diff --git a/rules/csharp/security/jwt-decode-without-verify-csharp.yml b/rules/csharp/security/jwt-decode-without-verify-csharp.yml
new file mode 100644
index 00000000..cc971d93
--- /dev/null
+++ b/rules/csharp/security/jwt-decode-without-verify-csharp.yml
@@ -0,0 +1,727 @@ +id: jwt-decode-without-verify-csharp +severity: warning +language: csharp +message: >- + Detected the decoding of a JWT token without a verify step. JWT tokens + must be verified before use, otherwise the token's integrity is unknown. + This means a malicious actor could forge a JWT token with any claims. + Validate the token before using it. +note: >- + [CWE-345] Insufficient Verification of Data Authenticity. + [REFERENCES] + - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures + +ast-grep-essentials: true + +utils: + (IJwtDecoder $D).Decode($X,verify-false,.): + kind: invocation_expression + all: + - has: + nthChild: 1 + kind: member_access_expression + all: + - has: + nthChild: 1 + pattern: $INST + - has: + nthChild: 2 + kind: identifier + regex: ^Decode$ + - has: + nthChild: 2 + kind: argument_list + has: + kind: argument + not: + nthChild: 1 + all: + - has: + nthChild: 1 + kind: identifier + regex: ^verify$ + - has: + nthChild: 2 + kind: boolean_literal + regex: ^false$ + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - pattern: using Microsoft.IdentityModel.Tokens; + - inside: + stopBy: end + follows: + stopBy: end + kind: local_declaration_statement + has: + kind: variable_declaration + all: + - has: + kind: identifier + regex: ^(IJwtDecoder|JwtDecoder)$ + - has: + kind: variable_declarator + has: + kind: identifier + pattern: $INST + + (IJwtDecoder $D).Decode(false): + kind: invocation_expression + all: + - has: + nthChild: 1 + kind: member_access_expression + all: + - has: + nthChild: 1 + pattern: $INST + - has: + nthChild: 2 + kind: identifier + regex: ^Decode$ + - has: + nthChild: 2 + kind: argument_list + has: + kind: argument + has: + kind: boolean_literal + regex: ^false$ + any: + - nthChild: 2 + - nthChild: 3 + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - 
pattern: using JWT.Builder; + - pattern: using Microsoft.IdentityModel.Tokens; + - inside: + stopBy: end + follows: + stopBy: end + kind: local_declaration_statement + has: + kind: variable_declaration + all: + - has: + kind: identifier + regex: ^(IJwtDecoder|JwtDecoder)$ + - has: + kind: variable_declarator + has: + kind: identifier + pattern: $INST + + $D.Decode($X,verify-false,.): + kind: invocation_expression + all: + - has: + nthChild: 1 + kind: member_access_expression + all: + - has: + nthChild: 1 + pattern: $INST + - has: + nthChild: 2 + kind: identifier + regex: ^Decode$ + - has: + nthChild: 2 + kind: argument_list + has: + kind: argument + not: + nthChild: 1 + all: + - has: + nthChild: 1 + kind: identifier + regex: ^verify$ + - has: + nthChild: 2 + kind: boolean_literal + regex: ^false$ + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - pattern: using Microsoft.IdentityModel.Tokens; + - inside: + stopBy: end + follows: + stopBy: end + any: + - kind: local_declaration_statement + has: + stopBy: end + kind: variable_declarator + all: + - has: + kind: identifier + pattern: $INST + - has: + kind: object_creation_expression + has: + kind: identifier + regex: ^JwtDecoder$ + - kind: expression_statement + all: + - has: + kind: assignment_expression + all: + - has: + nthChild: 1 + pattern: $INST + - has: + kind: object_creation_expression + has: + kind: identifier + regex: ^JwtDecoder$ + + ($D).Decode(false): + kind: invocation_expression + all: + - has: + nthChild: 1 + kind: member_access_expression + all: + - has: + nthChild: 1 + pattern: $INST + - has: + nthChild: 2 + kind: identifier + regex: ^Decode$ + - has: + nthChild: 2 + kind: argument_list + has: + kind: argument + has: + kind: boolean_literal + regex: ^false$ + any: + - nthChild: 2 + - nthChild: 3 + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - 
pattern: using JWT.Builder; + - pattern: using Microsoft.IdentityModel.Tokens; + - inside: + stopBy: end + follows: + stopBy: end + any: + - kind: local_declaration_statement + has: + stopBy: end + kind: variable_declarator + all: + - has: + kind: identifier + pattern: $INST + - has: + kind: object_creation_expression + has: + kind: identifier + regex: ^JwtDecoder$ + - kind: expression_statement + all: + - has: + kind: assignment_expression + all: + - has: + nthChild: 1 + pattern: $INST + - has: + kind: object_creation_expression + has: + kind: identifier + regex: ^JwtDecoder$ + + JwtBuilder..Decode(...): + kind: invocation_expression + all: + - not: + precedes: + stopBy: end + has: + stopBy: end + kind: member_access_expression + has: + kind: identifier + regex: ^MustVerifySignature$ + precedes: + kind: argument_list + - has: + nthChild: 1 + kind: member_access_expression + all: + - has: + stopBy: end + kind: identifier + regex: ^JwtBuilder$ + - not: + has: + stopBy: end + kind: invocation_expression + all: + - has: + kind: member_access_expression + nthChild: 1 + has: + nthChild: 2 + kind: identifier + regex: ^MustVerifySignature$ + - has: + kind: argument_list + nthChild: 2 + - has: + nthChild: 2 + kind: identifier + regex: ^Decode$ + - has: + nthChild: 2 + kind: argument_list + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - pattern: using Microsoft.IdentityModel.Tokens; + + $B. ... 
.Decode(...): + kind: invocation_expression + all: + - has: + nthChild: 1 + kind: member_access_expression + all: + - has: + stopBy: end + kind: identifier + pattern: $INST + - not: + has: + stopBy: end + kind: invocation_expression + all: + - has: + kind: member_access_expression + nthChild: 1 + has: + nthChild: 2 + kind: identifier + regex: ^MustVerifySignature$ + - has: + kind: argument_list + nthChild: 2 + - has: + nthChild: 2 + kind: identifier + regex: ^Decode$ + - has: + nthChild: 2 + kind: argument_list + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - pattern: using Microsoft.IdentityModel.Tokens; + - any: + - inside: + stopBy: end + follows: + stopBy: end + any: + - kind: expression_statement + has: + kind: assignment_expression + all: + - has: + kind: identifier + nthChild: 1 + - has: + kind: invocation_expression + pattern: JwtBuilder.Create() + - kind: local_declaration_statement + # not: + # precedes: + # stopBy: end + # has: + # stopBy: end + # kind: member_access_expression + # has: + # kind: identifier + # regex: ^MustVerifySignature$ + # precedes: + # kind: argument_list + has: + stopBy: end + kind: variable_declarator + all: + - has: + nthChild: 1 + kind: identifier + pattern: $INST + - has: + stopBy: end + kind: invocation_expression + pattern: JwtBuilder.Create() + - inside: + stopBy: end + follows: + stopBy: end + kind: expression_statement + not: + precedes: + stopBy: end + has: + stopBy: end + kind: member_access_expression + has: + kind: identifier + regex: ^MustVerifySignature$ + precedes: + kind: argument_list + has: + kind: assignment_expression + all: + - has: + nthChild: 1 + kind: identifier + pattern: $INST + - has: + stopBy: end + kind: invocation_expression + pattern: JwtBuilder.Create() + - not: + any: + - inside: + stopBy: end + follows: + stopBy: end + kind: expression_statement + any: + - has: + stopBy: end + pattern: 
MustVerifySignature() + - has: + stopBy: end + kind: member_access_expression + all: + - has: + kind: identifier + pattern: $INST + - has: + kind: identifier + regex: ^MustVerifySignature$ + precedes: + kind: argument_list + - inside: + kind: member_access_expression + all: + - has: + stopBy: end + kind: identifier + regex: ^MustVerifySignature$ + - precedes: + kind: argument_list + + new ValidationParameters() {..., ValidateSignature = false, ...}: + kind: object_creation_expression + all: + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - pattern: using Microsoft.IdentityModel.Tokens; + - has: + kind: identifier + nthChild: 1 + regex: ^ValidationParameters$ + - has: + kind: initializer_expression + has: + kind: assignment_expression + pattern: ValidateSignature = false + + $V.ValidateSignature = false: + kind: assignment_expression + all: + - has: + kind: member_access_expression + nthChild: 1 + all: + - has: + nthChild: 1 + kind: identifier + pattern: $INST + - has: + nthChild: 2 + kind: identifier + regex: ^ValidateSignature$ + - has: + nthChild: 2 + kind: boolean_literal + regex: ^false$ + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - pattern: using Microsoft.IdentityModel.Tokens; + - inside: + stopBy: end + follows: + stopBy: end + any: + - kind: local_declaration_statement + all: + - has: + stopBy: end + kind: variable_declarator + all: + - has: + kind: identifier + pattern: $INST + - has: + kind: object_creation_expression + has: + kind: identifier + regex: ^ValidationParameters$ + - kind: expression_statement + has: + kind: assignment_expression + all: + - has: + kind: identifier + pattern: $INST + - has: + kind: object_creation_expression + has: + kind: identifier + regex: ^ValidationParameters$ + + new JwtAuthenticationOptions() {..., VerifySignature = false, ...}: + kind: 
object_creation_expression + all: + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - pattern: using Microsoft.IdentityModel.Tokens; + - has: + kind: identifier + nthChild: 1 + regex: ^JwtAuthenticationOptions$ + - has: + kind: initializer_expression + has: + kind: assignment_expression + pattern: VerifySignature = false + + $V.VerifySignature = false: + kind: assignment_expression + all: + - has: + kind: member_access_expression + nthChild: 1 + all: + - has: + nthChild: 1 + kind: identifier + pattern: $INST + - has: + nthChild: 2 + kind: identifier + regex: ^VerifySignature$ + - has: + nthChild: 2 + kind: boolean_literal + regex: ^false$ + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - pattern: using Microsoft.IdentityModel.Tokens; + - inside: + stopBy: end + any: + - follows: + stopBy: end + any: + - kind: local_declaration_statement + all: + - has: + stopBy: end + kind: variable_declarator + all: + - has: + kind: identifier + pattern: $INST + - has: + kind: object_creation_expression + has: + kind: identifier + regex: ^ValidationParameters$ + - kind: expression_statement + has: + kind: assignment_expression + all: + - has: + kind: identifier + pattern: $INST + - has: + kind: object_creation_expression + has: + kind: identifier + regex: ^ValidationParameters$ + - inside: + stopBy: end + kind: argument_list + follows: + stopBy: end + kind: member_access_expression + has: + nthChild: 2 + kind: identifier + regex: ^AddJwt$ + + new TokenValidationParameters() {..., ValidateIssuerSigningKey = false, ...}: + kind: object_creation_expression + all: + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - pattern: using Microsoft.IdentityModel.Tokens; + - has: + kind: identifier + nthChild: 1 + regex: 
^TokenValidationParameters$ + - has: + kind: initializer_expression + has: + kind: assignment_expression + pattern: ValidateIssuerSigningKey = false + + $V.ValidateIssuerSigningKey = false: + kind: assignment_expression + all: + - has: + kind: member_access_expression + nthChild: 1 + all: + - has: + nthChild: 1 + kind: identifier + pattern: $INST + - has: + nthChild: 2 + kind: identifier + regex: ^ValidateIssuerSigningKey$ + - has: + nthChild: 2 + kind: boolean_literal + regex: ^false$ + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - pattern: using Microsoft.IdentityModel.Tokens; + - inside: + stopBy: end + follows: + stopBy: end + any: + - kind: local_declaration_statement + all: + - has: + stopBy: end + kind: variable_declarator + all: + - has: + kind: identifier + pattern: $INST + - has: + kind: object_creation_expression + has: + kind: identifier + regex: ^TokenValidationParameters$ + - kind: expression_statement + has: + kind: assignment_expression + all: + - has: + kind: identifier + pattern: $INST + - has: + kind: object_creation_expression + has: + kind: identifier + regex: ^TokenValidationParameters$ + +rule: + any: + - matches: (IJwtDecoder $D).Decode($X,verify-false,.) + - matches: (IJwtDecoder $D).Decode(false) + - matches: $D.Decode($X,verify-false,.) + - matches: ($D).Decode(false) + - matches: JwtBuilder..Decode(...) + - matches: $B. ... .Decode(...) + - matches: new ValidationParameters() {..., ValidateSignature = false, ...} + - matches: $V.ValidateSignature = false + - matches: new JwtAuthenticationOptions() {..., VerifySignature = false, ...} + - matches: $V.VerifySignature = false + - matches: new TokenValidationParameters() {..., ValidateIssuerSigningKey = false, ...} + - matches: $V.ValidateIssuerSigningKey = false 
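Review bot: The two `TokenValidationParameters` utils at the end of `utils` key on `ValidateIssuerSigningKey = false`, but in Microsoft.IdentityModel.Tokens that flag only controls whether the signing key itself is validated (and, as far as I recall, it is already false by default), so the rule will fire on ordinary configurations while the settings that actually skip signature checking — `RequireSignedTokens = false` and a custom `SignatureValidator` delegate that hands back the token unvalidated — are not matched at all; I would change the pattern to `RequireSignedTokens = false` and add an `any` arm for an assignment to `SignatureValidator`. The `$V.VerifySignature = false` util resolves its instance with `regex: ^ValidationParameters$` in both the declaration and the assignment arm, which looks like a copy-paste of the util above it and should be `^JwtAuthenticationOptions$`; as written, `var o = new JwtAuthenticationOptions(); o.VerifySignature = false;` is only caught when it sits inside an `AddJwt(...)` argument. The two `JwtBuilder` utils clear the finding whenever `MustVerifySignature` appears anywhere in the chain, so if the pinned JWT.NET version also exposes `DoNotVerifySignature()` / `WithVerifySignature(false)` (worth confirming), a chain that calls either of those after `MustVerifySignature()` is silently accepted. The commented-out `# not: # precedes:` block inside `$B. ... .Decode(...)` should either be deleted or get a one-line comment saying why it was disabled.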
diff --git a/rules/csharp/security/jwt-hardcoded-secret-csharp.yml b/rules/csharp/security/jwt-hardcoded-secret-csharp.yml
new file mode 100644
index 00000000..6b52764a
--- /dev/null
+++ b/rules/csharp/security/jwt-hardcoded-secret-csharp.yml
@@ -0,0 +1,682 @@ +id: jwt-hardcoded-secret-csharp +severity: warning +language: csharp +message: >- + A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy. +note: >- + [CWE-798] Use of Hard-coded Credentials. + [REFERENCES] + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + +ast-grep-essentials: true + +utils: + (IJwtEncoder $D).Encode($X, "..."): + kind: invocation_expression + all: + - has: + nthChild: 1 + kind: member_access_expression + all: + - has: + nthChild: 1 + pattern: $IJWT + - has: + nthChild: 2 + kind: identifier + regex: ^Encode$ + - has: + nthChild: 2 + kind: argument_list + has: + nthChild: + position: 2 + ofRule: + not: + kind: comment + kind: argument + has: + kind: string_literal + has: + kind: string_literal_content + - any: + - inside: + stopBy: end + follows: + stopBy: end + kind: local_declaration_statement + has: + kind: variable_declaration + all: + - has: + kind: identifier + regex: ^(IJwtEncoder|JwtEncoder)$ + - has: + kind: variable_declarator + has: + nthChild: 1 + pattern: $IJWT + - follows: + stopBy: end + kind: local_declaration_statement + has: + kind: variable_declaration + all: + - has: + kind: identifier + regex: ^(IJwtEncoder|JwtEncoder)$ + - has: + kind: variable_declarator + has: + nthChild: 1 + pattern: $IJWT + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + + (IJwtDecoder $D).Decoder($X, "..."): + kind: invocation_expression + all: + - has: + nthChild: 1 + kind: member_access_expression + all: + - has: + nthChild: 1 + pattern: $IJWT + - has: + nthChild: 2 
+ kind: identifier + regex: ^Decode$ + - has: + nthChild: 2 + kind: argument_list + has: + nthChild: + position: 2 + ofRule: + not: + kind: comment + kind: argument + has: + kind: string_literal + has: + kind: string_literal_content + - any: + - inside: + stopBy: end + follows: + stopBy: end + kind: local_declaration_statement + has: + kind: variable_declaration + all: + - has: + kind: identifier + regex: ^(IJwtDecoder|JwtDecoder)$ + - has: + kind: variable_declarator + has: + nthChild: 1 + pattern: $IJWT + - follows: + stopBy: end + kind: local_declaration_statement + has: + kind: variable_declaration + all: + - has: + kind: identifier + regex: ^(IJwtDecoder|JwtDecoder)$ + - has: + kind: variable_declarator + has: + nthChild: 1 + pattern: $IJWT + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + + (IJwtEncoder $D).Encode($X, "...")_With_Instance: + kind: invocation_expression + all: + - has: + nthChild: 1 + kind: member_access_expression + all: + - has: + nthChild: 1 + pattern: $IJWT + - has: + nthChild: 2 + kind: identifier + regex: ^Encode$ + - has: + nthChild: 2 + kind: argument_list + has: + nthChild: + position: 2 + ofRule: + not: + kind: comment + kind: argument + has: + kind: identifier + pattern: $PASS + - any: + - inside: + stopBy: end + follows: + stopBy: end + kind: local_declaration_statement + has: + kind: variable_declaration + all: + - has: + kind: identifier + regex: ^(IJwtEncoder|JwtEncoder)$ + - has: + kind: variable_declarator + has: + nthChild: 1 + pattern: $IJWT + - follows: + stopBy: end + kind: local_declaration_statement + has: + kind: variable_declaration + all: + - has: + kind: identifier + regex: ^(IJwtEncoder|JwtEncoder)$ + - has: + kind: variable_declarator + has: + nthChild: 1 + pattern: $IJWT + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - any: + - 
inside: + stopBy: end + follows: + stopBy: end + kind: local_declaration_statement + has: + stopBy: end + kind: variable_declarator + all: + - has: + kind: identifier + pattern: $PASS + - has: + kind: string_literal + has: + kind: string_literal_content + - follows: + stopBy: end + kind: local_declaration_statement + has: + stopBy: end + kind: variable_declarator + all: + - has: + kind: identifier + pattern: $PASS + - has: + kind: string_literal + has: + kind: string_literal_content + + (IJwtDecoder $D).Decoder($X, "...")_With_Instance: + kind: invocation_expression + all: + - has: + nthChild: 1 + kind: member_access_expression + all: + - has: + nthChild: 1 + pattern: $IJWT + - has: + nthChild: 2 + kind: identifier + regex: ^Decode$ + - has: + nthChild: 2 + kind: argument_list + has: + nthChild: + position: 2 + ofRule: + not: + kind: comment + kind: argument + has: + kind: identifier + pattern: $PASS + - any: + - inside: + stopBy: end + follows: + stopBy: end + kind: local_declaration_statement + has: + kind: variable_declaration + all: + - has: + kind: identifier + regex: ^(IJwtDecoder|JwtDecoder)$ + - has: + kind: variable_declarator + has: + nthChild: 1 + pattern: $IJWT + - follows: + stopBy: end + kind: local_declaration_statement + has: + kind: variable_declaration + all: + - has: + kind: identifier + regex: ^(IJwtDecoder|JwtDecoder)$ + - has: + kind: variable_declarator + has: + nthChild: 1 + pattern: $IJWT + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - any: + - inside: + stopBy: end + follows: + stopBy: end + kind: local_declaration_statement + has: + stopBy: end + kind: variable_declarator + all: + - has: + kind: identifier + pattern: $PASS + - has: + kind: string_literal + has: + kind: string_literal_content + - follows: + stopBy: end + kind: local_declaration_statement + has: + stopBy: end + kind: variable_declarator + all: + - has: + kind: identifier + pattern: 
$PASS + - has: + kind: string_literal + has: + kind: string_literal_content + + $B. ... .WithSecret("..."): + kind: invocation_expression + all: + - has: + kind: member_access_expression + nthChild: 1 + all: + - any: + - has: + kind: member_access_expression + has: + stopBy: end + pattern: $INST + nthChild: 1 + - has: + stopBy: end + pattern: $INST + + - has: + nthChild: 2 + regex: ^WithSecret$ + - has: + kind: argument_list + has: + kind: argument + nthChild: 1 + not: + has: + nthChild: 2 + has: + kind: string_literal + has: + kind: string_literal_content + - has: + kind: argument_list + nthChild: 2 + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - any: + - inside: + stopBy: end + follows: + stopBy: end + kind: local_declaration_statement + has: + stopBy: end + kind: variable_declarator + all: + - has: + nthChild: 1 + kind: identifier + pattern: $INST + - has: + any: + - kind: object_creation_expression + pattern: new JwtBuilder.Create() + - kind: invocation_expression + nthChild: 2 + pattern: JwtBuilder.Create() + - inside: + stopBy: end + follows: + stopBy: end + kind: expression_statement + has: + kind: assignment_expression + all: + - has: + kind: identifier + nthChild: 1 + pattern: $INST + - has: + any: + - kind: object_creation_expression + pattern: new JwtBuilder.Create() + - kind: invocation_expression + nthChild: 2 + pattern: JwtBuilder.Create() + + (JwtBuilder $B). ... 
.WithSecret("..."): + kind: invocation_expression + all: + - has: + kind: member_access_expression + nthChild: 1 + all: + - has: + stopBy: end + kind: identifier + regex: ^JwtBuilder$ + - has: + nthChild: 2 + regex: ^WithSecret$ + - has: + kind: argument_list + has: + kind: argument + nthChild: 1 + not: + has: + nthChild: 2 + has: + kind: string_literal + has: + kind: string_literal_content + - has: + kind: argument_list + nthChild: 2 + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + + $B. ... .WithSecret("...")_With_Instance: + kind: invocation_expression + all: + - has: + kind: member_access_expression + nthChild: 1 + all: + - has: + stopBy: end + kind: identifier + field: expression + pattern: $INST + - has: + nthChild: 2 + kind: identifier + regex: ^(WithSecret)$ + - has: + kind: argument_list + nthChild: 2 + has: + kind: argument + nthChild: 1 + not: + has: + nthChild: 2 + has: + kind: identifier + pattern: $PASS + - has: + kind: argument_list + nthChild: 2 + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - any: + - inside: + stopBy: end + follows: + stopBy: end + kind: local_declaration_statement + has: + stopBy: end + kind: variable_declarator + all: + - has: + nthChild: 1 + kind: identifier + pattern: $INST + - has: + nthChild: 2 + kind: invocation_expression + pattern: JwtBuilder.Create() + - inside: + stopBy: end + follows: + stopBy: end + kind: expression_statement + has: + kind: assignment_expression + all: + - has: + kind: identifier + nthChild: 1 + pattern: $INST + - has: + kind: invocation_expression + nthChild: 2 + pattern: JwtBuilder.Create() + - inside: + stopBy: end + follows: + stopBy: end + kind: local_declaration_statement + has: + stopBy: end + kind: variable_declarator + all: + - has: + kind: identifier + pattern: $PASS + nthChild: 1 + - has: + nthChild: 2 + kind: 
string_literal + has: + kind: string_literal_content + + (JwtBuilder $B). ... .WithSecret("...")_With_Instance: + kind: invocation_expression + all: + - has: + kind: member_access_expression + nthChild: 1 + all: + - has: + stopBy: end + kind: identifier + regex: ^JwtBuilder$ + - has: + nthChild: 2 + regex: ^WithSecret$ + - has: + kind: argument_list + has: + kind: argument + nthChild: 1 + not: + has: + nthChild: 2 + has: + kind: identifier + pattern: $PASS + - has: + kind: argument_list + nthChild: 2 + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - inside: + stopBy: end + follows: + stopBy: end + kind: local_declaration_statement + has: + stopBy: end + kind: variable_declarator + all: + - has: + kind: identifier + pattern: $PASS + nthChild: 1 + - has: + nthChild: 2 + kind: string_literal + has: + kind: string_literal_content + + (JwtBuilder $B). ... .WithSecret("...")_With_Instance2: + kind: invocation_expression + all: + - has: + kind: member_access_expression + nthChild: 1 + all: + - has: + stopBy: end + kind: identifier + pattern: $INST + - has: + nthChild: 2 + regex: ^WithSecret$ + - has: + kind: argument_list + has: + kind: argument + nthChild: 1 + not: + has: + nthChild: 2 + has: + kind: string_literal + has: + kind: string_literal_content + - has: + kind: argument_list + nthChild: 2 + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - inside: + stopBy: end + follows: + stopBy: end + kind: local_declaration_statement + has: + stopBy: end + kind: variable_declaration + all: + - has: + nthChild: 1 + kind: identifier + regex: ^JwtBuilder$ + - has: + kind: variable_declarator + has: + kind: identifier + pattern: $INST + +rule: + any: + - matches: (JwtBuilder $B). ... 
.WithSecret("...")_With_Instance2
+ - matches: (IJwtEncoder $D).Encode($X, "...")
+ - matches: (IJwtDecoder $D).Decoder($X, "...")
+ - matches: (IJwtEncoder $D).Encode($X, "...")_With_Instance
+ - matches: (IJwtDecoder $D).Decoder($X, "...")_With_Instance
+ - matches: $B. ... .WithSecret("...")
+ - matches: (JwtBuilder $B). ... .WithSecret("...")
+ - matches: $B. ... .WithSecret("...")_With_Instance
+ - matches: (JwtBuilder $B). ... .WithSecret("...")_With_Instance
diff --git a/tests/__snapshots__/jwt-decode-without-verify-csharp-snapshot.yml b/tests/__snapshots__/jwt-decode-without-verify-csharp-snapshot.yml
new file mode 100644
index 00000000..1207e061
--- /dev/null
+++ b/tests/__snapshots__/jwt-decode-without-verify-csharp-snapshot.yml
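Review bot: Every `_With_Instance` util here resolves `$PASS` only through a `local_declaration_statement` whose initializer is a `string_literal`, so the most common shape of this finding — a `private const string` or `static readonly` field holding the secret, or a literal written as `@"..."` or `"""..."""` (which tree-sitter-c-sharp parses as `verbatim_string_literal` / `raw_string_literal`, check the grammar version the corpus pins) — produces no match in either the `Encode`/`Decode` or the `WithSecret` utils. I would add a `field_declaration` arm beside each `local_declaration_statement` arm and widen the literal check to `any: [{kind: string_literal}, {kind: verbatim_string_literal}, {kind: raw_string_literal}]`. The `Encode` utils also pin the secret to argument `position: 2`, which misses JWT.NET's three-argument `Encode(extraHeaders, payload, key)` overload where the key is the third argument, and the utils named `Decoder(...)` actually match `^Decode$`, so the names are misleading. Finally, `pattern: new JwtBuilder.Create()` under `object_creation_expression` is not valid C# and can never match; it can be dropped from both `any` lists.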
@@ -0,0 +1,907 @@ +id: jwt-decode-without-verify-csharp +snapshots: + ? | + using JWT; + using JWT.Builder; + using Microsoft.IdentityModel.Tokens; + namespace Example.Foobar + { + public class JwtTestPatterns{ + public void JwtTest1(){ + IJsonSerializer serializer = new JsonNetSerializer(); + IDateTimeProvider provider = new UtcDateTimeProvider(); + IJwtValidator validator = new JwtValidator(serializer, provider); + IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); + IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); + IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); + var json1 = decoder.Decode(token, verify: false); + } + } + } + : labels: + - source: 'decoder.Decode(token, verify: false)' + style: primary + start: 580 + end: 616 + - source: decoder + style: secondary + start: 580 + end: 587 + - source: Decode + style: secondary + start: 588 + end: 594 + - source: decoder.Decode + style: secondary + start: 580 + end: 594 + - source: verify + style: secondary + start: 602 + end: 608 + - source: 'false' + style: secondary + start: 610 + end: 615 + - source: 'verify: false' + style: secondary + start: 602 + end: 615 + - source: '(token, verify: false)' + style: secondary + start: 594 + end: 616 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: IJwtDecoder + style: secondary + start: 478 + end: 489 + - source: decoder + style: secondary + start: 490 + end: 497 + - source: decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm) + style: secondary + start: 490 + end: 560 + - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm) + style: secondary + start: 478 + end: 560 + - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); + style: secondary + start: 478 + end: 561 + - source: IJwtDecoder 
decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); + style: secondary + start: 478 + end: 561 + ? | + using JWT; + using JWT.Builder; + using Microsoft.IdentityModel.Tokens; + namespace Example.Foobar + { + public class JwtTestPatterns{ + public void JwtTest1(){ + IJsonSerializer serializer = new JsonNetSerializer(); + IDateTimeProvider provider = new UtcDateTimeProvider(); + IJwtValidator validator = new JwtValidator(serializer, provider); + IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); + IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); + IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); + var json2 = decoder.Decode(token, null, false); + Console.WriteLine(json); + } + } + } + : labels: + - source: decoder.Decode(token, null, false) + style: primary + start: 580 + end: 614 + - source: decoder + style: secondary + start: 580 + end: 587 + - source: Decode + style: secondary + start: 588 + end: 594 + - source: decoder.Decode + style: secondary + start: 580 + end: 594 + - source: 'false' + style: secondary + start: 608 + end: 613 + - source: 'false' + style: secondary + start: 608 + end: 613 + - source: (token, null, false) + style: secondary + start: 594 + end: 614 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: IJwtDecoder + style: secondary + start: 478 + end: 489 + - source: decoder + style: secondary + start: 490 + end: 497 + - source: decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm) + style: secondary + start: 490 + end: 560 + - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm) + style: secondary + start: 478 + end: 560 + - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); + style: secondary + start: 478 + end: 561 + - source: IJwtDecoder decoder 
= new JwtDecoder(serializer, validator, urlEncoder, algorithm); + style: secondary + start: 478 + end: 561 + ? | + using JWT; + using JWT.Builder; + using Microsoft.IdentityModel.Tokens; + namespace Example.Foobar + { + public class JwtTestPatterns{ + public void JwtTest10(){ + var builder = JwtBuilder.Create(); + var json = builder.WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key) + .Decode(token); + Console.WriteLine(json); + } + } + } + : labels: + - source: |- + builder.WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key) + .Decode(token) + style: primary + start: 214 + end: 342 + - source: builder + style: secondary + start: 214 + end: 221 + - source: Decode + style: secondary + start: 329 + end: 335 + - source: |- + builder.WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key) + .Decode + style: secondary + start: 214 + end: 335 + - source: (token) + style: secondary + start: 335 + end: 342 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: builder + style: secondary + start: 166 + end: 173 + - source: JwtBuilder.Create() + style: secondary + start: 176 + end: 195 + - source: builder = JwtBuilder.Create() + style: secondary + start: 166 + end: 195 + - source: var builder = JwtBuilder.Create(); + style: secondary + start: 162 + end: 196 + - source: var builder = JwtBuilder.Create(); + style: secondary + start: 162 + end: 196 + ? 
| + using JWT; + using JWT.Builder; + using Microsoft.IdentityModel.Tokens; + namespace Example.Foobar + { + public class JwtTestPatterns{ + public void JwtTest11(){ + var builder = JwtBuilder.Create(); + var json = builder.WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key) + .Decode(token, verify: false); + Console.WriteLine(json); + } + } + } + : labels: + - source: |- + builder.WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key) + .Decode(token, verify: false) + style: primary + start: 214 + end: 357 + - source: builder + style: secondary + start: 214 + end: 221 + - source: Decode + style: secondary + start: 329 + end: 335 + - source: |- + builder.WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key) + .Decode + style: secondary + start: 214 + end: 335 + - source: '(token, verify: false)' + style: secondary + start: 335 + end: 357 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: builder + style: secondary + start: 166 + end: 173 + - source: JwtBuilder.Create() + style: secondary + start: 176 + end: 195 + - source: builder = JwtBuilder.Create() + style: secondary + start: 166 + end: 195 + - source: var builder = JwtBuilder.Create(); + style: secondary + start: 162 + end: 196 + - source: var builder = JwtBuilder.Create(); + style: secondary + start: 162 + end: 196 + ? 
| + using JWT; + using JWT.Builder; + using Microsoft.IdentityModel.Tokens; + namespace Example.Foobar + { + public class JwtTestPatterns{ + public void JwtTest13(){ + var validationParameters = new ValidationParameters + { + ValidateSignature = false, + ValidateExpirationTime = false, + ValidateIssuedTime = false, + TimeMargin = 100 + }; + } + } + } + : labels: + - source: |- + new ValidationParameters + { + ValidateSignature = false, + ValidateExpirationTime = false, + ValidateIssuedTime = false, + TimeMargin = 100 + } + style: primary + start: 189 + end: 373 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: ValidationParameters + style: secondary + start: 193 + end: 213 + - source: ValidateSignature = false + style: secondary + start: 232 + end: 257 + - source: |- + { + ValidateSignature = false, + ValidateExpirationTime = false, + ValidateIssuedTime = false, + TimeMargin = 100 + } + style: secondary + start: 220 + end: 373 + ? 
| + using JWT; + using JWT.Builder; + using Microsoft.IdentityModel.Tokens; + namespace Example.Foobar + { + public class JwtTestPatterns{ + public void JwtTest15(){ + var builder = JwtBuilder.Create() + .WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key); + var json = builder.Decode(token); + Console.WriteLine(json); + } + } + } + : labels: + - source: builder.Decode(token) + style: primary + start: 293 + end: 314 + - source: builder + style: secondary + start: 293 + end: 300 + - source: Decode + style: secondary + start: 301 + end: 307 + - source: builder.Decode + style: secondary + start: 293 + end: 307 + - source: (token) + style: secondary + start: 307 + end: 314 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: builder + style: secondary + start: 166 + end: 173 + - source: JwtBuilder.Create() + style: secondary + start: 176 + end: 195 + - source: |- + builder = JwtBuilder.Create() + .WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key) + style: secondary + start: 166 + end: 274 + - source: |- + var builder = JwtBuilder.Create() + .WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key); + style: secondary + start: 162 + end: 275 + - source: |- + var builder = JwtBuilder.Create() + .WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key); + style: secondary + start: 162 + end: 275 + ? 
| + using JWT; + using JWT.Builder; + using Microsoft.IdentityModel.Tokens; + namespace Example.Foobar + { + public class JwtTestPatterns{ + public void JwtTest17(){ + var options = new JwtAuthenticationOptions + { + VerifySignature = false + }; + Console.WriteLine("JWT Authentication setup with signature verification disabled."); + } + } + } + : labels: + - source: |- + new JwtAuthenticationOptions + { + VerifySignature = false + } + style: primary + start: 176 + end: 254 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: JwtAuthenticationOptions + style: secondary + start: 180 + end: 204 + - source: VerifySignature = false + style: secondary + start: 223 + end: 246 + - source: |- + { + VerifySignature = false + } + style: secondary + start: 211 + end: 254 + ? | + using JWT; + using JWT.Builder; + using Microsoft.IdentityModel.Tokens; + namespace Example.Foobar + { + public class JwtTestPatterns{ + public void JwtTest18(){ + var validationParameters = new TokenValidationParameters + { + ValidateIssuerSigningKey = false, + ValidateIssuer = true, + ValidateAudience = true + }; + var tokenHandler = new JwtSecurityTokenHandler(); + var json = tokenHandler.ValidateToken(token, validationParameters, out var validatedToken); + Console.WriteLine(json); + } + } + } + : labels: + - source: |- + new TokenValidationParameters + { + ValidateIssuerSigningKey = false, + ValidateIssuer = true, + ValidateAudience = true + } + style: primary + start: 189 + end: 345 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: TokenValidationParameters + style: secondary + start: 193 + end: 218 + - source: ValidateIssuerSigningKey = false + style: secondary + start: 237 + end: 269 + - source: |- + { + 
ValidateIssuerSigningKey = false, + ValidateIssuer = true, + ValidateAudience = true + } + style: secondary + start: 225 + end: 345 + ? | + using JWT; + using JWT.Builder; + using Microsoft.IdentityModel.Tokens; + namespace Example.Foobar + { + public class JwtTestPatterns{ + public void JwtTest19(){ + var validationParameters = new TokenValidationParameters + { + ValidateIssuerSigningKey = false, + ValidateIssuer = true, + ValidateAudience = true + }; + Console.WriteLine("JWT decode with validation params where signature validation is disabled."); + } + } + } + : labels: + - source: |- + new TokenValidationParameters + { + ValidateIssuerSigningKey = false, + ValidateIssuer = true, + ValidateAudience = true + } + style: primary + start: 189 + end: 345 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: TokenValidationParameters + style: secondary + start: 193 + end: 218 + - source: ValidateIssuerSigningKey = false + style: secondary + start: 237 + end: 269 + - source: |- + { + ValidateIssuerSigningKey = false, + ValidateIssuer = true, + ValidateAudience = true + } + style: secondary + start: 225 + end: 345 + ? 
"using JWT;\nusing JWT.Builder;\nusing Microsoft.IdentityModel.Tokens;\nnamespace Example.Foobar\n{\n public class JwtTestPatterns{\n public void JwtTest19(){\n var validationParameters = new TokenValidationParameters\n {\n ValidateIssuerSigningKey = false, \n ValidateIssuer = true,\n ValidateAudience = true\n };\n Console.WriteLine(\"JWT decode with validation params where signature validation is disabled.\");\n }\n }\n}\n" + : labels: + - source: "new TokenValidationParameters\n {\n ValidateIssuerSigningKey = false, \n ValidateIssuer = true,\n ValidateAudience = true\n }" + style: primary + start: 189 + end: 346 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: TokenValidationParameters + style: secondary + start: 193 + end: 218 + - source: ValidateIssuerSigningKey = false + style: secondary + start: 237 + end: 269 + - source: "{\n ValidateIssuerSigningKey = false, \n ValidateIssuer = true,\n ValidateAudience = true\n }" + style: secondary + start: 225 + end: 346 + ? 
| + using JWT; + using JWT.Builder; + using Microsoft.IdentityModel.Tokens; + namespace Example.Foobar + { + public class JwtTestPatterns{ + public void JwtTest2(){ + var json = JwtBuilder.Create() + .WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key) + .Decode(token); + Console.WriteLine(json); + } + } + } + : labels: + - source: |- + JwtBuilder.Create() + .WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key) + .Decode(token) + style: primary + start: 174 + end: 303 + - source: JwtBuilder + style: secondary + start: 174 + end: 184 + - source: Decode + style: secondary + start: 290 + end: 296 + - source: |- + JwtBuilder.Create() + .WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key) + .Decode + style: secondary + start: 174 + end: 296 + - source: (token) + style: secondary + start: 296 + end: 303 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + ? 
| + using JWT; + using JWT.Builder; + using Microsoft.IdentityModel.Tokens; + namespace Example.Foobar + { + public class JwtTestPatterns{ + public void JwtTest3(){ + var builder = JwtBuilder.Create(); + var json = builder + .WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key) + .Decode(token); + Console.WriteLine(json); + } + } + } + : labels: + - source: |- + builder + .WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key) + .Decode(token) + style: primary + start: 213 + end: 324 + - source: builder + style: secondary + start: 213 + end: 220 + - source: Decode + style: secondary + start: 311 + end: 317 + - source: |- + builder + .WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key) + .Decode + style: secondary + start: 213 + end: 317 + - source: (token) + style: secondary + start: 317 + end: 324 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: builder + style: secondary + start: 165 + end: 172 + - source: JwtBuilder.Create() + style: secondary + start: 175 + end: 194 + - source: builder = JwtBuilder.Create() + style: secondary + start: 165 + end: 194 + - source: var builder = JwtBuilder.Create(); + style: secondary + start: 161 + end: 195 + - source: var builder = JwtBuilder.Create(); + style: secondary + start: 161 + end: 195 + ? 
| + using JWT; + using JWT.Builder; + using Microsoft.IdentityModel.Tokens; + namespace Example.Foobar + { + public class JwtTestPatterns{ + public void JwtTest7(){ + IJsonSerializer serializer = new JsonNetSerializer(); + IDateTimeProvider provider = new UtcDateTimeProvider(); + IJwtValidator validator = new JwtValidator(serializer, provider); + IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); + IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); + IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); + var json = decoder.Decode(token, verify: false); + Console.WriteLine(json); + } + } + } + : labels: + - source: 'decoder.Decode(token, verify: false)' + style: primary + start: 579 + end: 615 + - source: decoder + style: secondary + start: 579 + end: 586 + - source: Decode + style: secondary + start: 587 + end: 593 + - source: decoder.Decode + style: secondary + start: 579 + end: 593 + - source: verify + style: secondary + start: 601 + end: 607 + - source: 'false' + style: secondary + start: 609 + end: 614 + - source: 'verify: false' + style: secondary + start: 601 + end: 614 + - source: '(token, verify: false)' + style: secondary + start: 593 + end: 615 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: IJwtDecoder + style: secondary + start: 478 + end: 489 + - source: decoder + style: secondary + start: 490 + end: 497 + - source: decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm) + style: secondary + start: 490 + end: 560 + - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm) + style: secondary + start: 478 + end: 560 + - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); + style: secondary + start: 478 + end: 561 + - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, 
urlEncoder, algorithm); + style: secondary + start: 478 + end: 561 + ? | + using JWT; + using JWT.Builder; + using Microsoft.IdentityModel.Tokens; + namespace Example.Foobar + { + public class JwtTestPatterns{ + public void JwtTest9(){ + var decoder = new JwtDecoder(new JsonNetSerializer(), new JwtValidator(new JsonNetSerializer(), new UtcDateTimeProvider()), new JwtBase64UrlEncoder(), new HMACSHA256Algorithm()); + var json = decoder.Decode(token, null, false); // decode with no signature verification + Console.WriteLine(json); + } + } + } + : labels: + - source: decoder.Decode(token, null, false) + style: primary + start: 357 + end: 391 + - source: decoder + style: secondary + start: 357 + end: 364 + - source: Decode + style: secondary + start: 365 + end: 371 + - source: decoder.Decode + style: secondary + start: 357 + end: 371 + - source: 'false' + style: secondary + start: 385 + end: 390 + - source: 'false' + style: secondary + start: 385 + end: 390 + - source: (token, null, false) + style: secondary + start: 371 + end: 391 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: decoder + style: secondary + start: 165 + end: 172 + - source: JwtDecoder + style: secondary + start: 179 + end: 189 + - source: new JwtDecoder(new JsonNetSerializer(), new JwtValidator(new JsonNetSerializer(), new UtcDateTimeProvider()), new JwtBase64UrlEncoder(), new HMACSHA256Algorithm()) + style: secondary + start: 175 + end: 338 + - source: decoder = new JwtDecoder(new JsonNetSerializer(), new JwtValidator(new JsonNetSerializer(), new UtcDateTimeProvider()), new JwtBase64UrlEncoder(), new HMACSHA256Algorithm()) + style: secondary + start: 165 + end: 338 + - source: var decoder = new JwtDecoder(new JsonNetSerializer(), new JwtValidator(new JsonNetSerializer(), new UtcDateTimeProvider()), new JwtBase64UrlEncoder(), new HMACSHA256Algorithm()); + 
style: secondary + start: 161 + end: 339 + - source: var decoder = new JwtDecoder(new JsonNetSerializer(), new JwtValidator(new JsonNetSerializer(), new UtcDateTimeProvider()), new JwtBase64UrlEncoder(), new HMACSHA256Algorithm()); + style: secondary + start: 161 + end: 339 diff --git a/tests/__snapshots__/jwt-hardcoded-secret-csharp-snapshot.yml b/tests/__snapshots__/jwt-hardcoded-secret-csharp-snapshot.yml new file mode 100644 index 00000000..5794fa21 --- /dev/null +++ b/tests/__snapshots__/jwt-hardcoded-secret-csharp-snapshot.yml 
@@ -0,0 +1,468 @@ +id: jwt-hardcoded-secret-csharp +snapshots: + ? | + using JWT; + using JWT.Builder; + namespace Example.Foobar; + public class Foobar{ + public void JwtTest1(){ + var payload = new Dictionary + { + { "claim1", 0 }, + { "claim2", "claim2-value" } + }; + IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); + IJsonSerializer serializer = new JsonNetSerializer(); + IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); + IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); + const string key = "razdvatri"; + var token = encoder.Encode(payload, key); + Console.WriteLine(token); + } + } + : labels: + - source: encoder.Encode(payload, key) + style: primary + start: 533 + end: 561 + - source: encoder + style: secondary + start: 533 + end: 540 + - source: Encode + style: secondary + start: 541 + end: 547 + - source: encoder.Encode + style: secondary + start: 533 + end: 547 + - source: key + style: secondary + start: 557 + end: 560 + - source: key + style: secondary + start: 557 + end: 560 + - source: (payload, key) + style: secondary + start: 547 + end: 561 + - source: IJwtEncoder + style: secondary + start: 408 + end: 419 + - source: encoder + style: secondary + start: 420 + end: 427 + - source: encoder = new JwtEncoder(algorithm, serializer, urlEncoder) + style: secondary + start: 420 + end: 479 + - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder) + style: secondary + start: 408 + end: 479 + - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); + style: secondary + start: 408 + end: 480 + - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); + style: secondary + start: 408 + end: 480 + - source: using JWT.Builder; + style: secondary + start: 11 + end: 29 + - source: using JWT.Builder; + style: secondary + start: 11 + end: 29 + - source: key + style: secondary + start: 498 + end: 501 + - source: razdvatri + style: secondary + start: 505 + end: 
514 + - source: '"razdvatri"' + style: secondary + start: 504 + end: 515 + - source: key = "razdvatri" + style: secondary + start: 498 + end: 515 + - source: const string key = "razdvatri"; + style: secondary + start: 485 + end: 516 + - source: const string key = "razdvatri"; + style: secondary + start: 485 + end: 516 + ? | + using JWT; + using JWT.Builder; + namespace Example.Foobar; + public class Foobar{ + public void JwtTest13(){ + IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); + IJsonSerializer serializer = new JsonNetSerializer(); + IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); + IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); + var token = encoder.Encode(new Dictionary + { + { "user", "alice" }, + { "permissions", "read, write" } + }, "hardcodedJWTSecret987"); + Console.WriteLine(token); + } + } + : labels: + - source: |- + encoder.Encode(new Dictionary + { + { "user", "alice" }, + { "permissions", "read, write" } + }, "hardcodedJWTSecret987") + style: primary + start: 374 + end: 527 + - source: encoder + style: secondary + start: 374 + end: 381 + - source: Encode + style: secondary + start: 382 + end: 388 + - source: encoder.Encode + style: secondary + start: 374 + end: 388 + - source: hardcodedJWTSecret987 + style: secondary + start: 504 + end: 525 + - source: '"hardcodedJWTSecret987"' + style: secondary + start: 503 + end: 526 + - source: '"hardcodedJWTSecret987"' + style: secondary + start: 503 + end: 526 + - source: |- + (new Dictionary + { + { "user", "alice" }, + { "permissions", "read, write" } + }, "hardcodedJWTSecret987") + style: secondary + start: 388 + end: 527 + - source: IJwtEncoder + style: secondary + start: 285 + end: 296 + - source: encoder + style: secondary + start: 297 + end: 304 + - source: encoder = new JwtEncoder(algorithm, serializer, urlEncoder) + style: secondary + start: 297 + end: 356 + - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder) + style: secondary 
+ start: 285 + end: 356 + - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); + style: secondary + start: 285 + end: 357 + - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); + style: secondary + start: 285 + end: 357 + - source: using JWT.Builder; + style: secondary + start: 11 + end: 29 + - source: using JWT.Builder; + style: secondary + start: 11 + end: 29 + ? | + using JWT; + using JWT.Builder; + namespace Example.Foobar; + public class Foobar{ + public void JwtTest17(){ + IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); + IJsonSerializer serializer = new JsonNetSerializer(); + IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); + IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); + var token = encoder.Encode(new Dictionary + { + { "sub", "user123" }, + { "scope", "admin" } + }, "secretkey2024"); + + Console.WriteLine(token); + } + } + : labels: + - source: |- + encoder.Encode(new Dictionary + { + { "sub", "user123" }, + { "scope", "admin" } + }, "secretkey2024") + style: primary + start: 374 + end: 508 + - source: encoder + style: secondary + start: 374 + end: 381 + - source: Encode + style: secondary + start: 382 + end: 388 + - source: encoder.Encode + style: secondary + start: 374 + end: 388 + - source: secretkey2024 + style: secondary + start: 493 + end: 506 + - source: '"secretkey2024"' + style: secondary + start: 492 + end: 507 + - source: '"secretkey2024"' + style: secondary + start: 492 + end: 507 + - source: |- + (new Dictionary + { + { "sub", "user123" }, + { "scope", "admin" } + }, "secretkey2024") + style: secondary + start: 388 + end: 508 + - source: IJwtEncoder + style: secondary + start: 285 + end: 296 + - source: encoder + style: secondary + start: 297 + end: 304 + - source: encoder = new JwtEncoder(algorithm, serializer, urlEncoder) + style: secondary + start: 297 + end: 356 + - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, 
urlEncoder) + style: secondary + start: 285 + end: 356 + - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); + style: secondary + start: 285 + end: 357 + - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); + style: secondary + start: 285 + end: 357 + - source: using JWT.Builder; + style: secondary + start: 11 + end: 29 + - source: using JWT.Builder; + style: secondary + start: 11 + end: 29 + ? | + using JWT; + using JWT.Builder; + namespace Example.Foobar; + public class Foobar{ + public void JwtTest2(){ + IJsonSerializer serializer = new JsonNetSerializer(); + IDateTimeProvider provider = new UtcDateTimeProvider(); + IJwtValidator validator = new JwtValidator(serializer, provider); + IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); + IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); + IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); + var json = decoder.Decode(token, "secret123"); + Console.WriteLine(json); + } + } + : labels: + - source: decoder.Decode(token, "secret123") + style: primary + start: 513 + end: 547 + - source: decoder + style: secondary + start: 513 + end: 520 + - source: Decode + style: secondary + start: 521 + end: 527 + - source: decoder.Decode + style: secondary + start: 513 + end: 527 + - source: secret123 + style: secondary + start: 536 + end: 545 + - source: '"secret123"' + style: secondary + start: 535 + end: 546 + - source: '"secret123"' + style: secondary + start: 535 + end: 546 + - source: (token, "secret123") + style: secondary + start: 527 + end: 547 + - source: IJwtDecoder + style: secondary + start: 414 + end: 425 + - source: decoder + style: secondary + start: 426 + end: 433 + - source: decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm) + style: secondary + start: 426 + end: 496 + - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm) + style: secondary + start: 414 + 
end: 496 + - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); + style: secondary + start: 414 + end: 497 + - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); + style: secondary + start: 414 + end: 497 + - source: using JWT.Builder; + style: secondary + start: 11 + end: 29 + - source: using JWT.Builder; + style: secondary + start: 11 + end: 29 + ? | + using JWT; + using JWT.Builder; + namespace Example.Foobar; + public class Foobar{ + public void JwtTest20(){ + IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); + IJsonSerializer serializer = new JsonNetSerializer(); + IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); + IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); + var token = encoder.Encode(new Dictionary + { + { "userId", "999" }, + { "role", "admin" } + }, "hardcodedTokenSecret987"); + Console.WriteLine(token); + } + } + : labels: + - source: |- + encoder.Encode(new Dictionary + { + { "userId", "999" }, + { "role", "admin" } + }, "hardcodedTokenSecret987") + style: primary + start: 374 + end: 516 + - source: encoder + style: secondary + start: 374 + end: 381 + - source: Encode + style: secondary + start: 382 + end: 388 + - source: encoder.Encode + style: secondary + start: 374 + end: 388 + - source: hardcodedTokenSecret987 + style: secondary + start: 491 + end: 514 + - source: '"hardcodedTokenSecret987"' + style: secondary + start: 490 + end: 515 + - source: '"hardcodedTokenSecret987"' + style: secondary + start: 490 + end: 515 + - source: |- + (new Dictionary + { + { "userId", "999" }, + { "role", "admin" } + }, "hardcodedTokenSecret987") + style: secondary + start: 388 + end: 516 + - source: IJwtEncoder + style: secondary + start: 285 + end: 296 + - source: encoder + style: secondary + start: 297 + end: 304 + - source: encoder = new JwtEncoder(algorithm, serializer, urlEncoder) + style: secondary + start: 297 + end: 356 + - source: 
IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder) + style: secondary + start: 285 + end: 356 + - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); + style: secondary + start: 285 + end: 357 + - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); + style: secondary + start: 285 + end: 357 + - source: using JWT.Builder; + style: secondary + start: 11 + end: 29 + - source: using JWT.Builder; + style: secondary + start: 11 + end: 29 diff --git a/tests/csharp/jwt-decode-without-verify-csharp-test.yml b/tests/csharp/jwt-decode-without-verify-csharp-test.yml new file mode 100644 index 00000000..1d419c16 --- /dev/null +++ b/tests/csharp/jwt-decode-without-verify-csharp-test.yml 
@@ -0,0 +1,262 @@
+id: jwt-decode-without-verify-csharp
+valid:
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void OkJwtTest2()
+ {
+ var json = JwtBuilder.Create()
+ .WithAlgorithm(new HMACSHA256Algorithm())
+ .MustVerifySignature()
+ .WithSecret(key)
+ .Decode(token);
+ Console.WriteLine(json);
+ }
+ }
+ }
+invalid:
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void JwtTest7(){
+ IJsonSerializer serializer = new JsonNetSerializer();
+ IDateTimeProvider provider = new UtcDateTimeProvider();
+ IJwtValidator validator = new JwtValidator(serializer, provider);
+ IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder();
+ IJwtAlgorithm algorithm = new HMACSHA256Algorithm();
+ IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm);
+ var json = decoder.Decode(token, verify: false);
+ Console.WriteLine(json);
+ }
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void JwtTest9(){
+ var decoder = new JwtDecoder(new JsonNetSerializer(), new JwtValidator(new JsonNetSerializer(), new UtcDateTimeProvider()), new JwtBase64UrlEncoder(), new HMACSHA256Algorithm());
+ var json = decoder.Decode(token, null, false); // decode with no signature verification
+ Console.WriteLine(json);
+ }
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void JwtTest10(){
+ var builder = JwtBuilder.Create();
+ var json = builder.WithAlgorithm(new HMACSHA256Algorithm())
+ .WithSecret(key)
+ .Decode(token);
+ Console.WriteLine(json);
+ }
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void JwtTest11(){
+ var builder = JwtBuilder.Create();
+ var json = builder.WithAlgorithm(new HMACSHA256Algorithm())
+ .WithSecret(key)
+ .Decode(token, verify: false);
+ Console.WriteLine(json);
+ }
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void JwtTest13(){
+ var validationParameters = new ValidationParameters
+ {
+ ValidateSignature = false,
+ ValidateExpirationTime = false,
+ ValidateIssuedTime = false,
+ TimeMargin = 100
+ };
+ }
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void JwtTest15(){
+ var builder = JwtBuilder.Create()
+ .WithAlgorithm(new HMACSHA256Algorithm())
+ .WithSecret(key);
+ var json = builder.Decode(token);
+ Console.WriteLine(json);
+ }
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void JwtTest17(){
+ var options = new JwtAuthenticationOptions
+ {
+ VerifySignature = false
+ };
+ Console.WriteLine("JWT Authentication setup with signature verification disabled.");
+ }
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void JwtTest18(){
+ var validationParameters = new TokenValidationParameters
+ {
+ ValidateIssuerSigningKey = false,
+ ValidateIssuer = true,
+ ValidateAudience = true
+ };
+ var tokenHandler = new JwtSecurityTokenHandler();
+ var json = tokenHandler.ValidateToken(token, validationParameters, out var validatedToken);
+ Console.WriteLine(json);
+ }
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void JwtTest19(){
+ var validationParameters = new TokenValidationParameters
+ {
+ ValidateIssuerSigningKey = false,
+ ValidateIssuer = true,
+ ValidateAudience = true
+ };
+ Console.WriteLine("JWT decode with validation params where signature validation is disabled.");
+ }
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void JwtTest19(){
+ var validationParameters = new TokenValidationParameters
+ {
+ ValidateIssuerSigningKey = false,
+ ValidateIssuer = true,
+ ValidateAudience = true
+ };
+ Console.WriteLine("JWT decode with validation params where signature validation is disabled.");
+ }
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void JwtTest1(){
+ IJsonSerializer serializer = new JsonNetSerializer();
+ IDateTimeProvider provider = new UtcDateTimeProvider();
+ IJwtValidator validator = new JwtValidator(serializer, provider);
+ IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder();
+ IJwtAlgorithm algorithm = new HMACSHA256Algorithm();
+ IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm);
+ var json1 = decoder.Decode(token, verify: false);
+ }
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void JwtTest1(){
+ IJsonSerializer serializer = new JsonNetSerializer();
+ IDateTimeProvider provider = new UtcDateTimeProvider();
+ IJwtValidator validator = new JwtValidator(serializer, provider);
+ IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder();
+ IJwtAlgorithm algorithm = new HMACSHA256Algorithm();
+ IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm);
+ var json2 = decoder.Decode(token, null, false);
+ Console.WriteLine(json);
+ }
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void JwtTest2(){
+ var json = JwtBuilder.Create()
+ .WithAlgorithm(new HMACSHA256Algorithm())
+ .WithSecret(key)
+ .Decode(token);
+ Console.WriteLine(json);
+ }
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void JwtTest3(){
+ var builder = JwtBuilder.Create();
+ var json = builder
+ .WithAlgorithm(new HMACSHA256Algorithm())
+ .WithSecret(key)
+ .Decode(token);
+ Console.WriteLine(json);
+ }
+ }
+ }
diff --git a/tests/csharp/jwt-hardcoded-secret-csharp-test.yml b/tests/csharp/jwt-hardcoded-secret-csharp-test.yml
new file mode 100644
index 00000000..6cfdcae2
--- /dev/null
+++ b/tests/csharp/jwt-hardcoded-secret-csharp-test.yml
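Review bot: The invalid cases JwtTest18 and both copies of JwtTest19 treat `ValidateIssuerSigningKey = false` as disabling signature validation (the embedded `Console.WriteLine` string even says "signature validation is disabled"), but in Microsoft.IdentityModel.Tokens that flag only decides whether the signing key itself is validated and it is already false by default; the signature check is skipped by `RequireSignedTokens = false` or a permissive `SignatureValidator` delegate. Add an invalid case built on `RequireSignedTokens = false` so the test exercises the setting that actually removes the signature check, and reword the JwtTest18/19 string to `"JWT validation params with signing-key validation disabled."` or drop the claim, otherwise the expectation documents a wrong model of the API. JwtTest19 is listed twice verbatim in the invalid section, so the duplicate adds nothing and can go. The valid section holds a single case and every sample carries `using Microsoft.IdentityModel.Tokens;`; add negatives such as `decoder.Decode(token, verify: true)`, `new TokenValidationParameters { RequireSignedTokens = true }` and a JWT.Net-only file without that directive so the rule's precision is pinned as well as its recall.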
@@ -0,0 +1,105 @@
+id: jwt-hardcoded-secret-csharp
+valid:
+ - |
+ public void OkJwtTest6(){
+ string secret = GetSecretFromEnvironmentVariable();
+ var token = JwtBuilder.Create()
+ .WithAlgorithm(new HMACSHA256Algorithm())
+ .WithSecret(secret)
+ .AddClaim("user", "george")
+ .AddClaim("permissions", "full_access")
+ .Encode();
+ Console.WriteLine(token);
+ }
+invalid:
+ - |
+ using JWT;
+ using JWT.Builder;
+ namespace Example.Foobar;
+ public class Foobar{
+ public void JwtTest13(){
+ IJwtAlgorithm algorithm = new HMACSHA256Algorithm();
+ IJsonSerializer serializer = new JsonNetSerializer();
+ IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder();
+ IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder);
+ var token = encoder.Encode(new Dictionary
+ {
+ { "user", "alice" },
+ { "permissions", "read, write" }
+ }, "hardcodedJWTSecret987");
+ Console.WriteLine(token);
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ namespace Example.Foobar;
+ public class Foobar{
+ public void JwtTest17(){
+ IJwtAlgorithm algorithm = new HMACSHA256Algorithm();
+ IJsonSerializer serializer = new JsonNetSerializer();
+ IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder();
+ IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder);
+ var token = encoder.Encode(new Dictionary
+ {
+ { "sub", "user123" },
+ { "scope", "admin" }
+ }, "secretkey2024");
+
+ Console.WriteLine(token);
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ namespace Example.Foobar;
+ public class Foobar{
+ public void JwtTest20(){
+ IJwtAlgorithm algorithm = new HMACSHA256Algorithm();
+ IJsonSerializer serializer = new JsonNetSerializer();
+ IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder();
+ IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder);
+ var token = encoder.Encode(new Dictionary
+ {
+ { "userId", "999" },
+ { "role", "admin" }
+ }, "hardcodedTokenSecret987");
+ Console.WriteLine(token);
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ namespace Example.Foobar;
+ public class Foobar{
+ public void JwtTest1(){
+ var payload = new Dictionary
+ {
+ { "claim1", 0 },
+ { "claim2", "claim2-value" }
+ };
+ IJwtAlgorithm algorithm = new HMACSHA256Algorithm();
+ IJsonSerializer serializer = new JsonNetSerializer();
+ IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder();
+ IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder);
+ const string key = "razdvatri";
+ var token = encoder.Encode(payload, key);
+ Console.WriteLine(token);
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ namespace Example.Foobar;
+ public class Foobar{
+ public void JwtTest2(){
+ IJsonSerializer serializer = new JsonNetSerializer();
+ IDateTimeProvider provider = new UtcDateTimeProvider();
+ IJwtValidator validator = new JwtValidator(serializer, provider);
+ IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder();
+ IJwtAlgorithm algorithm = new HMACSHA256Algorithm();
+ IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm);
+ var json = decoder.Decode(token, "secret123");
+ Console.WriteLine(json);
+ }
+ }
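Review bot: The only valid case, OkJwtTest6, is a bare method with no `using JWT;`/`using JWT.Builder;` and no enclosing namespace or class, while every invalid case carries that scaffold; if matching depends on the using directive (the snapshot above lists `using JWT.Builder;` as a secondary label on every hit), this negative test passes because nothing can match, not because `.WithSecret(secret)` takes a non-literal. Wrap OkJwtTest6 in the same `using JWT; using JWT.Builder; namespace Example.Foobar; public class Foobar{ ... }` scaffold as the invalid cases so a green valid result actually says something. Coverage is also lopsided: all five invalid cases go through `JwtEncoder.Encode`/`JwtDecoder.Decode` with a literal and the builder API only appears on the valid side, so add an invalid `JwtBuilder.Create().WithSecret("literal")` case and a valid `var json = decoder.Decode(token, secret);` case with `secret` read from configuration. JwtTest1 routes the literal through `const string key`, which is a good addition; a sibling case with a non-const `var key = "..."` local would show whether that flow is covered too.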