Add JWT Security Queries

Author: maikypedia

ruby/ql/lib/codeql/ruby/Concepts.qll

@@ -1250,3 +1250,92 @@ module LdapExecution {
     abstract DataFlow::Node getQuery();
   }
 }
+
+/**
+ * A data-flow node that encodes a Jwt token.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `JwtEncoding::Range` instead.
+ */
+class JwtEncoding extends DataFlow::Node instanceof JwtEncoding::Range {
+  /** Gets the argument containing the encoding payload. */
+  DataFlow::Node getPayload() { result = super.getPayload() }
+
+  /** Gets the argument containing the encoding algorithm. */
+  DataFlow::Node getAlgorithm() { result = super.getAlgorithm() }
+
+  /** Gets the argument containing the encoding key. */
+  DataFlow::Node getKey() { result = super.getKey() }
+
+  /** Checks if the payloads gets signed while encoding. */
+  predicate signs() { super.signs() }
+}
+
+/** Provides a class for modeling new Jwt token encoding APIs. */
+module JwtEncoding {
+  /**
+   * A data-flow node that encodes a Jwt token.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `JwtEncoding` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /** Gets the argument containing the encoding payload. */
+    abstract DataFlow::Node getPayload();
+
+    /** Gets the argument containing the encoding algorithm. */
+    abstract DataFlow::Node getAlgorithm();
+
+    /** Gets the argument containing the encoding key. */
+    abstract DataFlow::Node getKey();
+
+    /** Checks if the payloads gets signed while encoding. */
+    abstract predicate signs();
+  }
+}
+
+/**
+ * A data-flow node that decodes a Jwt token.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `JwtDecoding::Range` instead.
+ */
+class JwtDecoding extends DataFlow::Node instanceof JwtDecoding::Range {
+  /** Gets the argument containing the encoding payload. */
+  DataFlow::Node getPayload() { result = super.getPayload() }
+
+  /** Gets the argument containing the encoding algorithm. */
+  DataFlow::Node getAlgorithm() { result = super.getAlgorithm() }
+
+  /** Gets the argument containing the encoding key. */
+  DataFlow::Node getOptions() { result = super.getOptions() }
+
+  /** Checks if the signature gets verified while decoding. */
+  predicate verifies() { super.verifies() }
+}
+
+/** Provides a class for modeling new Jwt token encoding APIs. */
+module JwtDecoding {
+  /**
+   * A data-flow node that encodes a Jwt token.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `JwtDecoding` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /** Gets the argument containing the encoding payload. */
+    abstract DataFlow::Node getPayload();
+
+    /** Gets the argument containing the encoding algorithm. */
+    abstract DataFlow::Node getAlgorithm();
+
+    /** Gets the argument containing the encoding key. */
+    abstract DataFlow::Node getKey();
+
+    /** Gets the argument containing the encoding options. */
+    abstract DataFlow::Node getOptions();
+
+    /** Checks if the signature gets verified while decoding. */
+    abstract predicate verifies();
+  }
+}

ruby/ql/lib/codeql/ruby/Frameworks.qll

@@ -37,3 +37,4 @@ private import codeql.ruby.frameworks.Pg
 private import codeql.ruby.frameworks.Yaml
 private import codeql.ruby.frameworks.Sequel
 private import codeql.ruby.frameworks.Ldap
+private import codeql.ruby.frameworks.Jwt

ruby/ql/lib/codeql/ruby/frameworks/Jwt.qll

@@ -0,0 +1,55 @@
+/**
+ * Provides creation, verification and decoding JSON Web Tokens (JWT).
+ */
+
+private import ruby
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.dataflow.FlowSummary
+private import codeql.ruby.Concepts
+
+/**
+ * Provides creation, verification and decoding JSON Web Tokens (JWT).
+ */
+module Jwt {
+  /** A call to `JWT.encode`, considered as a JWT encoding. */
+  private class JwtEncode extends JwtEncoding::Range, DataFlow::CallNode {
+    JwtEncode() { this = API::getTopLevelMember("JWT").getAMethodCall("encode") }
+
+    override DataFlow::Node getPayload() { result = this.getArgument(0) }
+
+    override DataFlow::Node getAlgorithm() { result = this.getArgument(2) }
+
+    override DataFlow::Node getKey() { result = this.getArgument(1) }
+
+    override predicate signs() {
+      not (this.getKey().getConstantValue().isStringlikeValue("") or this.getKey().(DataFlow::ExprNode).getConstantValue().isNil())
+    }
+  }
+
+  /** A call to `JWT.decode`, considered as a JWT decoding. */
+  private class JwtDecode extends JwtDecoding::Range, DataFlow::CallNode {
+    JwtDecode() { this = API::getTopLevelMember("JWT").getAMethodCall("decode") }
+
+    override DataFlow::Node getPayload() { result = this.getArgument(0) }
+
+    override DataFlow::Node getAlgorithm() {
+      result.asExpr().getExpr() = this.getArgument(3).asExpr().getExpr().(Pair).getValue() or
+      result =
+        this.getArgument(3)
+            .(DataFlow::HashLiteralNode)
+            .getElementFromKey(any(Ast::ConstantValue cv | cv.isStringlikeValue("algorithm"))) or
+      result = this.getArgument(2)
+    }
+
+    override DataFlow::Node getKey() { result = this.getArgument(1) }
+
+    override DataFlow::Node getOptions() { result = this.getArgument(3) }
+
+    override predicate verifies() {
+      not this.getArgument(2).getConstantValue().isBoolean(false) and
+      not this.getAlgorithm().getConstantValue().isStringlikeValue("none")
+      or
+      this.getNumberOfArguments() < 3
+    }
+  }
+}

ruby/ql/src/experimental/cwe-347/EmptyJWTSecret.qhelp

@@ -0,0 +1,35 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Applications encoding a JSON Web Token (JWT) may be vulnerable when it's not verified or algorithm is <code>none</code>.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Use non-empty nor <code>None</code> values while encoding JWT payloads.
+</p>
+</recommendation>
+
+<example>
+<p>
+In the example below, the secret used is an empty string and none algorithm is used. This may allow a malicious actor to make changes to a JWT payload.
+</p>
+
+<sample src="examples/EmptyJWTSecretBad.rb" />
+
+<p>
+The following code fixes the problem by using a non-empty cryptographic secret or key to encode JWT payloads.
+</p>
+
+<sample src="examples/EmptyJWTSecretGood.rb" />
+</example>
+
+<references>
+<li>Auth0 Blog: <a href="https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/#Meet-the--None--Algorithm">Meet the "None" Algorithm</a>.</li>
+</references>
+</qhelp>

ruby/ql/src/experimental/cwe-347/EmptyJWTSecret.ql

@@ -0,0 +1,15 @@
+/**
+ * @name JWT encoding using empty key or algorithm
+ * @description The application uses an empty secret or algorithm while encoding a JWT Token.
+ * @kind problem
+ * @problem.severity warning
+ * @precision high
+ * @id rb/jwt-empty-secret-or-algorithm
+ * @tags security
+ */
+
+private import codeql.ruby.Concepts
+
+from JwtEncoding jwtEncoding
+where not jwtEncoding.signs()
+select jwtEncoding.getPayload(), "This JWT encoding uses empty key or none algorithm."

ruby/ql/src/experimental/cwe-347/MissingJWTVerification.qhelp

@@ -0,0 +1,34 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Applications decoding a JSON Web Token (JWT) may be vulnerable when the key isn't verified.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Calls to <code>verify()</code> functions should use a cryptographic secret or key to decode JWT payloads.</p>
+</recommendation>
+
+<example>
+<p>
+In the example below, false is used to disable the integrity enforcement of a JWT payload and none algorithm is used. This may allow a malicious actor to make changes to a JWT payload.
+</p>
+
+<sample src="examples/MissingJWTVerificationBad.rb" />
+
+<p>
+The following code fixes the problem by using a cryptographic secret or key to decode JWT payloads.
+</p>
+
+<sample src="examples/MissingJWTVerificationGood.rb" />
+</example>
+
+<references>
+<li>Auth0 Blog: <a href="https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/#Meet-the--None--Algorithm">Meet the "None" Algorithm</a>.</li>
+</references>
+</qhelp>

ruby/ql/src/experimental/cwe-347/MissingJWTVerification.ql

@@ -0,0 +1,16 @@
+/**
+ * @name JWT missing secret or public key verification
+ * @description The application does not verify the JWT payload with a cryptographic secret or public key.
+ * @kind problem
+ * @problem.severity warning
+ * @precision high
+ * @id rb/jwt-missing-verification
+ * @tags security
+ *       external/cwe/cwe-347
+ */
+
+private import codeql.ruby.Concepts
+
+from JwtDecoding jwtDecoding
+where not jwtDecoding.verifies()
+select jwtDecoding.getPayload(), "is not verified with a cryptographic secret or public key."

ruby/ql/src/experimental/cwe-347/examples/EmptyJWTSecretBad.rb

@@ -0,0 +1,5 @@
+require 'jwt'
+
+token1 = JWT.encode({ foo: 'bar' }, "secret", 'none')
+
+token2 = JWT.encode({ foo: 'bar' }, nil, 'HS256')

ruby/ql/src/experimental/cwe-347/examples/EmptyJWTSecretGood.rb

@@ -0,0 +1,3 @@
+require 'jwt'
+
+token = JWT.encode({ foo: 'bar' }, "secret", 'HS256')

ruby/ql/src/experimental/cwe-347/examples/MissingJWTVerificationBad.rb

@@ -0,0 +1,7 @@
+require 'jwt'
+
+token = JWT.encode({ foo: 'bar' }, nil, 'none')
+
+decoded1 = JWT.decode(token, nil, false, algorithm: 'HS256')
+
+decoded2 = JWT.decode(token, "secret", true, algorithm: 'none')