diff --git a/java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll b/java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll
index 818a4c664fe..38d80b43996 100644
--- a/java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll
@@ -5,10 +5,12 @@ import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.security.JWT
 
 /**
+ * DEPRECATED: Use `MissingJwtSignatureCheckFlow` instead.
+ *
  * Models flow from signing keys assignments to qualifiers of JWT insecure parsers.
  * This is used to determine whether a `JwtParser` performing unsafe parsing has a signing key set.
  */
-class MissingJwtSignatureCheckConf extends DataFlow::Configuration {
+deprecated class MissingJwtSignatureCheckConf extends DataFlow::Configuration {
   MissingJwtSignatureCheckConf() { this = "SigningToExprDataFlow" }
 
   override predicate isSource(DataFlow::Node source) {
@@ -21,3 +23,19 @@ class MissingJwtSignatureCheckConf extends DataFlow::Configuration {
     any(JwtParserWithInsecureParseAdditionalFlowStep c).step(node1, node2)
   }
 }
+
+/**
+ * Models flow from signing keys assignments to qualifiers of JWT insecure parsers.
+ * This is used to determine whether a `JwtParser` performing unsafe parsing has a signing key set.
+ */
+private module MissingJwtSignatureCheckConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof JwtParserWithInsecureParseSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof JwtParserWithInsecureParseSink }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(JwtParserWithInsecureParseAdditionalFlowStep c).step(node1, node2)
+  }
+}
+
+module MissingJwtSignatureCheckFlow = DataFlow::Global;
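Review bot: The added `DEPRECATED:` line names the replacement but not how a caller migrates, and since `MissingJwtSignatureCheckFlow` is a module rather than a class the old call shapes do not carry over. I would extend it to `DEPRECATED: Use `MissingJwtSignatureCheckFlow::flowPath`/`flowTo` instead of `hasFlowPath`/`hasFlowTo` on this class.`, which is exactly the migration the query and test in this same change perform. Nothing else in this diff references the `"SigningToExprDataFlow"` key set in the constructor, so keeping the deprecated class as-is only matters for external callers. The class body, including the `isSource` and `isSink` overrides, continues beyond this hunk.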
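Review bot: As rendered, the last added line `module MissingJwtSignatureCheckFlow = DataFlow::Global;` carries no type argument, and `DataFlow::Global` is a parameterized module that requires one; unless this is a rendering artifact it should read `module MissingJwtSignatureCheckFlow = DataFlow::Global<MissingJwtSignatureCheckConfig>;`. Separately, `MissingJwtSignatureCheckFlow` is now the public entry point while only the private config carries QLDoc, so I would document the module itself, e.g. `/** Flow from a signing-key assignment to the qualifier of a `JwtParser` that still calls an unverified parse method; a result means a key was configured yet the signature is not checked. */` — the second clause is inferred from the query's alert message rather than from these lines, so confirm it against `JwtParserWithInsecureParseSink`. The `ConfigSig` mirrors the deprecated configuration's source, sink and additional-step predicates one for one, so behaviour should be unchanged once the type argument is in place.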
diff --git a/java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql b/java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
index 648321ec3ab..077d7a67370 100644
--- a/java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
+++ b/java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
@@ -12,9 +12,9 @@
 
 import java
 import semmle.code.java.security.MissingJWTSignatureCheckQuery
-import DataFlow::PathGraph
+import MissingJwtSignatureCheckFlow::PathGraph
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, MissingJwtSignatureCheckConf conf
-where conf.hasFlowPath(source, sink)
+from MissingJwtSignatureCheckFlow::PathNode source, MissingJwtSignatureCheckFlow::PathNode sink
+where MissingJwtSignatureCheckFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "This parses a $@, but the signature is not verified.",
   source.getNode(), "JWT signing key"
diff --git a/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.ql b/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.ql
index b4f4c1c445e..df6867bbefe 100644
--- a/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.ql
+++ b/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.ql
@@ -9,7 +9,7 @@ class HasMissingJwtSignatureCheckTest extends InlineExpectationsTest {
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     tag = "hasMissingJwtSignatureCheck" and
-    exists(DataFlow::Node sink, MissingJwtSignatureCheckConf conf | conf.hasFlowTo(sink) |
+    exists(DataFlow::Node sink | MissingJwtSignatureCheckFlow::flowTo(sink) |
       sink.getLocation() = location and
       element = sink.toString() and
       value = ""