
Commit 7f607fb

authored
Merge pull request github#12032 from egregius313/egregius313/promote-hardcoded-jwt-credential
Java: Promote Hardcoded JWT credential query
2 parents 927c322 + ed1aac1 commit 7f607fb

11 files changed

+58
-253
lines changed

Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
---
2+
category: minorAnalysis
3+
---
4+
* Added new sinks for `java/hardcoded-credential-api-call` to identify the use of hardcoded secrets in the creation and verification of JWT tokens using `com.auth0.jwt`. These sinks are from [an experimental query submitted by @luchua](https://github.com/github/codeql/pull/9036).

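--- a/java/ql/lib/semmle/code/java/security/SensitiveApi.qll
+++ b/java/ql/lib/semmle/code/java/security/SensitiveApi.qll
@@ -490,5 +490,11 @@ private predicate otherApiCallableCredentialParam(string s) {
 "com.microsoft.sqlserver.jdbc.SQLServerDataSource;setPassword(String);0",
 "com.microsoft.sqlserver.jdbc.SQLServerDataSource;getConnection(String, String);0",
 "com.microsoft.sqlserver.jdbc.SQLServerDataSource;getConnection(String, String);1",
+"com.auth0.jwt.algorithms.Algorithm;HMAC256(String);0",
+"com.auth0.jwt.algorithms.Algorithm;HMAC256(byte[]);0",
+"com.auth0.jwt.algorithms.Algorithm;HMAC384(String);0",
+"com.auth0.jwt.algorithms.Algorithm;HMAC384(byte[]);0",
+"com.auth0.jwt.algorithms.Algorithm;HMAC512(String);0",
+"com.auth0.jwt.algorithms.Algorithm;HMAC512(byte[]);0"
 ]
 }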

java/ql/src/experimental/Security/CWE/CWE-321/HardcodedJwtKey.java

Lines changed: 0 additions & 26 deletions
This file was deleted.

java/ql/src/experimental/Security/CWE/CWE-321/HardcodedJwtKey.qhelp

Lines changed: 0 additions & 46 deletions
This file was deleted.

java/ql/src/experimental/Security/CWE/CWE-321/HardcodedJwtKey.ql

Lines changed: 0 additions & 20 deletions
This file was deleted.

java/ql/src/experimental/Security/CWE/CWE-321/HardcodedJwtKey.qll

Lines changed: 0 additions & 131 deletions
This file was deleted.

java/ql/test/experimental/query-tests/security/CWE-321/HardcodedJwtKey.expected

Lines changed: 0 additions & 25 deletions
This file was deleted.

java/ql/test/experimental/query-tests/security/CWE-321/HardcodedJwtKey.qlref

Lines changed: 0 additions & 1 deletion
This file was deleted.

java/ql/test/experimental/query-tests/security/CWE-321/options

Lines changed: 0 additions & 1 deletion
This file was deleted.

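--- a/java/ql/test/experimental/query-tests/security/CWE-321/HardcodedJwtKey.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedJwtKey.java
@@ -16,7 +16,7 @@ public class HardcodedJwtKey {
 
 // BAD: Get secret from hardcoded string then sign a JWT token
 public String accessTokenBad(String username) {
-Algorithm algorithm = Algorithm.HMAC256(SECRET);
+Algorithm algorithm = Algorithm.HMAC256(SECRET); // $ HardcodedCredentialsApiCall
 
 return JWT.create()
 .withExpiresAt(new Date(new Date().getTime() + ACCESS_EXPIRE_TIME))
@@ -39,7 +39,7 @@ public String accessTokenGood(String username) {
 
 // BAD: Get secret from hardcoded string then verify a JWT token
 public boolean verifyTokenBad(String token) {
-JWTVerifier verifier = JWT.require(Algorithm.HMAC256(SECRET))
+JWTVerifier verifier = JWT.require(Algorithm.HMAC256(SECRET)) // $ HardcodedCredentialsApiCall
 .withIssuer(ISSUER)
 .build();
 try {
@@ -62,4 +62,49 @@ public boolean verifyTokenGood(String token) {
 return false;
 }
 }
+
+public String accessTokenBad384(String username) {
+Algorithm algorithm = Algorithm.HMAC384(SECRET); // $ HardcodedCredentialsApiCall
+
+return JWT.create()
+.withExpiresAt(new Date(new Date().getTime() + ACCESS_EXPIRE_TIME))
+.withIssuer(ISSUER)
+.withClaim("username", username)
+.sign(algorithm);
+}
+
+// GOOD: Get secret from system configuration then sign a token
+public String accessTokenGood384(String username) {
+String tokenSecret = System.getenv("SECRET_KEY");
+Algorithm algorithm = Algorithm.HMAC384(tokenSecret);
+
+return JWT.create()
+.withExpiresAt(new Date(new Date().getTime() + ACCESS_EXPIRE_TIME))
+.withIssuer(ISSUER)
+.withClaim("username", username)
+.sign(algorithm);
+}
+
+public String accessTokenBad512(String username) {
+Algorithm algorithm = Algorithm.HMAC512(SECRET); // $ HardcodedCredentialsApiCall
+
+return JWT.create()
+.withExpiresAt(new Date(new Date().getTime() + ACCESS_EXPIRE_TIME))
+.withIssuer(ISSUER)
+.withClaim("username", username)
+.sign(algorithm);
+}
+
+// GOOD: Get secret from system configuration then sign a token
+public String accessTokenGood512(String username) {
+String tokenSecret = System.getenv("SECRET_KEY");
+Algorithm algorithm = Algorithm.HMAC512(tokenSecret);
+
+return JWT.create()
+.withExpiresAt(new Date(new Date().getTime() + ACCESS_EXPIRE_TIME))
+.withIssuer(ISSUER)
+.withClaim("username", username)
+.sign(algorithm);
+}
+
 }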
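Review bot: The new `accessTokenBad384` and `accessTokenBad512` methods have no `// BAD:` header comment, while every other case in this file (`accessTokenBad`, `verifyTokenBad`) and both new GOOD methods carry one, so a reader scanning the fixture cannot tell the intent of these two without reading the inline `$` marker. Add `// BAD: Get secret from hardcoded string then sign a JWT token` above each, matching the existing wording. The new cases only exercise the signing path; there is no `verifyTokenBad384`/`verifyTokenBad512` counterpart that calls `JWT.require(Algorithm.HMAC384(SECRET))`, so the 384/512 sinks are never checked at a verifier call site in this test. The class `HardcodedJwtKey` starts outside the hunk.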
