hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Update MissingJWTSignatureCheck.qhelp

Browse Source 
Using same syntax as on other queries for 'BAD' and 'GOOD'.
This commit is contained in:
mc
2021-07-29 09:13:00 +01:00
committed by GitHub
parent 76905c47b4
commit ebf004a4df
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.qhelp
View File

@@ -25,9 +25,9 @@ by overriding the <code>onPlaintextJws</code> or <code>onClaimsJws</code> of <co
<example>
<p>The following example shows four cases where a signing key is set for a parser.
In the first bad case the <code>parse</code> method is used which will not validate the signature.
The second bad case uses a <code>JwtHandlerAdapter</code> where the <code>onPlaintextJwt</code> method is overriden so it will not validate the signature.
The third and fourth good cases use <code>parseClaimsJws</code> method or override the <code>onPlaintextJws</code> method.
In the first 'BAD' case the <code>parse</code> method is used, which will not validate the signature.
The second 'BAD' case uses a <code>JwtHandlerAdapter</code> where the <code>onPlaintextJwt</code> method is overriden, so it will not validate the signature.
The third and fourth 'GOOD' cases use <code>parseClaimsJws</code> method or override the <code>onPlaintextJws</code> method.
</p>
<sample src="MissingJWTSignatureCheck.java" />