Add com.auth0.jwt.algorithm.Algorithm sinks

The HMAC* constructors of the com.auth0.jwt.algorithm.Algorithm class take a secret as a parameter. Therefore, the arguments should be added to be checked for hardcoded credentials.
2025-12-16 16:53:25 +01:00 · 2023-01-30 14:18:04 -05:00
parent 85bf10ee0f
commit fa6ac063d1
4 changed files with 71 additions and 3 deletions
--- a/java/ql/lib/semmle/code/java/security/SensitiveApi.qll
+++ b/java/ql/lib/semmle/code/java/security/SensitiveApi.qll
@@ -490,5 +490,8 @@ private predicate otherApiCallableCredentialParam(string s) {
      "com.microsoft.sqlserver.jdbc.SQLServerDataSource;setPassword(String);0",
      "com.microsoft.sqlserver.jdbc.SQLServerDataSource;getConnection(String, String);0",
      "com.microsoft.sqlserver.jdbc.SQLServerDataSource;getConnection(String, String);1",
+      "com.auth0.jwt.algorithms.Algorithm;HMAC256(String);0",
+      "com.auth0.jwt.algorithms.Algorithm;HMAC384(String);0",
+      "com.auth0.jwt.algorithms.Algorithm;HMAC512(String);0"
    ]
 }
--- a/java/ql/test/experimental/query-tests/security/CWE-321/HardcodedJwtKey.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-321/HardcodedJwtKey.java
@@ -22,7 +22,7 @@ public class HardcodedJwtKey {
                .withExpiresAt(new Date(new Date().getTime() + ACCESS_EXPIRE_TIME))
                .withIssuer(ISSUER)
                .withClaim("username", username)
-                .sign(algorithm);
+                .sign(algorithm); // $ HardcodedCredentialsApiCall
    }

    // GOOD: Get secret from system configuration then sign a token
@@ -43,7 +43,7 @@ public class HardcodedJwtKey {
                .withIssuer(ISSUER)
                .build();
        try {
-            verifier.verify(token);
+            verifier.verify(token); // $ HardcodedCredentialsApiCall
            return true;
        } catch (JWTVerificationException e) {
            return false;
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedJwtKey.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedJwtKey.java
@@ -0,0 +1,65 @@
+import java.util.Date;
+import java.util.Properties;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.exceptions.JWTVerificationException;
+import com.auth0.jwt.interfaces.JWTVerifier;
+
+public class HardcodedJwtKey {
+    // 15 minutes
+    private static final long ACCESS_EXPIRE_TIME = 1000 * 60 * 15;
+
+    private static final String ISSUER = "example_com";
+
+    private static final String SECRET = "hardcoded_secret";
+
+    // BAD: Get secret from hardcoded string then sign a JWT token
+    public String accessTokenBad(String username) {
+        Algorithm algorithm = Algorithm.HMAC256(SECRET); // $ HardcodedCredentialsApiCall
+
+        return JWT.create()
+                .withExpiresAt(new Date(new Date().getTime() + ACCESS_EXPIRE_TIME))
+                .withIssuer(ISSUER)
+                .withClaim("username", username)
+                .sign(algorithm);
+    }
+
+    // GOOD: Get secret from system configuration then sign a token
+    public String accessTokenGood(String username) {
+        String tokenSecret = System.getenv("SECRET_KEY");
+        Algorithm algorithm = Algorithm.HMAC256(tokenSecret);
+
+        return JWT.create()
+                .withExpiresAt(new Date(new Date().getTime() + ACCESS_EXPIRE_TIME))
+                .withIssuer(ISSUER)
+                .withClaim("username", username)
+                .sign(algorithm);
+    }
+
+    // BAD: Get secret from hardcoded string then verify a JWT token
+    public boolean verifyTokenBad(String token) {
+        JWTVerifier verifier = JWT.require(Algorithm.HMAC256(SECRET)) // $ HardcodedCredentialsApiCall
+                .withIssuer(ISSUER)
+                .build();
+        try {
+            verifier.verify(token);
+            return true;
+        } catch (JWTVerificationException e) {
+            return false;
+        }
+    }
+
+    // GOOD: Get secret from environment variable then verify a JWT token
+    public boolean verifyTokenGood(String token) {
+        JWTVerifier verifier = JWT.require(Algorithm.HMAC256(System.getenv("SECRET_KEY")))
+                .withIssuer(ISSUER)
+                .build();
+        try {
+            verifier.verify(token);
+            return true;
+        } catch (JWTVerificationException e) {
+            return false;
+        }
+    }
+}
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/options
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/options
@@ -1 +1 @@
-// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/amazon-aws-sdk-1.11.700:${testdir}/../../../../../stubs/azure-sdk-for-java:${testdir}/../../../../../stubs/shiro-core-1.4.0:${testdir}/../../../../../stubs/jsch-0.1.55:${testdir}/../../../../../stubs/ganymed-ssh-2-260:${testdir}/../../../../../stubs/apache-mina-sshd-2.8.0:${testdir}/../../../../../stubs/sshj-0.33.0:${testdir}/../../../../../stubs/j2ssh-1.5.5:${testdir}/../../../../../stubs/trilead-ssh2-212:${testdir}/../../../../../stubs/apache-commons-net-3.8.0:${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/mssql-jdbc-12.2.0
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/amazon-aws-sdk-1.11.700:${testdir}/../../../../../stubs/azure-sdk-for-java:${testdir}/../../../../../stubs/shiro-core-1.4.0:${testdir}/../../../../../stubs/jsch-0.1.55:${testdir}/../../../../../stubs/ganymed-ssh-2-260:${testdir}/../../../../../stubs/apache-mina-sshd-2.8.0:${testdir}/../../../../../stubs/sshj-0.33.0:${testdir}/../../../../../stubs/j2ssh-1.5.5:${testdir}/../../../../../stubs/trilead-ssh2-212:${testdir}/../../../../../stubs/apache-commons-net-3.8.0:${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/mssql-jdbc-12.2.0:${testdir}/../../../../../stubs/auth0-jwt-2.3