V1

Author: am0o0

javascript/ql/src/experimental/Security/CWE-321-HardCodedKey/Example.js

@@ -0,0 +1,49 @@
+const express = require('express')
+const jwtJsonwebtoken = require("jsonwebtoken");
+const jose = require("jose");
+const jwt_simple = require("jwt-simple");
+const app = express()
+const port = 3000
+
+function getSecret() {
+    return "secret"
+}
+
+async function startSymmetric(token) {
+    const {payload, protectedHeader} = await jose.jwtVerify(token, new TextEncoder().encode(getSecret()))
+    return {
+        payload, protectedHeader
+    }
+}
+
+async function startRSA(token) {
+    const spki = `-----BEGIN PUBLIC KEY-----
+    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwhYOFK2Ocbbpb/zVypi9
+    SeKiNUqKQH0zTKN1+6fpCTu6ZalGI82s7XK3tan4dJt90ptUPKD2zvxqTzFNfx4H
+    HHsrYCf2+FMLn1VTJfQazA2BvJqAwcpW1bqRUEty8tS/Yv4hRvWfQPcc2Gc3+/fQ
+    OOW57zVy+rNoJc744kb30NjQxdGp03J2S3GLQu7oKtSDDPooQHD38PEMNnITf0pj
+    +KgDPjymkMGoJlO3aKppsjfbt/AH6GGdRghYRLOUwQU+h+ofWHR3lbYiKtXPn5dN
+    24kiHy61e3VAQ9/YAZlwXC/99GGtw/NpghFAuM4P1JDn0DppJldy3PGFC0GfBCZA
+    SwIDAQAB
+    -----END PUBLIC KEY-----`
+    const publicKey = await jose.importSPKI(spki, 'RS256')
+    const {payload, protectedHeader} = await jose.jwtVerify(token, publicKey, {
+        issuer: 'urn:example:issuer',
+        audience: 'urn:example:audience',
+    })
+    console.log(protectedHeader)
+    console.log(payload)
+}
+
+app.get('/', (req, res) => {
+    const UserToken = req.headers.authorization;
+    startSymmetric(UserToken).then()
+    startRSA(UserToken).then()
+    jwt_simple.decode(UserToken, getSecret());
+    jwtJsonwebtoken.verify(UserToken, getSecret())
+    res.send('Hello World!')
+})
+
+app.listen(port, () => {
+    console.log(`Example app listening on port ${port}`)
+})

javascript/ql/src/experimental/Security/CWE-321-HardCodedKey/jwtConstantKey.qhelp

@@ -0,0 +1,29 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+     <overview>
+          <p>
+               A JSON Web Token (JWT) is used for authenticating and managing users in an application.
+          </p>
+          <p>
+               Decoding JWTs with a Constant hardcoded secret key can lead to security vulnerabilities.
+          </p>
+
+     </overview>
+     <recommendation>
+
+          <p>
+               Generate seceret key in application startup with secure randome generators.
+          </p>
+
+     </recommendation>
+     <example>
+
+          <p>
+               The following code you can see an Example from a popular Library.
+          </p>
+
+          <sample src="Example.go" />
+
+     </example>
+
+</qhelp>

javascript/ql/src/experimental/Security/CWE-321-HardCodedKey/jwtConstantKey.ql

@@ -0,0 +1,75 @@
+/**
+ * @name Usage of Constant Secret key for decoding JWT
+ * @description Hardcoded Secrets leakage can lead to authentication or authorization bypass
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id javascript/jwt-hardcodedkey
+ * @tags security
+ *       experimental
+ *       external/cwe/CWE-321
+ */
+
+import javascript
+import DataFlow::PathGraph
+import DataFlow
+
+class JWTDecodeConfig extends TaintTracking::Configuration {
+  JWTDecodeConfig() { this = "JWTConfig" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.asExpr() instanceof StringLiteral or source.asExpr() instanceof TemplateLiteral
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    // any() or
+    sink = API::moduleImport("jsonwebtoken").getMember(["sign", "verify"]).getParameter(1).asSink() or
+    sink = API::moduleImport("jose").getMember("jwtVerify").getParameter(1).asSink() or
+    sink = API::moduleImport("jwt-simple").getMember("decode").getParameter(1).asSink() or
+    sink = API::moduleImport("next-auth").getParameter(0).getMember("secret").asSink() or
+    sink = API::moduleImport("koa-jwt").getParameter(0).getMember("secret").asSink() or
+    sink =
+      API::moduleImport("express-jwt")
+          .getMember("expressjwt")
+          .getParameter(0)
+          .getMember("secret")
+          .asSink() or
+    sink =
+      API::moduleImport("passport-jwt")
+          .getMember("Strategy")
+          .getParameter(0)
+          .getMember("secretOrKey")
+          .asSink()
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(DataFlow::CallNode n, DataFlow::NewNode nn |
+      n.getCalleeName() = "encode" and
+      nn.flowsTo(n.getReceiver()) and
+      nn.getCalleeName() = "TextEncoder"
+    |
+      pred = n.getArgument(0) and
+      succ = n
+    )
+    or
+    exists(API::Node n | n = API::moduleImport("jose").getMember("importSPKI") |
+      pred = n.getACall().getArgument(0) and
+      succ = n.getReturn().getPromised().asSource()
+    )
+    or
+    exists(API::Node n | n = API::moduleImport("jose").getMember("base64url").getMember("decode") |
+      pred = n.getACall().getArgument(0) and
+      succ = n.getACall()
+    )
+    or
+    exists(DataFlow::CallNode n | n = DataFlow::globalVarRef("Buffer").getAMemberCall("from") |
+      pred = n.getArgument(0) and
+      succ = [n, n.getAChainedMethodCall(["toString", "toJSON"])]
+    )
+  }
+}
+
+from JWTDecodeConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "this $@. is used as a secret key", source.getNode(),
+  "Constant"

javascript/ql/src/experimental/Security/CWE-321-noVerification/Example.js

@@ -0,0 +1,45 @@
+const express = require('express')
+const app = express()
+const jwtJsonwebtoken = require('jsonwebtoken');
+const {getSecret} = require('./Config.js');
+const jwt_decode = require('jwt-decode');
+const jwt_simple = require('jwt-simple');
+const jose = require('jose')
+const port = 3000
+
+async function startSymmetric(token) {
+    const {payload, protectedHeader} = await jose.jwtVerify(token, new TextEncoder().encode(getSecret()))
+    return {
+        payload, protectedHeader
+    }
+}
+
+app.get('/', (req, res) => {
+    const UserToken = req.headers.authorization;
+    // BAD: no verification
+    jwtJsonwebtoken.decode(UserToken)
+    // GOOD: use verify alone or use as a check,
+    // sometimes it seems some coders use both for same token
+    const UserToken2 = req.headers.authorization;
+    jwtJsonwebtoken.decode(UserToken2)
+    jwtJsonwebtoken.verify(UserToken2, getSecret())
+    // jwt-decode
+    // BAD: no verification
+    jwt_decode(UserToken)
+    // jose
+    // BAD: no verification
+    jose.decodeJwt(UserToken)
+    // GOOD
+    startSymmetric(UserToken).then(result => console.log(result))
+    // jwt-simple
+    // no verification
+    jwt_simple.decode(UserToken, getSecret(), true);
+    // GOOD
+    jwt_simple.decode(UserToken, getSecret(), false);
+    jwt_simple.decode(UserToken, getSecret());
+    res.send('Hello World!')
+})
+
+app.listen(port, () => {
+    console.log(`Example app listening on port ${port}`)
+})

javascript/ql/src/experimental/Security/CWE-321-noVerification/jwtNoVerification.qhelp

@@ -0,0 +1,34 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+     <overview>
+          <p>
+               A JSON Web Token (JWT) is used for authenticating and managing users in an application.
+          </p>
+          <p>
+               Only Decoding JWTs without checking if they have a valid signature or not can lead to security vulnerabilities.
+          </p>
+
+     </overview>
+     <recommendation>
+
+          <p>
+               Don't use methods that only decode JWT, Instead use methods that verify the signature of JWT.
+          </p>
+
+     </recommendation>
+     <example>
+
+          <p>
+               The following code you can see an Example from a popular Library.
+          </p>
+
+          <sample src="Example.go" />
+
+     </example>
+     <references>
+          <li>
+               <a href="https://www.ghostccamm.com/blog/multi_strapi_vulns/#cve-2023-22893-authentication-bypass-for-aws-cognito-login-provider-in-strapi-versions-456">JWT claim had not been verified</a>
+          </li>
+     </references>
+
+</qhelp>

javascript/ql/src/experimental/Security/CWE-321-noVerification/jwtNoVerification.ql

@@ -0,0 +1,27 @@
+/**
+ * @name JWT missing secret or public key verification
+ * @description The application does not verify the JWT payload with a cryptographic secret or public key.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 7.0
+ * @precision high
+ * @id js/jwt-missing-verification
+ * @tags security
+ *       external/cwe/cwe-347
+ */
+
+import javascript
+
+from DataFlow::Node sink
+where
+  sink = API::moduleImport("jsonwebtoken").getMember("decode").getParameter(0).asSink()
+  or
+  sink = API::moduleImport("jwt-decode").getParameter(0).asSink()
+  or
+  sink = API::moduleImport("jose").getMember("decodeJwt").getParameter(0).asSink()
+  or
+  exists(API::Node n | n = API::moduleImport("jwt-simple").getMember("decode") |
+    n.getParameter(2).asSink().asExpr() = any(BoolLiteral b | b.getBoolValue() = true) and
+    sink = n.getParameter(0).asSink()
+  )
+select sink, "This Token is Decoded in without signature validatoin"