Merge pull request #14061 from maikypedia/maikypedia/ruby-jwt

Ruby: JWT Security Queries (CWE-347)

Author: alexrford

ruby/ql/lib/codeql/ruby/Concepts.qll

@@ -1281,3 +1281,92 @@ module LdapBind {
     abstract predicate usesSsl();
   }
 }
+
+/**
+ * A data-flow node that encodes a Jwt token.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `JwtEncoding::Range` instead.
+ */
+class JwtEncoding extends DataFlow::Node instanceof JwtEncoding::Range {
+  /** Gets the argument containing the encoding payload. */
+  DataFlow::Node getPayload() { result = super.getPayload() }
+
+  /** Gets the argument containing the encoding algorithm. */
+  DataFlow::Node getAlgorithm() { result = super.getAlgorithm() }
+
+  /** Gets the argument containing the encoding key. */
+  DataFlow::Node getKey() { result = super.getKey() }
+
+  /** Checks if the payloads gets signed while encoding. */
+  predicate signsPayload() { super.signsPayload() }
+}
+
+/** Provides a class for modeling new Jwt token encoding APIs. */
+module JwtEncoding {
+  /**
+   * A data-flow node that encodes a Jwt token.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `JwtEncoding` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /** Gets the argument containing the encoding payload. */
+    abstract DataFlow::Node getPayload();
+
+    /** Gets the argument containing the encoding algorithm. */
+    abstract DataFlow::Node getAlgorithm();
+
+    /** Gets the argument containing the encoding key. */
+    abstract DataFlow::Node getKey();
+
+    /** Checks if the payloads gets signed while encoding. */
+    abstract predicate signsPayload();
+  }
+}
+
+/**
+ * A data-flow node that decodes a Jwt token.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `JwtDecoding::Range` instead.
+ */
+class JwtDecoding extends DataFlow::Node instanceof JwtDecoding::Range {
+  /** Gets the argument containing the encoding payload. */
+  DataFlow::Node getPayload() { result = super.getPayload() }
+
+  /** Gets the argument containing the encoding algorithm. */
+  DataFlow::Node getAlgorithm() { result = super.getAlgorithm() }
+
+  /** Gets the argument containing the encoding key. */
+  DataFlow::Node getOptions() { result = super.getOptions() }
+
+  /** Checks if the signature gets verified while decoding. */
+  predicate verifiesSignature() { super.verifiesSignature() }
+}
+
+/** Provides a class for modeling new Jwt token encoding APIs. */
+module JwtDecoding {
+  /**
+   * A data-flow node that encodes a Jwt token.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `JwtDecoding` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /** Gets the argument containing the encoding payload. */
+    abstract DataFlow::Node getPayload();
+
+    /** Gets the argument containing the encoding algorithm. */
+    abstract DataFlow::Node getAlgorithm();
+
+    /** Gets the argument containing the encoding key. */
+    abstract DataFlow::Node getKey();
+
+    /** Gets the argument containing the encoding options. */
+    abstract DataFlow::Node getOptions();
+
+    /** Checks if the signature gets verified while decoding. */
+    abstract predicate verifiesSignature();
+  }
+}

ruby/ql/lib/codeql/ruby/Frameworks.qll

@@ -37,3 +37,4 @@ private import codeql.ruby.frameworks.Pg
 private import codeql.ruby.frameworks.Yaml
 private import codeql.ruby.frameworks.Sequel
 private import codeql.ruby.frameworks.Ldap
+private import codeql.ruby.frameworks.Jwt

ruby/ql/lib/codeql/ruby/frameworks/Jwt.qll

@@ -0,0 +1,58 @@
+/**
+ * Provides creation, verification and decoding JSON Web Tokens (JWT).
+ */
+
+private import ruby
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.dataflow.FlowSummary
+private import codeql.ruby.Concepts
+
+/**
+ * Provides creation, verification and decoding JSON Web Tokens (JWT).
+ */
+module Jwt {
+  /** A call to `JWT.encode`, considered as a JWT encoding. */
+  private class JwtEncode extends JwtEncoding::Range, DataFlow::CallNode {
+    JwtEncode() { this = API::getTopLevelMember("JWT").getAMethodCall("encode") }
+
+    override DataFlow::Node getPayload() { result = this.getArgument(0) }
+
+    override DataFlow::Node getAlgorithm() { result = this.getArgument(2) }
+
+    override DataFlow::Node getKey() { result = this.getArgument(1) }
+
+    override predicate signsPayload() {
+      not (
+        this.getKey().getConstantValue().isStringlikeValue("") or
+        this.getKey().(DataFlow::ExprNode).getConstantValue().isNil()
+      )
+    }
+  }
+
+  /** A call to `JWT.decode`, considered as a JWT decoding. */
+  private class JwtDecode extends JwtDecoding::Range, DataFlow::CallNode {
+    JwtDecode() { this = API::getTopLevelMember("JWT").getAMethodCall("decode") }
+
+    override DataFlow::Node getPayload() { result = this.getArgument(0) }
+
+    override DataFlow::Node getAlgorithm() {
+      result = this.getArgument(3).(DataFlow::PairNode).getValue() or
+      result =
+        this.getArgument(3)
+            .(DataFlow::HashLiteralNode)
+            .getElementFromKey(any(Ast::ConstantValue cv | cv.isStringlikeValue("algorithm"))) or
+      result = this.getArgument(2)
+    }
+
+    override DataFlow::Node getKey() { result = this.getArgument(1) }
+
+    override DataFlow::Node getOptions() { result = this.getArgument(3) }
+
+    override predicate verifiesSignature() {
+      not this.getArgument(2).getConstantValue().isBoolean(false) and
+      not this.getAlgorithm().getConstantValue().isStringlikeValue("none")
+      or
+      this.getNumberOfArguments() < 3
+    }
+  }
+}

ruby/ql/src/change-notes/2023-09-16-jwt-security-query.md

@@ -0,0 +1,5 @@
+---
+category: newQuery
+---
+* Added a new experimental query, `rb/jwt-empty-secret-or-algorithm`, to detect when application uses an empty secret or weak algorithm.
+* Added a new experimental query, `rb/jwt-missing-verification`, to detect when the application does not verify a JWT payload.

ruby/ql/src/experimental/cwe-347/EmptyJWTSecret.qhelp

@@ -0,0 +1,35 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Applications encoding a JSON Web Token (JWT) may be vulnerable when it's not verified or algorithm is <code>none</code>.
+</p>
+</overview>
+
+<recommendation>
+<p>
+JSON Web Tokens should be signed using a strong cryptographic algorithm and non-empty secret.
+</p>
+</recommendation>
+
+<example>
+<p>
+In the example below, the secret used is an empty string and none algorithm is used. This may allow a malicious actor to make changes to a JWT payload.
+</p>
+
+<sample src="examples/EmptyJWTSecretBad.rb" />
+
+<p>
+The following code fixes the problem by using a non-empty cryptographic secret or key to encode JWT payloads.
+</p>
+
+<sample src="examples/EmptyJWTSecretGood.rb" />
+</example>
+
+<references>
+<li>Auth0 Blog: <a href="https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/#Meet-the--None--Algorithm">Meet the "None" Algorithm</a>.</li>
+</references>
+</qhelp>

ruby/ql/src/experimental/cwe-347/EmptyJWTSecret.ql

@@ -0,0 +1,15 @@
+/**
+ * @name JWT encoding using empty key or algorithm
+ * @description The application uses an empty secret or algorithm while encoding a JWT Token.
+ * @kind problem
+ * @problem.severity warning
+ * @precision high
+ * @id rb/jwt-empty-secret-or-algorithm
+ * @tags security
+ */
+
+private import codeql.ruby.Concepts
+
+from JwtEncoding jwtEncoding
+where not jwtEncoding.signsPayload()
+select jwtEncoding.getPayload(), "This JWT encoding uses an empty key or none algorithm."

ruby/ql/src/experimental/cwe-347/MissingJWTVerification.qhelp

@@ -0,0 +1,34 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Applications decoding a JSON Web Token (JWT) may be vulnerable when the key isn't verified.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Calls to <code>verify()</code> functions should use a cryptographic secret or key to decode JWT payloads.</p>
+</recommendation>
+
+<example>
+<p>
+In the example below, false is used to disable the integrity enforcement of a JWT payload and none algorithm is used. This may allow a malicious actor to make changes to a JWT payload.
+</p>
+
+<sample src="examples/MissingJWTVerificationBad.rb" />
+
+<p>
+The following code fixes the problem by using a cryptographic secret or key to decode JWT payloads.
+</p>
+
+<sample src="examples/MissingJWTVerificationGood.rb" />
+</example>
+
+<references>
+<li>Auth0 Blog: <a href="https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/#Meet-the--None--Algorithm">Meet the "None" Algorithm</a>.</li>
+</references>
+</qhelp>

ruby/ql/src/experimental/cwe-347/MissingJWTVerification.ql

@@ -0,0 +1,16 @@
+/**
+ * @name JWT missing secret or public key verification
+ * @description The application does not verify the JWT payload with a cryptographic secret or public key.
+ * @kind problem
+ * @problem.severity warning
+ * @precision high
+ * @id rb/jwt-missing-verification
+ * @tags security
+ *       external/cwe/cwe-347
+ */
+
+private import codeql.ruby.Concepts
+
+from JwtDecoding jwtDecoding
+where not jwtDecoding.verifiesSignature()
+select jwtDecoding.getPayload(), "is not verified with a cryptographic secret or public key."

ruby/ql/src/experimental/cwe-347/examples/EmptyJWTSecretBad.rb

@@ -0,0 +1,5 @@
+require 'jwt'
+
+token1 = JWT.encode({ foo: 'bar' }, "secret", 'none')
+
+token2 = JWT.encode({ foo: 'bar' }, nil, 'HS256')

ruby/ql/src/experimental/cwe-347/examples/EmptyJWTSecretGood.rb

@@ -0,0 +1,3 @@
+require 'jwt'
+
+token = JWT.encode({ foo: 'bar' }, "secret", 'HS256')