hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 03:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

model the verify function in jsonwebtoken

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2020-11-09 16:20:22 +01:00
parent 6732493377
commit e75259d3a6
4 changed files with 61 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
javascript/ql/src/semmle/javascript/frameworks/JWT.qll
View File

@@ -20,3 +20,20 @@ private module JwtDecode {
}
}
}
/**
* Provides classes and predicates modelling the `jsonwebtoken` libary.
*/
private module JsonWebToken {
/**
* A taint-step for `require("jsonwebtoken").verify(pred, "key", (err succ) => {...})`.
*/
private class VerifyStep extends TaintTracking::AdditionalTaintStep, DataFlow::CallNode {
VerifyStep() { this = DataFlow::moduleMember("jsonwebtoken", "verify").getACall() }
override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
pred = this.getArgument(0) and
succ = this.getABoundCallbackParameter(2, 1)
}
}
}

16
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
View File

@@ -125,6 +125,14 @@ nodes
| jquery.js:16:38:16:52 | window.location |
| jquery.js:16:38:16:52 | window.location |
| jquery.js:16:38:16:63 | window. ... tring() |
| jwt-server.js:7:9:7:35 | taint |
| jwt-server.js:7:17:7:35 | req.param("wobble") |
| jwt-server.js:7:17:7:35 | req.param("wobble") |
| jwt-server.js:9:16:9:20 | taint |
| jwt-server.js:9:55:9:61 | decoded |
| jwt-server.js:11:19:11:25 | decoded |
| jwt-server.js:11:19:11:29 | decoded.foo |
| jwt-server.js:11:19:11:29 | decoded.foo |
| nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
| nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
| nodemailer.js:13:50:13:66 | req.query.message |
@@ -716,6 +724,13 @@ edges
| jquery.js:16:38:16:52 | window.location | jquery.js:16:38:16:63 | window. ... tring() |
| jquery.js:16:38:16:63 | window. ... tring() | jquery.js:16:19:16:64 | decodeU ... ring()) |
| jquery.js:16:38:16:63 | window. ... tring() | jquery.js:16:19:16:64 | decodeU ... ring()) |
| jwt-server.js:7:9:7:35 | taint | jwt-server.js:9:16:9:20 | taint |
| jwt-server.js:7:17:7:35 | req.param("wobble") | jwt-server.js:7:9:7:35 | taint |
| jwt-server.js:7:17:7:35 | req.param("wobble") | jwt-server.js:7:9:7:35 | taint |
| jwt-server.js:9:16:9:20 | taint | jwt-server.js:9:55:9:61 | decoded |
| jwt-server.js:9:55:9:61 | decoded | jwt-server.js:11:19:11:25 | decoded |
| jwt-server.js:11:19:11:25 | decoded | jwt-server.js:11:19:11:29 | decoded.foo |
| jwt-server.js:11:19:11:25 | decoded | jwt-server.js:11:19:11:29 | decoded.foo |
| nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
| nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
| nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
@@ -1186,6 +1201,7 @@ edges
| jquery.js:14:19:14:58 | decodeU ... n.hash) | jquery.js:14:38:14:52 | window.location | jquery.js:14:19:14:58 | decodeU ... n.hash) | Cross-site scripting vulnerability due to $@. | jquery.js:14:38:14:52 | window.location | user-provided value |
| jquery.js:15:19:15:60 | decodeU ... search) | jquery.js:15:38:15:52 | window.location | jquery.js:15:19:15:60 | decodeU ... search) | Cross-site scripting vulnerability due to $@. | jquery.js:15:38:15:52 | window.location | user-provided value |
| jquery.js:16:19:16:64 | decodeU ... ring()) | jquery.js:16:38:16:52 | window.location | jquery.js:16:19:16:64 | decodeU ... ring()) | Cross-site scripting vulnerability due to $@. | jquery.js:16:38:16:52 | window.location | user-provided value |
| jwt-server.js:11:19:11:29 | decoded.foo | jwt-server.js:7:17:7:35 | req.param("wobble") | jwt-server.js:11:19:11:29 | decoded.foo | Cross-site scripting vulnerability due to $@. | jwt-server.js:7:17:7:35 | req.param("wobble") | user-provided value |
| nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | HTML injection vulnerability due to $@. | nodemailer.js:13:50:13:66 | req.query.message | user-provided value |
| optionalSanitizer.js:6:18:6:23 | target | optionalSanitizer.js:2:16:2:32 | document.location | optionalSanitizer.js:6:18:6:23 | target | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:2:16:2:32 | document.location | user-provided value |
| optionalSanitizer.js:9:18:9:24 | tainted | optionalSanitizer.js:2:16:2:32 | document.location | optionalSanitizer.js:9:18:9:24 | tainted | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:2:16:2:32 | document.location | user-provided value |

15
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
View File

@@ -125,6 +125,14 @@ nodes
| jquery.js:16:38:16:52 | window.location |
| jquery.js:16:38:16:52 | window.location |
| jquery.js:16:38:16:63 | window. ... tring() |
| jwt-server.js:7:9:7:35 | taint |
| jwt-server.js:7:17:7:35 | req.param("wobble") |
| jwt-server.js:7:17:7:35 | req.param("wobble") |
| jwt-server.js:9:16:9:20 | taint |
| jwt-server.js:9:55:9:61 | decoded |
| jwt-server.js:11:19:11:25 | decoded |
| jwt-server.js:11:19:11:29 | decoded.foo |
| jwt-server.js:11:19:11:29 | decoded.foo |
| jwt.js:4:36:4:39 | data |
| jwt.js:4:36:4:39 | data |
| jwt.js:5:9:5:34 | decoded |
@@ -727,6 +735,13 @@ edges
| jquery.js:16:38:16:52 | window.location | jquery.js:16:38:16:63 | window. ... tring() |
| jquery.js:16:38:16:63 | window. ... tring() | jquery.js:16:19:16:64 | decodeU ... ring()) |
| jquery.js:16:38:16:63 | window. ... tring() | jquery.js:16:19:16:64 | decodeU ... ring()) |
| jwt-server.js:7:9:7:35 | taint | jwt-server.js:9:16:9:20 | taint |
| jwt-server.js:7:17:7:35 | req.param("wobble") | jwt-server.js:7:9:7:35 | taint |
| jwt-server.js:7:17:7:35 | req.param("wobble") | jwt-server.js:7:9:7:35 | taint |
| jwt-server.js:9:16:9:20 | taint | jwt-server.js:9:55:9:61 | decoded |
| jwt-server.js:9:55:9:61 | decoded | jwt-server.js:11:19:11:25 | decoded |
| jwt-server.js:11:19:11:25 | decoded | jwt-server.js:11:19:11:29 | decoded.foo |
| jwt-server.js:11:19:11:25 | decoded | jwt-server.js:11:19:11:29 | decoded.foo |
| jwt.js:4:36:4:39 | data | jwt.js:5:30:5:33 | data |
| jwt.js:4:36:4:39 | data | jwt.js:5:30:5:33 | data |
| jwt.js:5:9:5:34 | decoded | jwt.js:6:14:6:20 | decoded |

13
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt-server.js Normal file
View File

@@ -0,0 +1,13 @@
var express = require('express');
var app = express();
import jwt from "jsonwebtoken";
import { JSDOM } from "jsdom";
app.get('/some/path', function (req, res) {
var taint = req.param("wobble");
jwt.verify(taint, 'my-secret-key', function (err, decoded) {
// NOT OK
new JSDOM(decoded.foo, { runScripts: "dangerously" });
});
});