[JS] - Enhancement to add jose decodeJWT to js/jwt-missing-verification

[felickz]

Add additional logic to JWT Verification query js/jwt-missing-verification

• https://www.npmjs.com/package/jose
  • decodeJWT - not secure by itself

Reproduction

• https://github.com/vulna-felickz/ts-jose-jwtdecode/blob/main/src/index.ts#L4

Detections:

• Potential TP: https://github.com/backstage/backstage/blob/6c0867be8dacd8c8a87ac3aa222327ac98f2d370/plugins/auth-backend/src/providers/azure-easyauth/provider.ts#L88-L88
• Potential FP based on combination of other methods used: https://github.com/abnamro/repository-scanner/blob/cdec8aac14d4bb24da49e6c920a36741839b48db/components/resc-frontend/src/services/auth-service.js#L176

MRVA top 990 JS repos:

[felickz]

Calling jose.decodeJwt method alone is not a fool proof detection as there is potential that the token is validated in another scenario ( jose.jwtVerify ). On that note should we consider dropping this into codeql repo or keep in this field pack?

[aegilops]

Keep in Field for now. Have you checked this against MRVA to see what % FPs this leads to? If it's significant it can't be hard to add "and not jose.jwtVerify used", right?

[pwntester]

This repo has been merged with the Security Lab one into the new community-codeql-packs repo which we plan to make public and promote soon. If you would like this PR to be applied to the new repo, please open a new PR there so it can get merged in the new QLPacks.