hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-06 06:05:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add com.auth0.jwt.algorithm.Algorithm sinks

Browse Source 
The HMAC* constructors of the com.auth0.jwt.algorithm.Algorithm class
take a secret as a parameter. Therefore, the arguments should be added
to be checked for hardcoded credentials.
This commit is contained in:
Ed Minnix
2023-01-30 14:18:04 -05:00
committed by Tony Torralba
parent 85bf10ee0f
commit fa6ac063d1
4 changed files with 71 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
java/ql/lib/semmle/code/java/security/SensitiveApi.qll
View File

@@ -490,5 +490,8 @@ private predicate otherApiCallableCredentialParam(string s) {
"com.microsoft.sqlserver.jdbc.SQLServerDataSource;setPassword(String);0",
"com.microsoft.sqlserver.jdbc.SQLServerDataSource;getConnection(String, String);0",
"com.microsoft.sqlserver.jdbc.SQLServerDataSource;getConnection(String, String);1",
"com.auth0.jwt.algorithms.Algorithm;HMAC256(String);0",
"com.auth0.jwt.algorithms.Algorithm;HMAC384(String);0",
"com.auth0.jwt.algorithms.Algorithm;HMAC512(String);0"
]
}