Add com.auth0.jwt.algorithm.Algorithm sinks

The HMAC* constructors of the com.auth0.jwt.algorithm.Algorithm class
take a secret as a parameter. Therefore, those arguments should be added
as sinks so that they are checked for hardcoded credentials.
This commit is contained in:
Ed Minnix
2023-01-30 14:18:04 -05:00
committed by Tony Torralba
parent 85bf10ee0f
commit fa6ac063d1
4 changed files with 71 additions and 3 deletions


@@ -22,7 +22,7 @@ public class HardcodedJwtKey {
.withExpiresAt(new Date(new Date().getTime() + ACCESS_EXPIRE_TIME))
.withIssuer(ISSUER)
.withClaim("username", username)
.sign(algorithm);
.sign(algorithm); // $ HardcodedCredentialsApiCall
}
// GOOD: Get secret from system configuration then sign a token
@@ -43,7 +43,7 @@ public class HardcodedJwtKey {
.withIssuer(ISSUER)
.build();
try {
verifier.verify(token);
verifier.verify(token); // $ HardcodedCredentialsApiCall
return true;
} catch (JWTVerificationException e) {
return false;