move to new CWE-321 directory, make saparate query files for each JWT pkg, create a path query for jsonwebtoken package which is not work correctly

Author: am0o0

javascript/ql/src/Security/CWE-321-noVerification/JsonWebToken.ql

@@ -0,0 +1,47 @@
+/**
+ * @name JWT missing secret or public key verification
+ * @description The application does not verify the JWT payload with a cryptographic secret or public key.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.0
+ * @precision high
+ * @id js/jwt-missing-verification
+ * @tags security
+ *       external/cwe/cwe-321
+ */
+
+import javascript
+import DataFlow::PathGraph
+
+DataFlow::Node unverifiedDecode() {
+  result = API::moduleImport("jsonwebtoken").getMember("decode").getParameter(0).asSink()
+}
+
+DataFlow::Node verifiedDecode() {
+  result = API::moduleImport("jsonwebtoken").getMember("verify").getParameter(0).asSink()
+}
+
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "jsonwebtoken constant secret key" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink = unverifiedDecode()
+    or
+    sink = verifiedDecode()
+  }
+}
+
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where
+  cfg.hasFlowPath(source, sink) and
+  sink.getNode() = unverifiedDecode() and
+  not isSafe(source.getNode())
+select source.getNode(), source, sink, "Decoding JWT $@.", sink.getNode(),
+  "without signature verification"
+
+// Holds if the source has a flow to a JWT decoding function with signature verification
+predicate isSafe(DataFlow::Node source) {
+  exists(Configuration cfg | cfg.hasFlow(source, verifiedDecode()))
+}

javascript/ql/src/Security/CWE-321-noVerification/jose.ql

@@ -0,0 +1,17 @@
+/**
+ * @name JWT missing secret or public key verification
+ * @description The application does not verify the JWT payload with a cryptographic secret or public key.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 7.0
+ * @precision high
+ * @id js/jwt-missing-verification
+ * @tags security
+ *       external/cwe/cwe-347
+ */
+
+import javascript
+
+from DataFlow::Node sink
+where sink = API::moduleImport("jose").getMember("decodeJwt").getParameter(0).asSink()
+select sink, "This Token is Decoded in without signature validation"

javascript/ql/src/Security/CWE-321-noVerification/jwtDecode.ql

@@ -0,0 +1,19 @@
+/**
+ * @name JWT missing secret or public key verification
+ * @description The application does not verify the JWT payload with a cryptographic secret or public key.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 7.0
+ * @precision high
+ * @id js/jwt-missing-verification
+ * @tags security
+ *       external/cwe/cwe-347
+ */
+
+import javascript
+
+from DataFlow::Node sink
+where
+  // I must somehow check that following is implemented in server not browser
+  sink = API::moduleImport("jwt-decode").getParameter(0).asSink()
+select sink, "This Token is Decoded in without signature validation"

javascript/ql/src/Security/CWE-321-noVerification/jwtNoVerification.ql renamed to javascript/ql/src/Security/CWE-321-noVerification/jwtSimple.ql

@@ -14,14 +14,8 @@ import javascript
 
 from DataFlow::Node sink
 where
-  sink = API::moduleImport("jsonwebtoken").getMember("decode").getParameter(0).asSink()
-  or
-  sink = API::moduleImport("jwt-decode").getParameter(0).asSink()
-  or
-  sink = API::moduleImport("jose").getMember("decodeJwt").getParameter(0).asSink()
-  or
   exists(API::Node n | n = API::moduleImport("jwt-simple").getMember("decode") |
     n.getParameter(2).asSink().asExpr() = any(BoolLiteral b | b.getBoolValue() = true) and
     sink = n.getParameter(0).asSink()
   )
-select sink, "This Token is Decoded in without signature validatoin"
+select sink, "This Token is Decoded in without signature validation"

javascript/ql/test/query-tests/Security/CWE-321-noVerification/NoVerification.js

@@ -1,44 +1,90 @@
 const express = require('express')
 const app = express()
 const jwtJsonwebtoken = require('jsonwebtoken');
-const {getSecret} = require('./Config.js');
+const { getSecret } = require('./Config.js');
 const jwt_decode = require('jwt-decode');
 const jwt_simple = require('jwt-simple');
 const jose = require('jose')
 const port = 3000
 
 async function startSymmetric(token) {
-    const {payload, protectedHeader} = await jose.jwtVerify(token, new TextEncoder().encode(getSecret()))
+    const { payload, protectedHeader } = await jose.jwtVerify(token, new TextEncoder().encode(getSecret()))
     return {
         payload, protectedHeader
     }
 }
 
-app.get('/', (req, res) => {
+app.get('/jose', (req, res) => {
     const UserToken = req.headers.authorization;
-    // BAD: no verification
-    jwtJsonwebtoken.decode(UserToken)
-    jwtJsonwebtoken.verify(UserToken, false, {algorithms: ["HS256", "none"]})
-    // GOOD: use verify alone or use as a check,
-    // sometimes it seems some coders use both for same token
-    const UserToken2 = req.headers.authorization;
-    jwtJsonwebtoken.decode(UserToken2)
-    jwtJsonwebtoken.verify(UserToken2, getSecret())
-    // jwt-decode
-    // BAD: no verification
-    jwt_decode(UserToken)
+
     // jose
-    // BAD: no verification
+    // BAD: no signature verification
     jose.decodeJwt(UserToken)
-    // GOOD
+    // GOOD: with signature verification
     startSymmetric(UserToken).then(result => console.log(result))
+
+
+})
+
+
+app.get('/jwtDecode', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    // jwt-decode
+    // BAD: no signature verification
+    jwt_decode(UserToken)
+})
+
+app.get('/jwtSimple', (req, res) => {
+    const UserToken = req.headers.authorization;
+
     // jwt-simple
-    // no verification
+    // jwt.decode(token, key, noVerify, algorithm)
+    // BAD: no signature verification
     jwt_simple.decode(UserToken, getSecret(), true);
-    // GOOD
+})
+
+app.get('/jwtSimple2', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    // jwt-simple
+    // jwt.decode(token, key, noVerify, algorithm)
+    // GOOD: with signature verification
     jwt_simple.decode(UserToken, getSecret(), false);
     jwt_simple.decode(UserToken, getSecret());
-    res.send('Hello World!')
+})
+
+app.get('/jwtSimple3', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    // jwt-simple
+    // jwt.decode(token, key, noVerify, algorithm)
+    // GOOD: first decode without signature verification and then verify the signature later
+    jwt_simple.decode(UserToken, getSecret(), true);
+    jwt_simple.decode(UserToken, getSecret());
+})
+
+app.get('/jwtJsonwebtoken', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    // BAD: no signature verification
+    jwtJsonwebtoken.decode(UserToken)
+    jwtJsonwebtoken.verify(UserToken, false, { algorithms: ["HS256", "none"] })
+})
+
+app.get('/jwtJsonwebtoken2', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    // GOOD: with signature verification
+    jwtJsonwebtoken.verify(UserToken, getSecret())
+})
+
+app.get('/jwtJsonwebtoken3', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    // GOOD: first decode without signature verification and then verify the signature later
+    jwtJsonwebtoken.decode(UserToken)
+    jwtJsonwebtoken.verify(UserToken, getSecret())
 })
 
 app.listen(port, () => {

javascript/ql/test/query-tests/Security/CWE-321-noVerification/jwtNoVerification.expected

@@ -1,5 +1,38 @@
-| NoVerification.js:20:28:20:36 | UserToken | This Token is Decoded in without signature validatoin |
-| NoVerification.js:25:28:25:37 | UserToken2 | This Token is Decoded in without signature validatoin |
-| NoVerification.js:29:16:29:24 | UserToken | This Token is Decoded in without signature validatoin |
-| NoVerification.js:32:20:32:28 | UserToken | This Token is Decoded in without signature validatoin |
-| NoVerification.js:37:23:37:31 | UserToken | This Token is Decoded in without signature validatoin |
+nodes
+| NoVerification.js:68:11:68:47 | UserToken |
+| NoVerification.js:68:23:68:47 | req.hea ... ization |
+| NoVerification.js:68:23:68:47 | req.hea ... ization |
+| NoVerification.js:71:28:71:36 | UserToken |
+| NoVerification.js:71:28:71:36 | UserToken |
+| NoVerification.js:72:28:72:36 | UserToken |
+| NoVerification.js:72:28:72:36 | UserToken |
+| NoVerification.js:76:11:76:47 | UserToken |
+| NoVerification.js:76:23:76:47 | req.hea ... ization |
+| NoVerification.js:76:23:76:47 | req.hea ... ization |
+| NoVerification.js:79:28:79:36 | UserToken |
+| NoVerification.js:79:28:79:36 | UserToken |
+| NoVerification.js:83:11:83:47 | UserToken |
+| NoVerification.js:83:23:83:47 | req.hea ... ization |
+| NoVerification.js:83:23:83:47 | req.hea ... ization |
+| NoVerification.js:86:28:86:36 | UserToken |
+| NoVerification.js:86:28:86:36 | UserToken |
+| NoVerification.js:87:28:87:36 | UserToken |
+| NoVerification.js:87:28:87:36 | UserToken |
+edges
+| NoVerification.js:68:11:68:47 | UserToken | NoVerification.js:71:28:71:36 | UserToken |
+| NoVerification.js:68:11:68:47 | UserToken | NoVerification.js:71:28:71:36 | UserToken |
+| NoVerification.js:68:11:68:47 | UserToken | NoVerification.js:72:28:72:36 | UserToken |
+| NoVerification.js:68:11:68:47 | UserToken | NoVerification.js:72:28:72:36 | UserToken |
+| NoVerification.js:68:23:68:47 | req.hea ... ization | NoVerification.js:68:11:68:47 | UserToken |
+| NoVerification.js:68:23:68:47 | req.hea ... ization | NoVerification.js:68:11:68:47 | UserToken |
+| NoVerification.js:76:11:76:47 | UserToken | NoVerification.js:79:28:79:36 | UserToken |
+| NoVerification.js:76:11:76:47 | UserToken | NoVerification.js:79:28:79:36 | UserToken |
+| NoVerification.js:76:23:76:47 | req.hea ... ization | NoVerification.js:76:11:76:47 | UserToken |
+| NoVerification.js:76:23:76:47 | req.hea ... ization | NoVerification.js:76:11:76:47 | UserToken |
+| NoVerification.js:83:11:83:47 | UserToken | NoVerification.js:86:28:86:36 | UserToken |
+| NoVerification.js:83:11:83:47 | UserToken | NoVerification.js:86:28:86:36 | UserToken |
+| NoVerification.js:83:11:83:47 | UserToken | NoVerification.js:87:28:87:36 | UserToken |
+| NoVerification.js:83:11:83:47 | UserToken | NoVerification.js:87:28:87:36 | UserToken |
+| NoVerification.js:83:23:83:47 | req.hea ... ization | NoVerification.js:83:11:83:47 | UserToken |
+| NoVerification.js:83:23:83:47 | req.hea ... ization | NoVerification.js:83:11:83:47 | UserToken |
+#select

javascript/ql/test/query-tests/Security/CWE-321-noVerification/jwtNoVerification.qlref

@@ -1 +1 @@
-Security/CWE-321-noVerification/jwtNoVerification.ql
+Security/CWE-321-noVerification/JsonWebToken.ql