Skip to content

Commit a1f48db

Browse files
committed
Make verifiesSignature() a predicate
1 parent 4079e53 commit a1f48db

3 files changed

Lines changed: 15 additions & 19 deletions

File tree

python/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.ql

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -13,5 +13,5 @@ import python
1313
import experimental.semmle.python.Concepts
1414

1515
from JWTDecoding jwtDecoding
16-
where jwtDecoding.verifiesSignature() = false
17-
select jwtDecoding, "does not verify the JWT payload with a cryptographic secret or public key."
16+
where not jwtDecoding.verifiesSignature()
17+
select jwtDecoding.getPayload(), "is not verified with a cryptographic secret or public key."

python/ql/src/experimental/semmle/python/Concepts.qll

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -247,7 +247,7 @@ module JWTDecoding {
247247
/**
248248
* Checks if the signature gets verified while decoding.
249249
*/
250-
abstract boolean verifiesSignature();
250+
abstract predicate verifiesSignature();
251251
}
252252
}
253253

@@ -290,5 +290,5 @@ class JWTDecoding extends DataFlow::Node {
290290
/**
291291
* Checks if the signature gets verified while decoding.
292292
*/
293-
boolean verifiesSignature() { result = range.verifiesSignature() }
293+
predicate verifiesSignature() { range.verifiesSignature() }
294294
}

python/ql/src/experimental/semmle/python/frameworks/JWT.qll

Lines changed: 11 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -72,23 +72,19 @@ private module JWT {
7272
result in [this.getArg(3), this.getArgByName("options")]
7373
}
7474

75-
override boolean verifiesSignature() {
75+
override predicate verifiesSignature() {
7676
// jwt.decode(token, "key", "HS256")
77-
not exists(this.getArgByName("verify")) and not exists(this.getOptions()) and result = true
77+
not exists(this.getArgByName("verify")) and not exists(this.getOptions())
7878
or
79-
(
80-
// not -> jwt.decode(token, verify=False)
81-
isFalse(this.getArgByName("verify"))
82-
or
83-
// not -> jwt.decode(token, key, options={"verify_signature": False})
84-
exists(KeyValuePair optionsDict, NameConstant falseName |
85-
falseName.getId() = "False" and
86-
optionsDict = this.getArgByName("options").asExpr().(Dict).getItems().getAnItem() and
87-
optionsDict.getKey().(Str_).getS().matches("%verify%") and
88-
falseName = optionsDict.getValue()
89-
)
90-
) and
91-
result = false
79+
// jwt.decode(token, verify=False)
80+
not isFalse(this.getArgByName("verify")) and
81+
// not -> jwt.decode(token, key, options={"verify_signature": False})
82+
not exists(KeyValuePair optionsDict, NameConstant falseName |
83+
falseName.getId() = "False" and
84+
optionsDict = this.getArgByName("options").asExpr().(Dict).getItems().getAnItem() and
85+
optionsDict.getKey().(Str_).getS().matches("%verify%") and
86+
falseName = optionsDict.getValue()
87+
)
9288
}
9389
}
9490
}

0 commit comments

Comments
 (0)