Commit 7166d54

add test file for CWE-347
Add a test file for CWE-347. The HS256 algorithm is safe, but the none algorithm is unsafe.
1 parent 8a2a334 commit 7166d54

File tree (1 file changed, 11 additions, 0 deletions):
  • javascript/ql/src/experimental/Security/CWE-347/examples

@@ -0,0 +1,11 @@
1+
const jwt = require("jsonwebtoken");
2+
3+
const secret = "buybtc";
4+
5+
var token = jwt.sign({ foo: 'bar' }, secret, { algorithm: "HS256" }) // alg:HS256
6+
jwt.verify(token, secret, { algorithms: ["HS256", "none"] }) // pass
7+
8+
var token = jwt.sign({ foo: 'bar' }, secret, { algorithm: "none" }) // alg:none (unsafe)
9+
jwt.verify(token, "", { algorithms: ["HS256", "none"] }) // detected
10+
jwt.verify(token, undefined, { algorithms: ["HS256", "none"] }) // detected
11+
jwt.verify(token, false, { algorithms: ["HS256", "none"] }) // detected
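Review bot: The "pass" case (the `jwt.verify` right after the HS256 `jwt.sign`) still hands the library `algorithms: ["HS256", "none"]`, so its allow-list admits unsigned tokens just like the three "detected" calls below it; the only thing that differs is the secret argument. If the intent is to contrast a safe verify with the unsafe ones, use `{ algorithms: ["HS256"] }` there so the test also covers an allow-list that excludes `none`, which is the mitigation for CWE-347 the query should not flag. Minor points: `var token` is declared twice (use `const` with two distinct names), the statements have no trailing semicolons, and the file lands under `examples/` while the commit message calls it a test file; CodeQL query tests normally live under `ql/test/query-tests/...` alongside an `.expected` file, whereas `examples/` is where the qhelp snippets go.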
