update example to include more logical vulnerable pattern, add documentations for ql classes

am0o0 · am0o0 · commit 97eb7b7b7257 · 2023-11-22T09:27:55.000+01:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-347/Auth0NoVerifier.ql b/java/ql/src/experimental/Security/CWE/CWE-347/Auth0NoVerifier.ql
@@ -27,20 +27,29 @@ module JwtAuth0 {
     JWTVerifierType() { this.hasQualifiedName("com.auth0.jwt", "JWTVerifier") }
   }
 
+  /**
+   * A Method that returns a Decoded Claim of JWT
+   */
   class GetPayload extends MethodAccess {
     GetPayload() {
       this.getCallee().getDeclaringType() instanceof PayloadType and
       this.getCallee().hasName(["getClaim", "getIssuedAt"])
     }
   }
 
+  /**
+   * A Method that Decode JWT without signature verification
+   */
   class Decode extends MethodAccess {
     Decode() {
       this.getCallee().getDeclaringType() instanceof JWTType and
       this.getCallee().hasName("decode")
     }
   }
 
+  /**
+   * A Method that Decode JWT with signature verification
+   */
   class Verify extends MethodAccess {
     Verify() {
       this.getCallee().getDeclaringType() instanceof JWTVerifierType and
diff --git a/java/ql/src/experimental/Security/CWE/CWE-347/Example.java b/java/ql/src/experimental/Security/CWE/CWE-347/Example.java
@@ -2,6 +2,7 @@
 
 import java.io.*;
 import java.security.NoSuchAlgorithmException;
+import java.util.Objects;
 import java.util.Optional;
 import javax.crypto.KeyGenerator;
 import javax.servlet.http.*;
@@ -13,32 +14,50 @@
 import com.auth0.jwt.exceptions.JWTVerificationException;
 import com.auth0.jwt.interfaces.DecodedJWT;
 
-@WebServlet(name = "Jwt", value = "/Auth")
+@WebServlet(name = "JwtTest1", value = "/Auth")
 public class auth0 extends HttpServlet {
 
-  public void doPost(HttpServletRequest request, HttpServletResponse response) {}
+  public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
+    response.setContentType("text/html");
+    PrintWriter out = response.getWriter();
+
+    // OK: first decode without signature verification
+    // and then verify with signature verification
+    String JwtToken1 = request.getParameter("JWT1");
+    String userName =  decodeToken(JwtToken1);
+    verifyToken(JwtToken1, "A Securely generated Key");
+    if (Objects.equals(userName, "Admin")) {
+      out.println("<html><body>");
+      out.println("<h1>" + "heyyy Admin" + "</h1>");
+      out.println("</body></html>");
+    }
 
-  final String JWT_KEY = "KEY";
+    out.println("<html><body>");
+    out.println("<h1>" + "heyyy Nobody" + "</h1>");
+    out.println("</body></html>");
+  }
 
   public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
+    response.setContentType("text/html");
+    PrintWriter out = response.getWriter();
 
-    // OK
-    String JwtToken1 = request.getParameter("JWT1");
-    decodeToken(JwtToken1);
-    try {
-      verifyToken(JwtToken1, getSecureRandomKey());
-    } catch (NoSuchAlgorithmException e) {
-      throw new RuntimeException(e);
+    // NOT OK:  only decode, no verification
+    String JwtToken2 = request.getParameter("JWT2");
+    String userName = decodeToken(JwtToken2);
+    if (Objects.equals(userName, "Admin")) {
+      out.println("<html><body>");
+      out.println("<h1>" + "heyyy Admin" + "</h1>");
+      out.println("</body></html>");
     }
 
-    // only decode, no verification
-    String JwtToken2 = request.getParameter("JWT2");
-    decodeToken(JwtToken2);
+    // OK:  no clue of the use of unsafe decoded JWT return value
+    JwtToken2 = request.getParameter("JWT2");
+    JWT.decode(JwtToken2);
 
 
-    response.setContentType("text/html");
-    PrintWriter out = response.getWriter();
-    out.println("<html><body>heyyy</body></html>");
+    out.println("<html><body>");
+    out.println("<h1>" + "heyyy Nobody" + "</h1>");
+    out.println("</body></html>");
   }
 
   public static boolean verifyToken(final String token, final String key) {
@@ -52,8 +71,10 @@ public static boolean verifyToken(final String token, final String key) {
     return false;
   }
 
+
   public static String decodeToken(final String token) {
     DecodedJWT jwt = JWT.decode(token);
     return Optional.of(jwt).map(item -> item.getClaim("userName").asString()).orElse("");
   }
+
 }

Original file line number	Diff line number	Diff line change
`@@ -27,20 +27,29 @@ module JwtAuth0 {`
`27`	`27`	`JWTVerifierType() { this.hasQualifiedName("com.auth0.jwt", "JWTVerifier") }`
`28`	`28`	`}`
`29`	`29`
	`30`	`+ /**`
	`31`	`+ * A Method that returns a Decoded Claim of JWT`
	`32`	`+ */`
`30`	`33`	`class GetPayload extends MethodAccess {`
`31`	`34`	`GetPayload() {`
`32`	`35`	`this.getCallee().getDeclaringType() instanceof PayloadType and`
`33`	`36`	`this.getCallee().hasName(["getClaim", "getIssuedAt"])`
`34`	`37`	`}`
`35`	`38`	`}`
`36`	`39`
	`40`	`+ /**`
	`41`	`+ * A Method that Decode JWT without signature verification`
	`42`	`+ */`
`37`	`43`	`class Decode extends MethodAccess {`
`38`	`44`	`Decode() {`
`39`	`45`	`this.getCallee().getDeclaringType() instanceof JWTType and`
`40`	`46`	`this.getCallee().hasName("decode")`
`41`	`47`	`}`
`42`	`48`	`}`
`43`	`49`
	`50`	`+ /**`
	`51`	`+ * A Method that Decode JWT with signature verification`
	`52`	`+ */`
`44`	`53`	`class Verify extends MethodAccess {`
`45`	`54`	`Verify() {`
`46`	`55`	`this.getCallee().getDeclaringType() instanceof JWTVerifierType and`