Java: convert MissingJWTSignatureCheck test to .qlref

d10c · d10c · commit 28694276e26a · 2025-06-24T16:42:06.000+02:00
diff --git a/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.expected b/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.expected
@@ -0,0 +1,55 @@
+#select
+| MissingJWTSignatureCheckTest.java:83:9:83:14 | parser | MissingJWTSignatureCheckTest.java:13:16:13:66 | setSigningKey(...) : JwtParser | MissingJWTSignatureCheckTest.java:83:9:83:14 | parser | This parser sets a $@, but the signature is not verified. | MissingJWTSignatureCheckTest.java:13:16:13:66 | setSigningKey(...) | JWT signing key |
+| MissingJWTSignatureCheckTest.java:83:9:83:14 | parser | MissingJWTSignatureCheckTest.java:17:16:17:73 | setSigningKey(...) : DefaultJwtParserBuilder | MissingJWTSignatureCheckTest.java:83:9:83:14 | parser | This parser sets a $@, but the signature is not verified. | MissingJWTSignatureCheckTest.java:17:16:17:73 | setSigningKey(...) | JWT signing key |
+| MissingJWTSignatureCheckTest.java:83:9:83:14 | parser | MissingJWTSignatureCheckTest.java:21:16:21:75 | setSigningKey(...) : JwtParser | MissingJWTSignatureCheckTest.java:83:9:83:14 | parser | This parser sets a $@, but the signature is not verified. | MissingJWTSignatureCheckTest.java:21:16:21:75 | setSigningKey(...) | JWT signing key |
+| MissingJWTSignatureCheckTest.java:87:9:87:14 | parser | MissingJWTSignatureCheckTest.java:13:16:13:66 | setSigningKey(...) : JwtParser | MissingJWTSignatureCheckTest.java:87:9:87:14 | parser | This parser sets a $@, but the signature is not verified. | MissingJWTSignatureCheckTest.java:13:16:13:66 | setSigningKey(...) | JWT signing key |
+| MissingJWTSignatureCheckTest.java:87:9:87:14 | parser | MissingJWTSignatureCheckTest.java:17:16:17:73 | setSigningKey(...) : DefaultJwtParserBuilder | MissingJWTSignatureCheckTest.java:87:9:87:14 | parser | This parser sets a $@, but the signature is not verified. | MissingJWTSignatureCheckTest.java:17:16:17:73 | setSigningKey(...) | JWT signing key |
+| MissingJWTSignatureCheckTest.java:87:9:87:14 | parser | MissingJWTSignatureCheckTest.java:21:16:21:75 | setSigningKey(...) : JwtParser | MissingJWTSignatureCheckTest.java:87:9:87:14 | parser | This parser sets a $@, but the signature is not verified. | MissingJWTSignatureCheckTest.java:21:16:21:75 | setSigningKey(...) | JWT signing key |
+| MissingJWTSignatureCheckTest.java:110:9:110:74 | build(...) | MissingJWTSignatureCheckTest.java:110:9:110:66 | setSigningKey(...) : DefaultJwtParserBuilder | MissingJWTSignatureCheckTest.java:110:9:110:74 | build(...) | This parser sets a $@, but the signature is not verified. | MissingJWTSignatureCheckTest.java:110:9:110:66 | setSigningKey(...) | JWT signing key |
+| MissingJWTSignatureCheckTest.java:114:9:114:83 | build(...) | MissingJWTSignatureCheckTest.java:114:9:114:75 | setSigningKey(...) : DefaultJwtParserBuilder | MissingJWTSignatureCheckTest.java:114:9:114:83 | build(...) | This parser sets a $@, but the signature is not verified. | MissingJWTSignatureCheckTest.java:114:9:114:75 | setSigningKey(...) | JWT signing key |
+| MissingJWTSignatureCheckTest.java:118:9:118:59 | setSigningKey(...) | MissingJWTSignatureCheckTest.java:118:9:118:59 | setSigningKey(...) | MissingJWTSignatureCheckTest.java:118:9:118:59 | setSigningKey(...) | This parser sets a $@, but the signature is not verified. | MissingJWTSignatureCheckTest.java:118:9:118:59 | setSigningKey(...) | JWT signing key |
+edges
+| MissingJWTSignatureCheckTest.java:13:16:13:66 | setSigningKey(...) : JwtParser | MissingJWTSignatureCheckTest.java:25:29:25:46 | getASignedParser(...) : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:17:16:17:73 | setSigningKey(...) : DefaultJwtParserBuilder | MissingJWTSignatureCheckTest.java:17:16:17:81 | build(...) : JwtParser | provenance | Config |
+| MissingJWTSignatureCheckTest.java:17:16:17:81 | build(...) : JwtParser | MissingJWTSignatureCheckTest.java:31:29:31:63 | getASignedParserFromParserBuilder(...) : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:21:16:21:75 | setSigningKey(...) : JwtParser | MissingJWTSignatureCheckTest.java:37:29:37:49 | getASignedNewParser(...) : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:25:29:25:46 | getASignedParser(...) : JwtParser | MissingJWTSignatureCheckTest.java:26:31:26:37 | parser1 : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:25:29:25:46 | getASignedParser(...) : JwtParser | MissingJWTSignatureCheckTest.java:27:38:27:44 | parser1 : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:26:31:26:37 | parser1 : JwtParser | MissingJWTSignatureCheckTest.java:82:40:82:55 | parser : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:27:38:27:44 | parser1 : JwtParser | MissingJWTSignatureCheckTest.java:86:47:86:62 | parser : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:31:29:31:63 | getASignedParserFromParserBuilder(...) : JwtParser | MissingJWTSignatureCheckTest.java:32:31:32:37 | parser2 : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:31:29:31:63 | getASignedParserFromParserBuilder(...) : JwtParser | MissingJWTSignatureCheckTest.java:33:38:33:44 | parser2 : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:32:31:32:37 | parser2 : JwtParser | MissingJWTSignatureCheckTest.java:82:40:82:55 | parser : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:33:38:33:44 | parser2 : JwtParser | MissingJWTSignatureCheckTest.java:86:47:86:62 | parser : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:37:29:37:49 | getASignedNewParser(...) : JwtParser | MissingJWTSignatureCheckTest.java:38:31:38:37 | parser3 : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:37:29:37:49 | getASignedNewParser(...) : JwtParser | MissingJWTSignatureCheckTest.java:39:38:39:44 | parser3 : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:38:31:38:37 | parser3 : JwtParser | MissingJWTSignatureCheckTest.java:82:40:82:55 | parser : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:39:38:39:44 | parser3 : JwtParser | MissingJWTSignatureCheckTest.java:86:47:86:62 | parser : JwtParser | provenance |  |
+| MissingJWTSignatureCheckTest.java:82:40:82:55 | parser : JwtParser | MissingJWTSignatureCheckTest.java:83:9:83:14 | parser | provenance |  |
+| MissingJWTSignatureCheckTest.java:86:47:86:62 | parser : JwtParser | MissingJWTSignatureCheckTest.java:87:9:87:14 | parser | provenance |  |
+| MissingJWTSignatureCheckTest.java:110:9:110:66 | setSigningKey(...) : DefaultJwtParserBuilder | MissingJWTSignatureCheckTest.java:110:9:110:74 | build(...) | provenance | Config |
+| MissingJWTSignatureCheckTest.java:114:9:114:75 | setSigningKey(...) : DefaultJwtParserBuilder | MissingJWTSignatureCheckTest.java:114:9:114:83 | build(...) | provenance | Config |
+nodes
+| MissingJWTSignatureCheckTest.java:13:16:13:66 | setSigningKey(...) : JwtParser | semmle.label | setSigningKey(...) : JwtParser |
+| MissingJWTSignatureCheckTest.java:17:16:17:73 | setSigningKey(...) : DefaultJwtParserBuilder | semmle.label | setSigningKey(...) : DefaultJwtParserBuilder |
+| MissingJWTSignatureCheckTest.java:17:16:17:81 | build(...) : JwtParser | semmle.label | build(...) : JwtParser |
+| MissingJWTSignatureCheckTest.java:21:16:21:75 | setSigningKey(...) : JwtParser | semmle.label | setSigningKey(...) : JwtParser |
+| MissingJWTSignatureCheckTest.java:25:29:25:46 | getASignedParser(...) : JwtParser | semmle.label | getASignedParser(...) : JwtParser |
+| MissingJWTSignatureCheckTest.java:26:31:26:37 | parser1 : JwtParser | semmle.label | parser1 : JwtParser |
+| MissingJWTSignatureCheckTest.java:27:38:27:44 | parser1 : JwtParser | semmle.label | parser1 : JwtParser |
+| MissingJWTSignatureCheckTest.java:31:29:31:63 | getASignedParserFromParserBuilder(...) : JwtParser | semmle.label | getASignedParserFromParserBuilder(...) : JwtParser |
+| MissingJWTSignatureCheckTest.java:32:31:32:37 | parser2 : JwtParser | semmle.label | parser2 : JwtParser |
+| MissingJWTSignatureCheckTest.java:33:38:33:44 | parser2 : JwtParser | semmle.label | parser2 : JwtParser |
+| MissingJWTSignatureCheckTest.java:37:29:37:49 | getASignedNewParser(...) : JwtParser | semmle.label | getASignedNewParser(...) : JwtParser |
+| MissingJWTSignatureCheckTest.java:38:31:38:37 | parser3 : JwtParser | semmle.label | parser3 : JwtParser |
+| MissingJWTSignatureCheckTest.java:39:38:39:44 | parser3 : JwtParser | semmle.label | parser3 : JwtParser |
+| MissingJWTSignatureCheckTest.java:82:40:82:55 | parser : JwtParser | semmle.label | parser : JwtParser |
+| MissingJWTSignatureCheckTest.java:83:9:83:14 | parser | semmle.label | parser |
+| MissingJWTSignatureCheckTest.java:86:47:86:62 | parser : JwtParser | semmle.label | parser : JwtParser |
+| MissingJWTSignatureCheckTest.java:87:9:87:14 | parser | semmle.label | parser |
+| MissingJWTSignatureCheckTest.java:110:9:110:66 | setSigningKey(...) : DefaultJwtParserBuilder | semmle.label | setSigningKey(...) : DefaultJwtParserBuilder |
+| MissingJWTSignatureCheckTest.java:110:9:110:74 | build(...) | semmle.label | build(...) |
+| MissingJWTSignatureCheckTest.java:114:9:114:75 | setSigningKey(...) : DefaultJwtParserBuilder | semmle.label | setSigningKey(...) : DefaultJwtParserBuilder |
+| MissingJWTSignatureCheckTest.java:114:9:114:83 | build(...) | semmle.label | build(...) |
+| MissingJWTSignatureCheckTest.java:118:9:118:59 | setSigningKey(...) | semmle.label | setSigningKey(...) |
+subpaths
diff --git a/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.java b/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.java
@@ -10,15 +10,15 @@
 public class MissingJWTSignatureCheckTest {
 
     private JwtParser getASignedParser() {
-        return Jwts.parser().setSigningKey("someBase64EncodedKey");
+        return Jwts.parser().setSigningKey("someBase64EncodedKey"); // $ Source
     }
 
     private JwtParser getASignedParserFromParserBuilder() {
-        return Jwts.parserBuilder().setSigningKey("someBase64EncodedKey").build();
+        return Jwts.parserBuilder().setSigningKey("someBase64EncodedKey").build(); // $ Source
     }
 
     private JwtParser getASignedNewParser() {
-        return new DefaultJwtParser().setSigningKey("someBase64EncodedKey");
+        return new DefaultJwtParser().setSigningKey("someBase64EncodedKey"); // $ Source
     }
 
     private void callSignedParsers() {
@@ -80,11 +80,11 @@ private void signParserAfterParseCall() {
     }
 
     private void badJwtOnParserBuilder(JwtParser parser, String token) {
-        parser.parse(token); // $hasMissingJwtSignatureCheck
+        parser.parse(token); // $ Alert
     }
 
     private void badJwtHandlerOnParserBuilder(JwtParser parser, String token) {
-        parser.parse(token, new JwtHandlerAdapter<Jwt<Header, String>>() { // $hasMissingJwtSignatureCheck
+        parser.parse(token, new JwtHandlerAdapter<Jwt<Header, String>>() { // $ Alert
             @Override
             public Jwt<Header, String> onPlaintextJwt(Jwt<Header, String> jwt) {
                 return jwt;
@@ -107,15 +107,15 @@ public Jws<String> onPlaintextJws(Jws<String> jws) {
     }
 
     private void badJwtOnParserBuilder(String token) {
-        Jwts.parserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token); // $hasMissingJwtSignatureCheck
+        Jwts.parserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token); // $ Alert
     }
 
     private void badJwtOnDefaultParserBuilder(String token) {
-        new DefaultJwtParserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token); // $hasMissingJwtSignatureCheck
+        new DefaultJwtParserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token); // $ Alert
     }
 
     private void badJwtHandlerOnParser(String token) {
-        Jwts.parser().setSigningKey("someBase64EncodedKey").parse(token, // $hasMissingJwtSignatureCheck
+        Jwts.parser().setSigningKey("someBase64EncodedKey").parse(token, // $ Alert
                 new JwtHandlerAdapter<Jwt<Header, String>>() {
                     @Override
                     public Jwt<Header, String> onPlaintextJwt(Jwt<Header, String> jwt) {
diff --git a/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.ql b/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.ql
diff --git a/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.qlref b/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.qlref
@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

Original file line number	Diff line number	Diff line change
`@@ -10,15 +10,15 @@`
`10`	`10`	`public class MissingJWTSignatureCheckTest {`
`11`	`11`
`12`	`12`	`private JwtParser getASignedParser() {`
`13`		`- return Jwts.parser().setSigningKey("someBase64EncodedKey");`
	`13`	`+ return Jwts.parser().setSigningKey("someBase64EncodedKey"); // $ Source`
`14`	`14`	`}`
`15`	`15`
`16`	`16`	`private JwtParser getASignedParserFromParserBuilder() {`
`17`		`- return Jwts.parserBuilder().setSigningKey("someBase64EncodedKey").build();`
	`17`	`+ return Jwts.parserBuilder().setSigningKey("someBase64EncodedKey").build(); // $ Source`
`18`	`18`	`}`
`19`	`19`
`20`	`20`	`private JwtParser getASignedNewParser() {`
`21`		`- return new DefaultJwtParser().setSigningKey("someBase64EncodedKey");`
	`21`	`+ return new DefaultJwtParser().setSigningKey("someBase64EncodedKey"); // $ Source`
`22`	`22`	`}`
`23`	`23`
`24`	`24`	`private void callSignedParsers() {`
`@@ -80,11 +80,11 @@ private void signParserAfterParseCall() {`
`80`	`80`	`}`
`81`	`81`
`82`	`82`	`private void badJwtOnParserBuilder(JwtParser parser, String token) {`
`83`		`- parser.parse(token); // $hasMissingJwtSignatureCheck`
	`83`	`+ parser.parse(token); // $ Alert`
`84`	`84`	`}`
`85`	`85`
`86`	`86`	`private void badJwtHandlerOnParserBuilder(JwtParser parser, String token) {`
`87`		`- parser.parse(token, new JwtHandlerAdapter<Jwt<Header, String>>() { // $hasMissingJwtSignatureCheck`
	`87`	`+ parser.parse(token, new JwtHandlerAdapter<Jwt<Header, String>>() { // $ Alert`
`88`	`88`	`@Override`
`89`	`89`	`public Jwt<Header, String> onPlaintextJwt(Jwt<Header, String> jwt) {`
`90`	`90`	`return jwt;`
`@@ -107,15 +107,15 @@ public Jws<String> onPlaintextJws(Jws<String> jws) {`
`107`	`107`	`}`
`108`	`108`
`109`	`109`	`private void badJwtOnParserBuilder(String token) {`
`110`		`- Jwts.parserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token); // $hasMissingJwtSignatureCheck`
	`110`	`+ Jwts.parserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token); // $ Alert`
`111`	`111`	`}`
`112`	`112`
`113`	`113`	`private void badJwtOnDefaultParserBuilder(String token) {`
`114`		`- new DefaultJwtParserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token); // $hasMissingJwtSignatureCheck`
	`114`	`+ new DefaultJwtParserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token); // $ Alert`
`115`	`115`	`}`
`116`	`116`
`117`	`117`	`private void badJwtHandlerOnParser(String token) {`
`118`		`- Jwts.parser().setSigningKey("someBase64EncodedKey").parse(token, // $hasMissingJwtSignatureCheck`
	`118`	`+ Jwts.parser().setSigningKey("someBase64EncodedKey").parse(token, // $ Alert`
`119`	`119`	`new JwtHandlerAdapter<Jwt<Header, String>>() {`
`120`	`120`	`@Override`
`121`	`121`	`public Jwt<Header, String> onPlaintextJwt(Jwt<Header, String> jwt) {`