JWT Missing Secret Or Public Key Verification

toufik-airane · toufik-airane · commit b0aaca0e1c41 · 2020-06-20T16:54:41.000+02:00
Add an experimental CodeQL query.
diff --git a/javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.help b/javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.help
diff --git a/javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.ql b/javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.ql
@@ -0,0 +1,19 @@
+/**
+ * @name JWT Missing Secret Or Public Key Verification
+ * @description The software does not verify the JWT token with a cryptographic secret or public key.
+ * @kind problem
+ * @problem.severity warning
+ * @precision high
+ * @id js/jwt-missing-secret-or-public-key-verification
+ * @tags security
+ *       external/cwe/cwe-347
+ */
+
+import javascript
+import DataFlow
+
+from CallNode call
+where
+  call = moduleMember("jsonwebtoken", "verify").getACall() and
+  call.getArgument(1).analyze().getABooleanValue() = false
+select call
diff --git a/javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.qll b/javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.qll
@@ -0,0 +1 @@
+
