Refactor MissingJWTSignatureCheck

2025-12-22 03:36:30 +01:00 · 2023-03-21 17:46:28 -04:00
parent cae5637d8d
commit f8e26f1571
3 changed files with 23 additions and 5 deletions
--- a/java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll
@@ -5,10 +5,12 @@ import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.security.JWT

 /**
+ * DEPRECATED: Use `MissingJwtSignatureCheckFlow` instead.
+ *
 * Models flow from signing keys assignments to qualifiers of JWT insecure parsers.
 * This is used to determine whether a `JwtParser` performing unsafe parsing has a signing key set.
 */
-class MissingJwtSignatureCheckConf extends DataFlow::Configuration {
+deprecated class MissingJwtSignatureCheckConf extends DataFlow::Configuration {
  MissingJwtSignatureCheckConf() { this = "SigningToExprDataFlow" }

  override predicate isSource(DataFlow::Node source) {
@@ -21,3 +23,19 @@ class MissingJwtSignatureCheckConf extends DataFlow::Configuration {
    any(JwtParserWithInsecureParseAdditionalFlowStep c).step(node1, node2)
  }
 }
+
+/**
+ * Models flow from signing keys assignments to qualifiers of JWT insecure parsers.
+ * This is used to determine whether a `JwtParser` performing unsafe parsing has a signing key set.
+ */
+private module MissingJwtSignatureCheckConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof JwtParserWithInsecureParseSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof JwtParserWithInsecureParseSink }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(JwtParserWithInsecureParseAdditionalFlowStep c).step(node1, node2)
+  }
+}
+
+module MissingJwtSignatureCheckFlow = DataFlow::Global<MissingJwtSignatureCheckConfig>;
--- a/java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
+++ b/java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
@@ -12,9 +12,9 @@

 import java
 import semmle.code.java.security.MissingJWTSignatureCheckQuery
-import DataFlow::PathGraph
+import MissingJwtSignatureCheckFlow::PathGraph

-from DataFlow::PathNode source, DataFlow::PathNode sink, MissingJwtSignatureCheckConf conf
-where conf.hasFlowPath(source, sink)
+from MissingJwtSignatureCheckFlow::PathNode source, MissingJwtSignatureCheckFlow::PathNode sink
+where MissingJwtSignatureCheckFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "This parses a $@, but the signature is not verified.",
  source.getNode(), "JWT signing key"
--- a/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.ql
+++ b/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.ql
@@ -9,7 +9,7 @@ class HasMissingJwtSignatureCheckTest extends InlineExpectationsTest {

  override predicate hasActualResult(Location location, string element, string tag, string value) {
    tag = "hasMissingJwtSignatureCheck" and
-    exists(DataFlow::Node sink, MissingJwtSignatureCheckConf conf | conf.hasFlowTo(sink) |
+    exists(DataFlow::Node sink | MissingJwtSignatureCheckFlow::flowTo(sink) |
      sink.getLocation() = location and
      element = sink.toString() and
      value = ""