From 2a3fc598d451c4a2ff9cc29ea4e8e2f2e5319cf3 Mon Sep 17 00:00:00 2001
From: Chad Bentz <1760475+felickz@users.noreply.github.com>
Date: Fri, 19 May 2023 10:59:11 -0400
Subject: [PATCH] Create MissingJWTKeyVerification.ql

Add additional logic
---
 .../CWE-347/MissingJWTKeyVerification.ql | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 javascript/CWE-347/MissingJWTKeyVerification.ql

diff --git a/javascript/CWE-347/MissingJWTKeyVerification.ql b/javascript/CWE-347/MissingJWTKeyVerification.ql
new file mode 100644
index 0000000000..107e4c0e9c
--- /dev/null
+++ b/javascript/CWE-347/MissingJWTKeyVerification.ql
@@ -0,0 +1,27 @@
+/**
+ * @name JWT missing secret or public key verification
+ * @description The application does not verify the JWT payload with a cryptographic secret or public key.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 7.0
+ * @precision high
+ * @id js/jwt-missing-verification
+ * @tags security
+ * external/cwe/cwe-347
+ */
+
+ import javascript
+ import DataFlow
+ import semmle.javascript.RestrictedLocations
+
+ from DataFlow::CallNode call, Node node, string msg
+ where
+ (call = DataFlow::moduleMember("jsonwebtoken", "verify").getACall() and
+ call.getArgument(1).analyze().getTheBooleanValue() = false
+ and node = call.getArgument(1)
+ and msg = "This argument disables the integrity enforcement of the token verification.")
+ or
+ (call = DataFlow::moduleMember("jose", "decodeJwt").getACall()
+ and node = call
+ and msg = "This does not validate the JWS Signature..")
+ select node, msg
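Review bot: The jsonwebtoken branch only fires on a key argument that is definitely the boolean `false`, because `getTheBooleanValue() = false` requires the argument's sole abstract value to be that boolean, so the other falsy spellings a caller may pass in the same position (`null`, `undefined`, `""`) are not reported even though the query's description presumably means to cover them too; `call.getArgument(1).analyze().getABooleanValue() = false` matches any argument whose inferred value may be falsy, and if adopted the `@precision high` claim should be rechecked against the wider match. The `import semmle.javascript.RestrictedLocations` line is not referenced anywhere in the query body and can be dropped. The second alert string ends with a doubled period; `and msg = "This does not validate the JWS Signature."` reads cleanly in the alert list.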