update tests, add test cases for query with local sources

Author: am0o0

javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.ql

@@ -18,12 +18,7 @@ class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "jsonwebtoken without any signature verification" }
 
   override predicate isSource(DataFlow::Node source) {
-    source =
-      API::moduleImport("jsonwebtoken")
-          .getMember("decode")
-          .getParameter(0)
-          .asSink()
-          .getALocalSource()
+    source = [unverifiedDecode(), verifiedDecode()].getALocalSource()
   }
 
   override predicate isSink(DataFlow::Node sink) {

javascript/ql/test/experimental/Security/CWE-347/JsonWebToken.js

@@ -13,40 +13,83 @@ app.get('/jwtJsonwebtoken1', (req, res) => {
     const UserToken = req.headers.authorization;
 
     // BAD: no signature verification
-    jwtJsonwebtoken.decode(UserToken)
+    jwtJsonwebtoken.decode(UserToken) // NOT OK
 })
 
 app.get('/jwtJsonwebtoken2', (req, res) => {
     const UserToken = req.headers.authorization;
 
     // BAD: no signature verification
-    jwtJsonwebtoken.decode(UserToken)
-    jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256", "none"] })
+    jwtJsonwebtoken.decode(UserToken) // NOT OK
+    jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256", "none"] }) // NOT OK
 })
 
 app.get('/jwtJsonwebtoken3', (req, res) => {
     const UserToken = req.headers.authorization;
 
     // GOOD: with signature verification
-    jwtJsonwebtoken.verify(UserToken, getSecret())
+    jwtJsonwebtoken.verify(UserToken, getSecret()) // OK
 })
 
 app.get('/jwtJsonwebtoken4', (req, res) => {
     const UserToken = req.headers.authorization;
 
     // GOOD: first without signature verification then with signature verification for same UserToken
-    jwtJsonwebtoken.decode(UserToken)
-    jwtJsonwebtoken.verify(UserToken, getSecret())
+    jwtJsonwebtoken.decode(UserToken) // OK
+    jwtJsonwebtoken.verify(UserToken, getSecret()) // OK
 })
 
 app.get('/jwtJsonwebtoken5', (req, res) => {
     const UserToken = req.headers.authorization;
 
     // GOOD: first without signature verification then with signature verification for same UserToken
-    jwtJsonwebtoken.decode(UserToken)
-    jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256"] })
+    jwtJsonwebtoken.decode(UserToken) // OK
+    jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256"] }) // OK
 })
 
 app.listen(port, () => {
     console.log(`Example app listening on port ${port}`)
 })
+
+
+function aJWT() {
+    return "A JWT provided by user"
+}
+
+(function () {
+    const UserToken = aJwt()
+
+    // BAD: no signature verification
+    jwtJsonwebtoken.decode(UserToken) // NOT OK
+})();
+
+(function () {
+    const UserToken = aJwt()
+
+    // BAD: no signature verification
+    jwtJsonwebtoken.decode(UserToken) // NOT OK
+    jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256", "none"] }) // NOT OK
+})();
+
+(function () {
+    const UserToken = aJwt()
+
+    // GOOD: with signature verification
+    jwtJsonwebtoken.verify(UserToken, getSecret())  // OK
+})();
+
+(function () {
+    const UserToken = aJwt()
+
+    // GOOD: first without signature verification then with signature verification for same UserToken
+    jwtJsonwebtoken.decode(UserToken)  // OK
+    jwtJsonwebtoken.verify(UserToken, getSecret())  // OK
+})();
+
+(function () {
+    const UserToken = aJwt()
+
+    // GOOD: first without signature verification then with signature verification for same UserToken
+    jwtJsonwebtoken.decode(UserToken) // OK
+    jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256"] }) // OK
+})();

javascript/ql/test/experimental/Security/CWE-347/JsonWebToken.qlref

@@ -0,0 +1,141 @@
+nodes
+| JsonWebToken.js:13:11:13:47 | UserToken |
+| JsonWebToken.js:13:23:13:47 | req.hea ... ization |
+| JsonWebToken.js:13:23:13:47 | req.hea ... ization |
+| JsonWebToken.js:16:28:16:36 | UserToken |
+| JsonWebToken.js:16:28:16:36 | UserToken |
+| JsonWebToken.js:20:11:20:47 | UserToken |
+| JsonWebToken.js:20:23:20:47 | req.hea ... ization |
+| JsonWebToken.js:20:23:20:47 | req.hea ... ization |
+| JsonWebToken.js:23:28:23:36 | UserToken |
+| JsonWebToken.js:23:28:23:36 | UserToken |
+| JsonWebToken.js:24:28:24:36 | UserToken |
+| JsonWebToken.js:24:28:24:36 | UserToken |
+| JsonWebToken.js:28:11:28:47 | UserToken |
+| JsonWebToken.js:28:23:28:47 | req.hea ... ization |
+| JsonWebToken.js:28:23:28:47 | req.hea ... ization |
+| JsonWebToken.js:31:28:31:36 | UserToken |
+| JsonWebToken.js:31:28:31:36 | UserToken |
+| JsonWebToken.js:35:11:35:47 | UserToken |
+| JsonWebToken.js:35:23:35:47 | req.hea ... ization |
+| JsonWebToken.js:35:23:35:47 | req.hea ... ization |
+| JsonWebToken.js:38:28:38:36 | UserToken |
+| JsonWebToken.js:38:28:38:36 | UserToken |
+| JsonWebToken.js:39:28:39:36 | UserToken |
+| JsonWebToken.js:39:28:39:36 | UserToken |
+| JsonWebToken.js:43:11:43:47 | UserToken |
+| JsonWebToken.js:43:23:43:47 | req.hea ... ization |
+| JsonWebToken.js:43:23:43:47 | req.hea ... ization |
+| JsonWebToken.js:46:28:46:36 | UserToken |
+| JsonWebToken.js:46:28:46:36 | UserToken |
+| JsonWebToken.js:47:28:47:36 | UserToken |
+| JsonWebToken.js:47:28:47:36 | UserToken |
+| jose.js:14:11:14:47 | UserToken |
+| jose.js:14:23:14:47 | req.hea ... ization |
+| jose.js:14:23:14:47 | req.hea ... ization |
+| jose.js:16:20:16:28 | UserToken |
+| jose.js:16:20:16:28 | UserToken |
+| jose.js:21:11:21:47 | UserToken |
+| jose.js:21:23:21:47 | req.hea ... ization |
+| jose.js:21:23:21:47 | req.hea ... ization |
+| jose.js:23:26:23:34 | UserToken |
+| jose.js:23:26:23:34 | UserToken |
+| jose.js:27:11:27:47 | UserToken |
+| jose.js:27:23:27:47 | req.hea ... ization |
+| jose.js:27:23:27:47 | req.hea ... ization |
+| jose.js:29:20:29:28 | UserToken |
+| jose.js:29:20:29:28 | UserToken |
+| jose.js:30:26:30:34 | UserToken |
+| jose.js:30:26:30:34 | UserToken |
+| jwtDecode.js:14:11:14:47 | UserToken |
+| jwtDecode.js:14:23:14:47 | req.hea ... ization |
+| jwtDecode.js:14:23:14:47 | req.hea ... ization |
+| jwtDecode.js:18:16:18:24 | UserToken |
+| jwtDecode.js:18:16:18:24 | UserToken |
+| jwtSimple.js:13:11:13:47 | UserToken |
+| jwtSimple.js:13:23:13:47 | req.hea ... ization |
+| jwtSimple.js:13:23:13:47 | req.hea ... ization |
+| jwtSimple.js:18:23:18:31 | UserToken |
+| jwtSimple.js:18:23:18:31 | UserToken |
+| jwtSimple.js:22:11:22:47 | UserToken |
+| jwtSimple.js:22:23:22:47 | req.hea ... ization |
+| jwtSimple.js:22:23:22:47 | req.hea ... ization |
+| jwtSimple.js:27:23:27:31 | UserToken |
+| jwtSimple.js:27:23:27:31 | UserToken |
+| jwtSimple.js:28:23:28:31 | UserToken |
+| jwtSimple.js:28:23:28:31 | UserToken |
+| jwtSimple.js:32:11:32:47 | UserToken |
+| jwtSimple.js:32:23:32:47 | req.hea ... ization |
+| jwtSimple.js:32:23:32:47 | req.hea ... ization |
+| jwtSimple.js:37:23:37:31 | UserToken |
+| jwtSimple.js:37:23:37:31 | UserToken |
+| jwtSimple.js:38:23:38:31 | UserToken |
+| jwtSimple.js:38:23:38:31 | UserToken |
+edges
+| JsonWebToken.js:13:11:13:47 | UserToken | JsonWebToken.js:16:28:16:36 | UserToken |
+| JsonWebToken.js:13:11:13:47 | UserToken | JsonWebToken.js:16:28:16:36 | UserToken |
+| JsonWebToken.js:13:23:13:47 | req.hea ... ization | JsonWebToken.js:13:11:13:47 | UserToken |
+| JsonWebToken.js:13:23:13:47 | req.hea ... ization | JsonWebToken.js:13:11:13:47 | UserToken |
+| JsonWebToken.js:20:11:20:47 | UserToken | JsonWebToken.js:23:28:23:36 | UserToken |
+| JsonWebToken.js:20:11:20:47 | UserToken | JsonWebToken.js:23:28:23:36 | UserToken |
+| JsonWebToken.js:20:11:20:47 | UserToken | JsonWebToken.js:24:28:24:36 | UserToken |
+| JsonWebToken.js:20:11:20:47 | UserToken | JsonWebToken.js:24:28:24:36 | UserToken |
+| JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:20:11:20:47 | UserToken |
+| JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:20:11:20:47 | UserToken |
+| JsonWebToken.js:28:11:28:47 | UserToken | JsonWebToken.js:31:28:31:36 | UserToken |
+| JsonWebToken.js:28:11:28:47 | UserToken | JsonWebToken.js:31:28:31:36 | UserToken |
+| JsonWebToken.js:28:23:28:47 | req.hea ... ization | JsonWebToken.js:28:11:28:47 | UserToken |
+| JsonWebToken.js:28:23:28:47 | req.hea ... ization | JsonWebToken.js:28:11:28:47 | UserToken |
+| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:38:28:38:36 | UserToken |
+| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:38:28:38:36 | UserToken |
+| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:39:28:39:36 | UserToken |
+| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:39:28:39:36 | UserToken |
+| JsonWebToken.js:35:23:35:47 | req.hea ... ization | JsonWebToken.js:35:11:35:47 | UserToken |
+| JsonWebToken.js:35:23:35:47 | req.hea ... ization | JsonWebToken.js:35:11:35:47 | UserToken |
+| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:46:28:46:36 | UserToken |
+| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:46:28:46:36 | UserToken |
+| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:47:28:47:36 | UserToken |
+| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:47:28:47:36 | UserToken |
+| JsonWebToken.js:43:23:43:47 | req.hea ... ization | JsonWebToken.js:43:11:43:47 | UserToken |
+| JsonWebToken.js:43:23:43:47 | req.hea ... ization | JsonWebToken.js:43:11:43:47 | UserToken |
+| jose.js:14:11:14:47 | UserToken | jose.js:16:20:16:28 | UserToken |
+| jose.js:14:11:14:47 | UserToken | jose.js:16:20:16:28 | UserToken |
+| jose.js:14:23:14:47 | req.hea ... ization | jose.js:14:11:14:47 | UserToken |
+| jose.js:14:23:14:47 | req.hea ... ization | jose.js:14:11:14:47 | UserToken |
+| jose.js:21:11:21:47 | UserToken | jose.js:23:26:23:34 | UserToken |
+| jose.js:21:11:21:47 | UserToken | jose.js:23:26:23:34 | UserToken |
+| jose.js:21:23:21:47 | req.hea ... ization | jose.js:21:11:21:47 | UserToken |
+| jose.js:21:23:21:47 | req.hea ... ization | jose.js:21:11:21:47 | UserToken |
+| jose.js:27:11:27:47 | UserToken | jose.js:29:20:29:28 | UserToken |
+| jose.js:27:11:27:47 | UserToken | jose.js:29:20:29:28 | UserToken |
+| jose.js:27:11:27:47 | UserToken | jose.js:30:26:30:34 | UserToken |
+| jose.js:27:11:27:47 | UserToken | jose.js:30:26:30:34 | UserToken |
+| jose.js:27:23:27:47 | req.hea ... ization | jose.js:27:11:27:47 | UserToken |
+| jose.js:27:23:27:47 | req.hea ... ization | jose.js:27:11:27:47 | UserToken |
+| jwtDecode.js:14:11:14:47 | UserToken | jwtDecode.js:18:16:18:24 | UserToken |
+| jwtDecode.js:14:11:14:47 | UserToken | jwtDecode.js:18:16:18:24 | UserToken |
+| jwtDecode.js:14:23:14:47 | req.hea ... ization | jwtDecode.js:14:11:14:47 | UserToken |
+| jwtDecode.js:14:23:14:47 | req.hea ... ization | jwtDecode.js:14:11:14:47 | UserToken |
+| jwtSimple.js:13:11:13:47 | UserToken | jwtSimple.js:18:23:18:31 | UserToken |
+| jwtSimple.js:13:11:13:47 | UserToken | jwtSimple.js:18:23:18:31 | UserToken |
+| jwtSimple.js:13:23:13:47 | req.hea ... ization | jwtSimple.js:13:11:13:47 | UserToken |
+| jwtSimple.js:13:23:13:47 | req.hea ... ization | jwtSimple.js:13:11:13:47 | UserToken |
+| jwtSimple.js:22:11:22:47 | UserToken | jwtSimple.js:27:23:27:31 | UserToken |
+| jwtSimple.js:22:11:22:47 | UserToken | jwtSimple.js:27:23:27:31 | UserToken |
+| jwtSimple.js:22:11:22:47 | UserToken | jwtSimple.js:28:23:28:31 | UserToken |
+| jwtSimple.js:22:11:22:47 | UserToken | jwtSimple.js:28:23:28:31 | UserToken |
+| jwtSimple.js:22:23:22:47 | req.hea ... ization | jwtSimple.js:22:11:22:47 | UserToken |
+| jwtSimple.js:22:23:22:47 | req.hea ... ization | jwtSimple.js:22:11:22:47 | UserToken |
+| jwtSimple.js:32:11:32:47 | UserToken | jwtSimple.js:37:23:37:31 | UserToken |
+| jwtSimple.js:32:11:32:47 | UserToken | jwtSimple.js:37:23:37:31 | UserToken |
+| jwtSimple.js:32:11:32:47 | UserToken | jwtSimple.js:38:23:38:31 | UserToken |
+| jwtSimple.js:32:11:32:47 | UserToken | jwtSimple.js:38:23:38:31 | UserToken |
+| jwtSimple.js:32:23:32:47 | req.hea ... ization | jwtSimple.js:32:11:32:47 | UserToken |
+| jwtSimple.js:32:23:32:47 | req.hea ... ization | jwtSimple.js:32:11:32:47 | UserToken |
+#select
+| JsonWebToken.js:13:23:13:47 | req.hea ... ization | JsonWebToken.js:13:23:13:47 | req.hea ... ization | JsonWebToken.js:16:28:16:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:16:28:16:36 | UserToken | without signature verification |
+| JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:23:28:23:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:23:28:23:36 | UserToken | without signature verification |
+| JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:24:28:24:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:24:28:24:36 | UserToken | without signature verification |
+| jose.js:14:23:14:47 | req.hea ... ization | jose.js:14:23:14:47 | req.hea ... ization | jose.js:16:20:16:28 | UserToken | Decoding JWT $@. | jose.js:16:20:16:28 | UserToken | without signature verification |
+| jwtDecode.js:14:23:14:47 | req.hea ... ization | jwtDecode.js:14:23:14:47 | req.hea ... ization | jwtDecode.js:18:16:18:24 | UserToken | Decoding JWT $@. | jwtDecode.js:18:16:18:24 | UserToken | without signature verification |
+| jwtSimple.js:13:23:13:47 | req.hea ... ization | jwtSimple.js:13:23:13:47 | req.hea ... ization | jwtSimple.js:18:23:18:31 | UserToken | Decoding JWT $@. | jwtSimple.js:18:23:18:31 | UserToken | without signature verification |

javascript/ql/test/experimental/Security/CWE-347/JsonWebTokenNotWorking.expected

@@ -0,0 +1 @@
+experimental/Security/CWE-347/decodeJwtWithoutVerification.ql