update the remote flow based query thanks to @erik-krogh, update tests and separate the local and remote query tests

Author: am0o0

javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql

@@ -14,24 +14,27 @@ import javascript
 import DataFlow::PathGraph
 import JWT
 
-class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "jsonwebtoken without any signature verification" }
+class ConfigurationUnverifiedDecode extends TaintTracking::Configuration {
+  ConfigurationUnverifiedDecode() { this = "jsonwebtoken without any signature verification" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) {
-    sink = unverifiedDecode()
-    or
-    sink = verifiedDecode()
-  }
+  override predicate isSink(DataFlow::Node sink) { sink = unverifiedDecode() }
 }
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+class ConfigurationVerifiedDecode extends TaintTracking::Configuration {
+  ConfigurationVerifiedDecode() { this = "jsonwebtoken with signature verification" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink = verifiedDecode() }
+}
+
+from ConfigurationUnverifiedDecode cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where
   cfg.hasFlowPath(source, sink) and
-  sink.getNode() = unverifiedDecode() and
-  not exists(Configuration cfg2 |
-    cfg2.hasFlowPath(source, any(DataFlow::SinkPathNode n | n.getNode() = verifiedDecode()))
+  not exists(ConfigurationVerifiedDecode cfg2 |
+    cfg2.hasFlowPath(any(DataFlow::PathNode p | p.getNode() = source.getNode()), _)
   )
 select source.getNode(), source, sink, "Decoding JWT $@.", sink.getNode(),
   "without signature verification"

javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerificationDoesNotWork.ql

@@ -0,0 +1,53 @@
+const express = require('express')
+const app = express()
+const jwtJsonwebtoken = require('jsonwebtoken');
+const jwt_decode = require('jwt-decode');
+const jwt_simple = require('jwt-simple');
+const jose = require('jose')
+const port = 3000
+
+function getSecret() {
+    return "A Safe generated random key"
+}
+
+function aJWT() {
+    return "A JWT provided by user"
+}
+
+(function () {
+    const UserToken = aJwt()
+
+    // BAD: no signature verification
+    jwtJsonwebtoken.decode(UserToken) // NOT OK
+})();
+
+(function () {
+    const UserToken = aJwt()
+
+    // BAD: no signature verification
+    jwtJsonwebtoken.decode(UserToken) // NOT OK
+    jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256", "none"] }) // NOT OK
+})();
+
+(function () {
+    const UserToken = aJwt()
+
+    // GOOD: with signature verification
+    jwtJsonwebtoken.verify(UserToken, getSecret())  // OK
+})();
+
+(function () {
+    const UserToken = aJwt()
+
+    // GOOD: first without signature verification then with signature verification for same UserToken
+    jwtJsonwebtoken.decode(UserToken)  // OK
+    jwtJsonwebtoken.verify(UserToken, getSecret())  // OK
+})();
+
+(function () {
+    const UserToken = aJwt()
+
+    // GOOD: first without signature verification then with signature verification for same UserToken
+    jwtJsonwebtoken.decode(UserToken) // OK
+    jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256"] }) // OK
+})();

javascript/ql/test/experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.expected

@@ -0,0 +1,141 @@
+nodes
+| JsonWebToken.js:18:11:18:28 | UserToken |
+| JsonWebToken.js:18:23:18:28 | aJwt() |
+| JsonWebToken.js:18:23:18:28 | aJwt() |
+| JsonWebToken.js:21:28:21:36 | UserToken |
+| JsonWebToken.js:21:28:21:36 | UserToken |
+| JsonWebToken.js:25:11:25:28 | UserToken |
+| JsonWebToken.js:25:23:25:28 | aJwt() |
+| JsonWebToken.js:25:23:25:28 | aJwt() |
+| JsonWebToken.js:28:28:28:36 | UserToken |
+| JsonWebToken.js:28:28:28:36 | UserToken |
+| JsonWebToken.js:29:28:29:36 | UserToken |
+| JsonWebToken.js:29:28:29:36 | UserToken |
+| JsonWebToken.js:33:11:33:28 | UserToken |
+| JsonWebToken.js:33:23:33:28 | aJwt() |
+| JsonWebToken.js:33:23:33:28 | aJwt() |
+| JsonWebToken.js:36:28:36:36 | UserToken |
+| JsonWebToken.js:36:28:36:36 | UserToken |
+| JsonWebToken.js:40:11:40:28 | UserToken |
+| JsonWebToken.js:40:23:40:28 | aJwt() |
+| JsonWebToken.js:40:23:40:28 | aJwt() |
+| JsonWebToken.js:43:28:43:36 | UserToken |
+| JsonWebToken.js:43:28:43:36 | UserToken |
+| JsonWebToken.js:44:28:44:36 | UserToken |
+| JsonWebToken.js:44:28:44:36 | UserToken |
+| JsonWebToken.js:48:11:48:28 | UserToken |
+| JsonWebToken.js:48:23:48:28 | aJwt() |
+| JsonWebToken.js:48:23:48:28 | aJwt() |
+| JsonWebToken.js:51:28:51:36 | UserToken |
+| JsonWebToken.js:51:28:51:36 | UserToken |
+| JsonWebToken.js:52:28:52:36 | UserToken |
+| JsonWebToken.js:52:28:52:36 | UserToken |
+| jose.js:18:11:18:28 | UserToken |
+| jose.js:18:23:18:28 | aJwt() |
+| jose.js:18:23:18:28 | aJwt() |
+| jose.js:21:20:21:28 | UserToken |
+| jose.js:21:20:21:28 | UserToken |
+| jose.js:25:11:25:28 | UserToken |
+| jose.js:25:23:25:28 | aJwt() |
+| jose.js:25:23:25:28 | aJwt() |
+| jose.js:28:20:28:28 | UserToken |
+| jose.js:28:20:28:28 | UserToken |
+| jose.js:29:26:29:34 | UserToken |
+| jose.js:29:26:29:34 | UserToken |
+| jose.js:33:11:33:28 | UserToken |
+| jose.js:33:23:33:28 | aJwt() |
+| jose.js:33:23:33:28 | aJwt() |
+| jose.js:36:26:36:34 | UserToken |
+| jose.js:36:26:36:34 | UserToken |
+| jwtDecode.js:18:11:18:28 | UserToken |
+| jwtDecode.js:18:23:18:28 | aJwt() |
+| jwtDecode.js:18:23:18:28 | aJwt() |
+| jwtDecode.js:22:16:22:24 | UserToken |
+| jwtDecode.js:22:16:22:24 | UserToken |
+| jwtSimple.js:18:11:18:28 | UserToken |
+| jwtSimple.js:18:23:18:28 | aJwt() |
+| jwtSimple.js:18:23:18:28 | aJwt() |
+| jwtSimple.js:21:23:21:31 | UserToken |
+| jwtSimple.js:21:23:21:31 | UserToken |
+| jwtSimple.js:25:11:25:28 | UserToken |
+| jwtSimple.js:25:23:25:28 | aJwt() |
+| jwtSimple.js:25:23:25:28 | aJwt() |
+| jwtSimple.js:28:23:28:31 | UserToken |
+| jwtSimple.js:28:23:28:31 | UserToken |
+| jwtSimple.js:29:23:29:31 | UserToken |
+| jwtSimple.js:29:23:29:31 | UserToken |
+| jwtSimple.js:33:11:33:28 | UserToken |
+| jwtSimple.js:33:23:33:28 | aJwt() |
+| jwtSimple.js:33:23:33:28 | aJwt() |
+| jwtSimple.js:36:23:36:31 | UserToken |
+| jwtSimple.js:36:23:36:31 | UserToken |
+| jwtSimple.js:37:23:37:31 | UserToken |
+| jwtSimple.js:37:23:37:31 | UserToken |
+edges
+| JsonWebToken.js:18:11:18:28 | UserToken | JsonWebToken.js:21:28:21:36 | UserToken |
+| JsonWebToken.js:18:11:18:28 | UserToken | JsonWebToken.js:21:28:21:36 | UserToken |
+| JsonWebToken.js:18:23:18:28 | aJwt() | JsonWebToken.js:18:11:18:28 | UserToken |
+| JsonWebToken.js:18:23:18:28 | aJwt() | JsonWebToken.js:18:11:18:28 | UserToken |
+| JsonWebToken.js:25:11:25:28 | UserToken | JsonWebToken.js:28:28:28:36 | UserToken |
+| JsonWebToken.js:25:11:25:28 | UserToken | JsonWebToken.js:28:28:28:36 | UserToken |
+| JsonWebToken.js:25:11:25:28 | UserToken | JsonWebToken.js:29:28:29:36 | UserToken |
+| JsonWebToken.js:25:11:25:28 | UserToken | JsonWebToken.js:29:28:29:36 | UserToken |
+| JsonWebToken.js:25:23:25:28 | aJwt() | JsonWebToken.js:25:11:25:28 | UserToken |
+| JsonWebToken.js:25:23:25:28 | aJwt() | JsonWebToken.js:25:11:25:28 | UserToken |
+| JsonWebToken.js:33:11:33:28 | UserToken | JsonWebToken.js:36:28:36:36 | UserToken |
+| JsonWebToken.js:33:11:33:28 | UserToken | JsonWebToken.js:36:28:36:36 | UserToken |
+| JsonWebToken.js:33:23:33:28 | aJwt() | JsonWebToken.js:33:11:33:28 | UserToken |
+| JsonWebToken.js:33:23:33:28 | aJwt() | JsonWebToken.js:33:11:33:28 | UserToken |
+| JsonWebToken.js:40:11:40:28 | UserToken | JsonWebToken.js:43:28:43:36 | UserToken |
+| JsonWebToken.js:40:11:40:28 | UserToken | JsonWebToken.js:43:28:43:36 | UserToken |
+| JsonWebToken.js:40:11:40:28 | UserToken | JsonWebToken.js:44:28:44:36 | UserToken |
+| JsonWebToken.js:40:11:40:28 | UserToken | JsonWebToken.js:44:28:44:36 | UserToken |
+| JsonWebToken.js:40:23:40:28 | aJwt() | JsonWebToken.js:40:11:40:28 | UserToken |
+| JsonWebToken.js:40:23:40:28 | aJwt() | JsonWebToken.js:40:11:40:28 | UserToken |
+| JsonWebToken.js:48:11:48:28 | UserToken | JsonWebToken.js:51:28:51:36 | UserToken |
+| JsonWebToken.js:48:11:48:28 | UserToken | JsonWebToken.js:51:28:51:36 | UserToken |
+| JsonWebToken.js:48:11:48:28 | UserToken | JsonWebToken.js:52:28:52:36 | UserToken |
+| JsonWebToken.js:48:11:48:28 | UserToken | JsonWebToken.js:52:28:52:36 | UserToken |
+| JsonWebToken.js:48:23:48:28 | aJwt() | JsonWebToken.js:48:11:48:28 | UserToken |
+| JsonWebToken.js:48:23:48:28 | aJwt() | JsonWebToken.js:48:11:48:28 | UserToken |
+| jose.js:18:11:18:28 | UserToken | jose.js:21:20:21:28 | UserToken |
+| jose.js:18:11:18:28 | UserToken | jose.js:21:20:21:28 | UserToken |
+| jose.js:18:23:18:28 | aJwt() | jose.js:18:11:18:28 | UserToken |
+| jose.js:18:23:18:28 | aJwt() | jose.js:18:11:18:28 | UserToken |
+| jose.js:25:11:25:28 | UserToken | jose.js:28:20:28:28 | UserToken |
+| jose.js:25:11:25:28 | UserToken | jose.js:28:20:28:28 | UserToken |
+| jose.js:25:11:25:28 | UserToken | jose.js:29:26:29:34 | UserToken |
+| jose.js:25:11:25:28 | UserToken | jose.js:29:26:29:34 | UserToken |
+| jose.js:25:23:25:28 | aJwt() | jose.js:25:11:25:28 | UserToken |
+| jose.js:25:23:25:28 | aJwt() | jose.js:25:11:25:28 | UserToken |
+| jose.js:33:11:33:28 | UserToken | jose.js:36:26:36:34 | UserToken |
+| jose.js:33:11:33:28 | UserToken | jose.js:36:26:36:34 | UserToken |
+| jose.js:33:23:33:28 | aJwt() | jose.js:33:11:33:28 | UserToken |
+| jose.js:33:23:33:28 | aJwt() | jose.js:33:11:33:28 | UserToken |
+| jwtDecode.js:18:11:18:28 | UserToken | jwtDecode.js:22:16:22:24 | UserToken |
+| jwtDecode.js:18:11:18:28 | UserToken | jwtDecode.js:22:16:22:24 | UserToken |
+| jwtDecode.js:18:23:18:28 | aJwt() | jwtDecode.js:18:11:18:28 | UserToken |
+| jwtDecode.js:18:23:18:28 | aJwt() | jwtDecode.js:18:11:18:28 | UserToken |
+| jwtSimple.js:18:11:18:28 | UserToken | jwtSimple.js:21:23:21:31 | UserToken |
+| jwtSimple.js:18:11:18:28 | UserToken | jwtSimple.js:21:23:21:31 | UserToken |
+| jwtSimple.js:18:23:18:28 | aJwt() | jwtSimple.js:18:11:18:28 | UserToken |
+| jwtSimple.js:18:23:18:28 | aJwt() | jwtSimple.js:18:11:18:28 | UserToken |
+| jwtSimple.js:25:11:25:28 | UserToken | jwtSimple.js:28:23:28:31 | UserToken |
+| jwtSimple.js:25:11:25:28 | UserToken | jwtSimple.js:28:23:28:31 | UserToken |
+| jwtSimple.js:25:11:25:28 | UserToken | jwtSimple.js:29:23:29:31 | UserToken |
+| jwtSimple.js:25:11:25:28 | UserToken | jwtSimple.js:29:23:29:31 | UserToken |
+| jwtSimple.js:25:23:25:28 | aJwt() | jwtSimple.js:25:11:25:28 | UserToken |
+| jwtSimple.js:25:23:25:28 | aJwt() | jwtSimple.js:25:11:25:28 | UserToken |
+| jwtSimple.js:33:11:33:28 | UserToken | jwtSimple.js:36:23:36:31 | UserToken |
+| jwtSimple.js:33:11:33:28 | UserToken | jwtSimple.js:36:23:36:31 | UserToken |
+| jwtSimple.js:33:11:33:28 | UserToken | jwtSimple.js:37:23:37:31 | UserToken |
+| jwtSimple.js:33:11:33:28 | UserToken | jwtSimple.js:37:23:37:31 | UserToken |
+| jwtSimple.js:33:23:33:28 | aJwt() | jwtSimple.js:33:11:33:28 | UserToken |
+| jwtSimple.js:33:23:33:28 | aJwt() | jwtSimple.js:33:11:33:28 | UserToken |
+#select
+| JsonWebToken.js:18:23:18:28 | aJwt() | JsonWebToken.js:18:23:18:28 | aJwt() | JsonWebToken.js:21:28:21:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:21:28:21:36 | UserToken | without signature verification |
+| JsonWebToken.js:25:23:25:28 | aJwt() | JsonWebToken.js:25:23:25:28 | aJwt() | JsonWebToken.js:28:28:28:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:28:28:28:36 | UserToken | without signature verification |
+| JsonWebToken.js:25:23:25:28 | aJwt() | JsonWebToken.js:25:23:25:28 | aJwt() | JsonWebToken.js:29:28:29:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:29:28:29:36 | UserToken | without signature verification |
+| jose.js:18:23:18:28 | aJwt() | jose.js:18:23:18:28 | aJwt() | jose.js:21:20:21:28 | UserToken | Decoding JWT $@. | jose.js:21:20:21:28 | UserToken | without signature verification |
+| jwtDecode.js:18:23:18:28 | aJwt() | jwtDecode.js:18:23:18:28 | aJwt() | jwtDecode.js:22:16:22:24 | UserToken | Decoding JWT $@. | jwtDecode.js:22:16:22:24 | UserToken | without signature verification |
+| jwtSimple.js:18:23:18:28 | aJwt() | jwtSimple.js:18:23:18:28 | aJwt() | jwtSimple.js:21:23:21:31 | UserToken | Decoding JWT $@. | jwtSimple.js:21:23:21:31 | UserToken | without signature verification |

javascript/ql/test/experimental/Security/CWE-347/localsource/JsonWebToken.js

@@ -0,0 +1,37 @@
+const express = require('express')
+const app = express()
+const jwtJsonwebtoken = require('jsonwebtoken');
+const jwt_decode = require('jwt-decode');
+const jwt_simple = require('jwt-simple');
+const jose = require('jose')
+const port = 3000
+
+function getSecret() {
+    return "A Safe generated random key"
+}
+
+function aJWT() {
+    return "A JWT provided by user"
+}
+
+(function () {
+    const UserToken = aJwt()
+
+    // no signature verification
+    jose.decodeJwt(UserToken) // NOT OK
+})();
+
+(async function () {
+    const UserToken = aJwt()
+
+    // first without signature verification then with signature verification for same UserToken
+    jose.decodeJwt(UserToken)  // OK
+    await jose.jwtVerify(UserToken, new TextEncoder().encode(getSecret()))  // OK
+})();
+
+(async function () {
+    const UserToken = aJwt()
+
+    // with signature verification
+    await jose.jwtVerify(UserToken, new TextEncoder().encode(getSecret()))  // OK
+})();

javascript/ql/test/experimental/Security/CWE-347/localsource/decodeJwtWithoutVerificationLocalSource.expected

@@ -0,0 +1,23 @@
+const express = require('express')
+const app = express()
+const jwtJsonwebtoken = require('jsonwebtoken');
+const jwt_decode = require('jwt-decode');
+const jwt_simple = require('jwt-simple');
+const jose = require('jose')
+const port = 3000
+
+function getSecret() {
+    return "A Safe generated random key"
+}
+
+function aJWT() {
+    return "A JWT provided by user"
+}
+
+(function () {
+    const UserToken = aJwt()
+
+    // jwt-decode
+    // no signature verification
+    jwt_decode(UserToken) // NOT OK
+})();

javascript/ql/test/experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.qlref renamed to javascript/ql/test/experimental/Security/CWE-347/localsource/decodeJwtWithoutVerificationLocalSource.qlref

@@ -0,0 +1,38 @@
+const express = require('express')
+const app = express()
+const jwtJsonwebtoken = require('jsonwebtoken');
+const jwt_decode = require('jwt-decode');
+const jwt_simple = require('jwt-simple');
+const jose = require('jose')
+const port = 3000
+
+function getSecret() {
+    return "A Safe generated random key"
+}
+
+function aJWT() {
+    return "A JWT provided by user"
+}
+
+(function () {
+    const UserToken = aJwt()
+
+    // BAD: no signature verification
+    jwt_simple.decode(UserToken, getSecret(), true); // NOT OK
+})();
+
+(function () {
+    const UserToken = aJwt()
+
+    // GOOD: all with with signature verification
+    jwt_simple.decode(UserToken, getSecret(), false); // OK
+    jwt_simple.decode(UserToken, getSecret()); // OK
+})();
+
+(function () {
+    const UserToken = aJwt()
+
+    // GOOD: first without signature verification then with signature verification for same UserToken
+    jwt_simple.decode(UserToken, getSecret(), true); // OK
+    jwt_simple.decode(UserToken, getSecret()); // OK
+})();