intrigus-lgtm

Consider this code:

```java
JwtParserBuilder parserBuilder = Jwts.parserBuilder();
parserBuilder.setSigningKey("someBase64EncodedKey");
JwtParser parser = parserBuilder.build();
return parser;
```

Previously `setSigningKey` (the method access) was considered the source.
However, the return value of that call does not flow anywhere; the method
changes the qualifier instead. So this commit changes the source to the
qualifier instead.

NOTE:
I inlined all the good/bad methods, because otherwise I could not differentiate between the different sources.
This is probably an artifact of the changes in bc2370a by @atorralba

I'd guess that there is probably a way to avoid the inlining, but I'd really like to spend as little time on this PR as possible.
(I just want to take this problem off my mind after knowing about it for probably more than half a year^^)

intrigus-lgtm requested a review from a team as a code owner on April 5, 2024 21:05

github-actions bot added the Java label on Apr 5, 2024

intrigus-lgtm commented Apr 16, 2024

@smowton @atorralba ping?
Or were you waiting for me to solve the failing change note check?


atorralba left a comment

I'll review this soon-ish, but for the moment I've left a comment. Adding a change note is also necessary :)

m.getDeclaringType().getAnAncestor() instanceof TypeJwtParserBuilder
|
this.asExpr() = ma and
this.asExpr() = ma.getQualifier() and
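
Review bot: On the last line, binding the source only to `ma.getQualifier()` depends on setSigningKey mutating its receiver, and nothing in the predicate says so. Add a short QL comment above that line stating it, and make sure the tests cover both a statement-form call like the one in the PR description and a chained call whose result is used, since the replaced `this.asExpr() = ma` line was the one that matched the chained shape.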

We should keep the return value as well, since the call to setSigningKey returns the parser/builder:

Suggested change
this.asExpr() = ma.getQualifier() and
this.asExpr() = [ma, ma.getQualifier()] and
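
The two call shapes this thread distinguishes, written out next to a form that keeps the key out of the source, as an added example (not code from the PR or the CodeQL repository). It assumes jjwt 0.11.x with a JSON module on the classpath; the class name, method names and the `JWT_SIGNING_KEY_B64` variable are hypothetical.

```java
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.JwtParserBuilder;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;

import java.security.Key;
import java.util.Base64;

public class JwtParserShapes {

    // Placeholder literal taken from the PR description, not a real key.
    private static final String HARDCODED = "someBase64EncodedKey";

    // Shape 1: statement form (the PR description's case).
    // The value returned by setSigningKey(...) is discarded. The key reaches
    // build() only because the call mutated `builder`, i.e. its qualifier.
    static JwtParser statementForm() {
        JwtParserBuilder builder = Jwts.parserBuilder();
        builder.setSigningKey(HARDCODED);
        return builder.build();
    }

    // Shape 2: fluent chain (the review comment's case).
    // build() is invoked on the value returned by setSigningKey(...), so the
    // call expression itself is what carries the key onward.
    static JwtParser fluentForm() {
        return Jwts.parserBuilder().setSigningKey(HARDCODED).build();
    }

    // Contrast: the key is supplied at deploy time instead of being a literal.
    static JwtParser keyFromEnvironment() {
        String encoded = System.getenv("JWT_SIGNING_KEY_B64"); // hypothetical name
        if (encoded == null || encoded.isEmpty()) {
            throw new IllegalStateException("JWT_SIGNING_KEY_B64 is not set");
        }
        // hmacShaKeyFor rejects HMAC keys shorter than 256 bits.
        Key key = Keys.hmacShaKeyFor(Base64.getDecoder().decode(encoded));
        return Jwts.parserBuilder().setSigningKey(key).build();
    }

    public static void main(String[] args) {
        System.out.println("statement form built: " + (statementForm() != null));
        System.out.println("fluent form built:    " + (fluentForm() != null));
        System.out.println("env-keyed form built: " + (keyFromEnvironment() != null));
    }
}
```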
