add jsonWebToken library file to remove duplicate predicate declrations

am0o0 · am0o0 · commit f905ac10c4e8 · 2024-05-25T13:28:13.000+02:00
diff --git a/javascript/ql/src/experimental/Security/CWE-347-noVerification/JsonWebToken.ql b/javascript/ql/src/experimental/Security/CWE-347-noVerification/JsonWebToken.ql
@@ -12,35 +12,7 @@
 
 import javascript
 import DataFlow::PathGraph
-
-DataFlow::Node unverifiedDecode() {
-  result = API::moduleImport("jsonwebtoken").getMember("decode").getParameter(0).asSink()
-  or
-  exists(API::Node verify | verify = API::moduleImport("jsonwebtoken").getMember("verify") |
-    verify
-        .getParameter(2)
-        .getMember("algorithms")
-        .getUnknownMember()
-        .asSink()
-        .mayHaveStringValue("none") and
-    result = verify.getParameter(0).asSink()
-  )
-}
-
-DataFlow::Node verifiedDecode() {
-  exists(API::Node verify | verify = API::moduleImport("jsonwebtoken").getMember("verify") |
-    (
-      not verify
-          .getParameter(2)
-          .getMember("algorithms")
-          .getUnknownMember()
-          .asSink()
-          .mayHaveStringValue("none") or
-      not exists(verify.getParameter(2).getMember("algorithms"))
-    ) and
-    result = verify.getParameter(0).asSink()
-  )
-}
+import jsonWebToken
 
 class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "jsonwebtoken without any signature verification" }
diff --git a/javascript/ql/src/experimental/Security/CWE-347-noVerification/JsonWebTokenLocalSource.ql b/javascript/ql/src/experimental/Security/CWE-347-noVerification/JsonWebTokenLocalSource.ql
@@ -12,35 +12,7 @@
 
 import javascript
 import DataFlow::PathGraph
-
-DataFlow::Node unverifiedDecode() {
-  result = API::moduleImport("jsonwebtoken").getMember("decode").getParameter(0).asSink()
-  or
-  exists(API::Node verify | verify = API::moduleImport("jsonwebtoken").getMember("verify") |
-    verify
-        .getParameter(2)
-        .getMember("algorithms")
-        .getUnknownMember()
-        .asSink()
-        .mayHaveStringValue("none") and
-    result = verify.getParameter(0).asSink()
-  )
-}
-
-DataFlow::Node verifiedDecode() {
-  exists(API::Node verify | verify = API::moduleImport("jsonwebtoken").getMember("verify") |
-    (
-      not verify
-          .getParameter(2)
-          .getMember("algorithms")
-          .getUnknownMember()
-          .asSink()
-          .mayHaveStringValue("none") or
-      not exists(verify.getParameter(2).getMember("algorithms"))
-    ) and
-    result = verify.getParameter(0).asSink()
-  )
-}
+import jsonWebToken
 
 class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "jsonwebtoken without any signature verification" }
diff --git a/javascript/ql/src/experimental/Security/CWE-347-noVerification/JsonWebTokenNotWorking.ql b/javascript/ql/src/experimental/Security/CWE-347-noVerification/JsonWebTokenNotWorking.ql
@@ -12,35 +12,7 @@
 
 import javascript
 import DataFlow::PathGraph
-
-DataFlow::Node unverifiedDecode() {
-  result = API::moduleImport("jsonwebtoken").getMember("decode").getParameter(0).asSink()
-  or
-  exists(API::Node verify | verify = API::moduleImport("jsonwebtoken").getMember("verify") |
-    verify
-        .getParameter(2)
-        .getMember("algorithms")
-        .getUnknownMember()
-        .asSink()
-        .mayHaveStringValue("none") and
-    result = verify.getParameter(0).asSink()
-  )
-}
-
-DataFlow::Node verifiedDecode() {
-  exists(API::Node verify | verify = API::moduleImport("jsonwebtoken").getMember("verify") |
-    (
-      not verify
-          .getParameter(2)
-          .getMember("algorithms")
-          .getUnknownMember()
-          .asSink()
-          .mayHaveStringValue("none") or
-      not exists(verify.getParameter(2).getMember("algorithms"))
-    ) and
-    result = verify.getParameter(0).asSink()
-  )
-}
+import jsonWebToken
 
 class ConfigurationUnverifiedDecode extends TaintTracking::Configuration {
   ConfigurationUnverifiedDecode() { this = "jsonwebtoken without any signature verification" }
diff --git a/javascript/ql/src/experimental/Security/CWE-347-noVerification/jsonWebToken.qll b/javascript/ql/src/experimental/Security/CWE-347-noVerification/jsonWebToken.qll
@@ -0,0 +1,30 @@
+import javascript
+
+DataFlow::Node unverifiedDecode() {
+  result = API::moduleImport("jsonwebtoken").getMember("decode").getParameter(0).asSink()
+  or
+  exists(API::Node verify | verify = API::moduleImport("jsonwebtoken").getMember("verify") |
+    verify
+        .getParameter(2)
+        .getMember("algorithms")
+        .getUnknownMember()
+        .asSink()
+        .mayHaveStringValue("none") and
+    result = verify.getParameter(0).asSink()
+  )
+}
+
+DataFlow::Node verifiedDecode() {
+  exists(API::Node verify | verify = API::moduleImport("jsonwebtoken").getMember("verify") |
+    (
+      not verify
+          .getParameter(2)
+          .getMember("algorithms")
+          .getUnknownMember()
+          .asSink()
+          .mayHaveStringValue("none") or
+      not exists(verify.getParameter(2).getMember("algorithms"))
+    ) and
+    result = verify.getParameter(0).asSink()
+  )
+}
