Skip to content
This repository was archived by the owner on Jan 5, 2023. It is now read-only.

Golang : Add query to detect JWT signing vulnerabilities #705

Closed
ghost wants to merge 4 commits into from
Closed

Golang : Add query to detect JWT signing vulnerabilities #705

ghost wants to merge 4 commits into from

Conversation

@ghost
Copy link

@ghost ghost commented Mar 21, 2022

Using a hard-coded secret for signing JWT tokens in an open source project can cause security vulnerabilities.
This PR includes a query to find instances where a hard-coded string is used to sign a token.

@ghost ghost self-requested a review as a code owner March 21, 2022 13:52
@ghost ghost mentioned this pull request Mar 21, 2022
Closed
2 tasks
@owen-mc
Copy link
Contributor

owen-mc commented Mar 21, 2022

Thanks for this contribution. I haven't looked at it closely yet, but my first comment is that it would benefit from some tests and a qhelp file.

@ghost
Copy link
Author

ghost commented Mar 21, 2022

@owen-mc added QHelp along with an example. PTAL

owen-mc
owen-mc reviewed Mar 22, 2022
View reviewed changes
owen-mc
owen-mc reviewed Mar 22, 2022
View reviewed changes
owen-mc
owen-mc reviewed Mar 22, 2022
View reviewed changes
owen-mc
owen-mc reviewed Mar 22, 2022
View reviewed changes
pwntester
pwntester reviewed Mar 24, 2022
View reviewed changes
ql/src/experimental/CWE-321/HardcodedKeys.ql Outdated
Comment on lines 42 to 44
exists(ConversionExpr ce, StringLit str | ce.getOperand() = str and this.asExpr() = ce |
ce.getTypeExpr().getType() instanceof ByteSliceType
)
Copy link

@pwntester pwntester Mar 24, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like this clause is generating some FPs such as:

It doesnt seem like there is a StringLiteral involved in these (any many other) cases

Copy link

@pwntester pwntester Mar 29, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pwntester I thought about handling the FP in the first case. Having a empty string "" as a secret is a valid detection as it would the JWT is not signed at all. Hence, excluding all empty string from taint flow would lead to a lot of false negatives. However, I think considering any kind of comparison operation as a sanitizer would work here. So I have added a new sanitizer to detect any kind of binary op such as == or !=. I don't go about reasoning the correctness of the operation here.

In the second case, the project has a default insecure hard-coded key which it uses in the absence of a user supplied key. The alert is for the default key flow. Since, the default configuration is insecure, shouldn't we be flagging it? Ideally, the project should generate and use a random key if a user does not supply a custom key. Hence, I have kept this as is.

Can you point me to the empty key for the first case or the default key on the second case? Im not sure CodeQL is picking those

ghost
ghost commented Mar 26, 2022
View reviewed changes
@ghost
Copy link
Author

ghost commented Mar 26, 2022

@pwntester I thought about handling the FP in the first case. Having a empty string "" as a secret is a valid detection as it would the JWT is not signed at all. Hence, excluding all empty string from taint flow would lead to a lot of false negatives. However, I think considering any kind of comparison operation as a sanitizer would work here. So I have added a new sanitizer to detect any kind of binary op such as == or !=. I don't go about reasoning the correctness of the operation here.

In the second case, the project has a default insecure hard-coded key which it uses in the absence of a user supplied key. The alert is for the default key flow. Since, the default configuration is insecure, shouldn't we be flagging it? Ideally, the project should generate and use a random key if a user does not supply a custom key. Hence, I have kept this as is.

As for the clause you mentioned earlier, I think it a QL bug. See my other code comment for details.

@ghost
Copy link
Author

ghost commented Mar 29, 2022

@pwntester RE : #705 (comment)

In the firstcase, I was talking about the general case where there is no key used to sign a JWT. Since there is no secret, there is no encryption here.

As for the second case, can't you find kiali as the default string, QL gives me the flow directly on running no changes required.

@ghost
Copy link
Author

ghost commented Apr 4, 2022

Hey, Please don't run this on LGTM until this issue is resolved.

@owen-mc
Copy link
Contributor

owen-mc commented Apr 11, 2022

Test failure:

FAILED: /home/runner/work/codeql-go/codeql-go/ql/test/experimental/CWE-321/CONSISTENCY/UnexpectedFrontendErrors.ql

which means that it thinks there's something wrong with the go code in ql/test/experimental/CWE-321

Porucpiney Hairs added 2 commits April 12, 2022 20:00
Golang : Add query to detect JWT signing vulnerabilities
51f9007 
Using a hardcoded secret for signing JWT tokens in an open source project can cause security vulnerabilities.

There are multiple detections with this query. One of the publicly disclosed vulnerabilities includes [CVE-2022-0664](https://www.huntr.dev/bounties/29898a42-fd4f-4b5b-a8e3-ab573cb87eac/) found in [gravitl/netmaker](https://github.com/gravitl/netmaker).

A run of this query against a vulnerable version of the project [gravitl/netmaker](https://github.com/gravitl/netmaker) can be found [here](https://lgtm.com/query/8221520154596097031/)
fix tests
8ee3e3c
@ghost
Copy link
Author

ghost commented Apr 12, 2022

@owen-mc I don't understand why the tests are failing. The build successfully completes on my PC.

Porcupiney Hairs added 2 commits April 12, 2022 22:15
@ghost
Copy link
Author

ghost commented Apr 12, 2022

I think I was missing a main function. The tests are now cleared.

@owen-mc I think this is now ready for a review. PTAL.

@ghost
Copy link
Author

ghost commented Apr 19, 2022

@owen-mc Any updates here?

@pwntester
Copy link

pwntester commented Apr 20, 2022

hi @porcupineyhairs We are waiting for the CodeQL fixes to be pushed to LGTM to run the query again. In the meantime, I run the query on a smaller set of projects and found a FP worth addressing

owen-mc
owen-mc reviewed May 6, 2022
View reviewed changes
@ghost
Copy link
Author

ghost commented May 16, 2022

@owen-mc A quick update: I have seen your comments and plan on applying them.
I have found a few false positives which the query as of now detects. I plan on adding code to reduce them soon. I will push the changes once I am done. Thank you for waiting.

@owen-mc
Copy link
Contributor

owen-mc commented May 17, 2022

@smowton will take over reviewing this PR.

@ghost ghost mentioned this pull request May 30, 2022
Merged
@ghost
Copy link
Author

ghost commented May 30, 2022

I am closing this PR and opening a new one github/codeql#9378

@ghost ghost closed this May 30, 2022
@ghost ghost deleted the jwtSign branch May 30, 2022 20:29
This pull request was closed.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@owen-mc @pwntester @smowton