Merge pull request github#12852 from egregius313/egregius313/java/webgoat/model-jwsheader

Java: Model `io.jsonwebtoken.SigningKeyResolverAdapter` and `io.jsonwebtoken.JwsHeader`

Author: egregius313

java/ql/lib/change-notes/2023-04-20-create-model-for-io-jsonwebtoken.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Added models for the `io.jsonwebtoken` library.
+

java/ql/lib/ext/io.jsonwebtoken.model.yml

@@ -0,0 +1,15 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["io.jsonwebtoken", "JwsHeader", True, "getAlgorithm", "", "", "Argument[this].SyntheticField[io.jsonwebtoken.JwsHeader.algorithm]", "ReturnValue", "taint", "manual"]
+      - ["io.jsonwebtoken", "JwsHeader", True, "setAlgorithm", "", "", "Argument[0]", "Argument[this].SyntheticField[io.jsonwebtoken.JwsHeader.algorithm]", "taint", "manual"]
+      - ["io.jsonwebtoken", "JwsHeader", True, "getKeyId", "", "", "Argument[this].SyntheticField[io.jsonwebtoken.JwsHeader.keyId]", "ReturnValue", "taint", "manual"]
+      - ["io.jsonwebtoken", "JwsHeader", True, "setKeyId", "", "", "Argument[0]", "Argument[this].SyntheticField[io.jsonwebtoken.JwsHeader.keyId]", "taint", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+    data:
+      - ["io.jsonwebtoken", "SigningKeyResolver", True, "resolveSigningKey", "", "", "Parameter[0]", "remote", "manual"]
+      - ["io.jsonwebtoken", "SigningKeyResolverAdapter", True, "resolveSigningKeyBytes", "", "", "Parameter[0]", "remote", "manual"]

java/ql/lib/semmle/code/java/dataflow/FlowSteps.qll

@@ -18,6 +18,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.ApacheHttp
   private import semmle.code.java.frameworks.guava.Guava
   private import semmle.code.java.frameworks.Guice
+  private import semmle.code.java.frameworks.IoJsonWebToken
   private import semmle.code.java.frameworks.jackson.JacksonSerializability
   private import semmle.code.java.frameworks.Properties
   private import semmle.code.java.frameworks.Protobuf

java/ql/lib/semmle/code/java/frameworks/IoJsonWebToken.qll

@@ -0,0 +1,11 @@
+/** Predicates and classes to reason about the `io.jsonwebtoken` library. */
+
+import java
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.dataflow.FlowSteps
+
+private class JwsHeaderFieldsInheritTaint extends DataFlow::SyntheticFieldContent,
+  TaintInheritingContent
+{
+  JwsHeaderFieldsInheritTaint() { this.getField().matches("io.jsonwebtoken.JwsHeader.%") }
+}

java/ql/test/library-tests/dataflow/taintsources/JwsSigningKeyResolverAdapter.java

@@ -0,0 +1,34 @@
+import java.security.Key;
+
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.JwsHeader;
+import io.jsonwebtoken.SigningKeyResolverAdapter;
+
+public class JwsSigningKeyResolverAdapter extends SigningKeyResolverAdapter {
+    private void sink(Object o) {
+    }
+
+    @Override
+    public Key resolveSigningKey(JwsHeader header, Claims claims) {
+        final String keyId = header.getKeyId();
+        String example = "example:" + keyId;
+        sink(example); // $ hasRemoteTaintFlow
+        return null;
+    }
+
+    @Override
+    public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
+        final String keyId = header.getKeyId();
+        String example = "example:" + keyId;
+
+        sink(example); // $ hasRemoteTaintFlow
+
+        final String algorithm = header.getAlgorithm();
+        sink("algo:" + algorithm); // $ hasRemoteTaintFlow
+
+        final String random = (String)header.get("random");
+        sink("random:" + random) ; // $ hasRemoteTaintFlow
+
+        return new byte[0];
+    }
+}

java/ql/test/library-tests/dataflow/taintsources/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/google-android-9.0.0:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jackson-databind-2.12:${testdir}/../../../stubs/jackson-core-2.12:${testdir}/../../../stubs/akka-2.6.x
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/google-android-9.0.0:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jackson-databind-2.12:${testdir}/../../../stubs/jackson-core-2.12:${testdir}/../../../stubs/akka-2.6.x:${testdir}/../../../stubs/jwtk-jjwt-0.11.2