JS: Port experimental jwtDecodeWithoutVerification to ConfigSig

asgerf · asgerf · commit 72e522631d32 · 2024-12-03T14:30:18.000+01:00
diff --git a/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql b/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql
@@ -11,30 +11,29 @@
  */
 
 import javascript
-import DataFlow::PathGraph
 import JWT
 
-class ConfigurationUnverifiedDecode extends TaintTracking::Configuration {
-  ConfigurationUnverifiedDecode() { this = "jsonwebtoken without any signature verification" }
+module UnverifiedDecodeConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink = unverifiedDecode() }
+  predicate isSink(DataFlow::Node sink) { sink = unverifiedDecode() }
 }
 
-class ConfigurationVerifiedDecode extends TaintTracking::Configuration {
-  ConfigurationVerifiedDecode() { this = "jsonwebtoken with signature verification" }
+module UnverifiedDecodeFlow = TaintTracking::Global<UnverifiedDecodeConfig>;
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+module VerifiedDecodeConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
-  override predicate isSink(DataFlow::Node sink) { sink = verifiedDecode() }
+  predicate isSink(DataFlow::Node sink) { sink = verifiedDecode() }
 }
 
-from ConfigurationUnverifiedDecode cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+module VerifiedDecodeFlow = TaintTracking::Global<VerifiedDecodeConfig>;
+
+import UnverifiedDecodeFlow::PathGraph
+
+from UnverifiedDecodeFlow::PathNode source, UnverifiedDecodeFlow::PathNode sink
 where
-  cfg.hasFlowPath(source, sink) and
-  not exists(ConfigurationVerifiedDecode cfg2 |
-    cfg2.hasFlowPath(any(DataFlow::PathNode p | p.getNode() = source.getNode()), _)
-  )
+  UnverifiedDecodeFlow::flowPath(source, sink) and
+  not VerifiedDecodeFlow::flow(source.getNode(), _)
 select source.getNode(), source, sink, "Decoding JWT $@.", sink.getNode(),
   "without signature verification"
diff --git a/javascript/ql/test/experimental/Security/CWE-347/remotesource/decodeJwtWithoutVerification.expected b/javascript/ql/test/experimental/Security/CWE-347/remotesource/decodeJwtWithoutVerification.expected
@@ -1,157 +1,53 @@
-nodes
-| JsonWebToken.js:10:11:10:47 | UserToken |
-| JsonWebToken.js:10:23:10:47 | req.hea ... ization |
-| JsonWebToken.js:10:23:10:47 | req.hea ... ization |
-| JsonWebToken.js:13:28:13:36 | UserToken |
-| JsonWebToken.js:13:28:13:36 | UserToken |
-| JsonWebToken.js:17:11:17:47 | UserToken |
-| JsonWebToken.js:17:23:17:47 | req.hea ... ization |
-| JsonWebToken.js:17:23:17:47 | req.hea ... ization |
-| JsonWebToken.js:20:28:20:36 | UserToken |
-| JsonWebToken.js:20:28:20:36 | UserToken |
-| JsonWebToken.js:21:28:21:36 | UserToken |
-| JsonWebToken.js:21:28:21:36 | UserToken |
-| JsonWebToken.js:25:11:25:47 | UserToken |
-| JsonWebToken.js:25:23:25:47 | req.hea ... ization |
-| JsonWebToken.js:25:23:25:47 | req.hea ... ization |
-| JsonWebToken.js:28:28:28:36 | UserToken |
-| JsonWebToken.js:28:28:28:36 | UserToken |
-| JsonWebToken.js:32:11:32:47 | UserToken |
-| JsonWebToken.js:32:11:32:47 | UserToken |
-| JsonWebToken.js:32:23:32:47 | req.hea ... ization |
-| JsonWebToken.js:32:23:32:47 | req.hea ... ization |
-| JsonWebToken.js:32:23:32:47 | req.hea ... ization |
-| JsonWebToken.js:32:23:32:47 | req.hea ... ization |
-| JsonWebToken.js:35:28:35:36 | UserToken |
-| JsonWebToken.js:35:28:35:36 | UserToken |
-| JsonWebToken.js:36:28:36:36 | UserToken |
-| JsonWebToken.js:36:28:36:36 | UserToken |
-| JsonWebToken.js:40:11:40:47 | UserToken |
-| JsonWebToken.js:40:11:40:47 | UserToken |
-| JsonWebToken.js:40:23:40:47 | req.hea ... ization |
-| JsonWebToken.js:40:23:40:47 | req.hea ... ization |
-| JsonWebToken.js:40:23:40:47 | req.hea ... ization |
-| JsonWebToken.js:40:23:40:47 | req.hea ... ization |
-| JsonWebToken.js:43:28:43:36 | UserToken |
-| JsonWebToken.js:43:28:43:36 | UserToken |
-| JsonWebToken.js:44:28:44:36 | UserToken |
-| JsonWebToken.js:44:28:44:36 | UserToken |
-| jose.js:11:11:11:47 | UserToken |
-| jose.js:11:23:11:47 | req.hea ... ization |
-| jose.js:11:23:11:47 | req.hea ... ization |
-| jose.js:13:20:13:28 | UserToken |
-| jose.js:13:20:13:28 | UserToken |
-| jose.js:18:11:18:47 | UserToken |
-| jose.js:18:23:18:47 | req.hea ... ization |
-| jose.js:18:23:18:47 | req.hea ... ization |
-| jose.js:20:26:20:34 | UserToken |
-| jose.js:20:26:20:34 | UserToken |
-| jose.js:24:11:24:47 | UserToken |
-| jose.js:24:11:24:47 | UserToken |
-| jose.js:24:23:24:47 | req.hea ... ization |
-| jose.js:24:23:24:47 | req.hea ... ization |
-| jose.js:24:23:24:47 | req.hea ... ization |
-| jose.js:24:23:24:47 | req.hea ... ization |
-| jose.js:26:20:26:28 | UserToken |
-| jose.js:26:20:26:28 | UserToken |
-| jose.js:27:26:27:34 | UserToken |
-| jose.js:27:26:27:34 | UserToken |
-| jwtDecode.js:11:11:11:47 | UserToken |
-| jwtDecode.js:11:23:11:47 | req.hea ... ization |
-| jwtDecode.js:11:23:11:47 | req.hea ... ization |
-| jwtDecode.js:15:16:15:24 | UserToken |
-| jwtDecode.js:15:16:15:24 | UserToken |
-| jwtSimple.js:10:11:10:47 | UserToken |
-| jwtSimple.js:10:23:10:47 | req.hea ... ization |
-| jwtSimple.js:10:23:10:47 | req.hea ... ization |
-| jwtSimple.js:13:23:13:31 | UserToken |
-| jwtSimple.js:13:23:13:31 | UserToken |
-| jwtSimple.js:17:11:17:47 | UserToken |
-| jwtSimple.js:17:23:17:47 | req.hea ... ization |
-| jwtSimple.js:17:23:17:47 | req.hea ... ization |
-| jwtSimple.js:20:23:20:31 | UserToken |
-| jwtSimple.js:20:23:20:31 | UserToken |
-| jwtSimple.js:21:23:21:31 | UserToken |
-| jwtSimple.js:21:23:21:31 | UserToken |
-| jwtSimple.js:25:11:25:47 | UserToken |
-| jwtSimple.js:25:11:25:47 | UserToken |
-| jwtSimple.js:25:23:25:47 | req.hea ... ization |
-| jwtSimple.js:25:23:25:47 | req.hea ... ization |
-| jwtSimple.js:25:23:25:47 | req.hea ... ization |
-| jwtSimple.js:25:23:25:47 | req.hea ... ization |
-| jwtSimple.js:28:23:28:31 | UserToken |
-| jwtSimple.js:28:23:28:31 | UserToken |
-| jwtSimple.js:29:23:29:31 | UserToken |
-| jwtSimple.js:29:23:29:31 | UserToken |
 edges
-| JsonWebToken.js:10:11:10:47 | UserToken | JsonWebToken.js:13:28:13:36 | UserToken |
-| JsonWebToken.js:10:11:10:47 | UserToken | JsonWebToken.js:13:28:13:36 | UserToken |
-| JsonWebToken.js:10:23:10:47 | req.hea ... ization | JsonWebToken.js:10:11:10:47 | UserToken |
-| JsonWebToken.js:10:23:10:47 | req.hea ... ization | JsonWebToken.js:10:11:10:47 | UserToken |
-| JsonWebToken.js:17:11:17:47 | UserToken | JsonWebToken.js:20:28:20:36 | UserToken |
-| JsonWebToken.js:17:11:17:47 | UserToken | JsonWebToken.js:20:28:20:36 | UserToken |
-| JsonWebToken.js:17:11:17:47 | UserToken | JsonWebToken.js:21:28:21:36 | UserToken |
-| JsonWebToken.js:17:11:17:47 | UserToken | JsonWebToken.js:21:28:21:36 | UserToken |
-| JsonWebToken.js:17:23:17:47 | req.hea ... ization | JsonWebToken.js:17:11:17:47 | UserToken |
-| JsonWebToken.js:17:23:17:47 | req.hea ... ization | JsonWebToken.js:17:11:17:47 | UserToken |
-| JsonWebToken.js:25:11:25:47 | UserToken | JsonWebToken.js:28:28:28:36 | UserToken |
-| JsonWebToken.js:25:11:25:47 | UserToken | JsonWebToken.js:28:28:28:36 | UserToken |
-| JsonWebToken.js:25:23:25:47 | req.hea ... ization | JsonWebToken.js:25:11:25:47 | UserToken |
-| JsonWebToken.js:25:23:25:47 | req.hea ... ization | JsonWebToken.js:25:11:25:47 | UserToken |
-| JsonWebToken.js:32:11:32:47 | UserToken | JsonWebToken.js:35:28:35:36 | UserToken |
-| JsonWebToken.js:32:11:32:47 | UserToken | JsonWebToken.js:35:28:35:36 | UserToken |
-| JsonWebToken.js:32:11:32:47 | UserToken | JsonWebToken.js:36:28:36:36 | UserToken |
-| JsonWebToken.js:32:11:32:47 | UserToken | JsonWebToken.js:36:28:36:36 | UserToken |
-| JsonWebToken.js:32:23:32:47 | req.hea ... ization | JsonWebToken.js:32:11:32:47 | UserToken |
-| JsonWebToken.js:32:23:32:47 | req.hea ... ization | JsonWebToken.js:32:11:32:47 | UserToken |
-| JsonWebToken.js:32:23:32:47 | req.hea ... ization | JsonWebToken.js:32:11:32:47 | UserToken |
-| JsonWebToken.js:32:23:32:47 | req.hea ... ization | JsonWebToken.js:32:11:32:47 | UserToken |
-| JsonWebToken.js:40:11:40:47 | UserToken | JsonWebToken.js:43:28:43:36 | UserToken |
-| JsonWebToken.js:40:11:40:47 | UserToken | JsonWebToken.js:43:28:43:36 | UserToken |
-| JsonWebToken.js:40:11:40:47 | UserToken | JsonWebToken.js:44:28:44:36 | UserToken |
-| JsonWebToken.js:40:11:40:47 | UserToken | JsonWebToken.js:44:28:44:36 | UserToken |
-| JsonWebToken.js:40:23:40:47 | req.hea ... ization | JsonWebToken.js:40:11:40:47 | UserToken |
-| JsonWebToken.js:40:23:40:47 | req.hea ... ization | JsonWebToken.js:40:11:40:47 | UserToken |
-| JsonWebToken.js:40:23:40:47 | req.hea ... ization | JsonWebToken.js:40:11:40:47 | UserToken |
-| JsonWebToken.js:40:23:40:47 | req.hea ... ization | JsonWebToken.js:40:11:40:47 | UserToken |
-| jose.js:11:11:11:47 | UserToken | jose.js:13:20:13:28 | UserToken |
-| jose.js:11:11:11:47 | UserToken | jose.js:13:20:13:28 | UserToken |
-| jose.js:11:23:11:47 | req.hea ... ization | jose.js:11:11:11:47 | UserToken |
-| jose.js:11:23:11:47 | req.hea ... ization | jose.js:11:11:11:47 | UserToken |
-| jose.js:18:11:18:47 | UserToken | jose.js:20:26:20:34 | UserToken |
-| jose.js:18:11:18:47 | UserToken | jose.js:20:26:20:34 | UserToken |
-| jose.js:18:23:18:47 | req.hea ... ization | jose.js:18:11:18:47 | UserToken |
-| jose.js:18:23:18:47 | req.hea ... ization | jose.js:18:11:18:47 | UserToken |
-| jose.js:24:11:24:47 | UserToken | jose.js:26:20:26:28 | UserToken |
-| jose.js:24:11:24:47 | UserToken | jose.js:26:20:26:28 | UserToken |
-| jose.js:24:11:24:47 | UserToken | jose.js:27:26:27:34 | UserToken |
-| jose.js:24:11:24:47 | UserToken | jose.js:27:26:27:34 | UserToken |
-| jose.js:24:23:24:47 | req.hea ... ization | jose.js:24:11:24:47 | UserToken |
-| jose.js:24:23:24:47 | req.hea ... ization | jose.js:24:11:24:47 | UserToken |
-| jose.js:24:23:24:47 | req.hea ... ization | jose.js:24:11:24:47 | UserToken |
-| jose.js:24:23:24:47 | req.hea ... ization | jose.js:24:11:24:47 | UserToken |
-| jwtDecode.js:11:11:11:47 | UserToken | jwtDecode.js:15:16:15:24 | UserToken |
-| jwtDecode.js:11:11:11:47 | UserToken | jwtDecode.js:15:16:15:24 | UserToken |
-| jwtDecode.js:11:23:11:47 | req.hea ... ization | jwtDecode.js:11:11:11:47 | UserToken |
-| jwtDecode.js:11:23:11:47 | req.hea ... ization | jwtDecode.js:11:11:11:47 | UserToken |
-| jwtSimple.js:10:11:10:47 | UserToken | jwtSimple.js:13:23:13:31 | UserToken |
-| jwtSimple.js:10:11:10:47 | UserToken | jwtSimple.js:13:23:13:31 | UserToken |
-| jwtSimple.js:10:23:10:47 | req.hea ... ization | jwtSimple.js:10:11:10:47 | UserToken |
-| jwtSimple.js:10:23:10:47 | req.hea ... ization | jwtSimple.js:10:11:10:47 | UserToken |
-| jwtSimple.js:17:11:17:47 | UserToken | jwtSimple.js:20:23:20:31 | UserToken |
-| jwtSimple.js:17:11:17:47 | UserToken | jwtSimple.js:20:23:20:31 | UserToken |
-| jwtSimple.js:17:11:17:47 | UserToken | jwtSimple.js:21:23:21:31 | UserToken |
-| jwtSimple.js:17:11:17:47 | UserToken | jwtSimple.js:21:23:21:31 | UserToken |
-| jwtSimple.js:17:23:17:47 | req.hea ... ization | jwtSimple.js:17:11:17:47 | UserToken |
-| jwtSimple.js:17:23:17:47 | req.hea ... ization | jwtSimple.js:17:11:17:47 | UserToken |
-| jwtSimple.js:25:11:25:47 | UserToken | jwtSimple.js:28:23:28:31 | UserToken |
-| jwtSimple.js:25:11:25:47 | UserToken | jwtSimple.js:28:23:28:31 | UserToken |
-| jwtSimple.js:25:11:25:47 | UserToken | jwtSimple.js:29:23:29:31 | UserToken |
-| jwtSimple.js:25:11:25:47 | UserToken | jwtSimple.js:29:23:29:31 | UserToken |
-| jwtSimple.js:25:23:25:47 | req.hea ... ization | jwtSimple.js:25:11:25:47 | UserToken |
-| jwtSimple.js:25:23:25:47 | req.hea ... ization | jwtSimple.js:25:11:25:47 | UserToken |
-| jwtSimple.js:25:23:25:47 | req.hea ... ization | jwtSimple.js:25:11:25:47 | UserToken |
-| jwtSimple.js:25:23:25:47 | req.hea ... ization | jwtSimple.js:25:11:25:47 | UserToken |
+| JsonWebToken.js:10:11:10:47 | UserToken | JsonWebToken.js:13:28:13:36 | UserToken | provenance |  |
+| JsonWebToken.js:10:23:10:47 | req.hea ... ization | JsonWebToken.js:10:11:10:47 | UserToken | provenance |  |
+| JsonWebToken.js:17:11:17:47 | UserToken | JsonWebToken.js:20:28:20:36 | UserToken | provenance |  |
+| JsonWebToken.js:17:11:17:47 | UserToken | JsonWebToken.js:21:28:21:36 | UserToken | provenance |  |
+| JsonWebToken.js:17:23:17:47 | req.hea ... ization | JsonWebToken.js:17:11:17:47 | UserToken | provenance |  |
+| JsonWebToken.js:32:11:32:47 | UserToken | JsonWebToken.js:35:28:35:36 | UserToken | provenance |  |
+| JsonWebToken.js:32:23:32:47 | req.hea ... ization | JsonWebToken.js:32:11:32:47 | UserToken | provenance |  |
+| JsonWebToken.js:40:11:40:47 | UserToken | JsonWebToken.js:43:28:43:36 | UserToken | provenance |  |
+| JsonWebToken.js:40:23:40:47 | req.hea ... ization | JsonWebToken.js:40:11:40:47 | UserToken | provenance |  |
+| jose.js:11:11:11:47 | UserToken | jose.js:13:20:13:28 | UserToken | provenance |  |
+| jose.js:11:23:11:47 | req.hea ... ization | jose.js:11:11:11:47 | UserToken | provenance |  |
+| jose.js:24:11:24:47 | UserToken | jose.js:26:20:26:28 | UserToken | provenance |  |
+| jose.js:24:23:24:47 | req.hea ... ization | jose.js:24:11:24:47 | UserToken | provenance |  |
+| jwtDecode.js:11:11:11:47 | UserToken | jwtDecode.js:15:16:15:24 | UserToken | provenance |  |
+| jwtDecode.js:11:23:11:47 | req.hea ... ization | jwtDecode.js:11:11:11:47 | UserToken | provenance |  |
+| jwtSimple.js:10:11:10:47 | UserToken | jwtSimple.js:13:23:13:31 | UserToken | provenance |  |
+| jwtSimple.js:10:23:10:47 | req.hea ... ization | jwtSimple.js:10:11:10:47 | UserToken | provenance |  |
+| jwtSimple.js:25:11:25:47 | UserToken | jwtSimple.js:28:23:28:31 | UserToken | provenance |  |
+| jwtSimple.js:25:23:25:47 | req.hea ... ization | jwtSimple.js:25:11:25:47 | UserToken | provenance |  |
+nodes
+| JsonWebToken.js:10:11:10:47 | UserToken | semmle.label | UserToken |
+| JsonWebToken.js:10:23:10:47 | req.hea ... ization | semmle.label | req.hea ... ization |
+| JsonWebToken.js:13:28:13:36 | UserToken | semmle.label | UserToken |
+| JsonWebToken.js:17:11:17:47 | UserToken | semmle.label | UserToken |
+| JsonWebToken.js:17:23:17:47 | req.hea ... ization | semmle.label | req.hea ... ization |
+| JsonWebToken.js:20:28:20:36 | UserToken | semmle.label | UserToken |
+| JsonWebToken.js:21:28:21:36 | UserToken | semmle.label | UserToken |
+| JsonWebToken.js:32:11:32:47 | UserToken | semmle.label | UserToken |
+| JsonWebToken.js:32:23:32:47 | req.hea ... ization | semmle.label | req.hea ... ization |
+| JsonWebToken.js:35:28:35:36 | UserToken | semmle.label | UserToken |
+| JsonWebToken.js:40:11:40:47 | UserToken | semmle.label | UserToken |
+| JsonWebToken.js:40:23:40:47 | req.hea ... ization | semmle.label | req.hea ... ization |
+| JsonWebToken.js:43:28:43:36 | UserToken | semmle.label | UserToken |
+| jose.js:11:11:11:47 | UserToken | semmle.label | UserToken |
+| jose.js:11:23:11:47 | req.hea ... ization | semmle.label | req.hea ... ization |
+| jose.js:13:20:13:28 | UserToken | semmle.label | UserToken |
+| jose.js:24:11:24:47 | UserToken | semmle.label | UserToken |
+| jose.js:24:23:24:47 | req.hea ... ization | semmle.label | req.hea ... ization |
+| jose.js:26:20:26:28 | UserToken | semmle.label | UserToken |
+| jwtDecode.js:11:11:11:47 | UserToken | semmle.label | UserToken |
+| jwtDecode.js:11:23:11:47 | req.hea ... ization | semmle.label | req.hea ... ization |
+| jwtDecode.js:15:16:15:24 | UserToken | semmle.label | UserToken |
+| jwtSimple.js:10:11:10:47 | UserToken | semmle.label | UserToken |
+| jwtSimple.js:10:23:10:47 | req.hea ... ization | semmle.label | req.hea ... ization |
+| jwtSimple.js:13:23:13:31 | UserToken | semmle.label | UserToken |
+| jwtSimple.js:25:11:25:47 | UserToken | semmle.label | UserToken |
+| jwtSimple.js:25:23:25:47 | req.hea ... ization | semmle.label | req.hea ... ization |
+| jwtSimple.js:28:23:28:31 | UserToken | semmle.label | UserToken |
+subpaths
 #select
 | JsonWebToken.js:10:23:10:47 | req.hea ... ization | JsonWebToken.js:10:23:10:47 | req.hea ... ization | JsonWebToken.js:13:28:13:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:13:28:13:36 | UserToken | without signature verification |
 | JsonWebToken.js:17:23:17:47 | req.hea ... ization | JsonWebToken.js:17:23:17:47 | req.hea ... ization | JsonWebToken.js:20:28:20:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:20:28:20:36 | UserToken | without signature verification |
