Semgrep jwt decode verify (#696)

* new semgrep jwt decode codemod

* refactor SAST Transformer

* remove -semgrep name prefix

* fix import

Author: clavedeluna

integration_tests/sonar/test_sonar_jwt_decode_verify.py

@@ -1,6 +1,6 @@
 from codemodder.codemods.test import SonarIntegrationTest
 from core_codemods.sonar.sonar_jwt_decode_verify import (
-    JwtDecodeVerifySonarTransformer,
+    JwtDecodeVerifySASTTransformer,
     SonarJwtDecodeVerify,
 )
 
@@ -22,4 +22,4 @@ class TestJwtDecodeVerify(SonarIntegrationTest):
     expected_diff = '--- \n+++ \n@@ -8,7 +8,7 @@\n \n encoded_jwt = jwt.encode(payload, SECRET_KEY, algorithm="HS256")\n \n-decoded_payload = jwt.decode(encoded_jwt, SECRET_KEY, algorithms=["HS256"], verify=False)\n-decoded_payload = jwt.decode(encoded_jwt, SECRET_KEY, algorithms=["HS256"], options={"verify_signature": False})\n+decoded_payload = jwt.decode(encoded_jwt, SECRET_KEY, algorithms=["HS256"], verify=True)\n+decoded_payload = jwt.decode(encoded_jwt, SECRET_KEY, algorithms=["HS256"], options={"verify_signature": True})\n \n var = "something"\n'
     expected_line_change = "11"
     num_changes = 2
-    change_description = JwtDecodeVerifySonarTransformer.change_description
+    change_description = JwtDecodeVerifySASTTransformer.change_description

src/codemodder/scripts/generate_docs.py

@@ -323,14 +323,13 @@ class DocMetadata:
 }
 
 SEMGREP_CODEMOD_NAMES = [
-    "enable-jinja2-autoescape-semgrep",
+    "enable-jinja2-autoescape",
+    "jwt-decode-verify",
 ]
 SEMGREP_CODEMODS = {
     name: DocMetadata(
-        importance=CORE_CODEMODS[
-            core_codemod_name := "-".join(name.split("-")[:-1])
-        ].importance,
-        guidance_explained=CORE_CODEMODS[core_codemod_name].guidance_explained,
+        importance=CORE_CODEMODS[name].importance,
+        guidance_explained=CORE_CODEMODS[name].guidance_explained,
         need_sarif="Yes (Semgrep)",
     )
     for name in SEMGREP_CODEMOD_NAMES

src/core_codemods/__init__.py

@@ -55,6 +55,7 @@
 from .secure_flask_session_config import SecureFlaskSessionConfig
 from .secure_random import SecureRandom
 from .semgrep.semgrep_enable_jinja2_autoescape import SemgrepEnableJinja2Autoescape
+from .semgrep.semgrep_jwt_decode_verify import SemgrepJwtDecodeVerify
 from .sonar.sonar_break_or_continue_out_of_loop import SonarBreakOrContinueOutOfLoop
 from .sonar.sonar_disable_graphql_introspection import SonarDisableGraphQLIntrospection
 from .sonar.sonar_django_json_response_type import SonarDjangoJsonResponseType
@@ -198,5 +199,6 @@
     origin="semgrep",
     codemods=[
         SemgrepEnableJinja2Autoescape,
+        SemgrepJwtDecodeVerify,
     ],
 )

src/core_codemods/jwt_decode_verify.py

@@ -7,6 +7,7 @@
     NewArg,
 )
 from codemodder.codemods.semgrep import SemgrepRuleDetector
+from codemodder.result import fuzzy_column_match, same_line
 from core_codemods.api import Metadata, Reference, ReviewGuidance
 from core_codemods.api.core_codemod import CoreCodemod
 
@@ -58,6 +59,29 @@ def on_result_found(self, original_node, updated_node):
         return self.update_arg_target(updated_node, new_args)
 
 
+class JwtDecodeVerifySASTTransformer(JwtDecodeVerifyTransformer):
+    def filter_by_result(self, node) -> bool:
+        """
+        Special case result-matching for this rule because the SAST
+        results returned have a start/end column for the verify keyword
+        within the `decode` call, not for the entire `decode` call.
+        """
+        match node:
+            case cst.Call():
+                pos_to_match = self.node_position(node)
+                return any(
+                    self.match_location(pos_to_match, result)
+                    for result in self.results or []
+                )
+        return False
+
+    def match_location(self, pos, result):
+        return any(
+            same_line(pos, location) and fuzzy_column_match(pos, location)
+            for location in result.locations
+        )
+
+
 def is_verify_keyword(element: cst.DictElement) -> bool:
     """Determine if DictElement is something like:
         DictElement(

src/core_codemods/semgrep/semgrep_enable_jinja2_autoescape.py

@@ -2,7 +2,7 @@
 from core_codemods.semgrep.api import SemgrepCodemod
 
 SemgrepEnableJinja2Autoescape = SemgrepCodemod.from_core_codemod(
-    name="enable-jinja2-autoescape-semgrep",
+    name="enable-jinja2-autoescape",
     other=EnableJinja2Autoescape,
     rule_id="python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2",
     rule_name="direct-use-of-jinja2",

src/core_codemods/semgrep/semgrep_jwt_decode_verify.py

@@ -0,0 +1,14 @@
+from codemodder.codemods.libcst_transformer import LibcstTransformerPipeline
+from core_codemods.jwt_decode_verify import (
+    JwtDecodeVerify,
+    JwtDecodeVerifySASTTransformer,
+)
+from core_codemods.semgrep.api import SemgrepCodemod
+
+SemgrepJwtDecodeVerify = SemgrepCodemod.from_core_codemod(
+    name="jwt-decode-verify",
+    other=JwtDecodeVerify,
+    rule_id="python.jwt.security.unverified-jwt-decode.unverified-jwt-decode",
+    rule_name="unverified-jwt-decode",
+    transformer=LibcstTransformerPipeline(JwtDecodeVerifySASTTransformer),
+)

src/core_codemods/sonar/sonar_jwt_decode_verify.py

@@ -1,38 +1,14 @@
-import libcst as cst
-
 from codemodder.codemods.libcst_transformer import LibcstTransformerPipeline
-from codemodder.result import fuzzy_column_match, same_line
-from core_codemods.jwt_decode_verify import JwtDecodeVerify, JwtDecodeVerifyTransformer
+from core_codemods.jwt_decode_verify import (
+    JwtDecodeVerify,
+    JwtDecodeVerifySASTTransformer,
+)
 from core_codemods.sonar.api import SonarCodemod
 
-
-class JwtDecodeVerifySonarTransformer(JwtDecodeVerifyTransformer):
-    def filter_by_result(self, node) -> bool:
-        """
-        Special case result-matching for this rule because the sonar
-        results returned have a start/end column for the verify keyword
-        within the `decode` call, not for the entire call like semgrep returns.
-        """
-        match node:
-            case cst.Call():
-                pos_to_match = self.node_position(node)
-                return any(
-                    self.match_location(pos_to_match, result)
-                    for result in self.results or []
-                )
-        return False
-
-    def match_location(self, pos, result):
-        return any(
-            same_line(pos, location) and fuzzy_column_match(pos, location)
-            for location in result.locations
-        )
-
-
 SonarJwtDecodeVerify = SonarCodemod.from_core_codemod(
     name="jwt-decode-verify-S5659",
     other=JwtDecodeVerify,
     rule_id="python:S5659",
     rule_name="JWT should be signed and verified",
-    transformer=LibcstTransformerPipeline(JwtDecodeVerifySonarTransformer),
+    transformer=LibcstTransformerPipeline(JwtDecodeVerifySASTTransformer),
 )

tests/codemods/semgrep/test_semgrep_enable_jinja2_autoescape.py

@@ -11,7 +11,7 @@ class TestEnableJinja2Autoescape(BaseSASTCodemodTest):
     tool = "semgrep"
 
     def test_name(self):
-        assert self.codemod.name == "enable-jinja2-autoescape-semgrep"
+        assert self.codemod.name == "enable-jinja2-autoescape"
 
     def test_import(self, tmpdir):
         input_code = """

tests/codemods/semgrep/test_semgrep_jwt_decode_verify.py

@@ -0,0 +1,64 @@
+import json
+
+from codemodder.codemods.test import BaseSASTCodemodTest
+from core_codemods.semgrep.semgrep_jwt_decode_verify import SemgrepJwtDecodeVerify
+
+
+class TestSemgrepJwtDecodeVerify(BaseSASTCodemodTest):
+    codemod = SemgrepJwtDecodeVerify
+    tool = "semgrep"
+
+    def test_name(self):
+        assert self.codemod.name == "jwt-decode-verify"
+
+    def test_import(self, tmpdir):
+        input_code = """
+        import jwt
+
+        jwt.decode(encoded_jwt, SECRET_KEY, algorithms=['HS256'],  options={"verify_signature": False})
+        """
+        expected_output = """
+        import jwt
+
+        jwt.decode(encoded_jwt, SECRET_KEY, algorithms=['HS256'],  options={"verify_signature": True})
+        """
+        results = {
+            "runs": [
+                {
+                    "results": [
+                        {
+                            "fingerprints": {"matchBasedId/v1": "123"},
+                            "locations": [
+                                {
+                                    "physicalLocation": {
+                                        "artifactLocation": {
+                                            "uri": "code.py",
+                                            "uriBaseId": "%SRCROOT%",
+                                        },
+                                        "region": {
+                                            "endColumn": 93,
+                                            "endLine": 4,
+                                            "snippet": {
+                                                "text": "jwt.decode(encoded_jwt, SECRET_KEY, algorithms=['HS256'], options={\"verify_signature\": False})"
+                                            },
+                                            "startColumn": 88,
+                                            "startLine": 4,
+                                        },
+                                    }
+                                }
+                            ],
+                            "message": {
+                                "text": "Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified."
+                            },
+                            "ruleId": "python.jwt.security.unverified-jwt-decode.unverified-jwt-decode",
+                        }
+                    ]
+                }
+            ]
+        }
+        self.run_and_assert(
+            tmpdir,
+            input_code,
+            expected_output,
+            results=json.dumps(results),
+        )