add keys used by jsonwebtoken as CredentialsExpr

Author: erik-krogh

javascript/ql/src/semmle/javascript/frameworks/JWT.qll

@@ -36,4 +36,19 @@ private module JsonWebToken {
       succ = this.getABoundCallbackParameter(2, 1)
     }
   }
+
+  /**
+   * The public/private key for a JWT as a `CredentialsExpr`.
+   */
+  private class JWTKey extends CredentialsExpr {
+    JWTKey() {
+      this =
+        DataFlow::moduleMember("jsonwebtoken", ["verify", "sign"])
+            .getACall()
+            .getArgument(1)
+            .asExpr()
+    }
+
+    override string getCredentialsKind() { result = "key" }
+  }
 }

javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected

@@ -208,6 +208,16 @@ nodes
 | HardcodedCredentials.js:237:35:237:91 | Buffer. ... ase64') |
 | HardcodedCredentials.js:237:47:237:54 | username |
 | HardcodedCredentials.js:237:47:237:71 | usernam ... assword |
+| HardcodedCredentials.js:245:9:245:44 | privateKey |
+| HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" |
+| HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" |
+| HardcodedCredentials.js:246:42:246:51 | privateKey |
+| HardcodedCredentials.js:246:42:246:51 | privateKey |
+| HardcodedCredentials.js:248:9:248:42 | publicKey |
+| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" |
+| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" |
+| HardcodedCredentials.js:249:23:249:31 | publicKey |
+| HardcodedCredentials.js:249:23:249:31 | publicKey |
 edges
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
 | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' |
@@ -309,6 +319,14 @@ edges
 | HardcodedCredentials.js:237:35:237:91 | Buffer. ... ase64') | HardcodedCredentials.js:237:24:237:91 | 'Basic  ... ase64') |
 | HardcodedCredentials.js:237:47:237:54 | username | HardcodedCredentials.js:237:47:237:71 | usernam ... assword |
 | HardcodedCredentials.js:237:47:237:71 | usernam ... assword | HardcodedCredentials.js:237:35:237:72 | Buffer. ... ssword) |
+| HardcodedCredentials.js:245:9:245:44 | privateKey | HardcodedCredentials.js:246:42:246:51 | privateKey |
+| HardcodedCredentials.js:245:9:245:44 | privateKey | HardcodedCredentials.js:246:42:246:51 | privateKey |
+| HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:9:245:44 | privateKey |
+| HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:9:245:44 | privateKey |
+| HardcodedCredentials.js:248:9:248:42 | publicKey | HardcodedCredentials.js:249:23:249:31 | publicKey |
+| HardcodedCredentials.js:248:9:248:42 | publicKey | HardcodedCredentials.js:249:23:249:31 | publicKey |
+| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" | HardcodedCredentials.js:248:9:248:42 | publicKey |
+| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" | HardcodedCredentials.js:248:9:248:42 | publicKey |
 #select
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
 | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | password |
@@ -374,3 +392,5 @@ edges
 | HardcodedCredentials.js:214:18:214:25 | 'sdsdag' | HardcodedCredentials.js:214:18:214:25 | 'sdsdag' | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | authorization header |
 | HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | authorization header |
 | HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:237:24:237:91 | 'Basic  ... ase64') | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:237:24:237:91 | 'Basic  ... ase64') | authorization header |
+| HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:246:42:246:51 | privateKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:246:42:246:51 | privateKey | key |
+| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" | HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" | HardcodedCredentials.js:249:23:249:31 | publicKey | The hard-coded value "myHardCodedPublicKey" is used as $@. | HardcodedCredentials.js:249:23:249:31 | publicKey | key |

javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js

@@ -237,4 +237,16 @@
         Authorization: 'Basic ' + Buffer.from(username + ':' + password).toString('base64'),
       },
     });
-})
+})
+
+(function () {
+    import jwt from "jsonwebtoken";
+
+    var privateKey = "myHardCodedPrivateKey";
+    var token = jwt.sign({ foo: 'bar' }, privateKey, { algorithm: 'RS256'});
+
+    var publicKey = "myHardCodedPublicKey";
+    jwt.verify(token, publicKey, function(err, decoded) {
+        console.log(decoded);
+    });
+})();