/**
* @name JWT missing secret or public key verification
* @description The application does not verify the JWT payload with a cryptographic secret or public key.
* @kind path-problem
* @problem.severity error
* @security-severity 8.0
* @precision high
* @id js/decode-jwt-without-verification
* @tags security
* external/cwe/cwe-347
*/
import javascript
import JWT
/**
 * Primary taint-tracking configuration: untrusted input reaching a JWT decode
 * call that does not verify the token's signature. Paths found by this
 * configuration are the ones the query reports.
 */
module UnverifiedDecodeConfig implements DataFlow::ConfigSig {
  /**
   * Sources are the nodes of the currently active threat model; exactly which
   * inputs count (remote, local, ...) depends on the threat-model settings the
   * analysis runs with.
   */
  predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }

  /**
   * Sinks are the nodes returned by the `JWT` library's `unverifiedDecode()` —
   * presumably decode calls that skip signature verification; see that library
   * for the exact set of modelled APIs.
   */
  predicate isSink(DataFlow::Node sink) { sink = unverifiedDecode() }

  /** Opt in to diff-informed incremental mode: this is the configuration whose results are selected. */
  predicate observeDiffInformedIncrementalMode() { any() }
}
/**
 * Global taint tracking (taint steps included, not only value-preserving data
 * flow) for the unverified-decode configuration. Provides `flowPath` and the
 * `PathGraph` the path-problem output is built from.
 */
module UnverifiedDecodeFlow = TaintTracking::Global<UnverifiedDecodeConfig>;
/**
 * Secondary taint-tracking configuration: the same sources flowing to a JWT
 * decode call that does verify the signature. Its results are never reported;
 * they are used only to suppress alerts for sources that are verified elsewhere.
 */
module VerifiedDecodeConfig implements DataFlow::ConfigSig {
  /** Same source set as the primary configuration: nodes of the active threat model. */
  predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }

  /**
   * Sinks are the nodes returned by the `JWT` library's `verifiedDecode()` —
   * presumably decode calls that check the signature against a secret or key.
   */
  predicate isSink(DataFlow::Node sink) { sink = verifiedDecode() }

  /**
   * Stays out of diff-informed incremental mode: only the configuration whose
   * results are selected should opt in, and this one is a filter.
   */
  predicate observeDiffInformedIncrementalMode() {
    none() // used as secondary config
  }
}
/**
 * Global taint tracking for the verified-decode configuration. Only its
 * `flow` relation is consulted, to filter the primary results.
 */
module VerifiedDecodeFlow = TaintTracking::Global<VerifiedDecodeConfig>;
import UnverifiedDecodeFlow::PathGraph
from UnverifiedDecodeFlow::PathNode source, UnverifiedDecodeFlow::PathNode sink
where
  UnverifiedDecodeFlow::flowPath(source, sink) and
  // Drop sources that also reach a verifying decode. Note this is a coarse
  // filter: a verified decode of the same source on any path, in any order,
  // suppresses the alert — a payload that is used before it is verified is
  // therefore not reported. This trades recall for the query's high precision.
  not exists(DataFlow::Node verifiedSink |
    VerifiedDecodeFlow::flow(source.getNode(), verifiedSink)
  )
select source.getNode(), source, sink, "Decoding JWT $@.", sink.getNode(),
  "without signature verification"