microsoft
diff --git a/‎javascript/ql/lib/semmle/javascript/frameworks/Credentials.qll
Lines changed: 1 addition & 1 deletion b/‎javascript/ql/lib/semmle/javascript/frameworks/Credentials.qll
Lines changed: 1 addition & 1 deletion
diff --git a/‎javascript/ql/lib/semmle/javascript/frameworks/JWT.qll
Lines changed: 103 additions & 3 deletions b/‎javascript/ql/lib/semmle/javascript/frameworks/JWT.qll
Lines changed: 103 additions & 3 deletions
diff --git a/‎javascript/ql/lib/semmle/javascript/frameworks/Next.qll
Lines changed: 16 additions & 0 deletions b/‎javascript/ql/lib/semmle/javascript/frameworks/Next.qll
Lines changed: 16 additions & 0 deletions
diff --git a/‎javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsCustomizations.qll
Lines changed: 5 additions & 0 deletions b/‎javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsCustomizations.qll
Lines changed: 5 additions & 0 deletions
diff --git a/‎javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsQuery.qll
Lines changed: 38 additions & 0 deletions b/‎javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsQuery.qll
Lines changed: 38 additions & 0 deletions
@@ -12,7 +12,7 @@ import javascript
 abstract class CredentialsNode extends DataFlow::Node {
   /**
    * Gets a description of the kind of credential this expression is used as,
-   * such as `"user name"`, `"password"`, `"key"`.
+   * such as `"user name"`, `"password"`, `"key"`, `"jwt key"`.
    */
   abstract string getCredentialsKind();
 }
 
@@ -40,11 +40,111 @@ private module JsonWebToken {
   }
 
   /**
-   * The private key for a JWT as a `CredentialsNode`.
+   * The secret or PrivateKey for a JWT as a `CredentialsNode`.
    */
   private class JwtKey extends CredentialsNode {
-    JwtKey() { this = DataFlow::moduleMember("jsonwebtoken", "sign").getACall().getArgument(1) }
+    JwtKey() {
+      this =
+        API::moduleImport("jsonwebtoken").getMember(["sign", "verify"]).getParameter(1).asSink()
+    }
+
+    override string getCredentialsKind() { result = "jwt key" }
+  }
+}
+
+/**
+ * Provides classes and predicates modeling the `jose` library.
+ */
+private module Jose {
+  /**
+   * The asymmetric key or symmetric secret for verifying a JWT as a `CredentialsNode`.
+   */
+  private class JwtVerifyKey extends CredentialsNode {
+    JwtVerifyKey() {
+      this = API::moduleImport("jose").getMember("jwtVerify").getParameter(1).asSink()
+    }
+
+    override string getCredentialsKind() { result = "jwt key" }
+  }
+}
+
+/**
+ * Provides classes and predicates modeling the `jwt-simple` library.
+ */
+private module JwtSimple {
+  /**
+   * The asymmetric key or symmetric secret for a JWT as a `CredentialsNode`.
+   */
+  private class JwtKey extends CredentialsNode {
+    JwtKey() { this = API::moduleImport("jwt-simple").getMember("decode").getParameter(1).asSink() }
+
+    override string getCredentialsKind() { result = "jwt key" }
+  }
+}
+
+/**
+ * Provides classes and predicates modeling the `koa-jwt` library.
+ */
+private module KoaJwt {
+  /**
+   * The shared secret for a JWT as a `CredentialsNode`.
+   */
+  private class SharedSecret extends CredentialsNode {
+    SharedSecret() {
+      this = API::moduleImport("koa-jwt").getParameter(0).getMember("secret").asSink()
+    }
+
+    override string getCredentialsKind() { result = "jwt key" }
+  }
+}
+
+/**
+ * Provides classes and predicates modeling the `express-jwt` library.
+ */
+private module ExpressJwt {
+  /**
+   * The shared secret for a JWT as a `CredentialsNode`.
+   */
+  private class SharedSecret extends CredentialsNode {
+    SharedSecret() {
+      this =
+        API::moduleImport("express-jwt")
+            .getMember("expressjwt")
+            .getParameter(0)
+            .getMember("secret")
+            .asSink()
+    }
+
+    override string getCredentialsKind() { result = "jwt key" }
+  }
+}
+
+/**
+ * Provides classes and predicates modeling the `passport-jwt` library.
+ */
+private module PassportJwt {
+  /**
+   * The secret (symmetric) or PEM-encoded public key (asymmetric) for a JWT as a `CredentialsNode`.
+   */
+  private class JwtKey extends CredentialsNode {
+    JwtKey() {
+      this =
+        API::moduleImport("passport-jwt")
+            .getMember("Strategy")
+            .getParameter(0)
+            .getMember("secretOrKey")
+            .asSink()
+      or
+      this =
+        API::moduleImport("passport-jwt")
+            .getMember("Strategy")
+            .getParameter(0)
+            .getMember("secretOrKeyProvider")
+            .getParameter(2)
+            .getParameter(1)
+            .asSink()
+    }
 
-    override string getCredentialsKind() { result = "key" }
+    override string getCredentialsKind() { result = "jwt key" }
   }
 }
@@ -255,4 +255,20 @@ module NextJS {
           .getMember("router")
           .asSource()
   }
+
+  /**
+   * Provides classes and predicates modeling the `next-auth` library.
+   */
+  private module NextAuth {
+    /**
+     * A random string used to hash tokens, sign cookies and generate cryptographic keys as a `CredentialsNode`.
+     */
+    private class SecretKey extends CredentialsNode {
+      SecretKey() {
+        this = API::moduleImport("next-auth").getParameter(0).getMember("secret").asSink()
+      }
+
+      override string getCredentialsKind() { result = "jwt key" }
+    }
+  }
 }
@@ -4,6 +4,7 @@
  * own.
  */
 
+import semmle.javascript.filters.ClassifyFiles
 import javascript
 private import semmle.javascript.security.SensitiveActions
 
@@ -38,5 +39,9 @@ module HardcodedCredentials {
    */
   class DefaultCredentialsSink extends Sink instanceof CredentialsNode {
     override string getKind() { result = super.getCredentialsKind() }
+
+    DefaultCredentialsSink() {
+      not (super.getCredentialsKind() = "jwt key" and isTestFile(this.getFile()))
+    }
   }
 }
@@ -35,5 +35,43 @@ class Configuration extends DataFlow::Configuration {
       trg = bufferFrom and
       src = bufferFrom.getArgument(0)
     )
+    or
+    exists(API::Node n |
+      n = API::moduleImport("jose").getMember(["importSPKI", "importPKCS8", "importX509"])
+    |
+      src = n.getACall().getArgument(0) and
+      trg = n.getReturn().getPromised().asSource()
+    )
+    or
+    exists(API::Node n |
+      n = API::moduleImport("jose").getMember(["importSPKI", "importPKCS8", "importX509"])
+    |
+      src = n.getACall().getArgument(0) and
+      trg = n.getReturn().getPromised().asSource()
+    )
+    or
+    exists(API::Node n | n = API::moduleImport("jose").getMember("importJWK") |
+      src = n.getParameter(0).getMember(["x", "y", "n"]).asSink() and
+      trg = n.getReturn().getPromised().asSource()
+    )
+    or
+    exists(DataFlow::CallNode n |
+      n = DataFlow::globalVarRef("TextEncoder").getAnInstantiation().getAMemberCall("encode")
+    |
+      src = n.getArgument(0) and
+      trg = n
+    )
+    or
+    exists(DataFlow::CallNode n | n = DataFlow::globalVarRef("Buffer").getAMemberCall("from") |
+      src = n.getArgument(0) and
+      trg = [n, n.getAChainedMethodCall(["toString", "toJSON"])]
+    )
+    or
+    exists(API::Node n |
+      n = API::moduleImport("jose").getMember("base64url").getMember(["decode", "encode"])
+    |
+      src = n.getACall().getArgument(0) and
+      trg = n.getACall()
+    )
   }
 }
Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ import javascript`
`12`	`12`	`abstract class CredentialsNode extends DataFlow::Node {`
`13`	`13`	`/**`
`14`	`14`	`* Gets a description of the kind of credential this expression is used as,`
`15`		- * such as `"user name"`, `"password"`, `"key"`.
	`15`	+ * such as `"user name"`, `"password"`, `"key"`, `"jwt key"`.
`16`	`16`	`*/`
`17`	`17`	`abstract string getCredentialsKind();`
`18`	`18`	`}`