[DIFF-INFORMED] JS: decodeJwtWithoutVerification

d10c · d10c · commit 272a97d3b606 · 2025-07-17T10:56:13.000+02:00
diff --git a/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql b/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql
@@ -27,6 +27,10 @@ module VerifiedDecodeConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
   predicate isSink(DataFlow::Node sink) { sink = verifiedDecode() }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // used as secondary config
+  }
 }
 
 module VerifiedDecodeFlow = TaintTracking::Global<VerifiedDecodeConfig>;

Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,10 @@ module VerifiedDecodeConfig implements DataFlow::ConfigSig {`
`27`	`27`	`predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }`
`28`	`28`
`29`	`29`	`predicate isSink(DataFlow::Node sink) { sink = verifiedDecode() }`
	`30`	`+`
	`31`	`+ predicate observeDiffInformedIncrementalMode() {`
	`32`	`+ none() // used as secondary config`
	`33`	`+ }`
`30`	`34`	`}`
`31`	`35`
`32`	`36`	`module VerifiedDecodeFlow = TaintTracking::Global<VerifiedDecodeConfig>;`