromRequest(_ *http.Request, _ Extractor, _ interface{}, _ ...ParseFromRequestOption) (interface{}, error) { - return nil, nil -} - -type ParseFromRequestOption func(interface{}) diff --git a/go/ql/test/experimental/CWE-347/vendor/github.com/dgrijalva/jwt-go/v4/stub.go b/go/ql/test/experimental/CWE-347/vendor/github.com/dgrijalva/jwt-go/v4/stub.go deleted file mode 100644 index f94182bc290..00000000000 --- a/go/ql/test/experimental/CWE-347/vendor/github.com/dgrijalva/jwt-go/v4/stub.go +++ /dev/null 
@@ -1,337 +0,0 @@ -// Code generated by depstubber. DO NOT EDIT. -// This is a simple stub for github.com/dgrijalva/jwt-go/v4, strictly for use in testing. - -// See the LICENSE file for information about the licensing of the original library. -// Source: github.com/dgrijalva/jwt-go/v4 (exports: Parser,Token; functions: ParseECPrivateKeyFromPEM,ParseECPublicKeyFromPEM,ParseRSAPrivateKeyFromPEM,ParseRSAPrivateKeyFromPEMWithPassword,ParseRSAPublicKeyFromPEM) - -// Package jwt is a stub of github.com/dgrijalva/jwt-go/v4, generated by depstubber. -package jwt - -import ( - ecdsa "crypto/ecdsa" - rsa "crypto/rsa" - time "time" -) - -type ClaimStrings []string - -func (_ *ClaimStrings) UnmarshalJSON(_ []byte) error { - return nil -} - -type Claims interface { - Valid(_ *ValidationHelper) error -} - -type Keyfunc func(*Token) (interface{}, error) - -func ParseECPrivateKeyFromPEM(_ []byte) (*ecdsa.PrivateKey, error) { - return nil, nil -} - -func ParseECPublicKeyFromPEM(_ []byte) (*ecdsa.PublicKey, error) { - return nil, nil -} - -func ParseRSAPrivateKeyFromPEM(_ []byte) (*rsa.PrivateKey, error) { - return nil, nil -} - -func ParseRSAPrivateKeyFromPEMWithPassword(_ []byte, _ string) (*rsa.PrivateKey, error) { - return nil, nil -} - -func ParseRSAPublicKeyFromPEM(_ []byte) (*rsa.PublicKey, error) { - return nil, nil -} - -type Parser struct { - ValidationHelper *ValidationHelper -} - -func (_ Parser) After(_ time.Time) bool { - return false -} - -func (_ Parser) Before(_ time.Time) bool { - return false -} - -func (_ Parser) ValidateAudience(_ ClaimStrings) error { - return nil -} - -func (_ Parser) ValidateAudienceAgainst(_ ClaimStrings, _ string) error { - return nil -} - -func (_ Parser) ValidateExpiresAt(_ *Time) error { - return nil -} - -func (_ Parser) ValidateIssuer(_ string) error { - return nil -} - -func (_ Parser) ValidateIssuerAgainst(_ string, _ string) error { - return nil -} - -func (_ Parser) ValidateNotBefore(_ *Time) error { - return nil -} - -func (_ 
*Parser) Parse(_ string, _ Keyfunc) (*Token, error) { - return nil, nil -} - -func (_ *Parser) ParseUnverified(_ string, _ Claims) (*Token, []string, error) { - return nil, nil, nil -} - -func (_ *Parser) ParseWithClaims(_ string, _ Claims, _ Keyfunc) (*Token, error) { - return nil, nil -} - -type SigningMethod interface { - Alg() string - Sign(_ string, _ interface{}) (string, error) - Verify(_ string, _ string, _ interface{}) error -} - -type SigningOption func(interface{}) - -type Time struct { - Time time.Time -} - -func (_ Time) Add(_ time.Duration) time.Time { - return time.Time{} -} - -func (_ Time) AddDate(_ int, _ int, _ int) time.Time { - return time.Time{} -} - -func (_ Time) After(_ time.Time) bool { - return false -} - -func (_ Time) AppendFormat(_ []byte, _ string) []byte { - return nil -} - -func (_ Time) Before(_ time.Time) bool { - return false -} - -func (_ Time) Clock() (int, int, int) { - return 0, 0, 0 -} - -func (_ Time) Compare(_ time.Time) int { - return 0 -} - -func (_ Time) Date() (int, time.Month, int) { - return 0, 0, 0 -} - -func (_ Time) Day() int { - return 0 -} - -func (_ Time) Equal(_ time.Time) bool { - return false -} - -func (_ Time) Format(_ string) string { - return "" -} - -func (_ Time) GoString() string { - return "" -} - -func (_ Time) GobEncode() ([]byte, error) { - return nil, nil -} - -func (_ Time) Hour() int { - return 0 -} - -func (_ Time) ISOWeek() (int, int) { - return 0, 0 -} - -func (_ Time) In(_ *time.Location) time.Time { - return time.Time{} -} - -func (_ Time) IsDST() bool { - return false -} - -func (_ Time) IsZero() bool { - return false -} - -func (_ Time) Local() time.Time { - return time.Time{} -} - -func (_ Time) Location() *time.Location { - return nil -} - -func (_ Time) MarshalBinary() ([]byte, error) { - return nil, nil -} - -func (_ Time) MarshalText() ([]byte, error) { - return nil, nil -} - -func (_ Time) Minute() int { - return 0 -} - -func (_ Time) Month() time.Month { - return 0 -} - -func (_ 
Time) Nanosecond() int { - return 0 -} - -func (_ Time) Round(_ time.Duration) time.Time { - return time.Time{} -} - -func (_ Time) Second() int { - return 0 -} - -func (_ Time) String() string { - return "" -} - -func (_ Time) Sub(_ time.Time) time.Duration { - return 0 -} - -func (_ Time) Truncate(_ time.Duration) time.Time { - return time.Time{} -} - -func (_ Time) UTC() time.Time { - return time.Time{} -} - -func (_ Time) Unix() int64 { - return 0 -} - -func (_ Time) UnixMicro() int64 { - return 0 -} - -func (_ Time) UnixMilli() int64 { - return 0 -} - -func (_ Time) UnixNano() int64 { - return 0 -} - -func (_ Time) Weekday() time.Weekday { - return 0 -} - -func (_ Time) Year() int { - return 0 -} - -func (_ Time) YearDay() int { - return 0 -} - -func (_ Time) Zone() (string, int) { - return "", 0 -} - -func (_ Time) ZoneBounds() (time.Time, time.Time) { - return time.Time{}, time.Time{} -} - -func (_ *Time) GobDecode(_ []byte) error { - return nil -} - -func (_ *Time) MarshalJSON() ([]byte, error) { - return nil, nil -} - -func (_ *Time) UnmarshalBinary(_ []byte) error { - return nil -} - -func (_ *Time) UnmarshalJSON(_ []byte) error { - return nil -} - -func (_ *Time) UnmarshalText(_ []byte) error { - return nil -} - -type Token struct { - Raw string - Method SigningMethod - Header map[string]interface{} - Claims Claims - Signature string - Valid bool -} - -func (_ *Token) SignedString(_ interface{}, _ ...SigningOption) (string, error) { - return "", nil -} - -func (_ *Token) SigningString(_ ...SigningOption) (string, error) { - return "", nil -} - -type ValidationHelper struct{} - -func (_ *ValidationHelper) After(_ time.Time) bool { - return false -} - -func (_ *ValidationHelper) Before(_ time.Time) bool { - return false -} - -func (_ *ValidationHelper) ValidateAudience(_ ClaimStrings) error { - return nil -} - -func (_ *ValidationHelper) ValidateAudienceAgainst(_ ClaimStrings, _ string) error { - return nil -} - -func (_ *ValidationHelper) 
ValidateExpiresAt(_ *Time) error { - return nil -} - -func (_ *ValidationHelper) ValidateIssuer(_ string) error { - return nil -} - -func (_ *ValidationHelper) ValidateIssuerAgainst(_ string, _ string) error { - return nil -} - -func (_ *ValidationHelper) ValidateNotBefore(_ *Time) error { - return nil -} diff --git a/go/ql/test/experimental/CWE-347/vendor/github.com/gin-gonic/gin/stub.go b/go/ql/test/experimental/CWE-347/vendor/github.com/gin-gonic/gin/stub.go deleted file mode 100644 index a3c8b665036..00000000000 --- a/go/ql/test/experimental/CWE-347/vendor/github.com/gin-gonic/gin/stub.go +++ /dev/null 
@@ -1,465 +0,0 @@ -// Code generated by depstubber. DO NOT EDIT. -// This is a simple stub for github.com/gin-gonic/gin, strictly for use in testing. - -// See the LICENSE file for information about the licensing of the original library. -// Source: github.com/gin-gonic/gin (exports: Context; functions: ) - -// Package gin is a stub of github.com/gin-gonic/gin, generated by depstubber. -package gin - -import ( - bufio "bufio" - io "io" - multipart "mime/multipart" - net "net" - http "net/http" - time "time" -) - -type Context struct { - Request *http.Request - Writer ResponseWriter - Params Params - Keys map[string]interface{} - Errors interface{} - Accepted []string -} - -func (_ *Context) Abort() {} - -func (_ *Context) AbortWithError(_ int, _ error) *Error { - return nil -} - -func (_ *Context) AbortWithStatus(_ int) {} - -func (_ *Context) AbortWithStatusJSON(_ int, _ interface{}) {} - -func (_ *Context) AddParam(_ string, _ string) {} - -func (_ *Context) AsciiJSON(_ int, _ interface{}) {} - -func (_ *Context) Bind(_ interface{}) error { - return nil -} - -func (_ *Context) BindHeader(_ interface{}) error { - return nil -} - -func (_ *Context) BindJSON(_ interface{}) error { - return nil -} - -func (_ *Context) BindQuery(_ interface{}) error { - return nil -} - -func (_ *Context) BindTOML(_ interface{}) error { - return nil -} - -func (_ *Context) BindUri(_ interface{}) error { - return nil -} - -func (_ *Context) BindWith(_ interface{}, _ interface{}) error { - return nil -} - -func (_ *Context) BindXML(_ interface{}) error { - return nil -} - -func (_ *Context) BindYAML(_ interface{}) error { - return nil -} - -func (_ *Context) ClientIP() string { - return "" -} - -func (_ *Context) ContentType() string { - return "" -} - -func (_ *Context) Cookie(_ string) (string, error) { - return "", nil -} - -func (_ *Context) Copy() *Context { - return nil -} - -func (_ *Context) Data(_ int, _ string, _ []byte) {} - -func (_ *Context) DataFromReader(_ int, _ int64, _ 
string, _ io.Reader, _ map[string]string) {} - -func (_ *Context) Deadline() (time.Time, bool) { - return time.Time{}, false -} - -func (_ *Context) DefaultPostForm(_ string, _ string) string { - return "" -} - -func (_ *Context) DefaultQuery(_ string, _ string) string { - return "" -} - -func (_ *Context) Done() <-chan struct{} { - return nil -} - -func (_ *Context) Err() error { - return nil -} - -func (_ *Context) Error(_ error) *Error { - return nil -} - -func (_ *Context) File(_ string) {} - -func (_ *Context) FileAttachment(_ string, _ string) {} - -func (_ *Context) FileFromFS(_ string, _ http.FileSystem) {} - -func (_ *Context) FormFile(_ string) (*multipart.FileHeader, error) { - return nil, nil -} - -func (_ *Context) FullPath() string { - return "" -} - -func (_ *Context) Get(_ string) (interface{}, bool) { - return nil, false -} - -func (_ *Context) GetBool(_ string) bool { - return false -} - -func (_ *Context) GetDuration(_ string) time.Duration { - return 0 -} - -func (_ *Context) GetFloat64(_ string) float64 { - return 0 -} - -func (_ *Context) GetHeader(_ string) string { - return "" -} - -func (_ *Context) GetInt(_ string) int { - return 0 -} - -func (_ *Context) GetInt64(_ string) int64 { - return 0 -} - -func (_ *Context) GetPostForm(_ string) (string, bool) { - return "", false -} - -func (_ *Context) GetPostFormArray(_ string) ([]string, bool) { - return nil, false -} - -func (_ *Context) GetPostFormMap(_ string) (map[string]string, bool) { - return nil, false -} - -func (_ *Context) GetQuery(_ string) (string, bool) { - return "", false -} - -func (_ *Context) GetQueryArray(_ string) ([]string, bool) { - return nil, false -} - -func (_ *Context) GetQueryMap(_ string) (map[string]string, bool) { - return nil, false -} - -func (_ *Context) GetRawData() ([]byte, error) { - return nil, nil -} - -func (_ *Context) GetString(_ string) string { - return "" -} - -func (_ *Context) GetStringMap(_ string) map[string]interface{} { - return nil -} - 
-func (_ *Context) GetStringMapString(_ string) map[string]string { - return nil -} - -func (_ *Context) GetStringMapStringSlice(_ string) map[string][]string { - return nil -} - -func (_ *Context) GetStringSlice(_ string) []string { - return nil -} - -func (_ *Context) GetTime(_ string) time.Time { - return time.Time{} -} - -func (_ *Context) GetUint(_ string) uint { - return 0 -} - -func (_ *Context) GetUint64(_ string) uint64 { - return 0 -} - -func (_ *Context) HTML(_ int, _ string, _ interface{}) {} - -func (_ *Context) Handler() HandlerFunc { - return nil -} - -func (_ *Context) HandlerName() string { - return "" -} - -func (_ *Context) HandlerNames() []string { - return nil -} - -func (_ *Context) Header(_ string, _ string) {} - -func (_ *Context) IndentedJSON(_ int, _ interface{}) {} - -func (_ *Context) IsAborted() bool { - return false -} - -func (_ *Context) IsWebsocket() bool { - return false -} - -func (_ *Context) JSON(_ int, _ interface{}) {} - -func (_ *Context) JSONP(_ int, _ interface{}) {} - -func (_ *Context) MultipartForm() (*multipart.Form, error) { - return nil, nil -} - -func (_ *Context) MustBindWith(_ interface{}, _ interface{}) error { - return nil -} - -func (_ *Context) MustGet(_ string) interface{} { - return nil -} - -func (_ *Context) Negotiate(_ int, _ Negotiate) {} - -func (_ *Context) NegotiateFormat(_ ...string) string { - return "" -} - -func (_ *Context) Next() {} - -func (_ *Context) Param(_ string) string { - return "" -} - -func (_ *Context) PostForm(_ string) string { - return "" -} - -func (_ *Context) PostFormArray(_ string) []string { - return nil -} - -func (_ *Context) PostFormMap(_ string) map[string]string { - return nil -} - -func (_ *Context) ProtoBuf(_ int, _ interface{}) {} - -func (_ *Context) PureJSON(_ int, _ interface{}) {} - -func (_ *Context) Query(_ string) string { - return "" -} - -func (_ *Context) QueryArray(_ string) []string { - return nil -} - -func (_ *Context) QueryMap(_ string) map[string]string 
{ - return nil -} - -func (_ *Context) Redirect(_ int, _ string) {} - -func (_ *Context) RemoteIP() string { - return "" -} - -func (_ *Context) Render(_ int, _ interface{}) {} - -func (_ *Context) SSEvent(_ string, _ interface{}) {} - -func (_ *Context) SaveUploadedFile(_ *multipart.FileHeader, _ string) error { - return nil -} - -func (_ *Context) SecureJSON(_ int, _ interface{}) {} - -func (_ *Context) Set(_ string, _ interface{}) {} - -func (_ *Context) SetAccepted(_ ...string) {} - -func (_ *Context) SetCookie(_ string, _ string, _ int, _ string, _ string, _ bool, _ bool) {} - -func (_ *Context) SetSameSite(_ http.SameSite) {} - -func (_ *Context) ShouldBind(_ interface{}) error { - return nil -} - -func (_ *Context) ShouldBindBodyWith(_ interface{}, _ interface{}) error { - return nil -} - -func (_ *Context) ShouldBindHeader(_ interface{}) error { - return nil -} - -func (_ *Context) ShouldBindJSON(_ interface{}) error { - return nil -} - -func (_ *Context) ShouldBindQuery(_ interface{}) error { - return nil -} - -func (_ *Context) ShouldBindTOML(_ interface{}) error { - return nil -} - -func (_ *Context) ShouldBindUri(_ interface{}) error { - return nil -} - -func (_ *Context) ShouldBindWith(_ interface{}, _ interface{}) error { - return nil -} - -func (_ *Context) ShouldBindXML(_ interface{}) error { - return nil -} - -func (_ *Context) ShouldBindYAML(_ interface{}) error { - return nil -} - -func (_ *Context) Status(_ int) {} - -func (_ *Context) Stream(_ func(io.Writer) bool) bool { - return false -} - -func (_ *Context) String(_ int, _ string, _ ...interface{}) {} - -func (_ *Context) TOML(_ int, _ interface{}) {} - -func (_ *Context) Value(_ interface{}) interface{} { - return nil -} - -func (_ *Context) XML(_ int, _ interface{}) {} - -func (_ *Context) YAML(_ int, _ interface{}) {} - -type Error struct { - Err error - Type ErrorType - Meta interface{} -} - -func (_ Error) Error() string { - return "" -} - -func (_ *Error) IsType(_ ErrorType) bool { - 
return false -} - -func (_ *Error) JSON() interface{} { - return nil -} - -func (_ *Error) MarshalJSON() ([]byte, error) { - return nil, nil -} - -func (_ *Error) SetMeta(_ interface{}) *Error { - return nil -} - -func (_ *Error) SetType(_ ErrorType) *Error { - return nil -} - -func (_ *Error) Unwrap() error { - return nil -} - -type ErrorType uint64 - -type HandlerFunc func(*Context) - -type Negotiate struct { - Offered []string - HTMLName string - HTMLData interface{} - JSONData interface{} - XMLData interface{} - YAMLData interface{} - Data interface{} - TOMLData interface{} -} - -type Param struct { - Key string - Value string -} - -type Params []Param - -func (_ Params) ByName(_ string) string { - return "" -} - -func (_ Params) Get(_ string) (string, bool) { - return "", false -} - -type ResponseWriter interface { - CloseNotify() <-chan bool - Flush() - Header() http.Header - Hijack() (net.Conn, *bufio.ReadWriter, error) - Pusher() http.Pusher - Size() int - Status() int - Write(_ []byte) (int, error) - WriteHeader(_ int) - WriteHeaderNow() - WriteString(_ string) (int, error) - Written() bool -} diff --git a/go/ql/test/experimental/CWE-347/vendor/github.com/go-jose/go-jose/v3/jwt/stub.go b/go/ql/test/experimental/CWE-347/vendor/github.com/go-jose/go-jose/v3/jwt/stub.go index de5f359a012..a160226c423 100644 --- a/go/ql/test/experimental/CWE-347/vendor/github.com/go-jose/go-jose/v3/jwt/stub.go +++ b/go/ql/test/experimental/CWE-347/vendor/github.com/go-jose/go-jose/v3/jwt/stub.go 
@@ -2,7 +2,7 @@ // This is a simple stub for github.com/go-jose/go-jose/v3/jwt, strictly for use in testing. // See the LICENSE file for information about the licensing of the original library. -// Source: github.com/go-jose/go-jose/v3/jwt (exports: JSONWebToken; functions: ParseEncrypted,ParseSigned) +// Source: github.com/go-jose/go-jose/v3/jwt (exports: JSONWebToken; functions: ParseSigned) // Package jwt is a stub of github.com/go-jose/go-jose/v3/jwt, generated by depstubber. package jwt @@ -19,10 +19,6 @@ func (_ *JSONWebToken) UnsafeClaimsWithoutVerification(_ ...interface{}) error { return nil } -func ParseEncrypted(_ string) (*JSONWebToken, error) { - return nil, nil -} - func ParseSigned(_ string) (*JSONWebToken, error) { return nil, nil } diff --git a/go/ql/test/experimental/CWE-347/vendor/github.com/go-jose/go-jose/v3/stub.go b/go/ql/test/experimental/CWE-347/vendor/github.com/go-jose/go-jose/v3/stub.go deleted file mode 100644 index c0957df6854..00000000000 --- a/go/ql/test/experimental/CWE-347/vendor/github.com/go-jose/go-jose/v3/stub.go +++ /dev/null 
@@ -1,154 +0,0 @@ -// Code generated by depstubber. DO NOT EDIT. -// This is a simple stub for github.com/go-jose/go-jose/v3, strictly for use in testing. - -// See the LICENSE file for information about the licensing of the original library. -// Source: github.com/go-jose/go-jose/v3 (exports: JSONWebKey; functions: NewSigner) - -// Package go_pkg is a stub of github.com/go-jose/go-jose/v3, generated by depstubber. -package go_pkg - -import ( - crypto "crypto" - x509 "crypto/x509" - url "net/url" -) - -type ContentType string - -type Header struct { - KeyID string - JSONWebKey *JSONWebKey - Algorithm string - Nonce string - ExtraHeaders map[HeaderKey]interface{} -} - -func (_ Header) Certificates(_ x509.VerifyOptions) ([][]*x509.Certificate, error) { - return nil, nil -} - -type HeaderKey string - -type JSONWebKey struct { - Key interface{} - KeyID string - Algorithm string - Use string - Certificates []*x509.Certificate - CertificatesURL *url.URL - CertificateThumbprintSHA1 []byte - CertificateThumbprintSHA256 []byte -} - -func (_ JSONWebKey) MarshalJSON() ([]byte, error) { - return nil, nil -} - -func (_ *JSONWebKey) IsPublic() bool { - return false -} - -func (_ *JSONWebKey) Public() JSONWebKey { - return JSONWebKey{} -} - -func (_ *JSONWebKey) Thumbprint(_ crypto.Hash) ([]byte, error) { - return nil, nil -} - -func (_ *JSONWebKey) UnmarshalJSON(_ []byte) error { - return nil -} - -func (_ *JSONWebKey) Valid() bool { - return false -} - -type JSONWebSignature struct { - Signatures []Signature -} - -func (_ JSONWebSignature) CompactSerialize() (string, error) { - return "", nil -} - -func (_ JSONWebSignature) DetachedCompactSerialize() (string, error) { - return "", nil -} - -func (_ JSONWebSignature) DetachedVerify(_ []byte, _ interface{}) error { - return nil -} - -func (_ JSONWebSignature) DetachedVerifyMulti(_ []byte, _ interface{}) (int, Signature, error) { - return 0, Signature{}, nil -} - -func (_ JSONWebSignature) FullSerialize() string { - return "" -} - 
-func (_ JSONWebSignature) UnsafePayloadWithoutVerification() []byte { - return nil -} - -func (_ JSONWebSignature) Verify(_ interface{}) ([]byte, error) { - return nil, nil -} - -func (_ JSONWebSignature) VerifyMulti(_ interface{}) (int, Signature, []byte, error) { - return 0, Signature{}, nil, nil -} - -func NewSigner(_ SigningKey, _ *SignerOptions) (Signer, error) { - return nil, nil -} - -type NonceSource interface { - Nonce() (string, error) -} - -type Signature struct { - Header Header - Protected Header - Unprotected Header - Signature []byte -} - -type SignatureAlgorithm string - -type Signer interface { - Options() SignerOptions - Sign(_ []byte) (*JSONWebSignature, error) -} - -type SignerOptions struct { - NonceSource NonceSource - EmbedJWK bool - ExtraHeaders map[HeaderKey]interface{} -} - -func (_ *SignerOptions) WithBase64(_ bool) *SignerOptions { - return nil -} - -func (_ *SignerOptions) WithContentType(_ ContentType) *SignerOptions { - return nil -} - -func (_ *SignerOptions) WithCritical(_ ...string) *SignerOptions { - return nil -} - -func (_ *SignerOptions) WithHeader(_ HeaderKey, _ interface{}) *SignerOptions { - return nil -} - -func (_ *SignerOptions) WithType(_ ContentType) *SignerOptions { - return nil -} - -type SigningKey struct { - Algorithm SignatureAlgorithm - Key interface{} -} diff --git a/go/ql/test/experimental/CWE-347/vendor/github.com/golang-jwt/jwt/request/stub.go b/go/ql/test/experimental/CWE-347/vendor/github.com/golang-jwt/jwt/request/stub.go deleted file mode 100644 index 61c97bc92a0..00000000000 --- a/go/ql/test/experimental/CWE-347/vendor/github.com/golang-jwt/jwt/request/stub.go +++ /dev/null 
@@ -1,22 +0,0 @@ -// Code generated by depstubber. DO NOT EDIT. -// This is a simple stub for github.com/golang-jwt/jwt/request, strictly for use in testing. - -// See the LICENSE file for information about the licensing of the original library. -// Source: github.com/golang-jwt/jwt/request (exports: ParseFromRequestOption; functions: ParseFromRequest) - -// Package request is a stub of github.com/golang-jwt/jwt/request, generated by depstubber. -package request - -import ( - http "net/http" -) - -type Extractor interface { - ExtractToken(_ *http.Request) (string, error) -} - -func ParseFromRequest(_ *http.Request, _ Extractor, _ interface{}, _ ...ParseFromRequestOption) (interface{}, error) { - return nil, nil -} - -type ParseFromRequestOption func(interface{}) diff --git a/go/ql/test/experimental/CWE-347/vendor/github.com/golang-jwt/jwt/stub.go b/go/ql/test/experimental/CWE-347/vendor/github.com/golang-jwt/jwt/stub.go deleted file mode 100644 index 5c94d670953..00000000000 --- a/go/ql/test/experimental/CWE-347/vendor/github.com/golang-jwt/jwt/stub.go +++ /dev/null 
@@ -1,55 +0,0 @@ -// Code generated by depstubber. DO NOT EDIT. -// This is a simple stub for github.com/golang-jwt/jwt, strictly for use in testing. - -// See the LICENSE file for information about the licensing of the original library. -// Source: github.com/golang-jwt/jwt (exports: Parser; functions: ) - -// Package jwt is a stub of github.com/golang-jwt/jwt, generated by depstubber. -package jwt - -type Claims interface { - Valid() error -} - -type Keyfunc func(*Token) (interface{}, error) - -type Parser struct { - ValidMethods []string - UseJSONNumber bool - SkipClaimsValidation bool -} - -func (_ *Parser) Parse(_ string, _ Keyfunc) (*Token, error) { - return nil, nil -} - -func (_ *Parser) ParseUnverified(_ string, _ Claims) (*Token, []string, error) { - return nil, nil, nil -} - -func (_ *Parser) ParseWithClaims(_ string, _ Claims, _ Keyfunc) (*Token, error) { - return nil, nil -} - -type SigningMethod interface { - Alg() string - Sign(_ string, _ interface{}) (string, error) - Verify(_ string, _ string, _ interface{}) error -} - -type Token struct { - Raw string - Method SigningMethod - Header map[string]interface{} - Claims Claims - Signature string - Valid bool -} - -func (_ *Token) SignedString(_ interface{}) (string, error) { - return "", nil -} - -func (_ *Token) SigningString() (string, error) { - return "", nil -} diff --git a/go/ql/test/experimental/CWE-347/vendor/github.com/golang-jwt/jwt/v4/request/stub.go b/go/ql/test/experimental/CWE-347/vendor/github.com/golang-jwt/jwt/v4/request/stub.go deleted file mode 100644 index ae101703756..00000000000 --- a/go/ql/test/experimental/CWE-347/vendor/github.com/golang-jwt/jwt/v4/request/stub.go +++ /dev/null 
@@ -1,22 +0,0 @@ -// Code generated by depstubber. DO NOT EDIT. -// This is a simple stub for github.com/golang-jwt/jwt/v4/request, strictly for use in testing. - -// See the LICENSE file for information about the licensing of the original library. -// Source: github.com/golang-jwt/jwt/v4/request (exports: ParseFromRequestOption; functions: ParseFromRequest) - -// Package request is a stub of github.com/golang-jwt/jwt/v4/request, generated by depstubber. -package request - -import ( - http "net/http" -) - -type Extractor interface { - ExtractToken(_ *http.Request) (string, error) -} - -func ParseFromRequest(_ *http.Request, _ Extractor, _ interface{}, _ ...ParseFromRequestOption) (interface{}, error) { - return nil, nil -} - -type ParseFromRequestOption func(interface{}) diff --git a/go/ql/test/experimental/CWE-347/vendor/github.com/golang-jwt/jwt/v4/stub.go b/go/ql/test/experimental/CWE-347/vendor/github.com/golang-jwt/jwt/v4/stub.go deleted file mode 100644 index ddec1e07d64..00000000000 --- a/go/ql/test/experimental/CWE-347/vendor/github.com/golang-jwt/jwt/v4/stub.go +++ /dev/null 
@@ -1,97 +0,0 @@ -// Code generated by depstubber. DO NOT EDIT. -// This is a simple stub for github.com/golang-jwt/jwt/v4, strictly for use in testing. - -// See the LICENSE file for information about the licensing of the original library. -// Source: github.com/golang-jwt/jwt/v4 (exports: Parser,Token; functions: Parse,ParseWithClaims,ParseECPrivateKeyFromPEM,ParseECPublicKeyFromPEM,ParseEdPrivateKeyFromPEM,ParseEdPublicKeyFromPEM,ParseRSAPrivateKeyFromPEM,ParseRSAPublicKeyFromPEM,RegisterSigningMethod) - -// Package jwt is a stub of github.com/golang-jwt/jwt/v4, generated by depstubber. -package jwt - -import ( - crypto "crypto" - ecdsa "crypto/ecdsa" - rsa "crypto/rsa" -) - -type Claims interface { - Valid() error -} - -type Keyfunc func(*Token) (interface{}, error) - -func Parse(_ string, _ Keyfunc, _ ...ParserOption) (*Token, error) { - return nil, nil -} - -func ParseECPrivateKeyFromPEM(_ []byte) (*ecdsa.PrivateKey, error) { - return nil, nil -} - -func ParseECPublicKeyFromPEM(_ []byte) (*ecdsa.PublicKey, error) { - return nil, nil -} - -func ParseEdPrivateKeyFromPEM(_ []byte) (crypto.PrivateKey, error) { - return nil, nil -} - -func ParseEdPublicKeyFromPEM(_ []byte) (crypto.PublicKey, error) { - return nil, nil -} - -func ParseRSAPrivateKeyFromPEM(_ []byte) (*rsa.PrivateKey, error) { - return nil, nil -} - -func ParseRSAPublicKeyFromPEM(_ []byte) (*rsa.PublicKey, error) { - return nil, nil -} - -func ParseWithClaims(_ string, _ Claims, _ Keyfunc, _ ...ParserOption) (*Token, error) { - return nil, nil -} - -type Parser struct { - ValidMethods []string - UseJSONNumber bool - SkipClaimsValidation bool -} - -func (_ *Parser) Parse(_ string, _ Keyfunc) (*Token, error) { - return nil, nil -} - -func (_ *Parser) ParseUnverified(_ string, _ Claims) (*Token, []string, error) { - return nil, nil, nil -} - -func (_ *Parser) ParseWithClaims(_ string, _ Claims, _ Keyfunc) (*Token, error) { - return nil, nil -} - -type ParserOption func(*Parser) - -func 
RegisterSigningMethod(_ string, _ func() SigningMethod) {} - -type SigningMethod interface { - Alg() string - Sign(_ string, _ interface{}) (string, error) - Verify(_ string, _ string, _ interface{}) error -} - -type Token struct { - Raw string - Method SigningMethod - Header map[string]interface{} - Claims Claims - Signature string - Valid bool -} - -func (_ *Token) SignedString(_ interface{}) (string, error) { - return "", nil -} - -func (_ *Token) SigningString() (string, error) { - return "", nil -} diff --git a/go/ql/test/experimental/CWE-347/vendor/github.com/golang-jwt/jwt/v5/request/stub.go b/go/ql/test/experimental/CWE-347/vendor/github.com/golang-jwt/jwt/v5/request/stub.go deleted file mode 100644 index 460f0eb2168..00000000000 --- a/go/ql/test/experimental/CWE-347/vendor/github.com/golang-jwt/jwt/v5/request/stub.go +++ /dev/null @@ -1,22 +0,0 @@ -// Code generated by depstubber. DO NOT EDIT. -// This is a simple stub for github.com/golang-jwt/jwt/v5/request, strictly for use in testing. - -// See the LICENSE file for information about the licensing of the original library. -// Source: github.com/golang-jwt/jwt/v5/request (exports: ParseFromRequestOption; functions: ParseFromRequest) - -// Package request is a stub of github.com/golang-jwt/jwt/v5/request, generated by depstubber. -package request - -import ( - http "net/http" -) - -type Extractor interface { - ExtractToken(_ *http.Request) (string, error) -} - -func ParseFromRequest(_ *http.Request, _ Extractor, _ interface{}, _ ...ParseFromRequestOption) (interface{}, error) { - return nil, nil -} - -type ParseFromRequestOption func(interface{}) diff --git a/go/ql/test/experimental/CWE-347/vendor/github.com/golang-jwt/jwt/v5/stub.go b/go/ql/test/experimental/CWE-347/vendor/github.com/golang-jwt/jwt/v5/stub.go index 9d47449a745..6e4c4f327af 100644 --- a/go/ql/test/experimental/CWE-347/vendor/github.com/golang-jwt/jwt/v5/stub.go 
+++ b/go/ql/test/experimental/CWE-347/vendor/github.com/golang-jwt/jwt/v5/stub.go @@ -2,7 +2,7 @@ // This is a simple stub for github.com/golang-jwt/jwt/v5, strictly for use in testing. // See the LICENSE file for information about the licensing of the original library. -// Source: github.com/golang-jwt/jwt/v5 (exports: Parser; functions: ) +// Source: github.com/golang-jwt/jwt/v5 (exports: RegisteredClaims,Parser,Token; functions: ParseWithClaims,NewParser) // Package jwt is a stub of github.com/golang-jwt/jwt/v5, generated by depstubber. package jwt @@ -32,6 +32,10 @@ type Claims interface { type Keyfunc func(*Token) (interface{}, error) +func NewParser(_ ...ParserOption) *Parser { + return nil +} + type NumericDate struct { Time time.Time } @@ -216,6 +220,10 @@ func (_ *NumericDate) UnmarshalText(_ []byte) error { return nil } +func ParseWithClaims(_ string, _ Claims, _ Keyfunc, _ ...ParserOption) (*Token, error) { + return nil, nil +} + type Parser struct{} func (_ *Parser) DecodeSegment(_ string) ([]byte, error) { @@ -234,6 +242,42 @@ func (_ *Parser) ParseWithClaims(_ string, _ Claims, _ Keyfunc) (*Token, error) return nil, nil } +type ParserOption func(*Parser) + +type RegisteredClaims struct { + Issuer string + Subject string + Audience ClaimStrings + ExpiresAt *NumericDate + NotBefore *NumericDate + IssuedAt *NumericDate + ID string +} + +func (_ RegisteredClaims) GetAudience() (ClaimStrings, error) { + return nil, nil +} + +func (_ RegisteredClaims) GetExpirationTime() (*NumericDate, error) { + return nil, nil +} + +func (_ RegisteredClaims) GetIssuedAt() (*NumericDate, error) { + return nil, nil +} + +func (_ RegisteredClaims) GetIssuer() (string, error) { + return "", nil +} + +func (_ RegisteredClaims) GetNotBefore() (*NumericDate, error) { + return nil, nil +} + +func (_ RegisteredClaims) GetSubject() (string, error) { + return "", nil +} + type SigningMethod interface { Alg() string Sign(_ string, _ interface{}) ([]byte, error) 
diff --git a/python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll
index b185098dcb8..afeb9aea85b 100644
--- a/python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll
@@ -38,7 +38,7 @@ deprecated class Configuration extends TaintTracking::Configuration { sink instanceof Sink and ( state instanceof NotNormalized or
- state instanceof NormalizedUnchecked
+ state instanceof NormalizedUnchecked
 ) }