Try to finish the PR

toufik-airane · toufik-airane · commit 4853b8a281e1 · 2020-06-22T13:26:13.000+02:00
- Add help documentation
- Empty qll file
- rename examples
diff --git a/javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.help b/javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.help
@@ -0,0 +1,39 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+
+<p>The featured CodeQL query warns using of none algorithm in verify() functions imported from jsonwebtoken package developed by the auth0 organization.</p>
+
+<p>Backend JavaScript applications handling JWT could be affected by the none algorithm misconfiguration due to misusing verify() functions imported by jsonwebtoken package.
+Providing an empty string or a false value, instead of a secret or a key, enable the none algorithm to decode JWT payloads without signature verification.
+Misconfigured backend JavaScript on a production environment could be impacted by exploitation violating the integration of a JWT.</p>
+</overview>
+
+<recommendation>
+<p>
+verify() functions should use a secret or a key to decode JWT payloads.
+</p>
+<p>
+Use a a secret or a key to decode JWT payloads.
+</p>
+<p>
+</p>
+
+</recommendation>
+
+<example>
+<p>The example starts with a secret signing an object using the HS256 algorithm.
+In the second case an empty string is provided, then an undefined value, and finally a false value.
+These three misconfigued verify() functions is detected to be potentially a cybersecurity vulnerability.
+</p>
+<sample src="examples/JWTMissingSecretOrPublicKeyVerification.js" />
+
+</example>
+
+<references>
+<li>Auth0 Blog: <a href="https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/#Meet-the--None--Algorithm">Meet the "None" Algorithm</a>.</li>
+</references>
+</qhelp>
diff --git a/javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.qll b/javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.qll
@@ -1 +0,0 @@
-
diff --git a/javascript/ql/src/experimental/Security/CWE-347/examples/JWTMissingSecretOrPublicKeyVerification.js b/javascript/ql/src/experimental/Security/CWE-347/examples/JWTMissingSecretOrPublicKeyVerification.js
@@ -1,10 +1,10 @@
 const jwt = require("jsonwebtoken");
 
 const secret = "buybtc";
-
+// #1
 var token = jwt.sign({ foo: 'bar' }, secret, { algorithm: "HS256" }) // alg:HS256
 jwt.verify(token, secret, { algorithms: ["HS256", "none"] }) // pass
-
+// #2
 var token = jwt.sign({ foo: 'bar' }, secret, { algorithm: "none" }) // alg:none (unsafe)
 jwt.verify(token, "", { algorithms: ["HS256", "none"] }) // detected
 jwt.verify(token, undefined, { algorithms: ["HS256", "none"] }) // detected
