finilize tests

Author: am0o0

java/ql/test/experimental/query-tests/security/CWE-347/Auth0NoVerifier.expected

@@ -0,0 +1,24 @@
+edges
+| JwtNoVerifier.java:43:28:43:55 | getParameter(...) : String | JwtNoVerifier.java:44:39:44:47 | JwtToken2 : String |
+| JwtNoVerifier.java:44:39:44:47 | JwtToken2 : String | JwtNoVerifier.java:73:38:73:55 | token : String |
+| JwtNoVerifier.java:73:38:73:55 | token : String | JwtNoVerifier.java:74:37:74:41 | token : String |
+| JwtNoVerifier.java:74:26:74:42 | decode(...) : DecodedJWT | JwtNoVerifier.java:75:28:75:30 | jwt : DecodedJWT |
+| JwtNoVerifier.java:74:37:74:41 | token : String | JwtNoVerifier.java:74:26:74:42 | decode(...) : DecodedJWT |
+| JwtNoVerifier.java:75:16:75:31 | of(...) : Optional [<element>] : DecodedJWT | JwtNoVerifier.java:75:37:75:40 | item : DecodedJWT |
+| JwtNoVerifier.java:75:28:75:30 | jwt : DecodedJWT | JwtNoVerifier.java:75:16:75:31 | of(...) : Optional [<element>] : DecodedJWT |
+| JwtNoVerifier.java:75:37:75:40 | item : DecodedJWT | JwtNoVerifier.java:75:45:75:48 | item : DecodedJWT |
+| JwtNoVerifier.java:75:45:75:48 | item : DecodedJWT | JwtNoVerifier.java:75:45:75:69 | getClaim(...) |
+nodes
+| JwtNoVerifier.java:43:28:43:55 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JwtNoVerifier.java:44:39:44:47 | JwtToken2 : String | semmle.label | JwtToken2 : String |
+| JwtNoVerifier.java:73:38:73:55 | token : String | semmle.label | token : String |
+| JwtNoVerifier.java:74:26:74:42 | decode(...) : DecodedJWT | semmle.label | decode(...) : DecodedJWT |
+| JwtNoVerifier.java:74:37:74:41 | token : String | semmle.label | token : String |
+| JwtNoVerifier.java:75:16:75:31 | of(...) : Optional [<element>] : DecodedJWT | semmle.label | of(...) : Optional [<element>] : DecodedJWT |
+| JwtNoVerifier.java:75:28:75:30 | jwt : DecodedJWT | semmle.label | jwt : DecodedJWT |
+| JwtNoVerifier.java:75:37:75:40 | item : DecodedJWT | semmle.label | item : DecodedJWT |
+| JwtNoVerifier.java:75:45:75:48 | item : DecodedJWT | semmle.label | item : DecodedJWT |
+| JwtNoVerifier.java:75:45:75:69 | getClaim(...) | semmle.label | getClaim(...) |
+subpaths
+#select
+| JwtNoVerifier.java:75:45:75:69 | getClaim(...) | JwtNoVerifier.java:43:28:43:55 | getParameter(...) : String | JwtNoVerifier.java:75:45:75:69 | getClaim(...) | This parses a $@, but the signature is not verified. | JwtNoVerifier.java:43:28:43:55 | getParameter(...) | JWT |

java/ql/test/experimental/query-tests/security/CWE-347/JwtNoVerifier.java

@@ -0,0 +1,121 @@
+import java.io.*;
+import java.security.NoSuchAlgorithmException;
+import java.util.Objects;
+import java.util.Optional;
+import javax.crypto.KeyGenerator;
+import javax.servlet.http.*;
+import javax.servlet.annotation.*;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTVerifier;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.exceptions.JWTVerificationException;
+import com.auth0.jwt.interfaces.DecodedJWT;
+
+@WebServlet(description = "", displayName = "", largeIcon = "", name = "JwtTest1", smallIcon = "", urlPatterns = {}, value = "/Auth", initParams = {}, asyncSupported = false, loadOnStartup = 0)
+public class JwtNoVerifier extends HttpServlet {
+
+    public void doPost(HttpServletRequest request, HttpServletResponse response) {
+        response.setContentType("text/html");
+        PrintWriter out = response.getWriter();
+
+        // OK: first decode without signature verification
+        // and then verify with signature verification
+        String JwtToken1 = request.getParameter("JWT1");
+        String userName = decodeToken(JwtToken1);
+        verifyToken(JwtToken1, "A Securely generated Key");
+        if (Objects.equals(userName, "Admin")) {
+            out.println("<html><body>");
+            out.println("<h1>" + "heyyy Admin" + "</h1>");
+            out.println("</body></html>");
+        }
+
+        out.println("<html><body>");
+        out.println("<h1>" + "heyyy Nobody" + "</h1>");
+        out.println("</body></html>");
+    }
+
+    public void doGet(HttpServletRequest request, HttpServletResponse response) {
+        response.setContentType("text/html");
+        PrintWriter out = response.getWriter();
+
+        // NOT OK:  only decode, no verification
+        String JwtToken2 = request.getParameter("JWT2");
+        String userName = decodeToken(JwtToken2);
+        if (Objects.equals(userName, "Admin")) {
+            out.println("<html><body>");
+            out.println("<h1>" + "heyyy Admin" + "</h1>");
+            out.println("</body></html>");
+        }
+
+        // OK:  no clue of the use of unsafe decoded JWT return value
+        JwtToken2 = request.getParameter("JWT2");
+        JWT.decode(JwtToken2);
+
+
+        out.println("<html><body>");
+        out.println("<h1>" + "heyyy Nobody" + "</h1>");
+        out.println("</body></html>");
+    }
+
+    public static boolean verifyToken(final String token, final String key) {
+        try {
+            JWTVerifier verifier = JWT.require(Algorithm.HMAC256(key)).build();
+            verifier.verify(token);
+            return true;
+        } catch (JWTVerificationException e) {
+            System.out.printf("jwt decode fail, token: %s", e);
+        }
+        return false;
+    }
+
+
+    public static String decodeToken(final String token) {
+        DecodedJWT jwt = JWT.decode(token);
+        return Optional.of(jwt).map(item -> item.getClaim("userName").asString()).orElse("");
+    }
+
+
+    private static String getSecureRandomKey() throws NoSuchAlgorithmException {
+        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
+        keyGen.init(256); // for example
+        return keyGen.generateKey().toString();
+    }
+
+    static final String JWT_KEY = "KEY";
+
+    public static void NoNeedForTest(HttpServletRequest request) {
+        // constant key
+        String JwtToken3 = request.getParameter("JWT3");
+        verifyToken(JwtToken3, JWT_KEY);
+
+        // none algorithm
+        String JwtToken4 = request.getParameter("JWT4");
+        try {
+            verifyTokenNoneAlg(JwtToken4, getSecureRandomKey());
+        } catch (NoSuchAlgorithmException e) {
+            throw new RuntimeException(e);
+        }
+
+    }
+
+    public static String generateToken(final String userName, final String key) {
+        try {
+            return JWT.create().withClaim("userName", userName).sign(Algorithm.HMAC256(key));
+        } catch (IllegalArgumentException e) {
+            System.out.printf("JWTToken generate fail %s", e);
+        }
+        return "";
+    }
+
+    public static boolean verifyTokenNoneAlg(final String token, final String key) {
+        try {
+            JWTVerifier verifier = JWT.require(Algorithm.none()).build();
+            verifier.verify(token);
+            return true;
+        } catch (JWTVerificationException e) {
+            System.out.printf("jwt decode fail, token: %s", e);
+        }
+        return false;
+    }
+}

java/ql/test/experimental/query-tests/security/CWE-347/Test.java

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/auth0-jwt-4.4.0/:${testdir}/../../../../stubs/javax-servlet-2.5/
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/auth0-java-jwt-4.4.0:${testdir}/../../../stubs/javax.servlet-api-4.0.1