
Commit 5cc4206

committed
add a temporary Query file to demonstrate unsuccessful usage of two DataFlow configs
1 parent 0652afc commit 5cc4206


3 files changed

+127
-0
lines changed

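--- /dev/null
+++ b/<ql file path not shown on page>
@@ -0,0 +1,66 @@
+/**
+* @name This query is for seeing if we can have two taint config within on query file
+* @description The application does not verify the JWT payload with a cryptographic secret or public key.
+* @kind path-problem
+* @problem.severity error
+* @security-severity 8.0
+* @precision high
+* @id js/jwt-missing-verification-jsonwebtoken
+* @tags security
+* external/cwe/cwe-347
+*/
+
+import javascript
+import DataFlow::PathGraph
+
+DataFlow::Node unverifiedDecode() {
+result = API::moduleImport("jsonwebtoken").getMember("decode").getParameter(0).asSink()
+or
+exists(API::Node verify | verify = API::moduleImport("jsonwebtoken").getMember("verify") |
+verify
+.getParameter(2)
+.getMember("algorithms")
+.getUnknownMember()
+.asSink()
+.mayHaveStringValue("none") and
+result = verify.getParameter(0).asSink()
+)
+}
+
+DataFlow::Node verifiedDecode() {
+exists(API::Node verify | verify = API::moduleImport("jsonwebtoken").getMember("verify") |
+(
+not verify
+.getParameter(2)
+.getMember("algorithms")
+.getUnknownMember()
+.asSink()
+.mayHaveStringValue("none") or
+not exists(verify.getParameter(2).getMember("algorithms"))
+) and
+result = verify.getParameter(0).asSink()
+)
+}
+
+class ConfigurationUnverifiedDecode extends TaintTracking::Configuration {
+ConfigurationUnverifiedDecode() { this = "jsonwebtoken without any signature verification" }
+
+override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+override predicate isSink(DataFlow::Node sink) { sink = unverifiedDecode() }
+}
+
+class ConfigurationVerifiedDecode extends TaintTracking::Configuration {
+ConfigurationVerifiedDecode() { this = "jsonwebtoken with signature verification" }
+
+override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+override predicate isSink(DataFlow::Node sink) { sink = verifiedDecode() }
+}
+
+from ConfigurationUnverifiedDecode cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where
+cfg.hasFlowPath(source, sink) and
+not exists(ConfigurationVerifiedDecode cfg2 | cfg2.hasFlowPath(source, _))
+select source.getNode(), source, sink, "Decoding JWT $@.", sink.getNode(),
+"without signature verification"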
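--- /dev/null
+++ b/<expected file path not shown on page>
@@ -0,0 +1,60 @@
+nodes
+| JsonWebToken.js:13:11:13:47 | UserToken |
+| JsonWebToken.js:13:23:13:47 | req.hea ... ization |
+| JsonWebToken.js:13:23:13:47 | req.hea ... ization |
+| JsonWebToken.js:16:28:16:36 | UserToken |
+| JsonWebToken.js:16:28:16:36 | UserToken |
+| JsonWebToken.js:20:11:20:47 | UserToken |
+| JsonWebToken.js:20:23:20:47 | req.hea ... ization |
+| JsonWebToken.js:20:23:20:47 | req.hea ... ization |
+| JsonWebToken.js:23:28:23:36 | UserToken |
+| JsonWebToken.js:23:28:23:36 | UserToken |
+| JsonWebToken.js:24:28:24:36 | UserToken |
+| JsonWebToken.js:24:28:24:36 | UserToken |
+| JsonWebToken.js:28:11:28:47 | UserToken |
+| JsonWebToken.js:28:23:28:47 | req.hea ... ization |
+| JsonWebToken.js:28:23:28:47 | req.hea ... ization |
+| JsonWebToken.js:31:28:31:36 | UserToken |
+| JsonWebToken.js:31:28:31:36 | UserToken |
+| JsonWebToken.js:35:11:35:47 | UserToken |
+| JsonWebToken.js:35:23:35:47 | req.hea ... ization |
+| JsonWebToken.js:35:23:35:47 | req.hea ... ization |
+| JsonWebToken.js:38:28:38:36 | UserToken |
+| JsonWebToken.js:38:28:38:36 | UserToken |
+| JsonWebToken.js:39:28:39:36 | UserToken |
+| JsonWebToken.js:39:28:39:36 | UserToken |
+| JsonWebToken.js:43:11:43:47 | UserToken |
+| JsonWebToken.js:43:23:43:47 | req.hea ... ization |
+| JsonWebToken.js:43:23:43:47 | req.hea ... ization |
+| JsonWebToken.js:46:28:46:36 | UserToken |
+| JsonWebToken.js:46:28:46:36 | UserToken |
+| JsonWebToken.js:47:28:47:36 | UserToken |
+| JsonWebToken.js:47:28:47:36 | UserToken |
+edges
+| JsonWebToken.js:13:11:13:47 | UserToken | JsonWebToken.js:16:28:16:36 | UserToken |
+| JsonWebToken.js:13:11:13:47 | UserToken | JsonWebToken.js:16:28:16:36 | UserToken |
+| JsonWebToken.js:13:23:13:47 | req.hea ... ization | JsonWebToken.js:13:11:13:47 | UserToken |
+| JsonWebToken.js:13:23:13:47 | req.hea ... ization | JsonWebToken.js:13:11:13:47 | UserToken |
+| JsonWebToken.js:20:11:20:47 | UserToken | JsonWebToken.js:23:28:23:36 | UserToken |
+| JsonWebToken.js:20:11:20:47 | UserToken | JsonWebToken.js:23:28:23:36 | UserToken |
+| JsonWebToken.js:20:11:20:47 | UserToken | JsonWebToken.js:24:28:24:36 | UserToken |
+| JsonWebToken.js:20:11:20:47 | UserToken | JsonWebToken.js:24:28:24:36 | UserToken |
+| JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:20:11:20:47 | UserToken |
+| JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:20:11:20:47 | UserToken |
+| JsonWebToken.js:28:11:28:47 | UserToken | JsonWebToken.js:31:28:31:36 | UserToken |
+| JsonWebToken.js:28:11:28:47 | UserToken | JsonWebToken.js:31:28:31:36 | UserToken |
+| JsonWebToken.js:28:23:28:47 | req.hea ... ization | JsonWebToken.js:28:11:28:47 | UserToken |
+| JsonWebToken.js:28:23:28:47 | req.hea ... ization | JsonWebToken.js:28:11:28:47 | UserToken |
+| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:38:28:38:36 | UserToken |
+| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:38:28:38:36 | UserToken |
+| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:39:28:39:36 | UserToken |
+| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:39:28:39:36 | UserToken |
+| JsonWebToken.js:35:23:35:47 | req.hea ... ization | JsonWebToken.js:35:11:35:47 | UserToken |
+| JsonWebToken.js:35:23:35:47 | req.hea ... ization | JsonWebToken.js:35:11:35:47 | UserToken |
+| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:46:28:46:36 | UserToken |
+| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:46:28:46:36 | UserToken |
+| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:47:28:47:36 | UserToken |
+| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:47:28:47:36 | UserToken |
+| JsonWebToken.js:43:23:43:47 | req.hea ... ization | JsonWebToken.js:43:11:43:47 | UserToken |
+| JsonWebToken.js:43:23:43:47 | req.hea ... ization | JsonWebToken.js:43:11:43:47 | UserToken |
+#select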
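--- /dev/null
+++ b/<qlref file path not shown on page>
@@ -0,0 +1 @@
+Security/CWE-347-noVerification/JsonWebTokenNotWorking.ql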
