Add missing subtype test

atorralba · atorralba · commit 34a55e77ef1a · 2021-05-18T09:38:35.000+02:00
diff --git a/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.java b/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.java
@@ -1,11 +1,11 @@
-import io.jsonwebtoken.Jwts;
-import io.jsonwebtoken.JwtParser;
-import io.jsonwebtoken.Jwt;
-import io.jsonwebtoken.Jws;
 import io.jsonwebtoken.Header;
-import io.jsonwebtoken.JwtParserBuilder;
+import io.jsonwebtoken.Jws;
+import io.jsonwebtoken.Jwt;
 import io.jsonwebtoken.JwtHandlerAdapter;
+import io.jsonwebtoken.JwtParser;
+import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.impl.DefaultJwtParser;
+import io.jsonwebtoken.impl.DefaultJwtParserBuilder;
 
 public class MissingJWTSignatureCheckTest {
 
@@ -110,6 +110,10 @@ private void badJwtOnParserBuilder(String token) {
         Jwts.parserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token); // $hasMissingJwtSignatureCheck
     }
 
+    private void badJwtOnDefaultParserBuilder(String token) {
+        new DefaultJwtParserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token); // $hasMissingJwtSignatureCheck
+    }
+
     private void badJwtHandlerOnParser(String token) {
         Jwts.parser().setSigningKey("someBase64EncodedKey").parse(token, // $hasMissingJwtSignatureCheck
                 new JwtHandlerAdapter<Jwt<Header, String>>() {
diff --git a/java/ql/test/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/impl/DefaultJwtParserBuilder.java b/java/ql/test/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/impl/DefaultJwtParserBuilder.java
@@ -0,0 +1,49 @@
+
+/*
+ * Copyright (C) 2019 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package io.jsonwebtoken.impl;
+
+import java.security.Key;
+import io.jsonwebtoken.JwtParser;
+import io.jsonwebtoken.JwtParserBuilder;
+import io.jsonwebtoken.SigningKeyResolver;
+
+
+public class DefaultJwtParserBuilder implements JwtParserBuilder {
+
+    @Override
+    public JwtParserBuilder setSigningKey(byte[] key) {
+        return this;
+    }
+
+    @Override
+    public JwtParserBuilder setSigningKey(String base64EncodedSecretKey) {
+        return this;
+    }
+
+    @Override
+    public JwtParserBuilder setSigningKey(Key key) {
+        return this;
+    }
+
+    @Override
+    public JwtParserBuilder setSigningKeyResolver(SigningKeyResolver signingKeyResolver) {
+        return this;
+    }
+
+    @Override
+    public JwtParser build() {
+        return null;
+    }
+}
