merge all JWT pkgs into one

2026-04-26 17:25:19 +02:00 · 2024-05-25 13:47:43 +02:00
parent 4af4040bd6
commit d2d945c66d
7 changed files with 28 additions and 132 deletions
--- a/javascript/ql/src/experimental/Security/CWE-347-noVerification/jsonWebToken.qll
+++ b/javascript/ql/src/experimental/Security/CWE-347-noVerification/jsonWebToken.qll
@@ -12,6 +12,18 @@ DataFlow::Node unverifiedDecode() {
        .mayHaveStringValue("none") and
    result = verify.getParameter(0).asSink()
  )
+  or
+  // jwt-simple
+  exists(API::Node n | n = API::moduleImport("jwt-simple").getMember("decode") |
+    n.getParameter(2).asSink().asExpr() = any(BoolLiteral b | b.getBoolValue() = true) and
+    result = n.getParameter(0).asSink()
+  )
+  or
+  // jwt-decode
+  result = API::moduleImport("jwt-decode").getParameter(0).asSink()
+  or
+  //jose
+  result = API::moduleImport("jose").getMember("decodeJwt").getParameter(0).asSink()
 }

 DataFlow::Node verifiedDecode() {
@@ -27,4 +39,16 @@ DataFlow::Node verifiedDecode() {
    ) and
    result = verify.getParameter(0).asSink()
  )
-}
+  or
+  // jwt-simple
+  exists(API::Node n | n = API::moduleImport("jwt-simple").getMember("decode") |
+    (
+      n.getParameter(2).asSink().asExpr() = any(BoolLiteral b | b.getBoolValue() = false) or
+      not exists(n.getParameter(2))
+    ) and
+    result = n.getParameter(0).asSink()
+    or
+    //jose
+    result = API::moduleImport("jose").getMember("jwtVerify").getParameter(0).asSink()
+  )
+}
--- a/javascript/ql/src/experimental/Security/CWE-347-noVerification/JsonWebToken.ql
+++ b/javascript/ql/src/experimental/Security/CWE-347-noVerification/JsonWebToken.ql
@@ -12,7 +12,7 @@

 import javascript
 import DataFlow::PathGraph
-import jsonWebToken
+import JWT

 class Configuration extends TaintTracking::Configuration {
  Configuration() { this = "jsonwebtoken without any signature verification" }
--- a/javascript/ql/src/experimental/Security/CWE-347-noVerification/JsonWebTokenLocalSource.ql
+++ b/javascript/ql/src/experimental/Security/CWE-347-noVerification/JsonWebTokenLocalSource.ql
@@ -12,7 +12,7 @@

 import javascript
 import DataFlow::PathGraph
-import jsonWebToken
+import JWT

 class Configuration extends TaintTracking::Configuration {
  Configuration() { this = "jsonwebtoken without any signature verification" }
--- a/javascript/ql/src/experimental/Security/CWE-347-noVerification/JsonWebTokenNotWorking.ql
+++ b/javascript/ql/src/experimental/Security/CWE-347-noVerification/JsonWebTokenNotWorking.ql
@@ -12,7 +12,7 @@

 import javascript
 import DataFlow::PathGraph
-import jsonWebToken
+import JWT

 class ConfigurationUnverifiedDecode extends TaintTracking::Configuration {
  ConfigurationUnverifiedDecode() { this = "jsonwebtoken without any signature verification" }
--- a/javascript/ql/src/experimental/Security/CWE-347-noVerification/jose.ql
+++ b/javascript/ql/src/experimental/Security/CWE-347-noVerification/jose.ql
@@ -1,44 +0,0 @@
-/**
- * @name JWT missing secret or public key verification
- * @description The application does not verify the JWT payload with a cryptographic secret or public key.
- * @kind path-problem
- * @problem.severity error
- * @security-severity 8.0
- * @precision high
- * @id js/jwt-missing-verification-jose
- * @tags security
- *       external/cwe/cwe-347
- */
-
-import javascript
-import DataFlow::PathGraph
-
-DataFlow::Node unverifiedDecode() {
-  result = API::moduleImport("jose").getMember("decodeJwt").getParameter(0).asSink()
-}
-
-DataFlow::Node verifiedDecode() {
-  result = API::moduleImport("jose").getMember("jwtVerify").getParameter(0).asSink()
-}
-
-class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "jsonwebtoken without any signature verification" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) {
-    sink = unverifiedDecode()
-    or
-    sink = verifiedDecode()
-  }
-}
-
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where
-  cfg.hasFlowPath(source, sink) and
-  sink.getNode() = unverifiedDecode() and
-  not exists(Configuration cfg2 |
-    cfg2.hasFlowPath(source, any(DataFlow::SinkPathNode n | n.getNode() = verifiedDecode()))
-  )
-select source.getNode(), source, sink, "Decoding JWT $@.", sink.getNode(),
-  "without signature verification"
--- a/javascript/ql/src/experimental/Security/CWE-347-noVerification/jwtDecode.ql
+++ b/javascript/ql/src/experimental/Security/CWE-347-noVerification/jwtDecode.ql
@@ -1,31 +0,0 @@
-/**
- * @name JWT missing secret or public key verification
- * @description The application does not verify the JWT payload with a cryptographic secret or public key.
- * @kind path-problem
- * @problem.severity error
- * @security-severity 8.0
- * @precision high
- * @id js/jwt-missing-verification-jwt-decode
- * @tags security
- *       external/cwe/cwe-347
- */
-
-import javascript
-import DataFlow::PathGraph
-
-DataFlow::Node unverifiedDecode() {
-  result = API::moduleImport("jwt-decode").getParameter(0).asSink()
-}
-
-class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "jsonwebtoken without any signature verification" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink = unverifiedDecode() }
-}
-
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
-select source.getNode(), source, sink, "Decoding JWT $@.", sink.getNode(),
-  "without signature verification"
--- a/javascript/ql/src/experimental/Security/CWE-347-noVerification/jwtSimple.ql
+++ b/javascript/ql/src/experimental/Security/CWE-347-noVerification/jwtSimple.ql
@@ -1,53 +0,0 @@
-/**
- * @name JWT missing secret or public key verification
- * @description The application does not verify the JWT payload with a cryptographic secret or public key.
- * @kind path-problem
- * @problem.severity error
- * @security-severity 8.0
- * @precision high
- * @id js/jwt-missing-verification-jwt-simple
- * @tags security
- *       external/cwe/cwe-347
- */
-
-import javascript
-import DataFlow::PathGraph
-
-DataFlow::Node unverifiedDecode() {
-  exists(API::Node n | n = API::moduleImport("jwt-simple").getMember("decode") |
-    n.getParameter(2).asSink().asExpr() = any(BoolLiteral b | b.getBoolValue() = true) and
-    result = n.getParameter(0).asSink()
-  )
-}
-
-DataFlow::Node verifiedDecode() {
-  exists(API::Node n | n = API::moduleImport("jwt-simple").getMember("decode") |
-    (
-      n.getParameter(2).asSink().asExpr() = any(BoolLiteral b | b.getBoolValue() = false) or
-      not exists(n.getParameter(2))
-    ) and
-    result = n.getParameter(0).asSink()
-  )
-}
-
-class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "jsonwebtoken without any signature verification" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) {
-    sink = unverifiedDecode()
-    or
-    sink = verifiedDecode()
-  }
-}
-
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where
-  cfg.hasFlowPath(source, sink) and
-  sink.getNode() = unverifiedDecode() and
-  not exists(Configuration cfg2 |
-    cfg2.hasFlowPath(source, any(DataFlow::SinkPathNode n | n.getNode() = verifiedDecode()))
-  )
-select source.getNode(), source, sink, "Decoding JWT $@.", sink.getNode(),
-  "without signature verification"