[Java] JWT without signature check. #5597
Conversation
That is a pretty neat query!
I have left some review comments regarding documentation and naming, but feel free to ignore those. The maintainers will probably give you more valuable feedback.
java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
Hey @intrigus-lgtm,
I always thought that this should not be done in
I also had doubts and asked the Java CodeQL team for advice, and we decided to add the filtering for now; it can be removed later if the query is promoted from experimental.
Hi @tamasvajk, it looks like you have been assigned to review this. I hope that the PR is in a state in which it needs few changes :)
@intrigus-lgtm The corresponding issue is in SecLab review stage, so I have asked for the changes. It will take time to rerun the LGTM query. Not sure about the PR.
java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.qhelp
Co-authored-by: Chris Smowton <smowton@github.com>
I note the stubs are not in fact stubs; they largely have method bodies etc.
You're right.
Private fields, nontrivial field initialisers, any imports and classes that are no longer necessary after stubbing
This query detects cases where a signing key is set for a JwtParser, but a parsing method is used that does not verify the signature using the signing key.
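The pattern the query looks for, shown as an added illustration that is not part of the PR or the CodeQL test suite: it assumes the jjwt `JwtParser` API (`parse` versus `parseClaimsJws`), a constructed demo key, and the hypothetical class name `JwtParseDemo`.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.nio.charset.StandardCharsets;

public class JwtParseDemo {
    // Constructed 256-bit HMAC key for this demo only (assumption, not from the page).
    private static final byte[] KEY =
        "demo-key-demo-key-demo-key-demo!".getBytes(StandardCharsets.UTF_8);

    // Pattern the query flags: a signing key is set on the parser, but parse()
    // also accepts a token that carries no signature segment, so for an
    // unsigned token the key is never used and the claims are trusted unverified.
    static Object vulnerableParse(String token) {
        Jwt jwt = Jwts.parser().setSigningKey(KEY).parse(token);
        return jwt.getBody();
    }

    // Hardened form: parseClaimsJws() requires a signed token (JWS) and verifies
    // its signature with the key; unsigned or tampered tokens throw a JwtException.
    static Claims safeParse(String token) {
        Jws<Claims> jws = Jwts.parser().setSigningKey(KEY).parseClaimsJws(token);
        return jws.getBody();
    }

    public static void main(String[] args) {
        // Constructed inputs: a properly signed token and an unsigned one (alg "none").
        String signed = Jwts.builder().setSubject("alice")
            .signWith(SignatureAlgorithm.HS256, KEY).compact();
        String unsigned = Jwts.builder().setSubject("admin").compact();

        System.out.println("vulnerable, signed:   " + vulnerableParse(signed));
        System.out.println("vulnerable, unsigned: " + vulnerableParse(unsigned)); // accepted
        System.out.println("safe, signed:         " + safeParse(signed));
        try {
            safeParse(unsigned);
        } catch (JwtException e) { // unsigned token rejected
            System.out.println("safe, unsigned: rejected (" + e.getClass().getSimpleName() + ")");
        }
    }
}
```

Only the `parseClaimsJws` path ties acceptance of the token to the configured key; the `parse` path is what the query reports as a missing signature check.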