[JS] - Enhancement to add jose decodeJWT to js/jwt-missing-verification #147
Add additional logic
and node = call.getArgument(1) | ||
and msg = "This argument disables the integrity enforcement of the token verification.") | ||
or | ||
(call = DataFlow::moduleMember("jose", "decodeJwt").getACall() |
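Review bot: the new `decodeJwt` disjunct on the last line of this hunk matches on the call alone as far as the hunk shows, so every `jose.decodeJwt` call site becomes a result whether or not the same token is also verified. Consider restricting it to calls whose token argument does not also reach `jose.jwtVerify`, and give this branch its own `msg`, since the message on the branch above ("This argument disables the integrity enforcement of the token verification.") describes an option argument rather than a decode-only call.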
Calling the jose.decodeJwt method alone is not a foolproof detection, as there is potential that the token is validated in another scenario (jose.jwtVerify). On that note, should we consider dropping this into the codeql repo or keep it in this field pack?
Keep in Field for now. Have you checked this against MRVA to see what % FPs this leads to? If it's significant it can't be hard to add "and not jose.jwtVerify used", right?
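One way to express the "and not jose.jwtVerify used" exclusion raised in the comments above, as an added CodeQL example that is not the query from this pull request. The class names, predicate name and query id are hypothetical, and "verified" is approximated as the same token value also reaching the first argument of `jose.jwtVerify` through local data flow.

```ql
/**
 * @name jose decodeJwt without jwtVerify (added example)
 * @description Reading JWT claims with decodeJwt without also verifying
 *              the token lets unsigned or tampered claims be trusted.
 * @kind problem
 * @problem.severity warning
 * @id js/example/jose-decode-without-verify
 */

import javascript

/** A call to `decodeJwt` from the `jose` package. */
class JoseDecodeCall extends DataFlow::CallNode {
  JoseDecodeCall() { this = DataFlow::moduleMember("jose", "decodeJwt").getACall() }

  /** Gets the token argument (first parameter of `decodeJwt`). */
  DataFlow::Node getToken() { result = this.getArgument(0) }
}

/** A call to `jwtVerify` from the `jose` package. */
class JoseVerifyCall extends DataFlow::CallNode {
  JoseVerifyCall() { this = DataFlow::moduleMember("jose", "jwtVerify").getACall() }

  /** Gets the token argument (first parameter of `jwtVerify`). */
  DataFlow::Node getToken() { result = this.getArgument(0) }
}

/**
 * Holds if the value decoded by `decode` is also passed to `jwtVerify`.
 * Assumption: local (intraprocedural) flow only, so a token verified in a
 * different function or middleware is still reported.
 */
predicate alsoVerified(JoseDecodeCall decode) {
  exists(JoseVerifyCall verify |
    verify.getToken().getALocalSource() = decode.getToken().getALocalSource()
  )
}

from JoseDecodeCall decode
where not alsoVerified(decode)
select decode,
  "jose.decodeJwt reads claims without verifying the signature, and this token is not passed to jose.jwtVerify."
```

Because the exclusion only follows local flow, running it through MRVA as suggested above still matters: tokens verified in a separate function or middleware will show up as results.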
This repo has been merged with the Security Lab one into the new |
Add additional logic to JWT Verification query js/jwt-missing-verification
- decodeJWT - not secure by itself

Reproduction
Detections:
MRVA top 990 JS repos: