microsoft
diff --git a/‎go/ql/src/experimental/CWE-321/HardcodedKeysLib.qll
Lines changed: 63 additions & 0 deletions b/‎go/ql/src/experimental/CWE-321/HardcodedKeysLib.qll
Lines changed: 63 additions & 0 deletions
diff --git a/‎go/ql/test/experimental/CWE-321/HardcodedKeys.expected
Lines changed: 110 additions & 58 deletions b/‎go/ql/test/experimental/CWE-321/HardcodedKeys.expected
Lines changed: 110 additions & 58 deletions
diff --git a/‎go/ql/test/experimental/CWE-321/go.mod
Lines changed: 64 additions & 8 deletions b/‎go/ql/test/experimental/CWE-321/go.mod
Lines changed: 64 additions & 8 deletions
diff --git a/‎go/ql/test/experimental/CWE-321/main.go
Lines changed: 81 additions & 1 deletion b/‎go/ql/test/experimental/CWE-321/main.go
Lines changed: 81 additions & 1 deletion
diff --git a/‎go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/stub.go
Lines changed: 3 additions & 2 deletions b/‎go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/stub.go
Lines changed: 3 additions & 2 deletions
diff --git a/‎go/ql/test/experimental/CWE-321/vendor/github.com/gogf/gf-jwt/v2/stub.go
Lines changed: 90 additions & 0 deletions b/‎go/ql/test/experimental/CWE-321/vendor/github.com/gogf/gf-jwt/v2/stub.go
Lines changed: 90 additions & 0 deletions
@@ -79,6 +79,69 @@ module HardcodedKeys {
     }
   }
 
+  private class KatarasJwt extends Sink {
+    KatarasJwt() {
+      exists(string pkg |
+        pkg = package("github.com/kataras/jwt", "") and
+        (
+          exists(DataFlow::MethodCallNode m |
+            // Model the `Register` method of the type `Keys`
+            // func (keys Keys) Register(alg Alg, kid string, pubKey PublicKey, privKey PrivateKey)
+            m.getTarget().hasQualifiedName(pkg, "Keys", "Register")
+          |
+            this = m.getArgument(3)
+          )
+          or
+          exists(DataFlow::CallNode m, string names |
+            // Model the `Sign` method of the `SigningMethod` interface
+            // func Sign(alg Alg, key PrivateKey, claims interface{}, opts ...SignOption) ([]byte, error)
+            // func SignEncrypted(alg Alg, key PrivateKey, encrypt InjectFunc, claims interface{}, ...) ([]byte, error)
+            // func SignEncryptedWithHeader(alg Alg, key PrivateKey, encrypt InjectFunc, claims interface{}, ...) ([]byte, error)
+            // func SignWithHeader(alg Alg, key PrivateKey, claims interface{}, customHeader interface{}, ...) ([]byte, error)
+            m.getTarget().hasQualifiedName(pkg, names) and
+            names = ["Sign", "SignEncrypted", "SignEncryptedWithHeader", "SignWithHeader"]
+          |
+            this = m.getArgument(1)
+          )
+        )
+      )
+    }
+  }
+
+  private class IrisJwt extends Sink {
+    IrisJwt() {
+      exists(string pkg |
+        pkg = "github.com/kataras/iris/v12/middleware/jwt" and
+        (
+          exists(DataFlow::CallNode m |
+            //func NewSigner(signatureAlg Alg, signatureKey interface{}, maxAge time.Duration) *Signer
+            m.getTarget().hasQualifiedName(pkg, "NewSigner")
+          |
+            this = m.getArgument(1)
+          )
+          or
+          exists(Field f |
+            // Models the `key` field of the `Signer` type
+            // https://github.com/kataras/iris/blob/dccd57263617f5ca95d7621acfadf9dd37752dd6/middleware/jwt/signer.go#L17
+            f.hasQualifiedName(pkg, "Signer", "Key") and
+            f.getAWrite().getRhs() = this
+          )
+        )
+      )
+    }
+  }
+
+  private class GogfJwtSign extends Sink {
+    GogfJwtSign() {
+      exists(Field f, string pkg |
+        pkg = package("github.com/gogf/gf-jwt", "") and
+        // https://github.com/gogf/gf-jwt/blob/40503f05bc0a2bcd7aeba550163112afbb5c221f/auth_jwt.go#L27
+        f.hasQualifiedName(pkg, "GfJWTMiddleware", "Key") and
+        f.getAWrite().getRhs() = this
+      )
+    }
+  }
+
   private class GinJwtSign extends Sink {
     GinJwtSign() {
       exists(Field f |
 
@@ -6,36 +6,92 @@ require (
 	github.com/appleboy/gin-jwt/v2 v2.8.0
 	github.com/cristalhq/jwt/v3 v3.1.0
 	github.com/go-kit/kit v0.12.0
-	github.com/golang-jwt/jwt/v4 v4.4.1
+	github.com/gogf/gf-jwt/v2 v2.0.1
+	github.com/golang-jwt/jwt/v4 v4.5.0
+	github.com/iris-contrib/middleware/jwt v0.0.0-20230311205048-b568fe9b470f
+	github.com/kataras/iris/v12 v12.2.0
+	github.com/kataras/jwt v0.1.8
 	github.com/lestrrat/go-jwx v0.9.1
 	github.com/square/go-jose/v3 v3.0.0-20200630053402-0a67ce9b0693
 	gopkg.in/square/go-jose.v2 v2.6.0
 )
 
 require (
+	github.com/BurntSushi/toml v1.2.1 // indirect
+	github.com/CloudyKit/fastprinter v0.0.0-20200109182630-33d98a066a53 // indirect
+	github.com/CloudyKit/jet/v6 v6.2.0 // indirect
+	github.com/Joker/jade v1.1.3 // indirect
+	github.com/Shopify/goreferrer v0.0.0-20220729165902-8cddb4f5de06 // indirect
+	github.com/andybalholm/brotli v1.0.5 // indirect
+	github.com/aymerick/douceur v0.2.0 // indirect
+	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/clbanning/mxj/v2 v2.5.5 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
+	github.com/eknkc/amber v0.0.0-20171010120322-cdade1c07385 // indirect
+	github.com/fatih/color v1.13.0 // indirect
+	github.com/fatih/structs v1.1.0 // indirect
+	github.com/flosch/pongo2/v4 v4.0.2 // indirect
+	github.com/fsnotify/fsnotify v1.5.4 // indirect
 	github.com/gin-contrib/sse v0.1.0 // indirect
 	github.com/gin-gonic/gin v1.7.7 // indirect
 	github.com/go-kit/log v0.2.0 // indirect
 	github.com/go-logfmt/logfmt v0.5.1 // indirect
 	github.com/go-playground/locales v0.13.0 // indirect
 	github.com/go-playground/universal-translator v0.17.0 // indirect
 	github.com/go-playground/validator/v10 v10.4.1 // indirect
+	github.com/go-redis/redis/v8 v8.11.5 // indirect
+	github.com/go-sql-driver/mysql v1.6.0 // indirect
+	github.com/gogf/gf/v2 v2.0.0-rc3 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/snappy v0.0.4 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/gorilla/css v1.0.0 // indirect
+	github.com/gorilla/websocket v1.5.0 // indirect
+	github.com/grokify/html-strip-tags-go v0.0.1 // indirect
+	github.com/iris-contrib/schema v0.0.6 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/kataras/blocks v0.0.7 // indirect
+	github.com/kataras/golog v0.1.8 // indirect
+	github.com/kataras/pio v0.0.11 // indirect
+	github.com/kataras/sitemap v0.0.6 // indirect
+	github.com/kataras/tunnel v0.0.4 // indirect
+	github.com/klauspost/compress v1.16.0 // indirect
 	github.com/leodido/go-urn v1.2.0 // indirect
 	github.com/lestrrat/go-pdebug v0.0.0-20180220043741-569c97477ae8 // indirect
-	github.com/mattn/go-isatty v0.0.14 // indirect
+	github.com/mailgun/raymond/v2 v2.0.48 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mattn/go-colorable v0.1.9 // indirect
+	github.com/mattn/go-isatty v0.0.17 // indirect
+	github.com/mattn/go-runewidth v0.0.9 // indirect
+	github.com/microcosm-cc/bluemonday v1.0.23 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/olekukonko/tablewriter v0.0.5 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/schollz/closestmatch v2.1.0+incompatible // indirect
+	github.com/sirupsen/logrus v1.8.1 // indirect
+	github.com/tdewolff/minify/v2 v2.12.4 // indirect
+	github.com/tdewolff/parse/v2 v2.6.4 // indirect
 	github.com/ugorji/go/codec v1.1.7 // indirect
-	golang.org/x/crypto v0.0.0-20210915214749-c084706c2272 // indirect
-	golang.org/x/net v0.0.0-20210917221730-978cfadd31cf // indirect
-	golang.org/x/sys v0.0.0-20210917161153-d61c044b1678 // indirect
-	golang.org/x/text v0.3.7 // indirect
+	github.com/valyala/bytebufferpool v1.0.0 // indirect
+	github.com/vmihailenco/msgpack/v5 v5.3.5 // indirect
+	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
+	github.com/yosssi/ace v0.0.5 // indirect
+	go.opentelemetry.io/otel v1.0.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.0.0 // indirect
+	go.opentelemetry.io/otel/trace v1.0.0 // indirect
+	golang.org/x/crypto v0.7.0 // indirect
+	golang.org/x/net v0.8.0 // indirect
+	golang.org/x/sys v0.6.0 // indirect
+	golang.org/x/text v0.8.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
 	google.golang.org/genproto v0.0.0-20210917145530-b395a37504d4 // indirect
 	google.golang.org/grpc v1.40.0 // indirect
-	google.golang.org/protobuf v1.27.1 // indirect
-	gopkg.in/yaml.v2 v2.2.8 // indirect
+	google.golang.org/protobuf v1.29.0 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
@@ -1,21 +1,29 @@
 package main
 
 //go:generate depstubber -vendor github.com/appleboy/gin-jwt/v2 GinJWTMiddleware New
-//go:generate depstubber -vendor github.com/golang-jwt/jwt/v4 MapClaims,RegisteredClaims,SigningMethodRSA,SigningMethodHMAC,Token NewNumericDate,NewWithClaims
+//go:generate depstubber -vendor github.com/golang-jwt/jwt/v4 MapClaims,RegisteredClaims,SigningMethodRSA,SigningMethodHMAC,Token NewNumericDate,NewWithClaims,New
 //go:generate depstubber -vendor github.com/gin-gonic/gin Context New
 //go:generate depstubber -vendor github.com/go-kit/kit/auth/jwt "" NewSigner
 //go:generate depstubber -vendor github.com/lestrrat/go-jwx/jwk "" New
 //go:generate depstubber -vendor github.com/square/go-jose/v3 Recipient NewEncrypter,NewSigner
 //go:generate depstubber -vendor gopkg.in/square/go-jose.v2 Recipient NewEncrypter,NewSigner
 //go:generate depstubber -vendor github.com/cristalhq/jwt/v3 Signer NewSignerHS,HS256
+//go:generate depstubber -vendor github.com/iris-contrib/middleware/jwt "" NewToken,NewTokenWithClaims
+//go:generate depstubber -vendor github.com/kataras/iris/v12/middleware/jwt Signer,Verifier NewSigner,NewVerifier
+//go:generate depstubber -vendor github.com/kataras/jwt Keys,Alg Sign,SignEncrypted,SignEncryptedWithHeader,SignWithHeader
+//go:generate depstubber -vendor github.com/gogf/gf-jwt/v2 GfJWTMiddleware
 
 import (
 	"time"
 
 	jwt "github.com/appleboy/gin-jwt/v2"
 	cristal "github.com/cristalhq/jwt/v3"
 	gokit "github.com/go-kit/kit/auth/jwt"
+	gogf "github.com/gogf/gf-jwt/v2"
 	gjwt "github.com/golang-jwt/jwt/v4"
+	iris "github.com/iris-contrib/middleware/jwt"
+	iris12 "github.com/kataras/iris/v12/middleware/jwt"
+	kataras "github.com/kataras/jwt"
 	le "github.com/lestrrat/go-jwx/jwk"
 	jose_v3 "github.com/square/go-jose/v3"
 	jose_v2 "gopkg.in/square/go-jose.v2"
@@ -113,6 +121,78 @@ func lejwt2() (interface{}, error) {
 	return le.New(sharedKeyglobal) // BAD
 }
 
+func gogfjwt() interface{} {
+	return &gogf.GfJWTMiddleware{
+		Realm:           "test zone",
+		Key:             []byte("key11"),
+		Timeout:         time.Minute * 5,
+		MaxRefresh:      time.Minute * 5,
+		IdentityKey:     "id",
+		TokenLookup:     "header: Authorization, query: token, cookie: jwt",
+		TokenHeadName:   "Bearer",
+		TimeFunc:        time.Now,
+		Authenticator:   nil,
+		Unauthorized:    nil,
+		PayloadFunc:     nil,
+		IdentityHandler: nil,
+	}
+}
+
+func irisjwt() interface{} {
+	mySecret := []byte("key12")
+	token := iris.NewTokenWithClaims(nil, nil)
+	tokenString, _ := token.SignedString(mySecret)
+	return tokenString
+}
+
+func iris12jwt2() interface{} {
+	mySecret := []byte("key13")
+
+	s := &iris12.Signer{
+		Alg:    nil,
+		Key:    mySecret,
+		MaxAge: 3 * time.Second,
+	}
+	return s
+}
+
+func irisjwt3() interface{} {
+	secret := []byte("key14")
+	signer := iris12.NewSigner(nil, secret, 3*time.Second)
+	return signer
+}
+
+func katarasJwt() interface{} {
+	secret := []byte("key15")
+	token, _ := kataras.Sign(nil, secret, nil, nil)
+	return token
+}
+
+func katarasJwt2() interface{} {
+	secret := []byte("key16")
+	token, _ := kataras.SignEncrypted(nil, secret, nil, nil)
+	return token
+}
+
+func katarasJwt3() interface{} {
+	secret := []byte("key17")
+	token, _ := kataras.SignEncryptedWithHeader(nil, secret, nil, nil, nil)
+	return token
+}
+
+func katarasJwt4() interface{} {
+	secret := []byte("key18")
+	token, _ := kataras.SignWithHeader(nil, secret, nil, nil)
+	return token
+}
+
+func katarasJwt5() {
+	secret := []byte("key19")
+	var keys kataras.Keys
+	var alg kataras.Alg
+	keys.Register(alg, "api", nil, secret)
+}
+
 func main() {
 	return
 }