move to CWE-347, update comments of tests

javascript/ql/src/Security/CWE-347-noVerification/JsonWebToken.ql

@@ -3,11 +3,11 @@
  * @description The application does not verify the JWT payload with a cryptographic secret or public key.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 9.0
+ * @security-severity 8.0
  * @precision high
- * @id js/jwt-missing-verification
+ * @id js/jwt-missing-verification-jsonwebtoken
  * @tags security
- *       external/cwe/cwe-321
+ *       external/cwe/cwe-347
  */
 
 import javascript

javascript/ql/src/Security/CWE-347-noVerification/jose.ql

@@ -2,10 +2,10 @@
  * @name JWT missing secret or public key verification
  * @description The application does not verify the JWT payload with a cryptographic secret or public key.
  * @kind problem
- * @problem.severity warning
- * @security-severity 7.0
+ * @problem.severity error
+ * @security-severity 8.0
  * @precision high
- * @id js/jwt-missing-verification
+ * @id js/jwt-missing-verification-jose
  * @tags security
  *       external/cwe/cwe-347
  */

javascript/ql/src/Security/CWE-347-noVerification/jwtDecode.ql

@@ -2,10 +2,10 @@
  * @name JWT missing secret or public key verification
  * @description The application does not verify the JWT payload with a cryptographic secret or public key.
  * @kind problem
- * @problem.severity warning
- * @security-severity 7.0
+ * @problem.severity error
+ * @security-severity 8.0
  * @precision high
- * @id js/jwt-missing-verification
+ * @id js/jwt-missing-verification-jwt-decode
  * @tags security
  *       external/cwe/cwe-347
  */

javascript/ql/src/Security/CWE-347-noVerification/jwtSimple.ql

@@ -2,8 +2,8 @@
  * @name JWT missing secret or public key verification
  * @description The application does not verify the JWT payload with a cryptographic secret or public key.
  * @kind problem
- * @problem.severity warning
- * @security-severity 7.0
+ * @problem.severity error
+ * @security-severity 8.0
  * @precision high
  * @id js/jwt-missing-verification
  * @tags security

javascript/ql/test/query-tests/Security/CWE-347-noVerification/NoVerification.js

@@ -0,0 +1,84 @@
+const express = require('express')
+const app = express()
+const jwtJsonwebtoken = require('jsonwebtoken');
+const { getSecret } = require('./Config.js');
+const jwt_decode = require('jwt-decode');
+const jwt_simple = require('jwt-simple');
+const jose = require('jose')
+const port = 3000
+
+async function startSymmetric(token) {
+    const { payload, protectedHeader } = await jose.jwtVerify(token, new TextEncoder().encode(getSecret()))
+    return {
+        payload, protectedHeader
+    }
+}
+
+app.get('/jose', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    // jose
+    jose.decodeJwt(UserToken)    // NOT OK: no signature verification
+
+    startSymmetric(UserToken).then(result => console.log(result)) // OK: with signature verification
+
+
+})
+
+
+app.get('/jwtDecode', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    // jwt-decode
+    jwt_decode(UserToken) // NOT OK: no signature verification
+})
+
+app.get('/jwtSimple', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    // jwt-simple
+    // jwt.decode(token, key, noVerify, algorithm)
+    jwt_simple.decode(UserToken, getSecret(), true); // NOT OK: no signature verification
+})
+
+app.get('/jwtSimple2', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    // jwt-simple
+    // jwt.decode(token, key, noVerify, algorithm)
+    jwt_simple.decode(UserToken, getSecret(), false); // OK: with signature verification
+    jwt_simple.decode(UserToken, getSecret()); // OK: with signature verification
+})
+
+app.get('/jwtSimple3', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    // jwt-simple
+    // jwt.decode(token, key, noVerify, algorithm)
+    jwt_simple.decode(UserToken, getSecret(), true); // OK: verify the signature of same token in next line
+    jwt_simple.decode(UserToken, getSecret()); // OK
+})
+
+app.get('/jwtJsonwebtoken', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    jwtJsonwebtoken.decode(UserToken) // NOT OK: no signature verification 
+    jwtJsonwebtoken.verify(UserToken, false, { algorithms: ["HS256", "none"] }) // NOT OK: no signature verification
+})
+
+app.get('/jwtJsonwebtoken2', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    jwtJsonwebtoken.verify(UserToken, getSecret()) // OK: with signature verification
+})
+
+app.get('/jwtJsonwebtoken3', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    jwtJsonwebtoken.decode(UserToken) // OK: verify the signature of same token in next line
+    jwtJsonwebtoken.verify(UserToken, getSecret()) // OK
+})
+
+app.listen(port, () => {
+    console.log(`Example app listening on port ${port}`)
+})

javascript/ql/test/query-tests/Security/CWE-347-noVerification/jwtNoVerification.expected

@@ -0,0 +1,38 @@
+nodes
+| NoVerification.js:63:11:63:47 | UserToken |
+| NoVerification.js:63:23:63:47 | req.hea ... ization |
+| NoVerification.js:63:23:63:47 | req.hea ... ization |
+| NoVerification.js:65:28:65:36 | UserToken |
+| NoVerification.js:65:28:65:36 | UserToken |
+| NoVerification.js:66:28:66:36 | UserToken |
+| NoVerification.js:66:28:66:36 | UserToken |
+| NoVerification.js:70:11:70:47 | UserToken |
+| NoVerification.js:70:23:70:47 | req.hea ... ization |
+| NoVerification.js:70:23:70:47 | req.hea ... ization |
+| NoVerification.js:72:28:72:36 | UserToken |
+| NoVerification.js:72:28:72:36 | UserToken |
+| NoVerification.js:76:11:76:47 | UserToken |
+| NoVerification.js:76:23:76:47 | req.hea ... ization |
+| NoVerification.js:76:23:76:47 | req.hea ... ization |
+| NoVerification.js:78:28:78:36 | UserToken |
+| NoVerification.js:78:28:78:36 | UserToken |
+| NoVerification.js:79:28:79:36 | UserToken |
+| NoVerification.js:79:28:79:36 | UserToken |
+edges
+| NoVerification.js:63:11:63:47 | UserToken | NoVerification.js:65:28:65:36 | UserToken |
+| NoVerification.js:63:11:63:47 | UserToken | NoVerification.js:65:28:65:36 | UserToken |
+| NoVerification.js:63:11:63:47 | UserToken | NoVerification.js:66:28:66:36 | UserToken |
+| NoVerification.js:63:11:63:47 | UserToken | NoVerification.js:66:28:66:36 | UserToken |
+| NoVerification.js:63:23:63:47 | req.hea ... ization | NoVerification.js:63:11:63:47 | UserToken |
+| NoVerification.js:63:23:63:47 | req.hea ... ization | NoVerification.js:63:11:63:47 | UserToken |
+| NoVerification.js:70:11:70:47 | UserToken | NoVerification.js:72:28:72:36 | UserToken |
+| NoVerification.js:70:11:70:47 | UserToken | NoVerification.js:72:28:72:36 | UserToken |
+| NoVerification.js:70:23:70:47 | req.hea ... ization | NoVerification.js:70:11:70:47 | UserToken |
+| NoVerification.js:70:23:70:47 | req.hea ... ization | NoVerification.js:70:11:70:47 | UserToken |
+| NoVerification.js:76:11:76:47 | UserToken | NoVerification.js:78:28:78:36 | UserToken |
+| NoVerification.js:76:11:76:47 | UserToken | NoVerification.js:78:28:78:36 | UserToken |
+| NoVerification.js:76:11:76:47 | UserToken | NoVerification.js:79:28:79:36 | UserToken |
+| NoVerification.js:76:11:76:47 | UserToken | NoVerification.js:79:28:79:36 | UserToken |
+| NoVerification.js:76:23:76:47 | req.hea ... ization | NoVerification.js:76:11:76:47 | UserToken |
+| NoVerification.js:76:23:76:47 | req.hea ... ization | NoVerification.js:76:11:76:47 | UserToken |
+#select

javascript/ql/test/query-tests/Security/CWE-347-noVerification/jwtNoVerification.qlref

@@ -0,0 +1 @@
+Security/CWE-347-noVerification/JsonWebToken.ql