Add com.auth0.jwt.algorithm.Algorithm sinks

egregius313 · atorralba · commit fa6ac063d1cb · 2023-02-27T12:16:14.000+01:00
The HMAC* constructors of the com.auth0.jwt.algorithm.Algorithm class
take a secret as a parameter. Therefore, the arguments should be added
to be checked for hardcoded credentials.
diff --git a/java/ql/lib/semmle/code/java/security/SensitiveApi.qll b/java/ql/lib/semmle/code/java/security/SensitiveApi.qll
@@ -490,5 +490,8 @@ private predicate otherApiCallableCredentialParam(string s) {
       "com.microsoft.sqlserver.jdbc.SQLServerDataSource;setPassword(String);0",
       "com.microsoft.sqlserver.jdbc.SQLServerDataSource;getConnection(String, String);0",
       "com.microsoft.sqlserver.jdbc.SQLServerDataSource;getConnection(String, String);1",
+      "com.auth0.jwt.algorithms.Algorithm;HMAC256(String);0",
+      "com.auth0.jwt.algorithms.Algorithm;HMAC384(String);0",
+      "com.auth0.jwt.algorithms.Algorithm;HMAC512(String);0"
     ]
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-321/HardcodedJwtKey.java b/java/ql/test/experimental/query-tests/security/CWE-321/HardcodedJwtKey.java
@@ -22,7 +22,7 @@ public String accessTokenBad(String username) {
                 .withExpiresAt(new Date(new Date().getTime() + ACCESS_EXPIRE_TIME))
                 .withIssuer(ISSUER)
                 .withClaim("username", username)
-                .sign(algorithm);
+                .sign(algorithm); // $ HardcodedCredentialsApiCall
     }
 
     // GOOD: Get secret from system configuration then sign a token
@@ -43,7 +43,7 @@ public boolean verifyTokenBad(String token) {
                 .withIssuer(ISSUER)
                 .build();
         try {
-            verifier.verify(token);
+            verifier.verify(token); // $ HardcodedCredentialsApiCall
             return true;
         } catch (JWTVerificationException e) {
             return false;
diff --git a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedJwtKey.java b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedJwtKey.java
@@ -0,0 +1,65 @@
+import java.util.Date;
+import java.util.Properties;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.exceptions.JWTVerificationException;
+import com.auth0.jwt.interfaces.JWTVerifier;
+
+public class HardcodedJwtKey {
+    // 15 minutes
+    private static final long ACCESS_EXPIRE_TIME = 1000 * 60 * 15;
+
+    private static final String ISSUER = "example_com";
+
+    private static final String SECRET = "hardcoded_secret";
+
+    // BAD: Get secret from hardcoded string then sign a JWT token
+    public String accessTokenBad(String username) {
+        Algorithm algorithm = Algorithm.HMAC256(SECRET); // $ HardcodedCredentialsApiCall
+
+        return JWT.create()
+                .withExpiresAt(new Date(new Date().getTime() + ACCESS_EXPIRE_TIME))
+                .withIssuer(ISSUER)
+                .withClaim("username", username)
+                .sign(algorithm);
+    }
+
+    // GOOD: Get secret from system configuration then sign a token
+    public String accessTokenGood(String username) {
+        String tokenSecret = System.getenv("SECRET_KEY");
+        Algorithm algorithm = Algorithm.HMAC256(tokenSecret);
+
+        return JWT.create()
+                .withExpiresAt(new Date(new Date().getTime() + ACCESS_EXPIRE_TIME))
+                .withIssuer(ISSUER)
+                .withClaim("username", username)
+                .sign(algorithm);
+    }
+
+    // BAD: Get secret from hardcoded string then verify a JWT token
+    public boolean verifyTokenBad(String token) {
+        JWTVerifier verifier = JWT.require(Algorithm.HMAC256(SECRET)) // $ HardcodedCredentialsApiCall
+                .withIssuer(ISSUER)
+                .build();
+        try {
+            verifier.verify(token);
+            return true;
+        } catch (JWTVerificationException e) {
+            return false;
+        }
+    }
+
+    // GOOD: Get secret from environment variable then verify a JWT token
+    public boolean verifyTokenGood(String token) {
+        JWTVerifier verifier = JWT.require(Algorithm.HMAC256(System.getenv("SECRET_KEY")))
+                .withIssuer(ISSUER)
+                .build();
+        try {
+            verifier.verify(token);
+            return true;
+        } catch (JWTVerificationException e) {
+            return false;
+        }
+    }
+}
diff --git a/java/ql/test/query-tests/security/CWE-798/semmle/tests/options b/java/ql/test/query-tests/security/CWE-798/semmle/tests/options
@@ -1 +1 @@
-// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/amazon-aws-sdk-1.11.700:${testdir}/../../../../../stubs/azure-sdk-for-java:${testdir}/../../../../../stubs/shiro-core-1.4.0:${testdir}/../../../../../stubs/jsch-0.1.55:${testdir}/../../../../../stubs/ganymed-ssh-2-260:${testdir}/../../../../../stubs/apache-mina-sshd-2.8.0:${testdir}/../../../../../stubs/sshj-0.33.0:${testdir}/../../../../../stubs/j2ssh-1.5.5:${testdir}/../../../../../stubs/trilead-ssh2-212:${testdir}/../../../../../stubs/apache-commons-net-3.8.0:${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/mssql-jdbc-12.2.0
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/amazon-aws-sdk-1.11.700:${testdir}/../../../../../stubs/azure-sdk-for-java:${testdir}/../../../../../stubs/shiro-core-1.4.0:${testdir}/../../../../../stubs/jsch-0.1.55:${testdir}/../../../../../stubs/ganymed-ssh-2-260:${testdir}/../../../../../stubs/apache-mina-sshd-2.8.0:${testdir}/../../../../../stubs/sshj-0.33.0:${testdir}/../../../../../stubs/j2ssh-1.5.5:${testdir}/../../../../../stubs/trilead-ssh2-212:${testdir}/../../../../../stubs/apache-commons-net-3.8.0:${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/mssql-jdbc-12.2.0:${testdir}/../../../../../stubs/auth0-jwt-2.3

Original file line number	Diff line number	Diff line change
`@@ -490,5 +490,8 @@ private predicate otherApiCallableCredentialParam(string s) {`
`490`	`490`	`"com.microsoft.sqlserver.jdbc.SQLServerDataSource;setPassword(String);0",`
`491`	`491`	`"com.microsoft.sqlserver.jdbc.SQLServerDataSource;getConnection(String, String);0",`
`492`	`492`	`"com.microsoft.sqlserver.jdbc.SQLServerDataSource;getConnection(String, String);1",`
	`493`	`+ "com.auth0.jwt.algorithms.Algorithm;HMAC256(String);0",`
	`494`	`+ "com.auth0.jwt.algorithms.Algorithm;HMAC384(String);0",`
	`495`	`+ "com.auth0.jwt.algorithms.Algorithm;HMAC512(String);0"`
`493`	`496`	`]`
`494`	`497`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		-// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/amazon-aws-sdk-1.11.700:${testdir}/../../../../../stubs/azure-sdk-for-java:${testdir}/../../../../../stubs/shiro-core-1.4.0:${testdir}/../../../../../stubs/jsch-0.1.55:${testdir}/../../../../../stubs/ganymed-ssh-2-260:${testdir}/../../../../../stubs/apache-mina-sshd-2.8.0:${testdir}/../../../../../stubs/sshj-0.33.0:${testdir}/../../../../../stubs/j2ssh-1.5.5:${testdir}/../../../../../stubs/trilead-ssh2-212:${testdir}/../../../../../stubs/apache-commons-net-3.8.0:${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/mssql-jdbc-12.2.0
	`1`	+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/amazon-aws-sdk-1.11.700:${testdir}/../../../../../stubs/azure-sdk-for-java:${testdir}/../../../../../stubs/shiro-core-1.4.0:${testdir}/../../../../../stubs/jsch-0.1.55:${testdir}/../../../../../stubs/ganymed-ssh-2-260:${testdir}/../../../../../stubs/apache-mina-sshd-2.8.0:${testdir}/../../../../../stubs/sshj-0.33.0:${testdir}/../../../../../stubs/j2ssh-1.5.5:${testdir}/../../../../../stubs/trilead-ssh2-212:${testdir}/../../../../../stubs/apache-commons-net-3.8.0:${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/mssql-jdbc-12.2.0:${testdir}/../../../../../stubs/auth0-jwt-2.3