hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-22 03:36:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

Refactor MissingJWTSignatureCheck

Browse Source
This commit is contained in:
Ed Minnix
2023-03-21 17:46:28 -04:00
parent cae5637d8d
commit f8e26f1571
3 changed files with 23 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll
View File

@@ -5,10 +5,12 @@ import semmle.code.java.dataflow.DataFlow
import semmle.code.java.security.JWT import semmle.code.java.security.JWT
/** /**
* DEPRECATED: Use `MissingJwtSignatureCheckFlow` instead.
*
* Models flow from signing keys assignments to qualifiers of JWT insecure parsers. * Models flow from signing keys assignments to qualifiers of JWT insecure parsers.
* This is used to determine whether a `JwtParser` performing unsafe parsing has a signing key set. * This is used to determine whether a `JwtParser` performing unsafe parsing has a signing key set.
*/ */
class MissingJwtSignatureCheckConf extends DataFlow::Configuration { deprecated class MissingJwtSignatureCheckConf extends DataFlow::Configuration {
MissingJwtSignatureCheckConf() { this = "SigningToExprDataFlow" } MissingJwtSignatureCheckConf() { this = "SigningToExprDataFlow" }
override predicate isSource(DataFlow::Node source) { override predicate isSource(DataFlow::Node source) {
@@ -21,3 +23,19 @@ class MissingJwtSignatureCheckConf extends DataFlow::Configuration {
any(JwtParserWithInsecureParseAdditionalFlowStep c).step(node1, node2) any(JwtParserWithInsecureParseAdditionalFlowStep c).step(node1, node2)
} }
} }
/**
* Models flow from signing keys assignments to qualifiers of JWT insecure parsers.
* This is used to determine whether a `JwtParser` performing unsafe parsing has a signing key set.
*/
private module MissingJwtSignatureCheckConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof JwtParserWithInsecureParseSource }
predicate isSink(DataFlow::Node sink) { sink instanceof JwtParserWithInsecureParseSink }
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
any(JwtParserWithInsecureParseAdditionalFlowStep c).step(node1, node2)
}
}
module MissingJwtSignatureCheckFlow = DataFlow::Global<MissingJwtSignatureCheckConfig>;

6
java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
View File

@@ -12,9 +12,9 @@
import java import java
import semmle.code.java.security.MissingJWTSignatureCheckQuery import semmle.code.java.security.MissingJWTSignatureCheckQuery
import DataFlow::PathGraph import MissingJwtSignatureCheckFlow::PathGraph
from DataFlow::PathNode source, DataFlow::PathNode sink, MissingJwtSignatureCheckConf conf from MissingJwtSignatureCheckFlow::PathNode source, MissingJwtSignatureCheckFlow::PathNode sink
where conf.hasFlowPath(source, sink) where MissingJwtSignatureCheckFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "This parses a $@, but the signature is not verified.", select sink.getNode(), source, sink, "This parses a $@, but the signature is not verified.",
source.getNode(), "JWT signing key" source.getNode(), "JWT signing key"

2
java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.ql
View File

@@ -9,7 +9,7 @@ class HasMissingJwtSignatureCheckTest extends InlineExpectationsTest {
override predicate hasActualResult(Location location, string element, string tag, string value) { override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasMissingJwtSignatureCheck" and tag = "hasMissingJwtSignatureCheck" and
exists(DataFlow::Node sink, MissingJwtSignatureCheckConf conf | conf.hasFlowTo(sink) | exists(DataFlow::Node sink | MissingJwtSignatureCheckFlow::flowTo(sink) |
sink.getLocation() = location and sink.getLocation() = location and
element = sink.toString() and element = sink.toString() and
value = "" value = ""