hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add indeterminate test to pyjwt

Browse Source
This commit is contained in:
jorgectf
2021-07-21 21:30:54 +02:00
parent f1b3c70909
commit e14b10370e
1 changed files with 9 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
python/ql/test/experimental/query-tests/Security/CWE-437/pyjwt.py
View File

@@ -3,15 +3,15 @@ import jwt
# Encoding
# good - key and algorithm supplied
jwt.encode({"foo": "bar"}, "key", "HS256")
jwt.encode({"foo": "bar"}, key="key", algorithm="HS256")
jwt.encode(token, "key", "HS256")
jwt.encode(token, key="key", algorithm="HS256")
# bad - both key and algorithm set to None
jwt.encode({"foo": "bar"}, None, None)
jwt.encode(token, None, None)
# bad - empty key
jwt.encode({"foo": "bar"}, "", algorithm="HS256")
jwt.encode({"foo": "bar"}, key="", algorithm="HS256")
jwt.encode(token, "", algorithm="HS256")
jwt.encode(token, key="", algorithm="HS256")
# Decoding
@@ -25,3 +25,7 @@ jwt.decode(token, key, options={"verify_signature": False})
# good - verified decoding
jwt.decode(token, verify=True)
jwt.decode(token, key, options={"verify_signature": True})
def indeterminate(verify):
jwt.decode(token, key, verify)