
Commit f476437

Update tests to cover the new source; delete the query variant with local sources
1 parent d88b310 commit f476437


9 files changed

+85
-116
lines changed


java/ql/src/experimental/Security/CWE/CWE-347/Auth0NoVerifierLocalSource.ql

Lines changed: 0 additions & 67 deletions
This file was deleted.
Lines changed: 27 additions & 20 deletions
@@ -1,24 +1,31 @@
11
edges
2-
| JwtNoVerifier.java:42:28:42:55 | getParameter(...) : String | JwtNoVerifier.java:43:39:43:47 | JwtToken2 : String | provenance | Src:MaD:44684 |
3-
| JwtNoVerifier.java:43:39:43:47 | JwtToken2 : String | JwtNoVerifier.java:72:38:72:55 | token : String | provenance | |
4-
| JwtNoVerifier.java:72:38:72:55 | token : String | JwtNoVerifier.java:73:37:73:41 | token : String | provenance | |
5-
| JwtNoVerifier.java:73:26:73:42 | decode(...) : DecodedJWT | JwtNoVerifier.java:74:28:74:30 | jwt : DecodedJWT | provenance | |
6-
| JwtNoVerifier.java:73:37:73:41 | token : String | JwtNoVerifier.java:73:26:73:42 | decode(...) : DecodedJWT | provenance | Config |
7-
| JwtNoVerifier.java:74:16:74:31 | of(...) : Optional [<element>] : DecodedJWT | JwtNoVerifier.java:74:37:74:40 | item : DecodedJWT | provenance | MaD:43977 |
8-
| JwtNoVerifier.java:74:28:74:30 | jwt : DecodedJWT | JwtNoVerifier.java:74:16:74:31 | of(...) : Optional [<element>] : DecodedJWT | provenance | MaD:43979 |
9-
| JwtNoVerifier.java:74:37:74:40 | item : DecodedJWT | JwtNoVerifier.java:74:45:74:48 | item : DecodedJWT | provenance | |
10-
| JwtNoVerifier.java:74:45:74:48 | item : DecodedJWT | JwtNoVerifier.java:74:45:74:69 | getClaim(...) | provenance | Config |
2+
| JwtNoVerifier.java:44:28:44:55 | getParameter(...) : String | JwtNoVerifier.java:45:39:45:47 | JwtToken1 : String | provenance | Src:MaD:44685 |
3+
| JwtNoVerifier.java:45:39:45:47 | JwtToken1 : String | JwtNoVerifier.java:89:38:89:55 | token : String | provenance | |
4+
| JwtNoVerifier.java:58:28:58:62 | (...)... : String | JwtNoVerifier.java:59:32:59:40 | JwtToken3 : String | provenance | |
5+
| JwtNoVerifier.java:58:37:58:62 | getCredentials(...) : Object | JwtNoVerifier.java:58:28:58:62 | (...)... : String | provenance | Src:MaD:2352 |
6+
| JwtNoVerifier.java:59:32:59:40 | JwtToken3 : String | JwtNoVerifier.java:89:38:89:55 | token : String | provenance | |
7+
| JwtNoVerifier.java:89:38:89:55 | token : String | JwtNoVerifier.java:90:37:90:41 | token : String | provenance | |
8+
| JwtNoVerifier.java:90:26:90:42 | decode(...) : DecodedJWT | JwtNoVerifier.java:91:28:91:30 | jwt : DecodedJWT | provenance | |
9+
| JwtNoVerifier.java:90:37:90:41 | token : String | JwtNoVerifier.java:90:26:90:42 | decode(...) : DecodedJWT | provenance | Config |
10+
| JwtNoVerifier.java:91:16:91:31 | of(...) : Optional [<element>] : DecodedJWT | JwtNoVerifier.java:91:37:91:40 | item : DecodedJWT | provenance | MaD:43978 |
11+
| JwtNoVerifier.java:91:28:91:30 | jwt : DecodedJWT | JwtNoVerifier.java:91:16:91:31 | of(...) : Optional [<element>] : DecodedJWT | provenance | MaD:43980 |
12+
| JwtNoVerifier.java:91:37:91:40 | item : DecodedJWT | JwtNoVerifier.java:91:45:91:48 | item : DecodedJWT | provenance | |
13+
| JwtNoVerifier.java:91:45:91:48 | item : DecodedJWT | JwtNoVerifier.java:91:45:91:69 | getClaim(...) | provenance | Config |
1114
nodes
12-
| JwtNoVerifier.java:42:28:42:55 | getParameter(...) : String | semmle.label | getParameter(...) : String |
13-
| JwtNoVerifier.java:43:39:43:47 | JwtToken2 : String | semmle.label | JwtToken2 : String |
14-
| JwtNoVerifier.java:72:38:72:55 | token : String | semmle.label | token : String |
15-
| JwtNoVerifier.java:73:26:73:42 | decode(...) : DecodedJWT | semmle.label | decode(...) : DecodedJWT |
16-
| JwtNoVerifier.java:73:37:73:41 | token : String | semmle.label | token : String |
17-
| JwtNoVerifier.java:74:16:74:31 | of(...) : Optional [<element>] : DecodedJWT | semmle.label | of(...) : Optional [<element>] : DecodedJWT |
18-
| JwtNoVerifier.java:74:28:74:30 | jwt : DecodedJWT | semmle.label | jwt : DecodedJWT |
19-
| JwtNoVerifier.java:74:37:74:40 | item : DecodedJWT | semmle.label | item : DecodedJWT |
20-
| JwtNoVerifier.java:74:45:74:48 | item : DecodedJWT | semmle.label | item : DecodedJWT |
21-
| JwtNoVerifier.java:74:45:74:69 | getClaim(...) | semmle.label | getClaim(...) |
15+
| JwtNoVerifier.java:44:28:44:55 | getParameter(...) : String | semmle.label | getParameter(...) : String |
16+
| JwtNoVerifier.java:45:39:45:47 | JwtToken1 : String | semmle.label | JwtToken1 : String |
17+
| JwtNoVerifier.java:58:28:58:62 | (...)... : String | semmle.label | (...)... : String |
18+
| JwtNoVerifier.java:58:37:58:62 | getCredentials(...) : Object | semmle.label | getCredentials(...) : Object |
19+
| JwtNoVerifier.java:59:32:59:40 | JwtToken3 : String | semmle.label | JwtToken3 : String |
20+
| JwtNoVerifier.java:89:38:89:55 | token : String | semmle.label | token : String |
21+
| JwtNoVerifier.java:90:26:90:42 | decode(...) : DecodedJWT | semmle.label | decode(...) : DecodedJWT |
22+
| JwtNoVerifier.java:90:37:90:41 | token : String | semmle.label | token : String |
23+
| JwtNoVerifier.java:91:16:91:31 | of(...) : Optional [<element>] : DecodedJWT | semmle.label | of(...) : Optional [<element>] : DecodedJWT |
24+
| JwtNoVerifier.java:91:28:91:30 | jwt : DecodedJWT | semmle.label | jwt : DecodedJWT |
25+
| JwtNoVerifier.java:91:37:91:40 | item : DecodedJWT | semmle.label | item : DecodedJWT |
26+
| JwtNoVerifier.java:91:45:91:48 | item : DecodedJWT | semmle.label | item : DecodedJWT |
27+
| JwtNoVerifier.java:91:45:91:69 | getClaim(...) | semmle.label | getClaim(...) |
2228
subpaths
2329
#select
24-
| JwtNoVerifier.java:74:45:74:69 | getClaim(...) | JwtNoVerifier.java:42:28:42:55 | getParameter(...) : String | JwtNoVerifier.java:74:45:74:69 | getClaim(...) | This parses a $@, but the signature is not verified. | JwtNoVerifier.java:42:28:42:55 | getParameter(...) | JWT |
30+
| JwtNoVerifier.java:91:45:91:69 | getClaim(...) | JwtNoVerifier.java:44:28:44:55 | getParameter(...) : String | JwtNoVerifier.java:91:45:91:69 | getClaim(...) | This parses a $@, but the signature is not verified. | JwtNoVerifier.java:44:28:44:55 | getParameter(...) | JWT |
31+
| JwtNoVerifier.java:91:45:91:69 | getClaim(...) | JwtNoVerifier.java:58:37:58:62 | getCredentials(...) : Object | JwtNoVerifier.java:91:45:91:69 | getClaim(...) | This parses a $@, but the signature is not verified. | JwtNoVerifier.java:58:37:58:62 | getCredentials(...) | JWT |

java/ql/test/experimental/query-tests/security/CWE-347/Auth0NoVerifierLocalSource.expected

Lines changed: 0 additions & 24 deletions
This file was deleted.

java/ql/test/experimental/query-tests/security/CWE-347/Auth0NoVerifierLocalSource.qlref

Lines changed: 0 additions & 1 deletion
This file was deleted.

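--- a/java/ql/test/experimental/query-tests/security/CWE-347/JwtNoVerifier.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-347/JwtNoVerifier.java
@@ -11,6 +11,8 @@
 import com.auth0.jwt.algorithms.Algorithm;
 import com.auth0.jwt.exceptions.JWTVerificationException;
 import com.auth0.jwt.interfaces.DecodedJWT;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authc.BearerToken;
 
 public class JwtNoVerifier extends HttpServlet {
 
@@ -39,18 +41,33 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) thro
 PrintWriter out = response.getWriter();
 
 // NOT OK: only decode, no verification
-String JwtToken2 = request.getParameter("JWT2");
-String userName = decodeToken(JwtToken2);
+String JwtToken1 = request.getParameter("JWT2");
+String userName = decodeToken(JwtToken1);
 if (Objects.equals(userName, "Admin")) {
 out.println("<html><body>");
 out.println("<h1>" + "heyyy Admin" + "</h1>");
 out.println("</body></html>");
 }
 
+AuthenticationToken authToken = new BearerToken("admin", "admin");
 // OK: no clue of the use of unsafe decoded JWT return value
-JwtToken2 = request.getParameter("JWT2");
+String JwtToken2 = request.getParameter("JWT2");
 JWT.decode(JwtToken2);
 
+// NOT OK: only decode, no verification
+String JwtToken3 = (String) authToken.getCredentials();
+userName = decodeToken(JwtToken3);
+if (Objects.equals(userName, "Admin")) {
+out.println("<html><body>");
+out.println("<h1>" + "heyyy Admin" + "</h1>");
+out.println("</body></html>");
+}
+
+// OK: no clue of the use of unsafe decoded JWT return value
+String JwtToken4 = (String) authToken.getCredentials();
+JWT.decode(JwtToken4);
+
+
 
 out.println("<html><body>");
 out.println("<h1>" + "heyyy Nobody" + "</h1>");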
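Review bot: The renamed `JwtToken1` in the first `// NOT OK` case still reads the same request parameter as the `// OK` case below it, `request.getParameter("JWT2")`, so the name and the parameter no longer line up and the two results in the expected output are harder to tell apart; reading a distinct parameter, `String JwtToken1 = request.getParameter("JWT1");`, keeps them in step. The Shiro case is reported because `getCredentials()` is modelled as a source (the expected output records it as `Src:MaD:2352`), not because of the literal passed to `new BearerToken("admin", "admin")`, which is worth saying next to the new `authToken` line, e.g. `// credentials of a Shiro AuthenticationToken are modelled as a remote source`. The two `// OK` comments read awkwardly; `// OK: decoded result is discarded, nothing depends on the unverified token` states the intent more plainly. `doGet` and `decodeToken` continue outside the hunk, so I cannot see whether the new Shiro source also has a verified counterpart that must not be reported; if it does not, adding one would guard the query against false positives from the new source.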
Lines changed: 1 addition & 1 deletion
@@ -1 +1 @@
1-
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/auth0-java-jwt-4.4.0:${testdir}/../../../../stubs/javax-servlet-2.5
1+
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/auth0-java-jwt-4.4.0:${testdir}/../../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/org-apache-shiro-authc-2.0.1

java/ql/test/experimental/stubs/org-apache-shiro-authc-2.0.1/org/apache/shiro/authc/AuthenticationToken.java

Lines changed: 11 additions & 0 deletions

java/ql/test/experimental/stubs/org-apache-shiro-authc-2.0.1/org/apache/shiro/authc/BearerToken.java

Lines changed: 16 additions & 0 deletions

java/ql/test/experimental/stubs/org-apache-shiro-authc-2.0.1/org/apache/shiro/authc/HostAuthenticationToken.java

Lines changed: 10 additions & 0 deletions
