stash

Author: am0o0

java/ql/test/experimental/query-tests/security/CWE-347/Auth0NoVerifier.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-347/Auth0NoVerifier.ql

java/ql/test/experimental/query-tests/security/CWE-347/Test.java

@@ -0,0 +1,92 @@
+package com.example.JwtTest;
+
+import java.io.*;
+import java.security.NoSuchAlgorithmException;
+import java.util.Objects;
+import java.util.Optional;
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTVerifier;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.exceptions.JWTCreationException;
+import com.auth0.jwt.exceptions.JWTVerificationException;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class Test extends HttpServlet {
+
+  protected void doGet(HttpServletRequest request, HttpServletResponse response)
+          throws ServletException, IOException {
+      try {
+        response.setContentType("text/html");
+        PrintWriter out = response.getWriter();
+
+        // OK: first decode without signature verification
+        // and then verify with signature verification
+        String JwtToken1 = request.getParameter("JWT1");
+        String userName =  decodeToken(JwtToken1);
+        verifyToken(JwtToken1, "A Securely generated Key");
+        if (Objects.equals(userName, "Admin")) {
+          out.println("<html><body>");
+          out.println("<h1>" + "heyyy Admin" + "</h1>");
+          out.println("</body></html>");
+        }
+
+        out.println("<html><body>");
+        out.println("<h1>" + "heyyy Nobody" + "</h1>");
+        out.println("</body></html>");
+      } catch (Exception e) {
+          // TODO: handle exception
+      }
+  }
+
+  public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException  {
+    response.setContentType("text/html");
+    PrintWriter out = response.getWriter();
+
+    // NOT OK:  only decode, no verification
+    String JwtToken2 = request.getParameter("JWT2");
+    String userName = decodeToken(JwtToken2);
+    if (Objects.equals(userName, "Admin")) {
+      out.println("<html><body>");
+      out.println("<h1>" + "heyyy Admin" + "</h1>");
+      out.println("</body></html>");
+    }
+
+    // OK:  no clue of the use of unsafe decoded JWT return value
+    JwtToken2 = request.getParameter("JWT2");
+    JWT.decode(JwtToken2);
+
+
+    out.println("<html><body>");
+    out.println("<h1>" + "heyyy Nobody" + "</h1>");
+    out.println("</body></html>");
+  }
+
+  public static boolean verifyToken(final String token, final String key) {
+    try {
+      JWTVerifier verifier = JWT.require(Algorithm.HMAC256(key)).build();
+      verifier.verify(token);
+      return true;
+    } catch (JWTVerificationException e) {
+      System.out.printf("jwt decode fail, token: %s", e);
+    }
+    return false;
+  }
+
+
+  public static String decodeToken(final String token) {
+    DecodedJWT jwt = JWT.decode(token);
+    return Optional.of(jwt).map(item -> item.getClaim("userName").asString()).orElse("");
+  }
+
+
+  private static String getSecureRandomKey() throws NoSuchAlgorithmException {
+    KeyGenerator keyGen = KeyGenerator.getInstance("AES");
+    keyGen.init(256); // for example
+    return keyGen.generateKey().toString();
+  }
+  static final String JWT_KEY = "KEY";
+}

java/ql/test/experimental/query-tests/security/CWE-347/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/auth0-jwt-4.4.0/:${testdir}/../../../../stubs/javax-servlet-2.5/

java/ql/test/experimental/query-tests/security/CWE-347/pom.xml

@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.example</groupId>
+    <artifactId>JwtTest</artifactId>
+    <version>1.0-SNAPSHOT</version>
+    <name>JwtTest</name>
+    <packaging>war</packaging>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <maven.compiler.target>11</maven.compiler.target>
+        <maven.compiler.source>11</maven.compiler.source>
+        <junit.version>5.9.2</junit.version>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>com.auth0</groupId>
+            <artifactId>java-jwt</artifactId>
+            <version>4.4.0</version>
+        </dependency>
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>javax.servlet-api</artifactId>
+            <version>4.0.1</version>
+            <scope>provided</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-war-plugin</artifactId>
+                <version>3.3.2</version>
+            </plugin>
+        </plugins>
+    </build>
+</project>