From bb7b8e1ad0e345862980a163b688f4554ebc1df8 Mon Sep 17 00:00:00 2001 From: Sakshis Date: Mon, 16 Dec 2024 13:09:06 +0000 Subject: [PATCH 1/6] removed missing-secure-java --- rules/java/security/missing-secure-java.yml | 70 ------------------- .../missing-secure-java-snapshot.yml | 32 --------- tests/java/missing-secure-java-test.yml | 15 ---- 3 files changed, 117 deletions(-) delete mode 100644 rules/java/security/missing-secure-java.yml delete mode 100644 tests/__snapshots__/missing-secure-java-snapshot.yml delete mode 100644 tests/java/missing-secure-java-test.yml diff --git a/rules/java/security/missing-secure-java.yml b/rules/java/security/missing-secure-java.yml deleted file mode 100644 index 755e6660..00000000 --- a/rules/java/security/missing-secure-java.yml +++ /dev/null 
@@ -1,70 +0,0 @@ -id: missing-secure-java -language: java -severity: warning -message: >- - Detected a cookie where the `Secure` flag is either missing or - disabled. The `Secure` cookie flag instructs the browser to forbid sending - the cookie over an insecure HTTP request. Set the `Secure` flag to `true` - so the cookie will only be sent over HTTPS. -note: >- - [CWE-614]: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - [OWASP A05:2021]: Security Misconfiguration - [REFERENCES] - - https://owasp.org/Top10/A05_2021-Security_Misconfiguration -utils: - match_without_httponly: - kind: argument_list - has: - kind: object_creation_expression - inside: - stopBy: end - kind: method_invocation - - match_cookie_last: - kind: argument_list - has: - kind: method_invocation - has: - kind: argument_list - has: - kind: string_literal - - match_instance: - kind: local_variable_declaration - has: - stopBy: end - kind: identifier - follows: - stopBy: end - kind: variable_declarator - - match_identifier_with_simplecookie: - kind: identifier - inside: - stopBy: end - kind: local_variable_declaration - all: - - has: - stopBy: end - kind: type_identifier - regex: '^SimpleCookie$|^Cookie$' - - has: - stopBy: neighbor - kind: variable_declarator - all: - - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: neighbor - kind: object_creation_expression - - not: - precedes: - stopBy: neighbor - kind: expression_statement -rule: - any: - - matches: match_instance - - matches: match_without_httponly - - matches: match_cookie_last - - matches: match_identifier_with_simplecookie diff --git a/tests/__snapshots__/missing-secure-java-snapshot.yml b/tests/__snapshots__/missing-secure-java-snapshot.yml deleted file mode 100644 index 3931463b..00000000 --- a/tests/__snapshots__/missing-secure-java-snapshot.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -id: missing-secure-java -snapshots: - ? | - SimpleCookie s = new SimpleCookie("foo", "bar"); - .orElse( new NettyCookie( "foo", "bar" ) ); - Cookie z = new NettyCookie("foo", "bar"); - return HttpResponse.ok().cookie(Cookie.of("zzz", "ddd")); - : labels: - - source: s - style: primary - start: 13 - end: 14 - - source: SimpleCookie - style: secondary - start: 0 - end: 12 - - source: s - style: secondary - start: 13 - end: 14 - - source: new SimpleCookie("foo", "bar") - style: secondary - start: 17 - end: 47 - - source: s = new SimpleCookie("foo", "bar") - style: secondary - start: 13 - end: 47 - - source: SimpleCookie s = new SimpleCookie("foo", "bar"); - style: secondary - start: 0 - end: 48 diff --git a/tests/java/missing-secure-java-test.yml b/tests/java/missing-secure-java-test.yml deleted file mode 100644 index 507f951f..00000000 --- a/tests/java/missing-secure-java-test.yml +++ /dev/null @@ -1,15 +0,0 @@ -id: missing-secure-java -valid: - - | - Cookie c1 = getCookieSomewhere(); - return HttpResponse.ok().cookie(Cookie.of("foo", "bar").secure(true)); - Cookie cookie = request.getCookies().findCookie( "foobar" ) - Cookie c = new NettyCookie("foo", "bar"); - c.secure(true); - NettyCookie r = new NettyCookie("foo", "bar").secure(true); -invalid: - - | - SimpleCookie s = new SimpleCookie("foo", "bar"); - .orElse( new NettyCookie( "foo", "bar" ) ); - Cookie z = new NettyCookie("foo", "bar"); - return HttpResponse.ok().cookie(Cookie.of("zzz", "ddd")); From 12bb3aab8d57915cd459d2e2ac04c42dfb2dca48 Mon Sep 17 00:00:00 2001 From: ESS ENN Date: Wed, 22 Jan 2025 18:58:13 +0530 Subject: [PATCH 2/6] httponly-false-csharp --- rules/csharp/security/httponly-false-csharp | 48 +++++++++++++++++++++ tests/csharp/httponly-false-csharp-test.yml | 9 ++++ 2 files changed, 57 insertions(+) create mode 100644 rules/csharp/security/httponly-false-csharp create mode 100644 tests/csharp/httponly-false-csharp-test.yml 
diff --git a/rules/csharp/security/httponly-false-csharp b/rules/csharp/security/httponly-false-csharp new file mode 100644 index 00000000..af939938 --- /dev/null +++ b/rules/csharp/security/httponly-false-csharp @@ -0,0 +1,48 @@ +id: httponly-false-csharp +language: csharp +severity: warning +message: >- + "Detected a cookie where the `HttpOnly` flag is either missing or + disabled. The `HttpOnly` cookie flag instructs the browser to forbid + client-side JavaScript to read the cookie. If JavaScript interaction is + required, you can ignore this finding. However, set the `HttpOnly` flag to + `true` in all other cases. If this wasn't intentional, it's recommended to + set the HttpOnly flag to true so the cookie will not be accessible through + client-side scripts or to use the Cookie Policy Middleware to globally set + the HttpOnly flag. You can then use the CookieOptions class when + instantiating the cookie, which inherits these settings and will require + future developers to have to explicitly override them on a case-by-case + basis if needed. This approach ensures cookies are secure by default." +note: >- + [CWE-1004] Sensitive Cookie Without 'HttpOnly' Flag" + [REFERENCES] + - https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware + - https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions + - https://owasp.org/Top10/A05_2021-Security_Misconfiguration + + +ast-grep-essentials: true + +rule: + kind: boolean_literal + pattern: $LITERAL + follows: + regex: ^=$ + follows: + kind: member_access_expression + inside: + kind: assignment_expression + all: + - has: + kind: member_access_expression + nthChild: 1 + regex: \.Cookie$ + - has: + kind: identifier + nthChild: 2 + regex: ^HttpOnly$ + +constraints: + LITERAL: + regex: ^false$ + 
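Review bot: The new rule file is created as `rules/csharp/security/httponly-false-csharp` with no `.yml` extension, unlike every other rule in this series (`missing-secure-java.yml`, `use-of-md5-digest-utils-java.yml`), so a loader that globs `*.yml` would presumably skip it silently while `tests/csharp/httponly-false-csharp-test.yml` still references the id; rename it to `httponly-false-csharp.yml`. The `note` carries a stray closing quote in `[CWE-1004] Sensitive Cookie Without 'HttpOnly' Flag"`, and the `message` is wrapped in literal double quotes inside a `>-` block scalar, so the quotes are emitted as part of the finding text. The matcher only fires on an explicit `= false` whose target ends in `.Cookie` (`regex: \.Cookie$`) followed by `HttpOnly`, so the message's "either missing or disabled" overstates what is detected; either reword to "set to false" or document the scope in `note`. PATCH 4/6 deletes this file again, so these points matter only if it is reintroduced.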
diff --git a/tests/csharp/httponly-false-csharp-test.yml b/tests/csharp/httponly-false-csharp-test.yml new file mode 100644 index 00000000..e29a7eab --- /dev/null +++ b/tests/csharp/httponly-false-csharp-test.yml @@ -0,0 +1,9 @@ +id: httponly-false-csharp +valid: + - | + myHttpOnlyCookie.HttpOnly = true; + - | + options.Cookie.HttpOnly = true; +invalid: + - | + options.Cookie.HttpOnly = false; From 2c5ea88476cdca70b993026ce65cb1435e602119 Mon Sep 17 00:00:00 2001 From: ESS ENN Date: Wed, 22 Jan 2025 19:00:33 +0530 Subject: [PATCH 3/6] use-of-md5-digest-utils-java --- .../security/use-of-md5-digest-utils-java.yml | 42 +++++++++++++++++++ .../use-of-md5-digest-utils-java-snapshot.yml | 29 +++++++++++++ .../use-of-md5-digest-utils-java-test.yml | 7 ++++ 3 files changed, 78 insertions(+) create mode 100644 rules/java/security/use-of-md5-digest-utils-java.yml create mode 100644 tests/__snapshots__/use-of-md5-digest-utils-java-snapshot.yml create mode 100644 tests/java/use-of-md5-digest-utils-java-test.yml diff --git a/rules/java/security/use-of-md5-digest-utils-java.yml b/rules/java/security/use-of-md5-digest-utils-java.yml new file mode 100644 index 00000000..553bac8a --- /dev/null +++ b/rules/java/security/use-of-md5-digest-utils-java.yml 
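Review bot: The test pins only the `options.Cookie.HttpOnly` shape; nothing records that a plain `myCookie.HttpOnly = false;` is outside the rule's `\.Cookie$` scope, so a later change to that regex would go unnoticed. Adding `myCookie.HttpOnly = false;` under `valid` (or under `invalid`, if the intent is to widen the rule) would make the intended scope explicit. The single `invalid` case also leaves the `constraints.LITERAL` check unexercised against `HttpOnly = true` on the `.Cookie` path, which the second `valid` case does cover, so that half is fine.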
@@ -0,0 +1,42 @@ +id: use-of-md5-digest-utils-java +language: java +severity: warning +message: >- + 'Detected MD5 hash algorithm which is considered insecure. MD5 is not + collision resistant and is therefore not suitable as a cryptographic + signature. Use HMAC instead.' +note: >- + [CWE-328] Use of Weak Hash + [REFERENCES] + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + +ast-grep-essentials: true + +rule: + kind: identifier + regex: ^getMd5Digest$ + nthChild: 2 + precedes: + nthChild: 3 + kind: argument_list + not: + has: + nthChild: 1 + inside: + kind: method_invocation + nthChild: 1 + inside: + kind: method_invocation + all: + - has: + kind: identifier + nthChild: 2 + regex: ^digest$ + - has: + kind: argument_list + nthChild: 3 + - not: + has: + stopBy: end + kind: ERROR + diff --git a/tests/__snapshots__/use-of-md5-digest-utils-java-snapshot.yml b/tests/__snapshots__/use-of-md5-digest-utils-java-snapshot.yml new file mode 100644 index 00000000..2e74b70e --- /dev/null +++ b/tests/__snapshots__/use-of-md5-digest-utils-java-snapshot.yml @@ -0,0 +1,29 @@ +id: use-of-md5-digest-utils-java +snapshots: + ? | + byte[] hashValue = DigestUtils.getMd5Digest().digest(password.getBytes()); + : labels: + - source: getMd5Digest + style: primary + start: 31 + end: 43 + - source: digest + style: secondary + start: 46 + end: 52 + - source: (password.getBytes()) + style: secondary + start: 52 + end: 73 + - source: DigestUtils.getMd5Digest().digest(password.getBytes()) + style: secondary + start: 19 + end: 73 + - source: DigestUtils.getMd5Digest() + style: secondary + start: 19 + end: 45 + - source: () + style: secondary + start: 43 + end: 45 diff --git a/tests/java/use-of-md5-digest-utils-java-test.yml b/tests/java/use-of-md5-digest-utils-java-test.yml new file mode 100644 index 00000000..769a4b52 --- /dev/null +++ b/tests/java/use-of-md5-digest-utils-java-test.yml 
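Review bot: The remediation in `message`, "Use HMAC instead.", is misleading for a weak-digest finding: HMAC is a keyed MAC construction, not a stronger hash, and it can itself be instantiated over MD5, so the advice does not fix the CWE-328 condition the rule reports; suggest `Use a SHA-2 family digest (for example DigestUtils.getSha256Digest()) instead.` The matcher requires `getMd5Digest()` to be chained directly into `.digest(...)` as the inner `method_invocation`, so `MessageDigest md = DigestUtils.getMd5Digest();` with a later `md.digest(...)`, and the `DigestUtils.md5(...)` / `md5Hex(...)` helpers, appear not to be matched; either add those as further `any` branches or state the limitation in `note`. The trailing `not: has: kind: ERROR` guard against parse-error trees is sensible but undocumented; a one-line YAML comment above it saying why it is there would help the next maintainer.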
@@ -0,0 +1,7 @@ +id: use-of-md5-digest-utils-java +valid: + - | + byte[] hashValue = DigestUtils.getSha512Digest().digest(password.getBytes()); +invalid: + - | + byte[] hashValue = DigestUtils.getMd5Digest().digest(password.getBytes()); From d3067f11ba31741fd738392f2d2efb1702116dcf Mon Sep 17 00:00:00 2001 From: ESS ENN Date: Wed, 22 Jan 2025 19:05:33 +0530 Subject: [PATCH 4/6] removing use-of-md5-digest-utils and httponly-false-csharp --- rules/csharp/security/httponly-false-csharp | 48 ------------------- .../security/use-of-md5-digest-utils-java.yml | 42 ---------------- tests/csharp/httponly-false-csharp-test.yml | 9 ---- .../use-of-md5-digest-utils-java-test.yml | 7 --- 4 files changed, 106 deletions(-) delete mode 100644 rules/csharp/security/httponly-false-csharp delete mode 100644 rules/java/security/use-of-md5-digest-utils-java.yml delete mode 100644 tests/csharp/httponly-false-csharp-test.yml delete mode 100644 tests/java/use-of-md5-digest-utils-java-test.yml diff --git a/rules/csharp/security/httponly-false-csharp b/rules/csharp/security/httponly-false-csharp deleted file mode 100644 index af939938..00000000 --- a/rules/csharp/security/httponly-false-csharp +++ /dev/null 
@@ -1,48 +0,0 @@ -id: httponly-false-csharp -language: csharp -severity: warning -message: >- - "Detected a cookie where the `HttpOnly` flag is either missing or - disabled. The `HttpOnly` cookie flag instructs the browser to forbid - client-side JavaScript to read the cookie. If JavaScript interaction is - required, you can ignore this finding. However, set the `HttpOnly` flag to - `true` in all other cases. If this wasn't intentional, it's recommended to - set the HttpOnly flag to true so the cookie will not be accessible through - client-side scripts or to use the Cookie Policy Middleware to globally set - the HttpOnly flag. You can then use the CookieOptions class when - instantiating the cookie, which inherits these settings and will require - future developers to have to explicitly override them on a case-by-case - basis if needed. This approach ensures cookies are secure by default." -note: >- - [CWE-1004] Sensitive Cookie Without 'HttpOnly' Flag" - [REFERENCES] - - https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware - - https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions - - https://owasp.org/Top10/A05_2021-Security_Misconfiguration - - -ast-grep-essentials: true - -rule: - kind: boolean_literal - pattern: $LITERAL - follows: - regex: ^=$ - follows: - kind: member_access_expression - inside: - kind: assignment_expression - all: - - has: - kind: member_access_expression - nthChild: 1 - regex: \.Cookie$ - - has: - kind: identifier - nthChild: 2 - regex: ^HttpOnly$ - -constraints: - LITERAL: - regex: ^false$ - diff --git a/rules/java/security/use-of-md5-digest-utils-java.yml b/rules/java/security/use-of-md5-digest-utils-java.yml deleted file mode 100644 index 553bac8a..00000000 --- a/rules/java/security/use-of-md5-digest-utils-java.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -id: use-of-md5-digest-utils-java -language: java -severity: warning -message: >- - 'Detected MD5 hash algorithm which is considered insecure. MD5 is not - collision resistant and is therefore not suitable as a cryptographic - signature. Use HMAC instead.' -note: >- - [CWE-328] Use of Weak Hash - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures - -ast-grep-essentials: true - -rule: - kind: identifier - regex: ^getMd5Digest$ - nthChild: 2 - precedes: - nthChild: 3 - kind: argument_list - not: - has: - nthChild: 1 - inside: - kind: method_invocation - nthChild: 1 - inside: - kind: method_invocation - all: - - has: - kind: identifier - nthChild: 2 - regex: ^digest$ - - has: - kind: argument_list - nthChild: 3 - - not: - has: - stopBy: end - kind: ERROR - diff --git a/tests/csharp/httponly-false-csharp-test.yml b/tests/csharp/httponly-false-csharp-test.yml deleted file mode 100644 index e29a7eab..00000000 --- a/tests/csharp/httponly-false-csharp-test.yml +++ /dev/null @@ -1,9 +0,0 @@ -id: httponly-false-csharp -valid: - - | - myHttpOnlyCookie.HttpOnly = true; - - | - options.Cookie.HttpOnly = true; -invalid: - - | - options.Cookie.HttpOnly = false; diff --git a/tests/java/use-of-md5-digest-utils-java-test.yml b/tests/java/use-of-md5-digest-utils-java-test.yml deleted file mode 100644 index 769a4b52..00000000 --- a/tests/java/use-of-md5-digest-utils-java-test.yml +++ /dev/null @@ -1,7 +0,0 @@ -id: use-of-md5-digest-utils-java -valid: - - | - byte[] hashValue = DigestUtils.getSha512Digest().digest(password.getBytes()); -invalid: - - | - byte[] hashValue = DigestUtils.getMd5Digest().digest(password.getBytes()); From 9786b9fceb889b207c912d4d20cbad64b68c46f1 Mon Sep 17 00:00:00 2001 
From: ESS-ENN Date: Mon, 31 Mar 2025 12:28:38 +0530 Subject: [PATCH 5/6] jwt-hardcoded-secret-csharp --- .../security/jwt-hardcoded-secret-csharp.yml | 682 ++++++++++++++++++ .../jwt-hardcoded-secret-csharp-snapshot.yml | 468 ++++++++++++ .../jwt-hardcoded-secret-csharp-test.yml | 105 +++ 3 files changed, 1255 insertions(+) create mode 100644 rules/csharp/security/jwt-hardcoded-secret-csharp.yml create mode 100644 tests/__snapshots__/jwt-hardcoded-secret-csharp-snapshot.yml create mode 100644 tests/csharp/jwt-hardcoded-secret-csharp-test.yml diff --git a/rules/csharp/security/jwt-hardcoded-secret-csharp.yml b/rules/csharp/security/jwt-hardcoded-secret-csharp.yml new file mode 100644 index 00000000..6b52764a --- /dev/null +++ b/rules/csharp/security/jwt-hardcoded-secret-csharp.yml 
@@ -0,0 +1,682 @@ +id: jwt-hardcoded-secret-csharp +severity: warning +language: csharp +message: >- + A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy. +note: >- + [CWE-798] Use of Hard-coded Credentials. + [REFERENCES] + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + +ast-grep-essentials: true + +utils: + (IJwtEncoder $D).Encode($X, "..."): + kind: invocation_expression + all: + - has: + nthChild: 1 + kind: member_access_expression + all: + - has: + nthChild: 1 + pattern: $IJWT + - has: + nthChild: 2 + kind: identifier + regex: ^Encode$ + - has: + nthChild: 2 + kind: argument_list + has: + nthChild: + position: 2 + ofRule: + not: + kind: comment + kind: argument + has: + kind: string_literal + has: + kind: string_literal_content + - any: + - inside: + stopBy: end + follows: + stopBy: end + kind: local_declaration_statement + has: + kind: variable_declaration + all: + - has: + kind: identifier + regex: ^(IJwtEncoder|JwtEncoder)$ + - has: + kind: variable_declarator + has: + nthChild: 1 + pattern: $IJWT + - follows: + stopBy: end + kind: local_declaration_statement + has: + kind: variable_declaration + all: + - has: + kind: identifier + regex: ^(IJwtEncoder|JwtEncoder)$ + - has: + kind: variable_declarator + has: + nthChild: 1 + pattern: $IJWT + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + + (IJwtDecoder $D).Decoder($X, "..."): + kind: invocation_expression + all: + - has: + nthChild: 1 + kind: member_access_expression + all: + - has: + nthChild: 1 + pattern: $IJWT + - has: + nthChild: 2 
+ kind: identifier + regex: ^Decode$ + - has: + nthChild: 2 + kind: argument_list + has: + nthChild: + position: 2 + ofRule: + not: + kind: comment + kind: argument + has: + kind: string_literal + has: + kind: string_literal_content + - any: + - inside: + stopBy: end + follows: + stopBy: end + kind: local_declaration_statement + has: + kind: variable_declaration + all: + - has: + kind: identifier + regex: ^(IJwtDecoder|JwtDecoder)$ + - has: + kind: variable_declarator + has: + nthChild: 1 + pattern: $IJWT + - follows: + stopBy: end + kind: local_declaration_statement + has: + kind: variable_declaration + all: + - has: + kind: identifier + regex: ^(IJwtDecoder|JwtDecoder)$ + - has: + kind: variable_declarator + has: + nthChild: 1 + pattern: $IJWT + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + + (IJwtEncoder $D).Encode($X, "...")_With_Instance: + kind: invocation_expression + all: + - has: + nthChild: 1 + kind: member_access_expression + all: + - has: + nthChild: 1 + pattern: $IJWT + - has: + nthChild: 2 + kind: identifier + regex: ^Encode$ + - has: + nthChild: 2 + kind: argument_list + has: + nthChild: + position: 2 + ofRule: + not: + kind: comment + kind: argument + has: + kind: identifier + pattern: $PASS + - any: + - inside: + stopBy: end + follows: + stopBy: end + kind: local_declaration_statement + has: + kind: variable_declaration + all: + - has: + kind: identifier + regex: ^(IJwtEncoder|JwtEncoder)$ + - has: + kind: variable_declarator + has: + nthChild: 1 + pattern: $IJWT + - follows: + stopBy: end + kind: local_declaration_statement + has: + kind: variable_declaration + all: + - has: + kind: identifier + regex: ^(IJwtEncoder|JwtEncoder)$ + - has: + kind: variable_declarator + has: + nthChild: 1 + pattern: $IJWT + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - any: + - 
inside: + stopBy: end + follows: + stopBy: end + kind: local_declaration_statement + has: + stopBy: end + kind: variable_declarator + all: + - has: + kind: identifier + pattern: $PASS + - has: + kind: string_literal + has: + kind: string_literal_content + - follows: + stopBy: end + kind: local_declaration_statement + has: + stopBy: end + kind: variable_declarator + all: + - has: + kind: identifier + pattern: $PASS + - has: + kind: string_literal + has: + kind: string_literal_content + + (IJwtDecoder $D).Decoder($X, "...")_With_Instance: + kind: invocation_expression + all: + - has: + nthChild: 1 + kind: member_access_expression + all: + - has: + nthChild: 1 + pattern: $IJWT + - has: + nthChild: 2 + kind: identifier + regex: ^Decode$ + - has: + nthChild: 2 + kind: argument_list + has: + nthChild: + position: 2 + ofRule: + not: + kind: comment + kind: argument + has: + kind: identifier + pattern: $PASS + - any: + - inside: + stopBy: end + follows: + stopBy: end + kind: local_declaration_statement + has: + kind: variable_declaration + all: + - has: + kind: identifier + regex: ^(IJwtDecoder|JwtDecoder)$ + - has: + kind: variable_declarator + has: + nthChild: 1 + pattern: $IJWT + - follows: + stopBy: end + kind: local_declaration_statement + has: + kind: variable_declaration + all: + - has: + kind: identifier + regex: ^(IJwtDecoder|JwtDecoder)$ + - has: + kind: variable_declarator + has: + nthChild: 1 + pattern: $IJWT + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - any: + - inside: + stopBy: end + follows: + stopBy: end + kind: local_declaration_statement + has: + stopBy: end + kind: variable_declarator + all: + - has: + kind: identifier + pattern: $PASS + - has: + kind: string_literal + has: + kind: string_literal_content + - follows: + stopBy: end + kind: local_declaration_statement + has: + stopBy: end + kind: variable_declarator + all: + - has: + kind: identifier + pattern: 
$PASS + - has: + kind: string_literal + has: + kind: string_literal_content + + $B. ... .WithSecret("..."): + kind: invocation_expression + all: + - has: + kind: member_access_expression + nthChild: 1 + all: + - any: + - has: + kind: member_access_expression + has: + stopBy: end + pattern: $INST + nthChild: 1 + - has: + stopBy: end + pattern: $INST + + - has: + nthChild: 2 + regex: ^WithSecret$ + - has: + kind: argument_list + has: + kind: argument + nthChild: 1 + not: + has: + nthChild: 2 + has: + kind: string_literal + has: + kind: string_literal_content + - has: + kind: argument_list + nthChild: 2 + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - any: + - inside: + stopBy: end + follows: + stopBy: end + kind: local_declaration_statement + has: + stopBy: end + kind: variable_declarator + all: + - has: + nthChild: 1 + kind: identifier + pattern: $INST + - has: + any: + - kind: object_creation_expression + pattern: new JwtBuilder.Create() + - kind: invocation_expression + nthChild: 2 + pattern: JwtBuilder.Create() + - inside: + stopBy: end + follows: + stopBy: end + kind: expression_statement + has: + kind: assignment_expression + all: + - has: + kind: identifier + nthChild: 1 + pattern: $INST + - has: + any: + - kind: object_creation_expression + pattern: new JwtBuilder.Create() + - kind: invocation_expression + nthChild: 2 + pattern: JwtBuilder.Create() + + (JwtBuilder $B). ... 
.WithSecret("..."): + kind: invocation_expression + all: + - has: + kind: member_access_expression + nthChild: 1 + all: + - has: + stopBy: end + kind: identifier + regex: ^JwtBuilder$ + - has: + nthChild: 2 + regex: ^WithSecret$ + - has: + kind: argument_list + has: + kind: argument + nthChild: 1 + not: + has: + nthChild: 2 + has: + kind: string_literal + has: + kind: string_literal_content + - has: + kind: argument_list + nthChild: 2 + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + + $B. ... .WithSecret("...")_With_Instance: + kind: invocation_expression + all: + - has: + kind: member_access_expression + nthChild: 1 + all: + - has: + stopBy: end + kind: identifier + field: expression + pattern: $INST + - has: + nthChild: 2 + kind: identifier + regex: ^(WithSecret)$ + - has: + kind: argument_list + nthChild: 2 + has: + kind: argument + nthChild: 1 + not: + has: + nthChild: 2 + has: + kind: identifier + pattern: $PASS + - has: + kind: argument_list + nthChild: 2 + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - any: + - inside: + stopBy: end + follows: + stopBy: end + kind: local_declaration_statement + has: + stopBy: end + kind: variable_declarator + all: + - has: + nthChild: 1 + kind: identifier + pattern: $INST + - has: + nthChild: 2 + kind: invocation_expression + pattern: JwtBuilder.Create() + - inside: + stopBy: end + follows: + stopBy: end + kind: expression_statement + has: + kind: assignment_expression + all: + - has: + kind: identifier + nthChild: 1 + pattern: $INST + - has: + kind: invocation_expression + nthChild: 2 + pattern: JwtBuilder.Create() + - inside: + stopBy: end + follows: + stopBy: end + kind: local_declaration_statement + has: + stopBy: end + kind: variable_declarator + all: + - has: + kind: identifier + pattern: $PASS + nthChild: 1 + - has: + nthChild: 2 + kind: 
string_literal + has: + kind: string_literal_content + + (JwtBuilder $B). ... .WithSecret("...")_With_Instance: + kind: invocation_expression + all: + - has: + kind: member_access_expression + nthChild: 1 + all: + - has: + stopBy: end + kind: identifier + regex: ^JwtBuilder$ + - has: + nthChild: 2 + regex: ^WithSecret$ + - has: + kind: argument_list + has: + kind: argument + nthChild: 1 + not: + has: + nthChild: 2 + has: + kind: identifier + pattern: $PASS + - has: + kind: argument_list + nthChild: 2 + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - inside: + stopBy: end + follows: + stopBy: end + kind: local_declaration_statement + has: + stopBy: end + kind: variable_declarator + all: + - has: + kind: identifier + pattern: $PASS + nthChild: 1 + - has: + nthChild: 2 + kind: string_literal + has: + kind: string_literal_content + + (JwtBuilder $B). ... .WithSecret("...")_With_Instance2: + kind: invocation_expression + all: + - has: + kind: member_access_expression + nthChild: 1 + all: + - has: + stopBy: end + kind: identifier + pattern: $INST + - has: + nthChild: 2 + regex: ^WithSecret$ + - has: + kind: argument_list + has: + kind: argument + nthChild: 1 + not: + has: + nthChild: 2 + has: + kind: string_literal + has: + kind: string_literal_content + - has: + kind: argument_list + nthChild: 2 + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - inside: + stopBy: end + follows: + stopBy: end + kind: local_declaration_statement + has: + stopBy: end + kind: variable_declaration + all: + - has: + nthChild: 1 + kind: identifier + regex: ^JwtBuilder$ + - has: + kind: variable_declarator + has: + kind: identifier + pattern: $INST + +rule: + any: + - matches: (JwtBuilder $B). ... 
.WithSecret("...")_With_Instance2 + - matches: (IJwtEncoder $D).Encode($X, "...") + - matches: (IJwtDecoder $D).Decoder($X, "...") + - matches: (IJwtEncoder $D).Encode($X, "...")_With_Instance + - matches: (IJwtDecoder $D).Decoder($X, "...")_With_Instance + - matches: $B. ... .WithSecret("...") + - matches: (JwtBuilder $B). ... .WithSecret("...") + - matches: $B. ... .WithSecret("...")_With_Instance + - matches: (JwtBuilder $B). ... .WithSecret("...")_With_Instance diff --git a/tests/__snapshots__/jwt-hardcoded-secret-csharp-snapshot.yml b/tests/__snapshots__/jwt-hardcoded-secret-csharp-snapshot.yml new file mode 100644 index 00000000..5794fa21 --- /dev/null +++ b/tests/__snapshots__/jwt-hardcoded-secret-csharp-snapshot.yml 
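Review bot: The utility keys `(IJwtDecoder $D).Decoder($X, "...")` and `(IJwtDecoder $D).Decoder($X, "...")_With_Instance` say `Decoder` while the identifier regex in both bodies is `^Decode$`; since each name is also repeated under `rule.any`, rename both keys to `(IJwtDecoder $D).Decode($X, "...")` so the name matches what is actually matched. Every `_With_Instance` variant resolves `$PASS` only through a `local_declaration_statement` whose `variable_declarator` holds a `string_literal`, so a secret kept in a class field (`private const string Key = "...";`) and passed to `Encode`/`Decode`/`WithSecret` appears not to be caught — inferred from the visible branches, worth confirming with a test case and then either adding a `field_declaration` branch or noting the limitation in `note`. The nine utilities restate the `using JWT;` / `using JWT.Builder;` gate and the `IJwtEncoder|JwtEncoder` / `IJwtDecoder|JwtDecoder` declaration lookups almost verbatim; hoisting those into their own utils and composing them with `matches:` would shrink this 682-line file considerably and make the variants diffable. The `$B. ... .WithSecret("...")` util additionally accepts `new JwtBuilder.Create()` as an `object_creation_expression`, which the `_With_Instance` sibling does not, so the two disagree on what counts as an instance.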
@@ -0,0 +1,468 @@ +id: jwt-hardcoded-secret-csharp +snapshots: + ? | + using JWT; + using JWT.Builder; + namespace Example.Foobar; + public class Foobar{ + public void JwtTest1(){ + var payload = new Dictionary + { + { "claim1", 0 }, + { "claim2", "claim2-value" } + }; + IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); + IJsonSerializer serializer = new JsonNetSerializer(); + IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); + IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); + const string key = "razdvatri"; + var token = encoder.Encode(payload, key); + Console.WriteLine(token); + } + } + : labels: + - source: encoder.Encode(payload, key) + style: primary + start: 533 + end: 561 + - source: encoder + style: secondary + start: 533 + end: 540 + - source: Encode + style: secondary + start: 541 + end: 547 + - source: encoder.Encode + style: secondary + start: 533 + end: 547 + - source: key + style: secondary + start: 557 + end: 560 + - source: key + style: secondary + start: 557 + end: 560 + - source: (payload, key) + style: secondary + start: 547 + end: 561 + - source: IJwtEncoder + style: secondary + start: 408 + end: 419 + - source: encoder + style: secondary + start: 420 + end: 427 + - source: encoder = new JwtEncoder(algorithm, serializer, urlEncoder) + style: secondary + start: 420 + end: 479 + - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder) + style: secondary + start: 408 + end: 479 + - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); + style: secondary + start: 408 + end: 480 + - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); + style: secondary + start: 408 + end: 480 + - source: using JWT.Builder; + style: secondary + start: 11 + end: 29 + - source: using JWT.Builder; + style: secondary + start: 11 + end: 29 + - source: key + style: secondary + start: 498 + end: 501 + - source: razdvatri + style: secondary + start: 505 + end: 
514 + - source: '"razdvatri"' + style: secondary + start: 504 + end: 515 + - source: key = "razdvatri" + style: secondary + start: 498 + end: 515 + - source: const string key = "razdvatri"; + style: secondary + start: 485 + end: 516 + - source: const string key = "razdvatri"; + style: secondary + start: 485 + end: 516 + ? | + using JWT; + using JWT.Builder; + namespace Example.Foobar; + public class Foobar{ + public void JwtTest13(){ + IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); + IJsonSerializer serializer = new JsonNetSerializer(); + IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); + IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); + var token = encoder.Encode(new Dictionary + { + { "user", "alice" }, + { "permissions", "read, write" } + }, "hardcodedJWTSecret987"); + Console.WriteLine(token); + } + } + : labels: + - source: |- + encoder.Encode(new Dictionary + { + { "user", "alice" }, + { "permissions", "read, write" } + }, "hardcodedJWTSecret987") + style: primary + start: 374 + end: 527 + - source: encoder + style: secondary + start: 374 + end: 381 + - source: Encode + style: secondary + start: 382 + end: 388 + - source: encoder.Encode + style: secondary + start: 374 + end: 388 + - source: hardcodedJWTSecret987 + style: secondary + start: 504 + end: 525 + - source: '"hardcodedJWTSecret987"' + style: secondary + start: 503 + end: 526 + - source: '"hardcodedJWTSecret987"' + style: secondary + start: 503 + end: 526 + - source: |- + (new Dictionary + { + { "user", "alice" }, + { "permissions", "read, write" } + }, "hardcodedJWTSecret987") + style: secondary + start: 388 + end: 527 + - source: IJwtEncoder + style: secondary + start: 285 + end: 296 + - source: encoder + style: secondary + start: 297 + end: 304 + - source: encoder = new JwtEncoder(algorithm, serializer, urlEncoder) + style: secondary + start: 297 + end: 356 + - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder) + style: secondary 
+ start: 285 + end: 356 + - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); + style: secondary + start: 285 + end: 357 + - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); + style: secondary + start: 285 + end: 357 + - source: using JWT.Builder; + style: secondary + start: 11 + end: 29 + - source: using JWT.Builder; + style: secondary + start: 11 + end: 29 + ? | + using JWT; + using JWT.Builder; + namespace Example.Foobar; + public class Foobar{ + public void JwtTest17(){ + IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); + IJsonSerializer serializer = new JsonNetSerializer(); + IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); + IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); + var token = encoder.Encode(new Dictionary + { + { "sub", "user123" }, + { "scope", "admin" } + }, "secretkey2024"); + + Console.WriteLine(token); + } + } + : labels: + - source: |- + encoder.Encode(new Dictionary + { + { "sub", "user123" }, + { "scope", "admin" } + }, "secretkey2024") + style: primary + start: 374 + end: 508 + - source: encoder + style: secondary + start: 374 + end: 381 + - source: Encode + style: secondary + start: 382 + end: 388 + - source: encoder.Encode + style: secondary + start: 374 + end: 388 + - source: secretkey2024 + style: secondary + start: 493 + end: 506 + - source: '"secretkey2024"' + style: secondary + start: 492 + end: 507 + - source: '"secretkey2024"' + style: secondary + start: 492 + end: 507 + - source: |- + (new Dictionary + { + { "sub", "user123" }, + { "scope", "admin" } + }, "secretkey2024") + style: secondary + start: 388 + end: 508 + - source: IJwtEncoder + style: secondary + start: 285 + end: 296 + - source: encoder + style: secondary + start: 297 + end: 304 + - source: encoder = new JwtEncoder(algorithm, serializer, urlEncoder) + style: secondary + start: 297 + end: 356 + - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, 
urlEncoder) + style: secondary + start: 285 + end: 356 + - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); + style: secondary + start: 285 + end: 357 + - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); + style: secondary + start: 285 + end: 357 + - source: using JWT.Builder; + style: secondary + start: 11 + end: 29 + - source: using JWT.Builder; + style: secondary + start: 11 + end: 29 + ? | + using JWT; + using JWT.Builder; + namespace Example.Foobar; + public class Foobar{ + public void JwtTest2(){ + IJsonSerializer serializer = new JsonNetSerializer(); + IDateTimeProvider provider = new UtcDateTimeProvider(); + IJwtValidator validator = new JwtValidator(serializer, provider); + IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); + IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); + IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); + var json = decoder.Decode(token, "secret123"); + Console.WriteLine(json); + } + } + : labels: + - source: decoder.Decode(token, "secret123") + style: primary + start: 513 + end: 547 + - source: decoder + style: secondary + start: 513 + end: 520 + - source: Decode + style: secondary + start: 521 + end: 527 + - source: decoder.Decode + style: secondary + start: 513 + end: 527 + - source: secret123 + style: secondary + start: 536 + end: 545 + - source: '"secret123"' + style: secondary + start: 535 + end: 546 + - source: '"secret123"' + style: secondary + start: 535 + end: 546 + - source: (token, "secret123") + style: secondary + start: 527 + end: 547 + - source: IJwtDecoder + style: secondary + start: 414 + end: 425 + - source: decoder + style: secondary + start: 426 + end: 433 + - source: decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm) + style: secondary + start: 426 + end: 496 + - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm) + style: secondary + start: 414 + 
end: 496 + - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); + style: secondary + start: 414 + end: 497 + - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); + style: secondary + start: 414 + end: 497 + - source: using JWT.Builder; + style: secondary + start: 11 + end: 29 + - source: using JWT.Builder; + style: secondary + start: 11 + end: 29 + ? | + using JWT; + using JWT.Builder; + namespace Example.Foobar; + public class Foobar{ + public void JwtTest20(){ + IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); + IJsonSerializer serializer = new JsonNetSerializer(); + IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); + IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); + var token = encoder.Encode(new Dictionary + { + { "userId", "999" }, + { "role", "admin" } + }, "hardcodedTokenSecret987"); + Console.WriteLine(token); + } + } + : labels: + - source: |- + encoder.Encode(new Dictionary + { + { "userId", "999" }, + { "role", "admin" } + }, "hardcodedTokenSecret987") + style: primary + start: 374 + end: 516 + - source: encoder + style: secondary + start: 374 + end: 381 + - source: Encode + style: secondary + start: 382 + end: 388 + - source: encoder.Encode + style: secondary + start: 374 + end: 388 + - source: hardcodedTokenSecret987 + style: secondary + start: 491 + end: 514 + - source: '"hardcodedTokenSecret987"' + style: secondary + start: 490 + end: 515 + - source: '"hardcodedTokenSecret987"' + style: secondary + start: 490 + end: 515 + - source: |- + (new Dictionary + { + { "userId", "999" }, + { "role", "admin" } + }, "hardcodedTokenSecret987") + style: secondary + start: 388 + end: 516 + - source: IJwtEncoder + style: secondary + start: 285 + end: 296 + - source: encoder + style: secondary + start: 297 + end: 304 + - source: encoder = new JwtEncoder(algorithm, serializer, urlEncoder) + style: secondary + start: 297 + end: 356 + - source: 
IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder) + style: secondary + start: 285 + end: 356 + - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); + style: secondary + start: 285 + end: 357 + - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); + style: secondary + start: 285 + end: 357 + - source: using JWT.Builder; + style: secondary + start: 11 + end: 29 + - source: using JWT.Builder; + style: secondary + start: 11 + end: 29 diff --git a/tests/csharp/jwt-hardcoded-secret-csharp-test.yml b/tests/csharp/jwt-hardcoded-secret-csharp-test.yml new file mode 100644 index 00000000..6cfdcae2 --- /dev/null +++ b/tests/csharp/jwt-hardcoded-secret-csharp-test.yml 
@@ -0,0 +1,105 @@ +id: jwt-hardcoded-secret-csharp +valid: + - | + public void OkJwtTest6(){ + string secret = GetSecretFromEnvironmentVariable(); + var token = JwtBuilder.Create() + .WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(secret) + .AddClaim("user", "george") + .AddClaim("permissions", "full_access") + .Encode(); + Console.WriteLine(token); + } +invalid: + - | + using JWT; + using JWT.Builder; + namespace Example.Foobar; + public class Foobar{ + public void JwtTest13(){ + IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); + IJsonSerializer serializer = new JsonNetSerializer(); + IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); + IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); + var token = encoder.Encode(new Dictionary + { + { "user", "alice" }, + { "permissions", "read, write" } + }, "hardcodedJWTSecret987"); + Console.WriteLine(token); + } + } + - | + using JWT; + using JWT.Builder; + namespace Example.Foobar; + public class Foobar{ + public void JwtTest17(){ + IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); + IJsonSerializer serializer = new JsonNetSerializer(); + IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); + IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); + var token = encoder.Encode(new Dictionary + { + { "sub", "user123" }, + { "scope", "admin" } + }, "secretkey2024"); + + Console.WriteLine(token); + } + } + - | + using JWT; + using JWT.Builder; + namespace Example.Foobar; + public class Foobar{ + public void JwtTest20(){ + IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); + IJsonSerializer serializer = new JsonNetSerializer(); + IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); + IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); + var token = encoder.Encode(new Dictionary + { + { "userId", "999" }, + { "role", "admin" } + }, "hardcodedTokenSecret987"); + Console.WriteLine(token); + } + } + - | + using JWT; + using JWT.Builder; + 
namespace Example.Foobar; + public class Foobar{ + public void JwtTest1(){ + var payload = new Dictionary + { + { "claim1", 0 }, + { "claim2", "claim2-value" } + }; + IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); + IJsonSerializer serializer = new JsonNetSerializer(); + IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); + IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); + const string key = "razdvatri"; + var token = encoder.Encode(payload, key); + Console.WriteLine(token); + } + } + - | + using JWT; + using JWT.Builder; + namespace Example.Foobar; + public class Foobar{ + public void JwtTest2(){ + IJsonSerializer serializer = new JsonNetSerializer(); + IDateTimeProvider provider = new UtcDateTimeProvider(); + IJwtValidator validator = new JwtValidator(serializer, provider); + IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); + IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); + IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); + var json = decoder.Decode(token, "secret123"); + Console.WriteLine(json); + } + } From d78f4c7fa4ce18b0b331089bde378780daa973e0 Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Mon, 31 Mar 2025 12:43:15 +0530 Subject: [PATCH 6/6] jwt-decode-without-verify-csharp --- .../jwt-decode-without-verify-csharp.yml | 727 ++++++++++++++ ...-decode-without-verify-csharp-snapshot.yml | 907 ++++++++++++++++++ .../jwt-decode-without-verify-csharp-test.yml | 262 +++++ 3 files changed, 1896 insertions(+) create mode 100644 rules/csharp/security/jwt-decode-without-verify-csharp.yml create mode 100644 tests/__snapshots__/jwt-decode-without-verify-csharp-snapshot.yml create mode 100644 tests/csharp/jwt-decode-without-verify-csharp-test.yml diff --git a/rules/csharp/security/jwt-decode-without-verify-csharp.yml b/rules/csharp/security/jwt-decode-without-verify-csharp.yml new file mode 100644 index 00000000..cc971d93 --- /dev/null 
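Review bot: The only `valid` case (`OkJwtTest6`) has no `using JWT;` / `using JWT.Builder;` directive and no enclosing class, so every util in the rule already fails on its `inside: … follows: using_directive` constraint before the `WithSecret(secret)` argument is examined; the case passes for the wrong reason and would keep passing if `secret` were replaced by a string literal. Wrap it in the same `using JWT; using JWT.Builder; namespace … public class …` scaffold the `invalid` cases use, so that the non-literal-argument exclusion is what is actually tested. A second `valid` case for the `IJwtEncoder` path, with a key that is not a string literal (for example read from configuration), would pin the `$PASS` literal-declaration constraint of the `_With_Instance` utils, which is currently exercised only in the positive direction by `JwtTest1`.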
+++ b/rules/csharp/security/jwt-decode-without-verify-csharp.yml 
@@ -0,0 +1,727 @@ +id: jwt-decode-without-verify-csharp +severity: warning +language: csharp +message: >- + Detected the decoding of a JWT token without a verify step. JWT tokens + must be verified before use, otherwise the token's integrity is unknown. + This means a malicious actor could forge a JWT token with any claims. + Validate the token before using it. +note: >- + [CWE-345] Insufficient Verification of Data Authenticity. + [REFERENCES] + - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures + +ast-grep-essentials: true + +utils: + (IJwtDecoder $D).Decode($X,verify-false,.): + kind: invocation_expression + all: + - has: + nthChild: 1 + kind: member_access_expression + all: + - has: + nthChild: 1 + pattern: $INST + - has: + nthChild: 2 + kind: identifier + regex: ^Decode$ + - has: + nthChild: 2 + kind: argument_list + has: + kind: argument + not: + nthChild: 1 + all: + - has: + nthChild: 1 + kind: identifier + regex: ^verify$ + - has: + nthChild: 2 + kind: boolean_literal + regex: ^false$ + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - pattern: using Microsoft.IdentityModel.Tokens; + - inside: + stopBy: end + follows: + stopBy: end + kind: local_declaration_statement + has: + kind: variable_declaration + all: + - has: + kind: identifier + regex: ^(IJwtDecoder|JwtDecoder)$ + - has: + kind: variable_declarator + has: + kind: identifier + pattern: $INST + + (IJwtDecoder $D).Decode(false): + kind: invocation_expression + all: + - has: + nthChild: 1 + kind: member_access_expression + all: + - has: + nthChild: 1 + pattern: $INST + - has: + nthChild: 2 + kind: identifier + regex: ^Decode$ + - has: + nthChild: 2 + kind: argument_list + has: + kind: argument + has: + kind: boolean_literal + regex: ^false$ + any: + - nthChild: 2 + - nthChild: 3 + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - 
pattern: using JWT.Builder; + - pattern: using Microsoft.IdentityModel.Tokens; + - inside: + stopBy: end + follows: + stopBy: end + kind: local_declaration_statement + has: + kind: variable_declaration + all: + - has: + kind: identifier + regex: ^(IJwtDecoder|JwtDecoder)$ + - has: + kind: variable_declarator + has: + kind: identifier + pattern: $INST + + $D.Decode($X,verify-false,.): + kind: invocation_expression + all: + - has: + nthChild: 1 + kind: member_access_expression + all: + - has: + nthChild: 1 + pattern: $INST + - has: + nthChild: 2 + kind: identifier + regex: ^Decode$ + - has: + nthChild: 2 + kind: argument_list + has: + kind: argument + not: + nthChild: 1 + all: + - has: + nthChild: 1 + kind: identifier + regex: ^verify$ + - has: + nthChild: 2 + kind: boolean_literal + regex: ^false$ + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - pattern: using Microsoft.IdentityModel.Tokens; + - inside: + stopBy: end + follows: + stopBy: end + any: + - kind: local_declaration_statement + has: + stopBy: end + kind: variable_declarator + all: + - has: + kind: identifier + pattern: $INST + - has: + kind: object_creation_expression + has: + kind: identifier + regex: ^JwtDecoder$ + - kind: expression_statement + all: + - has: + kind: assignment_expression + all: + - has: + nthChild: 1 + pattern: $INST + - has: + kind: object_creation_expression + has: + kind: identifier + regex: ^JwtDecoder$ + + ($D).Decode(false): + kind: invocation_expression + all: + - has: + nthChild: 1 + kind: member_access_expression + all: + - has: + nthChild: 1 + pattern: $INST + - has: + nthChild: 2 + kind: identifier + regex: ^Decode$ + - has: + nthChild: 2 + kind: argument_list + has: + kind: argument + has: + kind: boolean_literal + regex: ^false$ + any: + - nthChild: 2 + - nthChild: 3 + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - 
pattern: using JWT.Builder; + - pattern: using Microsoft.IdentityModel.Tokens; + - inside: + stopBy: end + follows: + stopBy: end + any: + - kind: local_declaration_statement + has: + stopBy: end + kind: variable_declarator + all: + - has: + kind: identifier + pattern: $INST + - has: + kind: object_creation_expression + has: + kind: identifier + regex: ^JwtDecoder$ + - kind: expression_statement + all: + - has: + kind: assignment_expression + all: + - has: + nthChild: 1 + pattern: $INST + - has: + kind: object_creation_expression + has: + kind: identifier + regex: ^JwtDecoder$ + + JwtBuilder..Decode(...): + kind: invocation_expression + all: + - not: + precedes: + stopBy: end + has: + stopBy: end + kind: member_access_expression + has: + kind: identifier + regex: ^MustVerifySignature$ + precedes: + kind: argument_list + - has: + nthChild: 1 + kind: member_access_expression + all: + - has: + stopBy: end + kind: identifier + regex: ^JwtBuilder$ + - not: + has: + stopBy: end + kind: invocation_expression + all: + - has: + kind: member_access_expression + nthChild: 1 + has: + nthChild: 2 + kind: identifier + regex: ^MustVerifySignature$ + - has: + kind: argument_list + nthChild: 2 + - has: + nthChild: 2 + kind: identifier + regex: ^Decode$ + - has: + nthChild: 2 + kind: argument_list + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - pattern: using Microsoft.IdentityModel.Tokens; + + $B. ... 
.Decode(...): + kind: invocation_expression + all: + - has: + nthChild: 1 + kind: member_access_expression + all: + - has: + stopBy: end + kind: identifier + pattern: $INST + - not: + has: + stopBy: end + kind: invocation_expression + all: + - has: + kind: member_access_expression + nthChild: 1 + has: + nthChild: 2 + kind: identifier + regex: ^MustVerifySignature$ + - has: + kind: argument_list + nthChild: 2 + - has: + nthChild: 2 + kind: identifier + regex: ^Decode$ + - has: + nthChild: 2 + kind: argument_list + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - pattern: using Microsoft.IdentityModel.Tokens; + - any: + - inside: + stopBy: end + follows: + stopBy: end + any: + - kind: expression_statement + has: + kind: assignment_expression + all: + - has: + kind: identifier + nthChild: 1 + - has: + kind: invocation_expression + pattern: JwtBuilder.Create() + - kind: local_declaration_statement + # not: + # precedes: + # stopBy: end + # has: + # stopBy: end + # kind: member_access_expression + # has: + # kind: identifier + # regex: ^MustVerifySignature$ + # precedes: + # kind: argument_list + has: + stopBy: end + kind: variable_declarator + all: + - has: + nthChild: 1 + kind: identifier + pattern: $INST + - has: + stopBy: end + kind: invocation_expression + pattern: JwtBuilder.Create() + - inside: + stopBy: end + follows: + stopBy: end + kind: expression_statement + not: + precedes: + stopBy: end + has: + stopBy: end + kind: member_access_expression + has: + kind: identifier + regex: ^MustVerifySignature$ + precedes: + kind: argument_list + has: + kind: assignment_expression + all: + - has: + nthChild: 1 + kind: identifier + pattern: $INST + - has: + stopBy: end + kind: invocation_expression + pattern: JwtBuilder.Create() + - not: + any: + - inside: + stopBy: end + follows: + stopBy: end + kind: expression_statement + any: + - has: + stopBy: end + pattern: 
MustVerifySignature() + - has: + stopBy: end + kind: member_access_expression + all: + - has: + kind: identifier + pattern: $INST + - has: + kind: identifier + regex: ^MustVerifySignature$ + precedes: + kind: argument_list + - inside: + kind: member_access_expression + all: + - has: + stopBy: end + kind: identifier + regex: ^MustVerifySignature$ + - precedes: + kind: argument_list + + new ValidationParameters() {..., ValidateSignature = false, ...}: + kind: object_creation_expression + all: + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - pattern: using Microsoft.IdentityModel.Tokens; + - has: + kind: identifier + nthChild: 1 + regex: ^ValidationParameters$ + - has: + kind: initializer_expression + has: + kind: assignment_expression + pattern: ValidateSignature = false + + $V.ValidateSignature = false: + kind: assignment_expression + all: + - has: + kind: member_access_expression + nthChild: 1 + all: + - has: + nthChild: 1 + kind: identifier + pattern: $INST + - has: + nthChild: 2 + kind: identifier + regex: ^ValidateSignature$ + - has: + nthChild: 2 + kind: boolean_literal + regex: ^false$ + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - pattern: using Microsoft.IdentityModel.Tokens; + - inside: + stopBy: end + follows: + stopBy: end + any: + - kind: local_declaration_statement + all: + - has: + stopBy: end + kind: variable_declarator + all: + - has: + kind: identifier + pattern: $INST + - has: + kind: object_creation_expression + has: + kind: identifier + regex: ^ValidationParameters$ + - kind: expression_statement + has: + kind: assignment_expression + all: + - has: + kind: identifier + pattern: $INST + - has: + kind: object_creation_expression + has: + kind: identifier + regex: ^ValidationParameters$ + + new JwtAuthenticationOptions() {..., VerifySignature = false, ...}: + kind: 
object_creation_expression + all: + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - pattern: using Microsoft.IdentityModel.Tokens; + - has: + kind: identifier + nthChild: 1 + regex: ^JwtAuthenticationOptions$ + - has: + kind: initializer_expression + has: + kind: assignment_expression + pattern: VerifySignature = false + + $V.VerifySignature = false: + kind: assignment_expression + all: + - has: + kind: member_access_expression + nthChild: 1 + all: + - has: + nthChild: 1 + kind: identifier + pattern: $INST + - has: + nthChild: 2 + kind: identifier + regex: ^VerifySignature$ + - has: + nthChild: 2 + kind: boolean_literal + regex: ^false$ + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - pattern: using Microsoft.IdentityModel.Tokens; + - inside: + stopBy: end + any: + - follows: + stopBy: end + any: + - kind: local_declaration_statement + all: + - has: + stopBy: end + kind: variable_declarator + all: + - has: + kind: identifier + pattern: $INST + - has: + kind: object_creation_expression + has: + kind: identifier + regex: ^ValidationParameters$ + - kind: expression_statement + has: + kind: assignment_expression + all: + - has: + kind: identifier + pattern: $INST + - has: + kind: object_creation_expression + has: + kind: identifier + regex: ^ValidationParameters$ + - inside: + stopBy: end + kind: argument_list + follows: + stopBy: end + kind: member_access_expression + has: + nthChild: 2 + kind: identifier + regex: ^AddJwt$ + + new TokenValidationParameters() {..., ValidateIssuerSigningKey = false, ...}: + kind: object_creation_expression + all: + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - pattern: using Microsoft.IdentityModel.Tokens; + - has: + kind: identifier + nthChild: 1 + regex: 
^TokenValidationParameters$ + - has: + kind: initializer_expression + has: + kind: assignment_expression + pattern: ValidateIssuerSigningKey = false + + $V.ValidateIssuerSigningKey = false: + kind: assignment_expression + all: + - has: + kind: member_access_expression + nthChild: 1 + all: + - has: + nthChild: 1 + kind: identifier + pattern: $INST + - has: + nthChild: 2 + kind: identifier + regex: ^ValidateIssuerSigningKey$ + - has: + nthChild: 2 + kind: boolean_literal + regex: ^false$ + - inside: + stopBy: end + follows: + stopBy: end + kind: using_directive + any: + - pattern: using JWT; + - pattern: using JWT.Builder; + - pattern: using Microsoft.IdentityModel.Tokens; + - inside: + stopBy: end + follows: + stopBy: end + any: + - kind: local_declaration_statement + all: + - has: + stopBy: end + kind: variable_declarator + all: + - has: + kind: identifier + pattern: $INST + - has: + kind: object_creation_expression + has: + kind: identifier + regex: ^TokenValidationParameters$ + - kind: expression_statement + has: + kind: assignment_expression + all: + - has: + kind: identifier + pattern: $INST + - has: + kind: object_creation_expression + has: + kind: identifier + regex: ^TokenValidationParameters$ + +rule: + any: + - matches: (IJwtDecoder $D).Decode($X,verify-false,.) + - matches: (IJwtDecoder $D).Decode(false) + - matches: $D.Decode($X,verify-false,.) + - matches: ($D).Decode(false) + - matches: JwtBuilder..Decode(...) + - matches: $B. ... .Decode(...) + - matches: new ValidationParameters() {..., ValidateSignature = false, ...} + - matches: $V.ValidateSignature = false + - matches: new JwtAuthenticationOptions() {..., VerifySignature = false, ...} + - matches: $V.VerifySignature = false + - matches: new TokenValidationParameters() {..., ValidateIssuerSigningKey = false, ...} + - matches: $V.ValidateIssuerSigningKey = false 
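Review bot: In the `$V.VerifySignature = false` util the declaration lookup still requires the instance to be created with `new ValidationParameters()` (both the `local_declaration_statement` and the `expression_statement` branch use `regex: ^ValidationParameters$`), which looks copied from the `ValidateSignature` util above it; the type that carries `VerifySignature` is `JwtAuthenticationOptions`, so `var opts = new JwtAuthenticationOptions(); opts.VerifySignature = false;` is reached only through the `AddJwt` argument-list branch, and both regexes should read `regex: ^JwtAuthenticationOptions$`. Separately, the two `TokenValidationParameters` utils key on `ValidateIssuerSigningKey = false`, which in Microsoft.IdentityModel.Tokens controls validation of the signing key itself (and, as far as I recall, is already the default) rather than signature verification; the settings that make a token accepted without a valid signature are `RequireSignedTokens = false` and a permissive `SignatureValidator` delegate, so the current pattern reports a setting that does not weaken verification while missing the ones that do. The commented-out `# not: # precedes: …` block inside the `$B. ... .Decode(...)` util should be removed or replaced by a one-line comment stating why the `MustVerifySignature` exclusion lives in the later `not: any:` clause instead.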
diff --git a/tests/__snapshots__/jwt-decode-without-verify-csharp-snapshot.yml b/tests/__snapshots__/jwt-decode-without-verify-csharp-snapshot.yml new file mode 100644 index 00000000..1207e061 --- /dev/null +++ b/tests/__snapshots__/jwt-decode-without-verify-csharp-snapshot.yml 
@@ -0,0 +1,907 @@ +id: jwt-decode-without-verify-csharp +snapshots: + ? | + using JWT; + using JWT.Builder; + using Microsoft.IdentityModel.Tokens; + namespace Example.Foobar + { + public class JwtTestPatterns{ + public void JwtTest1(){ + IJsonSerializer serializer = new JsonNetSerializer(); + IDateTimeProvider provider = new UtcDateTimeProvider(); + IJwtValidator validator = new JwtValidator(serializer, provider); + IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); + IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); + IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); + var json1 = decoder.Decode(token, verify: false); + } + } + } + : labels: + - source: 'decoder.Decode(token, verify: false)' + style: primary + start: 580 + end: 616 + - source: decoder + style: secondary + start: 580 + end: 587 + - source: Decode + style: secondary + start: 588 + end: 594 + - source: decoder.Decode + style: secondary + start: 580 + end: 594 + - source: verify + style: secondary + start: 602 + end: 608 + - source: 'false' + style: secondary + start: 610 + end: 615 + - source: 'verify: false' + style: secondary + start: 602 + end: 615 + - source: '(token, verify: false)' + style: secondary + start: 594 + end: 616 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: IJwtDecoder + style: secondary + start: 478 + end: 489 + - source: decoder + style: secondary + start: 490 + end: 497 + - source: decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm) + style: secondary + start: 490 + end: 560 + - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm) + style: secondary + start: 478 + end: 560 + - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); + style: secondary + start: 478 + end: 561 + - source: IJwtDecoder 
decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); + style: secondary + start: 478 + end: 561 + ? | + using JWT; + using JWT.Builder; + using Microsoft.IdentityModel.Tokens; + namespace Example.Foobar + { + public class JwtTestPatterns{ + public void JwtTest1(){ + IJsonSerializer serializer = new JsonNetSerializer(); + IDateTimeProvider provider = new UtcDateTimeProvider(); + IJwtValidator validator = new JwtValidator(serializer, provider); + IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); + IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); + IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); + var json2 = decoder.Decode(token, null, false); + Console.WriteLine(json); + } + } + } + : labels: + - source: decoder.Decode(token, null, false) + style: primary + start: 580 + end: 614 + - source: decoder + style: secondary + start: 580 + end: 587 + - source: Decode + style: secondary + start: 588 + end: 594 + - source: decoder.Decode + style: secondary + start: 580 + end: 594 + - source: 'false' + style: secondary + start: 608 + end: 613 + - source: 'false' + style: secondary + start: 608 + end: 613 + - source: (token, null, false) + style: secondary + start: 594 + end: 614 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: IJwtDecoder + style: secondary + start: 478 + end: 489 + - source: decoder + style: secondary + start: 490 + end: 497 + - source: decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm) + style: secondary + start: 490 + end: 560 + - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm) + style: secondary + start: 478 + end: 560 + - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); + style: secondary + start: 478 + end: 561 + - source: IJwtDecoder decoder 
= new JwtDecoder(serializer, validator, urlEncoder, algorithm); + style: secondary + start: 478 + end: 561 + ? | + using JWT; + using JWT.Builder; + using Microsoft.IdentityModel.Tokens; + namespace Example.Foobar + { + public class JwtTestPatterns{ + public void JwtTest10(){ + var builder = JwtBuilder.Create(); + var json = builder.WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key) + .Decode(token); + Console.WriteLine(json); + } + } + } + : labels: + - source: |- + builder.WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key) + .Decode(token) + style: primary + start: 214 + end: 342 + - source: builder + style: secondary + start: 214 + end: 221 + - source: Decode + style: secondary + start: 329 + end: 335 + - source: |- + builder.WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key) + .Decode + style: secondary + start: 214 + end: 335 + - source: (token) + style: secondary + start: 335 + end: 342 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: builder + style: secondary + start: 166 + end: 173 + - source: JwtBuilder.Create() + style: secondary + start: 176 + end: 195 + - source: builder = JwtBuilder.Create() + style: secondary + start: 166 + end: 195 + - source: var builder = JwtBuilder.Create(); + style: secondary + start: 162 + end: 196 + - source: var builder = JwtBuilder.Create(); + style: secondary + start: 162 + end: 196 + ? 
| + using JWT; + using JWT.Builder; + using Microsoft.IdentityModel.Tokens; + namespace Example.Foobar + { + public class JwtTestPatterns{ + public void JwtTest11(){ + var builder = JwtBuilder.Create(); + var json = builder.WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key) + .Decode(token, verify: false); + Console.WriteLine(json); + } + } + } + : labels: + - source: |- + builder.WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key) + .Decode(token, verify: false) + style: primary + start: 214 + end: 357 + - source: builder + style: secondary + start: 214 + end: 221 + - source: Decode + style: secondary + start: 329 + end: 335 + - source: |- + builder.WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key) + .Decode + style: secondary + start: 214 + end: 335 + - source: '(token, verify: false)' + style: secondary + start: 335 + end: 357 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: builder + style: secondary + start: 166 + end: 173 + - source: JwtBuilder.Create() + style: secondary + start: 176 + end: 195 + - source: builder = JwtBuilder.Create() + style: secondary + start: 166 + end: 195 + - source: var builder = JwtBuilder.Create(); + style: secondary + start: 162 + end: 196 + - source: var builder = JwtBuilder.Create(); + style: secondary + start: 162 + end: 196 + ? 
| + using JWT; + using JWT.Builder; + using Microsoft.IdentityModel.Tokens; + namespace Example.Foobar + { + public class JwtTestPatterns{ + public void JwtTest13(){ + var validationParameters = new ValidationParameters + { + ValidateSignature = false, + ValidateExpirationTime = false, + ValidateIssuedTime = false, + TimeMargin = 100 + }; + } + } + } + : labels: + - source: |- + new ValidationParameters + { + ValidateSignature = false, + ValidateExpirationTime = false, + ValidateIssuedTime = false, + TimeMargin = 100 + } + style: primary + start: 189 + end: 373 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: ValidationParameters + style: secondary + start: 193 + end: 213 + - source: ValidateSignature = false + style: secondary + start: 232 + end: 257 + - source: |- + { + ValidateSignature = false, + ValidateExpirationTime = false, + ValidateIssuedTime = false, + TimeMargin = 100 + } + style: secondary + start: 220 + end: 373 + ? 
| + using JWT; + using JWT.Builder; + using Microsoft.IdentityModel.Tokens; + namespace Example.Foobar + { + public class JwtTestPatterns{ + public void JwtTest15(){ + var builder = JwtBuilder.Create() + .WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key); + var json = builder.Decode(token); + Console.WriteLine(json); + } + } + } + : labels: + - source: builder.Decode(token) + style: primary + start: 293 + end: 314 + - source: builder + style: secondary + start: 293 + end: 300 + - source: Decode + style: secondary + start: 301 + end: 307 + - source: builder.Decode + style: secondary + start: 293 + end: 307 + - source: (token) + style: secondary + start: 307 + end: 314 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: builder + style: secondary + start: 166 + end: 173 + - source: JwtBuilder.Create() + style: secondary + start: 176 + end: 195 + - source: |- + builder = JwtBuilder.Create() + .WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key) + style: secondary + start: 166 + end: 274 + - source: |- + var builder = JwtBuilder.Create() + .WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key); + style: secondary + start: 162 + end: 275 + - source: |- + var builder = JwtBuilder.Create() + .WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key); + style: secondary + start: 162 + end: 275 + ? 
| + using JWT; + using JWT.Builder; + using Microsoft.IdentityModel.Tokens; + namespace Example.Foobar + { + public class JwtTestPatterns{ + public void JwtTest17(){ + var options = new JwtAuthenticationOptions + { + VerifySignature = false + }; + Console.WriteLine("JWT Authentication setup with signature verification disabled."); + } + } + } + : labels: + - source: |- + new JwtAuthenticationOptions + { + VerifySignature = false + } + style: primary + start: 176 + end: 254 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: JwtAuthenticationOptions + style: secondary + start: 180 + end: 204 + - source: VerifySignature = false + style: secondary + start: 223 + end: 246 + - source: |- + { + VerifySignature = false + } + style: secondary + start: 211 + end: 254 + ? | + using JWT; + using JWT.Builder; + using Microsoft.IdentityModel.Tokens; + namespace Example.Foobar + { + public class JwtTestPatterns{ + public void JwtTest18(){ + var validationParameters = new TokenValidationParameters + { + ValidateIssuerSigningKey = false, + ValidateIssuer = true, + ValidateAudience = true + }; + var tokenHandler = new JwtSecurityTokenHandler(); + var json = tokenHandler.ValidateToken(token, validationParameters, out var validatedToken); + Console.WriteLine(json); + } + } + } + : labels: + - source: |- + new TokenValidationParameters + { + ValidateIssuerSigningKey = false, + ValidateIssuer = true, + ValidateAudience = true + } + style: primary + start: 189 + end: 345 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: TokenValidationParameters + style: secondary + start: 193 + end: 218 + - source: ValidateIssuerSigningKey = false + style: secondary + start: 237 + end: 269 + - source: |- + { + 
ValidateIssuerSigningKey = false, + ValidateIssuer = true, + ValidateAudience = true + } + style: secondary + start: 225 + end: 345 + ? | + using JWT; + using JWT.Builder; + using Microsoft.IdentityModel.Tokens; + namespace Example.Foobar + { + public class JwtTestPatterns{ + public void JwtTest19(){ + var validationParameters = new TokenValidationParameters + { + ValidateIssuerSigningKey = false, + ValidateIssuer = true, + ValidateAudience = true + }; + Console.WriteLine("JWT decode with validation params where signature validation is disabled."); + } + } + } + : labels: + - source: |- + new TokenValidationParameters + { + ValidateIssuerSigningKey = false, + ValidateIssuer = true, + ValidateAudience = true + } + style: primary + start: 189 + end: 345 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: TokenValidationParameters + style: secondary + start: 193 + end: 218 + - source: ValidateIssuerSigningKey = false + style: secondary + start: 237 + end: 269 + - source: |- + { + ValidateIssuerSigningKey = false, + ValidateIssuer = true, + ValidateAudience = true + } + style: secondary + start: 225 + end: 345 + ? 
"using JWT;\nusing JWT.Builder;\nusing Microsoft.IdentityModel.Tokens;\nnamespace Example.Foobar\n{\n public class JwtTestPatterns{\n public void JwtTest19(){\n var validationParameters = new TokenValidationParameters\n {\n ValidateIssuerSigningKey = false, \n ValidateIssuer = true,\n ValidateAudience = true\n };\n Console.WriteLine(\"JWT decode with validation params where signature validation is disabled.\");\n }\n }\n}\n" + : labels: + - source: "new TokenValidationParameters\n {\n ValidateIssuerSigningKey = false, \n ValidateIssuer = true,\n ValidateAudience = true\n }" + style: primary + start: 189 + end: 346 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: TokenValidationParameters + style: secondary + start: 193 + end: 218 + - source: ValidateIssuerSigningKey = false + style: secondary + start: 237 + end: 269 + - source: "{\n ValidateIssuerSigningKey = false, \n ValidateIssuer = true,\n ValidateAudience = true\n }" + style: secondary + start: 225 + end: 346 + ? 
| + using JWT; + using JWT.Builder; + using Microsoft.IdentityModel.Tokens; + namespace Example.Foobar + { + public class JwtTestPatterns{ + public void JwtTest2(){ + var json = JwtBuilder.Create() + .WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key) + .Decode(token); + Console.WriteLine(json); + } + } + } + : labels: + - source: |- + JwtBuilder.Create() + .WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key) + .Decode(token) + style: primary + start: 174 + end: 303 + - source: JwtBuilder + style: secondary + start: 174 + end: 184 + - source: Decode + style: secondary + start: 290 + end: 296 + - source: |- + JwtBuilder.Create() + .WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key) + .Decode + style: secondary + start: 174 + end: 296 + - source: (token) + style: secondary + start: 296 + end: 303 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + ? 
| + using JWT; + using JWT.Builder; + using Microsoft.IdentityModel.Tokens; + namespace Example.Foobar + { + public class JwtTestPatterns{ + public void JwtTest3(){ + var builder = JwtBuilder.Create(); + var json = builder + .WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key) + .Decode(token); + Console.WriteLine(json); + } + } + } + : labels: + - source: |- + builder + .WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key) + .Decode(token) + style: primary + start: 213 + end: 324 + - source: builder + style: secondary + start: 213 + end: 220 + - source: Decode + style: secondary + start: 311 + end: 317 + - source: |- + builder + .WithAlgorithm(new HMACSHA256Algorithm()) + .WithSecret(key) + .Decode + style: secondary + start: 213 + end: 317 + - source: (token) + style: secondary + start: 317 + end: 324 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: builder + style: secondary + start: 165 + end: 172 + - source: JwtBuilder.Create() + style: secondary + start: 175 + end: 194 + - source: builder = JwtBuilder.Create() + style: secondary + start: 165 + end: 194 + - source: var builder = JwtBuilder.Create(); + style: secondary + start: 161 + end: 195 + - source: var builder = JwtBuilder.Create(); + style: secondary + start: 161 + end: 195 + ? 
| + using JWT; + using JWT.Builder; + using Microsoft.IdentityModel.Tokens; + namespace Example.Foobar + { + public class JwtTestPatterns{ + public void JwtTest7(){ + IJsonSerializer serializer = new JsonNetSerializer(); + IDateTimeProvider provider = new UtcDateTimeProvider(); + IJwtValidator validator = new JwtValidator(serializer, provider); + IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); + IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); + IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); + var json = decoder.Decode(token, verify: false); + Console.WriteLine(json); + } + } + } + : labels: + - source: 'decoder.Decode(token, verify: false)' + style: primary + start: 579 + end: 615 + - source: decoder + style: secondary + start: 579 + end: 586 + - source: Decode + style: secondary + start: 587 + end: 593 + - source: decoder.Decode + style: secondary + start: 579 + end: 593 + - source: verify + style: secondary + start: 601 + end: 607 + - source: 'false' + style: secondary + start: 609 + end: 614 + - source: 'verify: false' + style: secondary + start: 601 + end: 614 + - source: '(token, verify: false)' + style: secondary + start: 593 + end: 615 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: IJwtDecoder + style: secondary + start: 478 + end: 489 + - source: decoder + style: secondary + start: 490 + end: 497 + - source: decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm) + style: secondary + start: 490 + end: 560 + - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm) + style: secondary + start: 478 + end: 560 + - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); + style: secondary + start: 478 + end: 561 + - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, 
urlEncoder, algorithm); + style: secondary + start: 478 + end: 561 + ? | + using JWT; + using JWT.Builder; + using Microsoft.IdentityModel.Tokens; + namespace Example.Foobar + { + public class JwtTestPatterns{ + public void JwtTest9(){ + var decoder = new JwtDecoder(new JsonNetSerializer(), new JwtValidator(new JsonNetSerializer(), new UtcDateTimeProvider()), new JwtBase64UrlEncoder(), new HMACSHA256Algorithm()); + var json = decoder.Decode(token, null, false); // decode with no signature verification + Console.WriteLine(json); + } + } + } + : labels: + - source: decoder.Decode(token, null, false) + style: primary + start: 357 + end: 391 + - source: decoder + style: secondary + start: 357 + end: 364 + - source: Decode + style: secondary + start: 365 + end: 371 + - source: decoder.Decode + style: secondary + start: 357 + end: 371 + - source: 'false' + style: secondary + start: 385 + end: 390 + - source: 'false' + style: secondary + start: 385 + end: 390 + - source: (token, null, false) + style: secondary + start: 371 + end: 391 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: using Microsoft.IdentityModel.Tokens; + style: secondary + start: 30 + end: 67 + - source: decoder + style: secondary + start: 165 + end: 172 + - source: JwtDecoder + style: secondary + start: 179 + end: 189 + - source: new JwtDecoder(new JsonNetSerializer(), new JwtValidator(new JsonNetSerializer(), new UtcDateTimeProvider()), new JwtBase64UrlEncoder(), new HMACSHA256Algorithm()) + style: secondary + start: 175 + end: 338 + - source: decoder = new JwtDecoder(new JsonNetSerializer(), new JwtValidator(new JsonNetSerializer(), new UtcDateTimeProvider()), new JwtBase64UrlEncoder(), new HMACSHA256Algorithm()) + style: secondary + start: 165 + end: 338 + - source: var decoder = new JwtDecoder(new JsonNetSerializer(), new JwtValidator(new JsonNetSerializer(), new UtcDateTimeProvider()), new JwtBase64UrlEncoder(), new HMACSHA256Algorithm()); + 
style: secondary + start: 161 + end: 339 + - source: var decoder = new JwtDecoder(new JsonNetSerializer(), new JwtValidator(new JsonNetSerializer(), new UtcDateTimeProvider()), new JwtBase64UrlEncoder(), new HMACSHA256Algorithm()); + style: secondary + start: 161 + end: 339
diff --git a/tests/csharp/jwt-decode-without-verify-csharp-test.yml b/tests/csharp/jwt-decode-without-verify-csharp-test.yml
new file mode 100644
index 00000000..1d419c16
--- /dev/null
+++ b/tests/csharp/jwt-decode-without-verify-csharp-test.yml
@@ -0,0 +1,262 @@
+id: jwt-decode-without-verify-csharp
+valid:
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void OkJwtTest2()
+ {
+ var json = JwtBuilder.Create()
+ .WithAlgorithm(new HMACSHA256Algorithm())
+ .MustVerifySignature()
+ .WithSecret(key)
+ .Decode(token);
+ Console.WriteLine(json);
+ }
+ }
+ }
+invalid:
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void JwtTest7(){
+ IJsonSerializer serializer = new JsonNetSerializer();
+ IDateTimeProvider provider = new UtcDateTimeProvider();
+ IJwtValidator validator = new JwtValidator(serializer, provider);
+ IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder();
+ IJwtAlgorithm algorithm = new HMACSHA256Algorithm();
+ IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm);
+ var json = decoder.Decode(token, verify: false);
+ Console.WriteLine(json);
+ }
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void JwtTest9(){
+ var decoder = new JwtDecoder(new JsonNetSerializer(), new JwtValidator(new JsonNetSerializer(), new UtcDateTimeProvider()), new JwtBase64UrlEncoder(), new HMACSHA256Algorithm());
+ var json = decoder.Decode(token, null, false); // decode with no signature verification
+ Console.WriteLine(json);
+ }
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void JwtTest10(){
+ var builder = JwtBuilder.Create();
+ var json = builder.WithAlgorithm(new HMACSHA256Algorithm())
+ .WithSecret(key)
+ .Decode(token);
+ Console.WriteLine(json);
+ }
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void JwtTest11(){
+ var builder = JwtBuilder.Create();
+ var json = builder.WithAlgorithm(new HMACSHA256Algorithm())
+ .WithSecret(key)
+ .Decode(token, verify: false);
+ Console.WriteLine(json);
+ }
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void JwtTest13(){
+ var validationParameters = new ValidationParameters
+ {
+ ValidateSignature = false,
+ ValidateExpirationTime = false,
+ ValidateIssuedTime = false,
+ TimeMargin = 100
+ };
+ }
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void JwtTest15(){
+ var builder = JwtBuilder.Create()
+ .WithAlgorithm(new HMACSHA256Algorithm())
+ .WithSecret(key);
+ var json = builder.Decode(token);
+ Console.WriteLine(json);
+ }
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void JwtTest17(){
+ var options = new JwtAuthenticationOptions
+ {
+ VerifySignature = false
+ };
+ Console.WriteLine("JWT Authentication setup with signature verification disabled.");
+ }
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void JwtTest18(){
+ var validationParameters = new TokenValidationParameters
+ {
+ ValidateIssuerSigningKey = false,
+ ValidateIssuer = true,
+ ValidateAudience = true
+ };
+ var tokenHandler = new JwtSecurityTokenHandler();
+ var json = tokenHandler.ValidateToken(token, validationParameters, out var validatedToken);
+ Console.WriteLine(json);
+ }
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void JwtTest19(){
+ var validationParameters = new TokenValidationParameters
+ {
+ ValidateIssuerSigningKey = false,
+ ValidateIssuer = true,
+ ValidateAudience = true
+ };
+ Console.WriteLine("JWT decode with validation params where signature validation is disabled.");
+ }
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void JwtTest19(){
+ var validationParameters = new TokenValidationParameters
+ {
+ ValidateIssuerSigningKey = false,
+ ValidateIssuer = true,
+ ValidateAudience = true
+ };
+ Console.WriteLine("JWT decode with validation params where signature validation is disabled.");
+ }
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void JwtTest1(){
+ IJsonSerializer serializer = new JsonNetSerializer();
+ IDateTimeProvider provider = new UtcDateTimeProvider();
+ IJwtValidator validator = new JwtValidator(serializer, provider);
+ IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder();
+ IJwtAlgorithm algorithm = new HMACSHA256Algorithm();
+ IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm);
+ var json1 = decoder.Decode(token, verify: false);
+ }
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void JwtTest1(){
+ IJsonSerializer serializer = new JsonNetSerializer();
+ IDateTimeProvider provider = new UtcDateTimeProvider();
+ IJwtValidator validator = new JwtValidator(serializer, provider);
+ IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder();
+ IJwtAlgorithm algorithm = new HMACSHA256Algorithm();
+ IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm);
+ var json2 = decoder.Decode(token, null, false);
+ Console.WriteLine(json);
+ }
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void JwtTest2(){
+ var json = JwtBuilder.Create()
+ .WithAlgorithm(new HMACSHA256Algorithm())
+ .WithSecret(key)
+ .Decode(token);
+ Console.WriteLine(json);
+ }
+ }
+ }
+ - |
+ using JWT;
+ using JWT.Builder;
+ using Microsoft.IdentityModel.Tokens;
+ namespace Example.Foobar
+ {
+ public class JwtTestPatterns{
+ public void JwtTest3(){
+ var builder = JwtBuilder.Create();
+ var json = builder
+ .WithAlgorithm(new HMACSHA256Algorithm())
+ .WithSecret(key)
+ .Decode(token);
+ Console.WriteLine(json);
+ }
+ }
+ }
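Review bot: The `valid` section holds a single case (`OkJwtTest2`, a builder chain with `MustVerifySignature()`), so none of the rule's other `matches` alternatives has a negative test and a false positive on safe code would go unnoticed; a `decoder.Decode(token, verify: true)` call, a `new TokenValidationParameters { ValidateIssuerSigningKey = true }` initializer and a `ValidateSignature = true` / `VerifySignature = true` assignment would each be a one-case addition that pins the intended behaviour. The `JwtTest19` sample also appears twice in `invalid`; the snapshot file added by this commit suggests the two copies differ only in trailing whitespace, so one of them should be dropped. Since the rule's `$B. ... .Decode(...)` alternative appears to match any chain ending in `Decode` on a stored builder, a valid case in the `JwtTest15` shape that calls `MustVerifySignature()` before the separate `builder.Decode(token)` would also be worth adding, as that is the shape most likely to produce false positives.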