
Java: JWT decoding without verification [smowton fork] #17020

Closed
wants to merge 7 commits into from

Conversation

@smowton (Contributor) commented Jul 19, 2024

This is a polishing/stabilisation fork of #14089 -- discussion should happen there

Contributor
QHelp previews:

java/ql/src/experimental/Security/CWE/CWE-347/Auth0NoVerifier.qhelp

errors/warnings:

/home/runner/work/codeql/codeql/java/ql/src/experimental/Security/CWE/CWE-347/Auth0NoVerifier.qhelp: Invalid link target: CVE-2021-37580
A fatal error occurred: 1 qhelp files could not be processed.

Code scanning annotations (Code scanning / CodeQL) on the changed query files:

```ql
  PayloadType() { this.hasQualifiedName("com.auth0.jwt.interfaces", "Payload") }
}

class JWTType extends RefType {
  JWTType() { this.hasQualifiedName("com.auth0.jwt", "JWT") }
}

class JWTVerifierType extends RefType {
```

Check warning on `class JWTType extends RefType {`: Acronyms should be PascalCase/camelCase. Acronyms in JWTType should be PascalCase/camelCase.

Check warning on `class JWTVerifierType extends RefType {`: Acronyms should be PascalCase/camelCase. Acronyms in JWTVerifierType should be PascalCase/camelCase.

```ql
*/

import java
import semmle.code.java.dataflow.DataFlow
```

Check warning on `import semmle.code.java.dataflow.DataFlow`: Redundant import. The module is already imported inside semmle.code.java.dataflow.FlowSources.
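The Java pattern this query (CWE-347, Auth0NoVerifier) is meant to flag, shown next to the verified form, as an added example that is not code from this PR or from the CodeQL project. It uses the public `com.auth0:java-jwt` API that the query's `JWTType`, `JWTVerifierType` and `PayloadType` classes model; the class and method names, the `JWT_SECRET` environment variable and the issuer URL are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

// Added example, not part of the PR or the CodeQL project.
public class JwtDecodeExample {

    // VULNERABLE (CWE-347): JWT.decode only base64url-decodes the header and
    // payload. It never checks the signature, so anyone can mint a token with
    // an arbitrary "sub" claim and this method will trust it.
    static String userFromUnverifiedToken(String token) {
        DecodedJWT jwt = JWT.decode(token);
        return jwt.getSubject();
    }

    // FIXED: build a JWTVerifier pinned to the expected algorithm and issuer,
    // and read claims only from the DecodedJWT that verify() returns.
    static String userFromVerifiedToken(String token, byte[] secret) {
        JWTVerifier verifier = JWT.require(Algorithm.HMAC256(secret))
                .withIssuer("https://issuer.example") // hypothetical issuer
                .build();
        // verify() throws JWTVerificationException on a bad signature,
        // wrong issuer or expired token.
        DecodedJWT jwt = verifier.verify(token);
        return jwt.getSubject();
    }

    public static void main(String[] args) {
        // Assumed deployment detail: the HMAC secret comes from the environment.
        byte[] secret = System.getenv("JWT_SECRET").getBytes(StandardCharsets.UTF_8);

        // Constructed input: a legitimate token signed with the real secret.
        String genuine = JWT.create()
                .withIssuer("https://issuer.example")
                .withSubject("alice")
                .sign(Algorithm.HMAC256(secret));

        // Constructed input: a forged token signed with an attacker-chosen key.
        byte[] attackerKey = "attacker-chosen".getBytes(StandardCharsets.UTF_8);
        String forged = JWT.create()
                .withIssuer("https://issuer.example")
                .withSubject("admin")
                .sign(Algorithm.HMAC256(attackerKey));

        // The unverified path happily returns "admin" for the forged token.
        System.out.println("unverified: " + userFromUnverifiedToken(forged));

        // The verified path rejects it and accepts only the genuine token.
        try {
            userFromVerifiedToken(forged, secret);
        } catch (JWTVerificationException e) {
            System.out.println("forged token rejected: " + e.getMessage());
        }
        System.out.println("verified: " + userFromVerifiedToken(genuine, secret));
    }
}
```

The distinction the query relies on is the type of the object the claims are read from: a `DecodedJWT` produced by `JWT.decode` carries no assurance, whereas one produced by `JWTVerifier.verify` does. Reading `Payload` methods (`getSubject`, `getClaim`, and so on) off the former is the finding; routing the token through a verifier built from `JWT.require(...)` is the fix.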
@smowton (Contributor, Author) commented Aug 21, 2024

Original PR now merged.

@smowton smowton closed this Aug 21, 2024