diff --git a/go/ql/src/experimental/CWE-321/HardcodedKeys.qhelp b/go/ql/src/experimental/CWE-321/HardcodedKeys.qhelp new file mode 100644 index 000000000000..b641cbda1849 --- /dev/null +++ b/go/ql/src/experimental/CWE-321/HardcodedKeys.qhelp @@ -0,0 +1,50 @@ + + + +

+ A JSON Web Token (JWT) is used for authenticating and managing users in an application. +

+

+ Using a hard-coded secret key for signing JWT tokens in open source projects + can leave the application using the token vulnerable to authentication bypasses. +

+ +

+ A JWT token is safe for enforcing authentication and access control as long as it can't be forged by a malicious actor. However, when a project exposes this secret publicly, these seemingly unforgeable tokens can now be easily forged. + Since the authentication as well as access control is typically enforced through these JWT tokens, an attacker armed with the secret can create a valid authentication token for any user and may even gain access to other privileged parts of the application. +

+ + + + +

+ Generating a cryptograhically secure secret key during application initialization and using this generated key for future JWT signing requests can prevent this vulnerability. +

+ + + + +

+ The following code uses a hard-coded string as a secret for signing the tokens. In this case, an attacker can very easily forge a token by using the hard-coded secret. +

+ + + + + + +

+ In the following case, the application uses a programatically generated string as a secret for signing the tokens. In this case, since the secret can't be predicted, the code is secure. A function like `GenerateCryptoString` can be run to generate a secure secret key at the time of application installation/initialization. This generated key can then be used for all future signing requests. +

+ + + + + +
  • + CVE-2022-0664: + Use of Hard-coded Cryptographic Key in Go github.com/gravitl/netmaker prior to 0.8.5,0.9.4,0.10.0,0.10.1. +
    • +     + +     \ No newline at end of file diff --git a/go/ql/src/experimental/CWE-321/HardcodedKeys.ql b/go/ql/src/experimental/CWE-321/HardcodedKeys.ql new file mode 100644 index 000000000000..06dacfcac278 --- /dev/null +++ b/go/ql/src/experimental/CWE-321/HardcodedKeys.ql @@ -0,0 +1,18 @@ +/** + * @name Use of a hardcoded key for signing JWT + * @description Using a fixed hardcoded key for signing JWT's can allow an attacker to compromise security. + * @kind path-problem + * @problem.severity error + * @id go/hardcoded-key + * @tags security + * external/cwe/cwe-321 + */ + +import go +import HardcodedKeysLib +import DataFlow::PathGraph + +from HardcodedKeys::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink +where cfg.hasFlowPath(source, sink) +select sink.getNode(), source, sink, "$@ is used to sign a JWT token.", source.getNode(), + "Hardcoded String" diff --git a/go/ql/src/experimental/CWE-321/HardcodedKeysBad.go b/go/ql/src/experimental/CWE-321/HardcodedKeysBad.go new file mode 100644 index 000000000000..e0bb2225092f --- /dev/null +++ b/go/ql/src/experimental/CWE-321/HardcodedKeysBad.go @@ -0,0 +1,9 @@ +mySigningKey := []byte("AllYourBase") + +claims := &jwt.RegisteredClaims{ + ExpiresAt: jwt.NewNumericDate(time.Unix(1516239022, 0)), + Issuer: "test", +} + +token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims) +ss, err := token.SignedString(mySigningKey) diff --git a/go/ql/src/experimental/CWE-321/HardcodedKeysGood.go b/go/ql/src/experimental/CWE-321/HardcodedKeysGood.go new file mode 100644 index 000000000000..06c09fd34b74 --- /dev/null +++ b/go/ql/src/experimental/CWE-321/HardcodedKeysGood.go @@ -0,0 +1,23 @@ +func GenerateCryptoString(n int) (string, error) { + const chars = "123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-" + ret := make([]byte, n) + for i := range ret { + num, err := crand.Int(crand.Reader, big.NewInt(int64(len(chars)))) + if err != nil { + return "", err + } + ret[i] = chars[num.Int64()] + } + return string(ret), nil +} + +mySigningKey := GenerateCryptoString(64) + + +claims := &jwt.RegisteredClaims{ + ExpiresAt: jwt.NewNumericDate(time.Unix(1516239022, 0)), + Issuer: "test", +} + +token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims) +ss, err := token.SignedString(mySigningKey) diff --git a/go/ql/src/experimental/CWE-321/HardcodedKeysLib.qll b/go/ql/src/experimental/CWE-321/HardcodedKeysLib.qll new file mode 100644 index 000000000000..2eef4108bf6f --- /dev/null +++ b/go/ql/src/experimental/CWE-321/HardcodedKeysLib.qll @@ -0,0 +1,323 @@ +/** + * Provides default sources, sinks and sanitizers for reasoning about + * JWT token signing vulnerabilities as well as extension points + * for adding your own. + */ + +import go +import StringOps +import DataFlow::PathGraph + +/** + * Provides default sources, sinks and sanitizers for reasoning about + * JWT token signing vulnerabilities as well as extension points + * for adding your own. + */ +module HardcodedKeys { + /** + * A data flow source for JWT token signing vulnerabilities. + */ + abstract class Source extends DataFlow::Node { } + + /** + * A data flow sink for JWT token signing vulnerabilities. + */ + abstract class Sink extends DataFlow::Node { } + + /** + * A sanitizer for JWT token signing vulnerabilities. + */ + abstract class Sanitizer extends DataFlow::Node { } + + /** + * A sanitizer guard for JWT token signing vulnerabilities. + */ + abstract class SanitizerGuard extends DataFlow::BarrierGuard { } + + private predicate isTestCode(Expr e) { + e.getFile().getAbsolutePath().toLowerCase().matches("%test%") and + not e.getFile().getAbsolutePath().toLowerCase().matches("%ql/test%") + } + + private predicate isDemoCode(Expr e) { + e.getFile().getAbsolutePath().toLowerCase().matches(["%mock%", "%demo%", "%example%"]) + } + + /** + * A hardcoded string literal as a source for JWT token signing vulnerabilities. + */ + private class HardcodedStringSource extends Source { + HardcodedStringSource() { + this.asExpr() instanceof StringLit and + not (isTestCode(this.asExpr()) or isDemoCode(this.asExpr())) + } + } + + /** + * An expression used to sign JWT tokens as a sink for JWT token signing vulnerabilities. + */ + private class GolangJwtSign extends Sink { + GolangJwtSign() { + exists(string pkg | + pkg = + [ + "github.com/golang-jwt/jwt/v4", "github.com/dgrijalva/jwt-go", + "github.com/form3tech-oss/jwt-go", "github.com/ory/fosite/token/jwt" + ] + | + exists(DataFlow::MethodCallNode m | + // Models the `SignedString` method + // `func (t *Token) SignedString(key interface{}) (string, error)` + m.getTarget().hasQualifiedName(pkg, "Token", "SignedString") and + this = m.getArgument(0) + or + // Model the `Sign` method of the `SigningMethod` interface + // type SigningMethod interface { + // Verify(signingString, signature string, key interface{}) error + // Sign(signingString string, key interface{}) (string, error) + // Alg() string + // } + m.getTarget().hasQualifiedName(pkg, "SigningMethod", "Sign") and + this = m.getArgument(1) + ) + ) + } + } + + private class GinJwtSign extends Sink { + GinJwtSign() { + exists(Field f | + // https://pkg.go.dev/github.com/appleboy/gin-jwt/v2#GinJWTMiddleware + f.hasQualifiedName("github.com/appleboy/gin-jwt/v2", "GinJWTMiddleware", "Key") and + f.getAWrite().getRhs() = this + ) + } + } + + private class SquareJoseKey extends Sink { + SquareJoseKey() { + exists(Field f, string pkg | + // type Recipient struct { + // Algorithm KeyAlgorithm + // Key interface{} + // KeyID string + // PBES2Count int + // PBES2Salt []byte + // } + // type SigningKey struct { + // Algorithm SignatureAlgorithm + // Key interface{} + // } + f.hasQualifiedName(pkg, ["Recipient", "SigningKey"], "Key") and + f.getAWrite().getRhs() = this + | + pkg = ["github.com/square/go-jose/v3", "gopkg.in/square/go-jose.v2"] + ) + } + } + + private class CrystalHqJwtSigner extends Sink { + CrystalHqJwtSigner() { + exists(DataFlow::CallNode m | + // `func NewSignerHS(alg Algorithm, key []byte) (Signer, error)` + m.getTarget().hasQualifiedName("github.com/cristalhq/jwt/v3", "NewSignerHS") + | + this = m.getArgument(1) + ) + } + } + + private class GoKitJwt extends Sink { + GoKitJwt() { + exists(DataFlow::CallNode m | + // `func NewSigner(kid string, key []byte, method jwt.SigningMethod, claims jwt.Claims) endpoint.Middleware` + m.getTarget().hasQualifiedName("github.com/go-kit/kit/auth/jwt", "NewSigner") + | + this = m.getArgument(1) + ) + } + } + + private class LestrratJwk extends Sink { + LestrratJwk() { + exists(DataFlow::CallNode m, string pkg | + pkg.matches([ + "github.com/lestrrat-go/jwx", "github.com/lestrrat/go-jwx/jwk", + "github.com/lestrrat-go/jwx%/jwk" + ]) and + // `func New(key interface{}) (Key, error)` + m.getTarget().hasQualifiedName(pkg, "New") + | + this = m.getArgument(0) + ) + } + } + + /** + * Sanitizes any other use of an operand to a comparison, on the assumption that this may filter + * out special constant values -- for example, in context `if key != "invalid_key" { ... }`, + * if `"invalid_key"` is indeed the only dangerous key then guarded uses of `key` are likely + * to be safe. + * + * TODO: Before promoting this query look at replacing this with something more principled. + */ + private class CompareExprSanitizer extends Sanitizer { + CompareExprSanitizer() { + exists(ComparisonExpr c | + c.getAnOperand().getGlobalValueNumber() = this.asExpr().getGlobalValueNumber() and + not this.asExpr() instanceof Literal + ) + } + } + + /** + * Marks anything returned with an error as a sanitized. + * + * Typically this means contexts like `return "", errors.New("Oh no")`, + * where we can be reasonably confident downstream users won't mistake + * that empty string for a usable key. + */ + private class ReturnedAlongsideErrorSanitizer extends Sanitizer { + ReturnedAlongsideErrorSanitizer() { + exists(ReturnStmt r, DataFlow::CallNode c | + c.getTarget().hasQualifiedName("errors", "New") and + r.getNumChild() > 1 and + r.getAChild() = c.getAResult().getASuccessor*().asExpr() and + r.getAChild() = this.asExpr() + ) + } + } + + /** + * Marks anything returned alongside an error-value that is known + * to be non-nil by virtue of a guarding check as harmless. + * + * For example, `if err != nil { return "", err }` is unlikely to be + * contributing a dangerous hardcoded key. + */ + private class ReturnedAlongsideErrorSanitizerGuard extends Sanitizer { + ReturnedAlongsideErrorSanitizerGuard() { + exists(ControlFlow::ConditionGuardNode guard, SsaWithFields errorVar, ReturnStmt r | + guard.ensuresNeq(errorVar.getAUse(), Builtin::nil().getARead()) and + guard.dominates(this.getBasicBlock()) and + r.getExpr(1) = errorVar.getAUse().asExpr() and + this.asExpr() = r.getExpr(0) + ) + } + } + + /** Mark any formatting string call as a sanitizer */ + private class FormattingSanitizer extends Sanitizer { + FormattingSanitizer() { exists(Formatting::StringFormatCall s | s.getAResult() = this) } + } + + private string getRandIntFunctionName() { + result = + [ + "ExpFloat64", "Float32", "Float64", "Int", "Int31", "Int31n", "Int63", "Int63n", "Intn", + "NormFloat64", "Uint32", "Uint64" + ] + } + + private DataFlow::CallNode getARandIntCall() { + result.getTarget().hasQualifiedName("math/rand", getRandIntFunctionName()) or + result.getTarget().(Method).hasQualifiedName("math/rand", "Rand", getRandIntFunctionName()) or + result.getTarget().hasQualifiedName("crypto/rand", "Int") + } + + private DataFlow::CallNode getARandReadCall() { + result.getTarget().hasQualifiedName("crypto/rand", "Read") + } + + /** + * Mark any taint arising from a read on a tainted slice with a random index as a + * sanitizer for all instances of the taint + */ + private class RandSliceSanitizer extends Sanitizer { + RandSliceSanitizer() { + exists(DataFlow::Node randomValue, DataFlow::Node index | + // Sanitize flows like this: + // func GenerateCryptoString(n int) (string, error) { + // const chars = "123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-" + // ret := make([]byte, n) + // for i := range ret { + // num, err := crand.Int(crand.Reader, big.NewInt(int64(len(chars)))) + // if err != nil { + // return "", err + // } + // ret[i] = chars[num.Int64()] + // } + // return string(ret), nil + // } + randomValue = getARandIntCall().getAResult() + or + // Sanitize flows like : + // func GenerateRandomString(size int) string { + // var bytes = make([]byte, size) + // rand.Read(bytes) + // for i, x := range bytes { + // bytes[i] = characters[x%byte(len(characters))] + // } + // return string(bytes) + // } + randomValue = + any(DataFlow::PostUpdateNode pun | + pun.getPreUpdateNode() = getARandReadCall().getArgument(0) + ) + | + TaintTracking::localTaint(randomValue, index) and + this.(DataFlow::ElementReadNode).reads(_, index) + ) + } + } + + /** + * Models flow from a call to `Int64` if the receiver is tainted + */ + private class BigIntFlow extends TaintTracking::FunctionModel { + BigIntFlow() { this.(Method).hasQualifiedName("math/big", "Int", "Int64") } + + override predicate hasTaintFlow(DataFlow::FunctionInput inp, DataFlow::FunctionOutput outp) { + inp.isReceiver() and + outp.isResult(0) + } + } + + /* + * Models taint flow through a binary operation such as a + * modulo `%` operation or an addition `+` operation + */ + + private class BinExpAdditionalTaintStep extends TaintTracking::AdditionalTaintStep { + // This is required to model the sanitizers for the `HardcodedKeys` query. + // This is required to correctly detect a sanitizer such as the one shown below. + // func GenerateRandomString(size int) string { + // var bytes = make([]byte, size) + // rand.Read(bytes) + // for i, x := range bytes { + // bytes[i] = characters[x%byte(len(characters))] + // } + // return string(bytes) + // } + override predicate step(DataFlow::Node prev, DataFlow::Node succ) { + exists(BinaryExpr b | b.getAnOperand() = prev.asExpr() | succ.asExpr() = b) + } + } + + /** + * A configuration depicting taint flow for studying JWT token signing vulnerabilities. + */ + class Configuration extends TaintTracking::Configuration { + Configuration() { this = "Hard-coded JWT Signing Key" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof Sanitizer } + + override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { + guard instanceof SanitizerGuard + } + } +} diff --git a/go/ql/test/experimental/CWE-321/HardcodedKeys.expected b/go/ql/test/experimental/CWE-321/HardcodedKeys.expected new file mode 100644 index 000000000000..23b79ccb2a9d --- /dev/null +++ b/go/ql/test/experimental/CWE-321/HardcodedKeys.expected @@ -0,0 +1,74 @@ +edges +| HardcodedKeysBad.go:11:18:11:38 | type conversion : string | HardcodedKeysBad.go:19:28:19:39 | mySigningKey | +| HardcodedKeysBad.go:11:25:11:37 | "AllYourBase" : string | HardcodedKeysBad.go:11:18:11:38 | type conversion : string | +| main.go:25:18:25:31 | type conversion : string | main.go:34:28:34:39 | mySigningKey | +| main.go:25:25:25:30 | "key1" : string | main.go:25:18:25:31 | type conversion : string | +| main.go:42:23:42:28 | "key2" : string | main.go:42:16:42:29 | type conversion | +| main.go:60:9:60:22 | type conversion : string | main.go:61:44:61:46 | key | +| main.go:60:16:60:21 | `key3` : string | main.go:60:9:60:22 | type conversion : string | +| main.go:65:9:65:22 | type conversion : string | main.go:66:66:66:68 | key | +| main.go:65:16:65:21 | "key4" : string | main.go:65:9:65:22 | type conversion : string | +| main.go:69:10:69:23 | type conversion : string | main.go:74:15:74:18 | key2 | +| main.go:69:17:69:22 | "key5" : string | main.go:69:10:69:23 | type conversion : string | +| main.go:80:9:80:22 | type conversion : string | main.go:84:41:84:43 | key | +| main.go:80:16:80:21 | "key6" : string | main.go:80:9:80:22 | type conversion : string | +| main.go:89:10:89:23 | type conversion : string | main.go:91:66:91:69 | key2 | +| main.go:89:17:89:22 | "key7" : string | main.go:89:10:89:23 | type conversion : string | +| main.go:97:9:97:22 | type conversion : string | main.go:102:30:102:32 | key | +| main.go:97:16:97:21 | "key8" : string | main.go:97:9:97:22 | type conversion : string | +| main.go:106:15:106:28 | type conversion : string | main.go:107:16:107:24 | sharedKey | +| main.go:106:22:106:27 | "key9" : string | main.go:106:15:106:28 | type conversion : string | +| main.go:110:23:110:37 | type conversion : string | main.go:113:16:113:30 | sharedKeyglobal | +| main.go:110:30:110:36 | "key10" : string | main.go:110:23:110:37 | type conversion : string | +| sanitizer.go:17:9:17:21 | type conversion : string | sanitizer.go:18:44:18:46 | key | +| sanitizer.go:17:16:17:20 | `key` : string | sanitizer.go:17:9:17:21 | type conversion : string | +nodes +| HardcodedKeysBad.go:11:18:11:38 | type conversion : string | semmle.label | type conversion : string | +| HardcodedKeysBad.go:11:25:11:37 | "AllYourBase" : string | semmle.label | "AllYourBase" : string | +| HardcodedKeysBad.go:19:28:19:39 | mySigningKey | semmle.label | mySigningKey | +| main.go:25:18:25:31 | type conversion : string | semmle.label | type conversion : string | +| main.go:25:25:25:30 | "key1" : string | semmle.label | "key1" : string | +| main.go:34:28:34:39 | mySigningKey | semmle.label | mySigningKey | +| main.go:42:16:42:29 | type conversion | semmle.label | type conversion | +| main.go:42:23:42:28 | "key2" : string | semmle.label | "key2" : string | +| main.go:60:9:60:22 | type conversion : string | semmle.label | type conversion : string | +| main.go:60:16:60:21 | `key3` : string | semmle.label | `key3` : string | +| main.go:61:44:61:46 | key | semmle.label | key | +| main.go:65:9:65:22 | type conversion : string | semmle.label | type conversion : string | +| main.go:65:16:65:21 | "key4" : string | semmle.label | "key4" : string | +| main.go:66:66:66:68 | key | semmle.label | key | +| main.go:69:10:69:23 | type conversion : string | semmle.label | type conversion : string | +| main.go:69:17:69:22 | "key5" : string | semmle.label | "key5" : string | +| main.go:74:15:74:18 | key2 | semmle.label | key2 | +| main.go:80:9:80:22 | type conversion : string | semmle.label | type conversion : string | +| main.go:80:16:80:21 | "key6" : string | semmle.label | "key6" : string | +| main.go:84:41:84:43 | key | semmle.label | key | +| main.go:89:10:89:23 | type conversion : string | semmle.label | type conversion : string | +| main.go:89:17:89:22 | "key7" : string | semmle.label | "key7" : string | +| main.go:91:66:91:69 | key2 | semmle.label | key2 | +| main.go:97:9:97:22 | type conversion : string | semmle.label | type conversion : string | +| main.go:97:16:97:21 | "key8" : string | semmle.label | "key8" : string | +| main.go:102:30:102:32 | key | semmle.label | key | +| main.go:106:15:106:28 | type conversion : string | semmle.label | type conversion : string | +| main.go:106:22:106:27 | "key9" : string | semmle.label | "key9" : string | +| main.go:107:16:107:24 | sharedKey | semmle.label | sharedKey | +| main.go:110:23:110:37 | type conversion : string | semmle.label | type conversion : string | +| main.go:110:30:110:36 | "key10" : string | semmle.label | "key10" : string | +| main.go:113:16:113:30 | sharedKeyglobal | semmle.label | sharedKeyglobal | +| sanitizer.go:17:9:17:21 | type conversion : string | semmle.label | type conversion : string | +| sanitizer.go:17:16:17:20 | `key` : string | semmle.label | `key` : string | +| sanitizer.go:18:44:18:46 | key | semmle.label | key | +subpaths +#select +| HardcodedKeysBad.go:19:28:19:39 | mySigningKey | HardcodedKeysBad.go:11:25:11:37 | "AllYourBase" : string | HardcodedKeysBad.go:19:28:19:39 | mySigningKey | $@ is used to sign a JWT token. | HardcodedKeysBad.go:11:25:11:37 | "AllYourBase" | Hardcoded String | +| main.go:34:28:34:39 | mySigningKey | main.go:25:25:25:30 | "key1" : string | main.go:34:28:34:39 | mySigningKey | $@ is used to sign a JWT token. | main.go:25:25:25:30 | "key1" | Hardcoded String | +| main.go:42:16:42:29 | type conversion | main.go:42:23:42:28 | "key2" : string | main.go:42:16:42:29 | type conversion | $@ is used to sign a JWT token. | main.go:42:23:42:28 | "key2" | Hardcoded String | +| main.go:61:44:61:46 | key | main.go:60:16:60:21 | `key3` : string | main.go:61:44:61:46 | key | $@ is used to sign a JWT token. | main.go:60:16:60:21 | `key3` | Hardcoded String | +| main.go:66:66:66:68 | key | main.go:65:16:65:21 | "key4" : string | main.go:66:66:66:68 | key | $@ is used to sign a JWT token. | main.go:65:16:65:21 | "key4" | Hardcoded String | +| main.go:74:15:74:18 | key2 | main.go:69:17:69:22 | "key5" : string | main.go:74:15:74:18 | key2 | $@ is used to sign a JWT token. | main.go:69:17:69:22 | "key5" | Hardcoded String | +| main.go:84:41:84:43 | key | main.go:80:16:80:21 | "key6" : string | main.go:84:41:84:43 | key | $@ is used to sign a JWT token. | main.go:80:16:80:21 | "key6" | Hardcoded String | +| main.go:91:66:91:69 | key2 | main.go:89:17:89:22 | "key7" : string | main.go:91:66:91:69 | key2 | $@ is used to sign a JWT token. | main.go:89:17:89:22 | "key7" | Hardcoded String | +| main.go:102:30:102:32 | key | main.go:97:16:97:21 | "key8" : string | main.go:102:30:102:32 | key | $@ is used to sign a JWT token. | main.go:97:16:97:21 | "key8" | Hardcoded String | +| main.go:107:16:107:24 | sharedKey | main.go:106:22:106:27 | "key9" : string | main.go:107:16:107:24 | sharedKey | $@ is used to sign a JWT token. | main.go:106:22:106:27 | "key9" | Hardcoded String | +| main.go:113:16:113:30 | sharedKeyglobal | main.go:110:30:110:36 | "key10" : string | main.go:113:16:113:30 | sharedKeyglobal | $@ is used to sign a JWT token. | main.go:110:30:110:36 | "key10" | Hardcoded String | +| sanitizer.go:18:44:18:46 | key | sanitizer.go:17:16:17:20 | `key` : string | sanitizer.go:18:44:18:46 | key | $@ is used to sign a JWT token. | sanitizer.go:17:16:17:20 | `key` | Hardcoded String | diff --git a/go/ql/test/experimental/CWE-321/HardcodedKeys.qlref b/go/ql/test/experimental/CWE-321/HardcodedKeys.qlref new file mode 100644 index 000000000000..83c71d75ae97 --- /dev/null +++ b/go/ql/test/experimental/CWE-321/HardcodedKeys.qlref @@ -0,0 +1 @@ +experimental/CWE-321/HardcodedKeys.ql \ No newline at end of file diff --git a/go/ql/test/experimental/CWE-321/HardcodedKeysBad.go b/go/ql/test/experimental/CWE-321/HardcodedKeysBad.go new file mode 100644 index 000000000000..2ffc46147f6e --- /dev/null +++ b/go/ql/test/experimental/CWE-321/HardcodedKeysBad.go @@ -0,0 +1,20 @@ +package main + +import ( + "time" + + jwt "github.com/golang-jwt/jwt/v4" +) + +func bad() (interface{}, error) { + + mySigningKey := []byte("AllYourBase") + + claims := &jwt.RegisteredClaims{ + ExpiresAt: jwt.NewNumericDate(time.Unix(1516239022, 0)), + Issuer: "test", + } + + token := jwt.NewWithClaims(nil, claims) + return token.SignedString(mySigningKey) +} diff --git a/go/ql/test/experimental/CWE-321/HardcodedKeysGood.go b/go/ql/test/experimental/CWE-321/HardcodedKeysGood.go new file mode 100644 index 000000000000..901392fec541 --- /dev/null +++ b/go/ql/test/experimental/CWE-321/HardcodedKeysGood.go @@ -0,0 +1,38 @@ +package main + +import ( + crand "crypto/rand" + "fmt" + "math/big" + "time" + + jwt "github.com/golang-jwt/jwt/v4" +) + +func GenerateCryptoString(n int) (string, error) { + const chars = "123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-" + ret := make([]byte, n) + for i := range ret { + num, err := crand.Int(crand.Reader, big.NewInt(int64(len(chars)))) + if err != nil { + return "", err + } + ret[i] = chars[num.Int64()] + } + return string(ret), nil +} + +func good() (interface{}, error) { + mySigningKey, err := GenerateCryptoString(64) + if mySigningKey == "" { + _ = fmt.Errorf("Error : %s", err) + } + + claims := &jwt.RegisteredClaims{ + ExpiresAt: jwt.NewNumericDate(time.Unix(1516239022, 0)), + Issuer: "test", + } + + token := jwt.NewWithClaims(nil, claims) + return token.SignedString(mySigningKey) +} diff --git a/go/ql/test/experimental/CWE-321/go.mod b/go/ql/test/experimental/CWE-321/go.mod new file mode 100644 index 000000000000..1f78c4037c06 --- /dev/null +++ b/go/ql/test/experimental/CWE-321/go.mod @@ -0,0 +1,41 @@ +module main + +go 1.18 + +require ( + github.com/appleboy/gin-jwt/v2 v2.8.0 + github.com/cristalhq/jwt/v3 v3.1.0 + github.com/go-kit/kit v0.12.0 + github.com/golang-jwt/jwt/v4 v4.4.1 + github.com/lestrrat/go-jwx v0.9.1 + github.com/square/go-jose/v3 v3.0.0-20200630053402-0a67ce9b0693 + gopkg.in/square/go-jose.v2 v2.6.0 +) + +require ( + github.com/davecgh/go-spew v1.1.1 // indirect + github.com/gin-contrib/sse v0.1.0 // indirect + github.com/gin-gonic/gin v1.7.7 // indirect + github.com/go-kit/log v0.2.0 // indirect + github.com/go-logfmt/logfmt v0.5.1 // indirect + github.com/go-playground/locales v0.13.0 // indirect + github.com/go-playground/universal-translator v0.17.0 // indirect + github.com/go-playground/validator/v10 v10.4.1 // indirect + github.com/golang/protobuf v1.5.2 // indirect + github.com/json-iterator/go v1.1.12 // indirect + github.com/leodido/go-urn v1.2.0 // indirect + github.com/lestrrat/go-pdebug v0.0.0-20180220043741-569c97477ae8 // indirect + github.com/mattn/go-isatty v0.0.14 // indirect + github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect + github.com/modern-go/reflect2 v1.0.2 // indirect + github.com/pkg/errors v0.9.1 // indirect + github.com/ugorji/go/codec v1.1.7 // indirect + golang.org/x/crypto v0.0.0-20210915214749-c084706c2272 // indirect + golang.org/x/net v0.0.0-20210917221730-978cfadd31cf // indirect + golang.org/x/sys v0.0.0-20210917161153-d61c044b1678 // indirect + golang.org/x/text v0.3.7 // indirect + google.golang.org/genproto v0.0.0-20210917145530-b395a37504d4 // indirect + google.golang.org/grpc v1.40.0 // indirect + google.golang.org/protobuf v1.27.1 // indirect + gopkg.in/yaml.v2 v2.2.8 // indirect +) diff --git a/go/ql/test/experimental/CWE-321/main.go b/go/ql/test/experimental/CWE-321/main.go new file mode 100644 index 000000000000..1e1f3ee45e4b --- /dev/null +++ b/go/ql/test/experimental/CWE-321/main.go @@ -0,0 +1,118 @@ +package main + +//go:generate depstubber -vendor github.com/appleboy/gin-jwt/v2 GinJWTMiddleware New +//go:generate depstubber -vendor github.com/golang-jwt/jwt/v4 MapClaims,RegisteredClaims,SigningMethodRSA,SigningMethodHMAC,Token NewNumericDate,NewWithClaims +//go:generate depstubber -vendor github.com/gin-gonic/gin Context New +//go:generate depstubber -vendor github.com/go-kit/kit/auth/jwt "" NewSigner +//go:generate depstubber -vendor github.com/lestrrat/go-jwx/jwk "" New +//go:generate depstubber -vendor github.com/square/go-jose/v3 Recipient NewEncrypter,NewSigner +//go:generate depstubber -vendor gopkg.in/square/go-jose.v2 Recipient NewEncrypter,NewSigner +//go:generate depstubber -vendor github.com/cristalhq/jwt/v3 Signer NewSignerHS,HS256 + +import ( + "time" + + jwt "github.com/appleboy/gin-jwt/v2" + cristal "github.com/cristalhq/jwt/v3" + gokit "github.com/go-kit/kit/auth/jwt" + gjwt "github.com/golang-jwt/jwt/v4" + le "github.com/lestrrat/go-jwx/jwk" + jose_v3 "github.com/square/go-jose/v3" + jose_v2 "gopkg.in/square/go-jose.v2" +) + +func gjwtt() (interface{}, error) { + mySigningKey := []byte("key1") + + // Create the Claims + claims := &gjwt.RegisteredClaims{ + ExpiresAt: gjwt.NewNumericDate(time.Unix(1516239022, 0)), + Issuer: "test", + } + + token := gjwt.NewWithClaims(nil, claims) + return token.SignedString(mySigningKey) // BAD +} + +func gin_jwt() (interface{}, error) { + var identityKey = "id" + // authMiddleware, err := + return jwt.New(&jwt.GinJWTMiddleware{ + Realm: "test zone", + Key: []byte("key2"), // BAD + Timeout: time.Hour, + MaxRefresh: time.Hour, + IdentityKey: identityKey, + PayloadFunc: func(data interface{}) jwt.MapClaims { + return nil + }, + IdentityHandler: nil, + Authenticator: nil, + Authorizator: nil, + Unauthorized: nil, + TokenLookup: "header: Authorization, query: token, cookie: jwt", + TokenHeadName: "Bearer", + TimeFunc: time.Now, + }) +} + +func cristalhq() (interface{}, error) { + key := []byte(`key3`) + return cristal.NewSignerHS(cristal.HS256, key) // BAD +} + +func josev3() (interface{}, error) { + key := []byte("key4") + return jose_v3.NewSigner(jose_v3.SigningKey{Algorithm: "", Key: key}, nil) // BAD +} +func josev3_2() (interface{}, error) { + key2 := []byte("key5") + return jose_v3.NewEncrypter( + "", + jose_v3.Recipient{ + Algorithm: "", + Key: key2, // BAD + }, + nil) +} + +func josev2() (interface{}, error) { + key := []byte("key6") + + return jose_v2.NewEncrypter( + "", + jose_v2.Recipient{Algorithm: "", Key: key}, // BAD + nil, + ) +} +func jose_v2_2() (interface{}, error) { + key2 := []byte("key7") + + return jose_v2.NewSigner(jose_v2.SigningKey{Algorithm: "", Key: key2}, nil) // BAD +} + +func go_kit() interface{} { + var ( + kid = "kid" + key = []byte("key8") + + mapClaims = gjwt.MapClaims{"user": "go-kit"} + ) + + return gokit.NewSigner(kid, key, nil, mapClaims) // BAD +} + +func lejwt() (interface{}, error) { + sharedKey := []byte("key9") + return le.New(sharedKey) // BAD +} + +var sharedKeyglobal = []byte("key10") + +func lejwt2() (interface{}, error) { + return le.New(sharedKeyglobal) // BAD +} + +func main() { + return +} diff --git a/go/ql/test/experimental/CWE-321/sanitizer.go b/go/ql/test/experimental/CWE-321/sanitizer.go new file mode 100644 index 000000000000..314d91870454 --- /dev/null +++ b/go/ql/test/experimental/CWE-321/sanitizer.go @@ -0,0 +1,114 @@ +package main + +//go:generate depstubber -vendor github.com/cristalhq/jwt/v3 Signer NewSignerHS,HS256 + +import ( + crand "crypto/rand" + "errors" + "fmt" + "math/big" + "math/rand" + "time" + + cristal "github.com/cristalhq/jwt/v3" +) + +func check_ok() (interface{}, error) { + key := []byte(`key`) + return cristal.NewSignerHS(cristal.HS256, key) // BAD +} + +func GenerateRandomString(size int) string { + const characters = `0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz` + var bytes = make([]byte, size) + crand.Read(bytes) + for i, x := range bytes { + bytes[i] = characters[x%byte(len(characters))] + } + return string(bytes) +} + +func GenerateCryptoString2(n int) (string, error) { + const chars = "123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-" + ret := make([]byte, n) + for i := range ret { + num, err := crand.Int(crand.Reader, big.NewInt(int64(len(chars)))) + if err != nil { + return "", err + } + ret[i] = chars[num.Int64()] + } + return string(ret), nil +} + +func GenerateRandomString3(size int) string { + const characters = `0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz` + var bytes = make([]byte, size) + crand.Read(bytes) + for i, x := range bytes { + bytes[i] = characters[x] + } + return string(bytes) +} + +func RandAuthToken() string { + buf := make([]byte, 32) + _, err := crand.Read(buf) + if err != nil { + return RandString(64) + } + + return fmt.Sprintf("%x", buf) +} + +func RandString(length int64) string { + sources := []byte("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ") + var result []byte + r := rand.New(rand.NewSource(time.Now().UnixNano())) + sourceLength := len(sources) + var i int64 = 0 + for ; i < length; i++ { + result = append(result, sources[r.Intn(sourceLength)]) + } + + return string(result) +} + +func randIntSanitizerModulo_test() (interface{}, error) { + key := GenerateRandomString(32) + return cristal.NewSignerHS(cristal.HS256, []byte(key)) // GOOD +} + +func randIntSanitizer_test() (interface{}, error) { + key2, _ := GenerateCryptoString2(32) + return cristal.NewSignerHS(cristal.HS256, []byte(key2)) // GOOD +} + +func formattingSanitizer_test() (interface{}, error) { + key3 := RandAuthToken() + return cristal.NewSignerHS(cristal.HS256, []byte(key3)) // GOOD +} + +func genKey() (string, error) { + k := "asd" + e := errors.New("no key") + return k, e +} + +func emptyErrorSanitizer_test() (interface{}, error) { + key4, _ := genKey() + return cristal.NewSignerHS(cristal.HS256, []byte(key4)) // GOOD +} + +func compareSanitizerTest() (interface{}, error) { + key5 := "" + if key5 != "" { + return cristal.NewSignerHS(cristal.HS256, []byte(key5)) // GOOD + } + return "", nil +} + +func randReadSanitizer_test() (interface{}, error) { + key6 := GenerateRandomString3(32) + return cristal.NewSignerHS(cristal.HS256, []byte(key6)) // GOOD +} diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/appleboy/gin-jwt/v2/stub.go b/go/ql/test/experimental/CWE-321/vendor/github.com/appleboy/gin-jwt/v2/stub.go new file mode 100644 index 000000000000..87a117f1f921 --- /dev/null +++ b/go/ql/test/experimental/CWE-321/vendor/github.com/appleboy/gin-jwt/v2/stub.go @@ -0,0 +1,93 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for github.com/appleboy/gin-jwt/v2, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: github.com/appleboy/gin-jwt/v2 (exports: GinJWTMiddleware; functions: New) + +// Package gin is a stub of github.com/appleboy/gin-jwt/v2, generated by depstubber. +package gin + +import ( + http "net/http" + time "time" +) + +type GinJWTMiddleware struct { + Realm string + SigningAlgorithm string + Key []byte + KeyFunc func(interface{}) (interface{}, error) + Timeout time.Duration + MaxRefresh time.Duration + Authenticator func(interface{}) (interface{}, error) + Authorizator func(interface{}, interface{}) bool + PayloadFunc func(interface{}) MapClaims + Unauthorized func(interface{}, int, string) + LoginResponse func(interface{}, int, string, time.Time) + LogoutResponse func(interface{}, int) + RefreshResponse func(interface{}, int, string, time.Time) + IdentityHandler func(interface{}) interface{} + IdentityKey string + TokenLookup string + TokenHeadName string + TimeFunc func() time.Time + HTTPStatusMessageFunc func(error, interface{}) string + PrivKeyFile string + PrivKeyBytes []byte + PubKeyFile string + PrivateKeyPassphrase string + PubKeyBytes []byte + SendCookie bool + CookieMaxAge time.Duration + SecureCookie bool + CookieHTTPOnly bool + CookieDomain string + SendAuthorization bool + DisabledAbort bool + CookieName string + CookieSameSite http.SameSite +} + +func (_ *GinJWTMiddleware) CheckIfTokenExpire(_ interface{}) (interface{}, error) { + return nil, nil +} + +func (_ *GinJWTMiddleware) GetClaimsFromJWT(_ interface{}) (MapClaims, error) { + return nil, nil +} + +func (_ *GinJWTMiddleware) LoginHandler(_ interface{}) {} + +func (_ *GinJWTMiddleware) LogoutHandler(_ interface{}) {} + +func (_ *GinJWTMiddleware) MiddlewareFunc() interface{} { + return nil +} + +func (_ *GinJWTMiddleware) MiddlewareInit() error { + return nil +} + +func (_ *GinJWTMiddleware) ParseToken(_ interface{}) (interface{}, error) { + return nil, nil +} + +func (_ *GinJWTMiddleware) ParseTokenString(_ string) (interface{}, error) { + return nil, nil +} + +func (_ *GinJWTMiddleware) RefreshHandler(_ interface{}) {} + +func (_ *GinJWTMiddleware) RefreshToken(_ interface{}) (string, time.Time, error) { + return "", time.Time{}, nil +} + +func (_ *GinJWTMiddleware) TokenGenerator(_ interface{}) (string, time.Time, error) { + return "", time.Time{}, nil +} + +type MapClaims map[string]interface{} + +func New(_ *GinJWTMiddleware) (*GinJWTMiddleware, error) { + return nil, nil +} diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/stub.go b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/stub.go new file mode 100644 index 000000000000..c4f718e4f1a8 --- /dev/null +++ b/go/ql/test/experimental/CWE-321/vendor/github.com/cristalhq/jwt/v3/stub.go @@ -0,0 +1,26 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for github.com/cristalhq/jwt/v3, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: github.com/cristalhq/jwt/v3 (exports: Signer; functions: NewSignerHS,HS256) + +// Package jwt is a stub of github.com/cristalhq/jwt/v3, generated by depstubber. +package jwt + +type Algorithm string + +func (_ Algorithm) String() string { + return "" +} + +var HS256 Algorithm = "" + +func NewSignerHS(_ Algorithm, _ []byte) (Signer, error) { + return nil, nil +} + +type Signer interface { + Algorithm() Algorithm + Sign(_ []byte) ([]byte, error) + SignSize() int +} diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/stub.go b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/stub.go new file mode 100644 index 000000000000..f941716f925f --- /dev/null +++ b/go/ql/test/experimental/CWE-321/vendor/github.com/gin-gonic/gin/stub.go @@ -0,0 +1,681 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for github.com/gin-gonic/gin, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: github.com/gin-gonic/gin (exports: Context; functions: New) + +// Package gin is a stub of github.com/gin-gonic/gin, generated by depstubber. +package gin + +import ( + bufio "bufio" + template "html/template" + io "io" + multipart "mime/multipart" + net "net" + http "net/http" + time "time" +) + +type Context struct { + Request *http.Request + Writer ResponseWriter + Params Params + Keys map[string]interface{} + Errors interface{} + Accepted []string +} + +func (_ *Context) Abort() {} + +func (_ *Context) AbortWithError(_ int, _ error) *Error { + return nil +} + +func (_ *Context) AbortWithStatus(_ int) {} + +func (_ *Context) AbortWithStatusJSON(_ int, _ interface{}) {} + +func (_ *Context) AsciiJSON(_ int, _ interface{}) {} + +func (_ *Context) Bind(_ interface{}) error { + return nil +} + +func (_ *Context) BindHeader(_ interface{}) error { + return nil +} + +func (_ *Context) BindJSON(_ interface{}) error { + return nil +} + +func (_ *Context) BindQuery(_ interface{}) error { + return nil +} + +func (_ *Context) BindUri(_ interface{}) error { + return nil +} + +func (_ *Context) BindWith(_ interface{}, _ interface{}) error { + return nil +} + +func (_ *Context) BindXML(_ interface{}) error { + return nil +} + +func (_ *Context) BindYAML(_ interface{}) error { + return nil +} + +func (_ *Context) ClientIP() string { + return "" +} + +func (_ *Context) ContentType() string { + return "" +} + +func (_ *Context) Cookie(_ string) (string, error) { + return "", nil +} + +func (_ *Context) Copy() *Context { + return nil +} + +func (_ *Context) Data(_ int, _ string, _ []byte) {} + +func (_ *Context) DataFromReader(_ int, _ int64, _ string, _ io.Reader, _ map[string]string) {} + +func (_ *Context) Deadline() (time.Time, bool) { + return time.Time{}, false +} + +func (_ *Context) DefaultPostForm(_ string, _ string) string { + return "" +} + +func (_ *Context) DefaultQuery(_ string, _ string) string { + return "" +} + +func (_ *Context) Done() <-chan struct{} { + return nil +} + +func (_ *Context) Err() error { + return nil +} + +func (_ *Context) Error(_ error) *Error { + return nil +} + +func (_ *Context) File(_ string) {} + +func (_ *Context) FileAttachment(_ string, _ string) {} + +func (_ *Context) FileFromFS(_ string, _ http.FileSystem) {} + +func (_ *Context) FormFile(_ string) (*multipart.FileHeader, error) { + return nil, nil +} + +func (_ *Context) FullPath() string { + return "" +} + +func (_ *Context) Get(_ string) (interface{}, bool) { + return nil, false +} + +func (_ *Context) GetBool(_ string) bool { + return false +} + +func (_ *Context) GetDuration(_ string) time.Duration { + return 0 +} + +func (_ *Context) GetFloat64(_ string) float64 { + return 0 +} + +func (_ *Context) GetHeader(_ string) string { + return "" +} + +func (_ *Context) GetInt(_ string) int { + return 0 +} + +func (_ *Context) GetInt64(_ string) int64 { + return 0 +} + +func (_ *Context) GetPostForm(_ string) (string, bool) { + return "", false +} + +func (_ *Context) GetPostFormArray(_ string) ([]string, bool) { + return nil, false +} + +func (_ *Context) GetPostFormMap(_ string) (map[string]string, bool) { + return nil, false +} + +func (_ *Context) GetQuery(_ string) (string, bool) { + return "", false +} + +func (_ *Context) GetQueryArray(_ string) ([]string, bool) { + return nil, false +} + +func (_ *Context) GetQueryMap(_ string) (map[string]string, bool) { + return nil, false +} + +func (_ *Context) GetRawData() ([]byte, error) { + return nil, nil +} + +func (_ *Context) GetString(_ string) string { + return "" +} + +func (_ *Context) GetStringMap(_ string) map[string]interface{} { + return nil +} + +func (_ *Context) GetStringMapString(_ string) map[string]string { + return nil +} + +func (_ *Context) GetStringMapStringSlice(_ string) map[string][]string { + return nil +} + +func (_ *Context) GetStringSlice(_ string) []string { + return nil +} + +func (_ *Context) GetTime(_ string) time.Time { + return time.Time{} +} + +func (_ *Context) GetUint(_ string) uint { + return 0 +} + +func (_ *Context) GetUint64(_ string) uint64 { + return 0 +} + +func (_ *Context) HTML(_ int, _ string, _ interface{}) {} + +func (_ *Context) Handler() HandlerFunc { + return nil +} + +func (_ *Context) HandlerName() string { + return "" +} + +func (_ *Context) HandlerNames() []string { + return nil +} + +func (_ *Context) Header(_ string, _ string) {} + +func (_ *Context) IndentedJSON(_ int, _ interface{}) {} + +func (_ *Context) IsAborted() bool { + return false +} + +func (_ *Context) IsWebsocket() bool { + return false +} + +func (_ *Context) JSON(_ int, _ interface{}) {} + +func (_ *Context) JSONP(_ int, _ interface{}) {} + +func (_ *Context) MultipartForm() (*multipart.Form, error) { + return nil, nil +} + +func (_ *Context) MustBindWith(_ interface{}, _ interface{}) error { + return nil +} + +func (_ *Context) MustGet(_ string) interface{} { + return nil +} + +func (_ *Context) Negotiate(_ int, _ Negotiate) {} + +func (_ *Context) NegotiateFormat(_ ...string) string { + return "" +} + +func (_ *Context) Next() {} + +func (_ *Context) Param(_ string) string { + return "" +} + +func (_ *Context) PostForm(_ string) string { + return "" +} + +func (_ *Context) PostFormArray(_ string) []string { + return nil +} + +func (_ *Context) PostFormMap(_ string) map[string]string { + return nil +} + +func (_ *Context) ProtoBuf(_ int, _ interface{}) {} + +func (_ *Context) PureJSON(_ int, _ interface{}) {} + +func (_ *Context) Query(_ string) string { + return "" +} + +func (_ *Context) QueryArray(_ string) []string { + return nil +} + +func (_ *Context) QueryMap(_ string) map[string]string { + return nil +} + +func (_ *Context) Redirect(_ int, _ string) {} + +func (_ *Context) RemoteIP() (net.IP, bool) { + return nil, false +} + +func (_ *Context) Render(_ int, _ interface{}) {} + +func (_ *Context) SSEvent(_ string, _ interface{}) {} + +func (_ *Context) SaveUploadedFile(_ *multipart.FileHeader, _ string) error { + return nil +} + +func (_ *Context) SecureJSON(_ int, _ interface{}) {} + +func (_ *Context) Set(_ string, _ interface{}) {} + +func (_ *Context) SetAccepted(_ ...string) {} + +func (_ *Context) SetCookie(_ string, _ string, _ int, _ string, _ string, _ bool, _ bool) {} + +func (_ *Context) SetSameSite(_ http.SameSite) {} + +func (_ *Context) ShouldBind(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindBodyWith(_ interface{}, _ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindHeader(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindJSON(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindQuery(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindUri(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindWith(_ interface{}, _ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindXML(_ interface{}) error { + return nil +} + +func (_ *Context) ShouldBindYAML(_ interface{}) error { + return nil +} + +func (_ *Context) Status(_ int) {} + +func (_ *Context) Stream(_ func(io.Writer) bool) bool { + return false +} + +func (_ *Context) String(_ int, _ string, _ ...interface{}) {} + +func (_ *Context) Value(_ interface{}) interface{} { + return nil +} + +func (_ *Context) XML(_ int, _ interface{}) {} + +func (_ *Context) YAML(_ int, _ interface{}) {} + +type Engine struct { + RouterGroup RouterGroup + RedirectTrailingSlash bool + RedirectFixedPath bool + HandleMethodNotAllowed bool + ForwardedByClientIP bool + AppEngine bool + UseRawPath bool + UnescapePathValues bool + RemoveExtraSlash bool + RemoteIPHeaders []string + TrustedPlatform string + MaxMultipartMemory int64 + HTMLRender interface{} + FuncMap template.FuncMap +} + +func (_ *Engine) Any(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) BasePath() string { + return "" +} + +func (_ *Engine) DELETE(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) Delims(_ string, _ string) *Engine { + return nil +} + +func (_ *Engine) GET(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) Group(_ string, _ ...HandlerFunc) *RouterGroup { + return nil +} + +func (_ *Engine) HEAD(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) Handle(_ string, _ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) HandleContext(_ *Context) {} + +func (_ *Engine) LoadHTMLFiles(_ ...string) {} + +func (_ *Engine) LoadHTMLGlob(_ string) {} + +func (_ *Engine) NoMethod(_ ...HandlerFunc) {} + +func (_ *Engine) NoRoute(_ ...HandlerFunc) {} + +func (_ *Engine) OPTIONS(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) PATCH(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) POST(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) PUT(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *Engine) Routes() RoutesInfo { + return nil +} + +func (_ *Engine) Run(_ ...string) error { + return nil +} + +func (_ *Engine) RunFd(_ int) error { + return nil +} + +func (_ *Engine) RunListener(_ net.Listener) error { + return nil +} + +func (_ *Engine) RunTLS(_ string, _ string, _ string) error { + return nil +} + +func (_ *Engine) RunUnix(_ string) error { + return nil +} + +func (_ *Engine) SecureJsonPrefix(_ string) *Engine { + return nil +} + +func (_ *Engine) ServeHTTP(_ http.ResponseWriter, _ *http.Request) {} + +func (_ *Engine) SetFuncMap(_ template.FuncMap) {} + +func (_ *Engine) SetHTMLTemplate(_ *template.Template) {} + +func (_ *Engine) SetTrustedProxies(_ []string) error { + return nil +} + +func (_ *Engine) Static(_ string, _ string) IRoutes { + return nil +} + +func (_ *Engine) StaticFS(_ string, _ http.FileSystem) IRoutes { + return nil +} + +func (_ *Engine) StaticFile(_ string, _ string) IRoutes { + return nil +} + +func (_ *Engine) Use(_ ...HandlerFunc) IRoutes { + return nil +} + +type Error struct { + Err error + Type ErrorType + Meta interface{} +} + +func (_ Error) Error() string { + return "" +} + +func (_ *Error) IsType(_ ErrorType) bool { + return false +} + +func (_ *Error) JSON() interface{} { + return nil +} + +func (_ *Error) MarshalJSON() ([]byte, error) { + return nil, nil +} + +func (_ *Error) SetMeta(_ interface{}) *Error { + return nil +} + +func (_ *Error) SetType(_ ErrorType) *Error { + return nil +} + +func (_ *Error) Unwrap() error { + return nil +} + +type ErrorType uint64 + +type HandlerFunc func(*Context) + +type HandlersChain []HandlerFunc + +func (_ HandlersChain) Last() HandlerFunc { + return nil +} + +type IRoutes interface { + Any(_ string, _ ...HandlerFunc) IRoutes + DELETE(_ string, _ ...HandlerFunc) IRoutes + GET(_ string, _ ...HandlerFunc) IRoutes + HEAD(_ string, _ ...HandlerFunc) IRoutes + Handle(_ string, _ string, _ ...HandlerFunc) IRoutes + OPTIONS(_ string, _ ...HandlerFunc) IRoutes + PATCH(_ string, _ ...HandlerFunc) IRoutes + POST(_ string, _ ...HandlerFunc) IRoutes + PUT(_ string, _ ...HandlerFunc) IRoutes + Static(_ string, _ string) IRoutes + StaticFS(_ string, _ http.FileSystem) IRoutes + StaticFile(_ string, _ string) IRoutes + Use(_ ...HandlerFunc) IRoutes +} + +type Negotiate struct { + Offered []string + HTMLName string + HTMLData interface{} + JSONData interface{} + XMLData interface{} + YAMLData interface{} + Data interface{} +} + +func New() *Engine { + return nil +} + +type Param struct { + Key string + Value string +} + +type Params []Param + +func (_ Params) ByName(_ string) string { + return "" +} + +func (_ Params) Get(_ string) (string, bool) { + return "", false +} + +type ResponseWriter interface { + CloseNotify() <-chan bool + Flush() + Header() http.Header + Hijack() (net.Conn, *bufio.ReadWriter, error) + Pusher() http.Pusher + Size() int + Status() int + Write(_ []byte) (int, error) + WriteHeader(_ int) + WriteHeaderNow() + WriteString(_ string) (int, error) + Written() bool +} + +type RouteInfo struct { + Method string + Path string + Handler string + HandlerFunc HandlerFunc +} + +type RouterGroup struct { + Handlers HandlersChain +} + +func (_ *RouterGroup) Any(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) BasePath() string { + return "" +} + +func (_ *RouterGroup) DELETE(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) GET(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) Group(_ string, _ ...HandlerFunc) *RouterGroup { + return nil +} + +func (_ *RouterGroup) HEAD(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) Handle(_ string, _ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) OPTIONS(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) PATCH(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) POST(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) PUT(_ string, _ ...HandlerFunc) IRoutes { + return nil +} + +func (_ *RouterGroup) Static(_ string, _ string) IRoutes { + return nil +} + +func (_ *RouterGroup) StaticFS(_ string, _ http.FileSystem) IRoutes { + return nil +} + +func (_ *RouterGroup) StaticFile(_ string, _ string) IRoutes { + return nil +} + +func (_ *RouterGroup) Use(_ ...HandlerFunc) IRoutes { + return nil +} + +type RoutesInfo []RouteInfo diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/auth/jwt/stub.go b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/auth/jwt/stub.go new file mode 100644 index 000000000000..b85d079daa57 --- /dev/null +++ b/go/ql/test/experimental/CWE-321/vendor/github.com/go-kit/kit/auth/jwt/stub.go @@ -0,0 +1,12 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for github.com/go-kit/kit/auth/jwt, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: github.com/go-kit/kit/auth/jwt (exports: ; functions: NewSigner) + +// Package jwt is a stub of github.com/go-kit/kit/auth/jwt, generated by depstubber. +package jwt + +func NewSigner(_ string, _ []byte, _ interface{}, _ interface{}) interface{} { + return nil +} diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/golang-jwt/jwt/v4/stub.go b/go/ql/test/experimental/CWE-321/vendor/github.com/golang-jwt/jwt/v4/stub.go new file mode 100644 index 000000000000..d83739d7fde9 --- /dev/null +++ b/go/ql/test/experimental/CWE-321/vendor/github.com/golang-jwt/jwt/v4/stub.go @@ -0,0 +1,328 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for github.com/golang-jwt/jwt/v4, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: github.com/golang-jwt/jwt/v4 (exports: MapClaims,RegisteredClaims,SigningMethodRSA,SigningMethodHMAC,Token; functions: NewNumericDate,NewWithClaims) + +// Package jwt is a stub of github.com/golang-jwt/jwt/v4, generated by depstubber. +package jwt + +import ( + crypto "crypto" + time "time" +) + +type ClaimStrings []string + +func (_ ClaimStrings) MarshalJSON() ([]byte, error) { + return nil, nil +} + +func (_ *ClaimStrings) UnmarshalJSON(_ []byte) error { + return nil +} + +type Claims interface { + Valid() error +} + +type MapClaims map[string]interface{} + +func (_ MapClaims) Valid() error { + return nil +} + +func (_ MapClaims) VerifyAudience(_ string, _ bool) bool { + return false +} + +func (_ MapClaims) VerifyExpiresAt(_ int64, _ bool) bool { + return false +} + +func (_ MapClaims) VerifyIssuedAt(_ int64, _ bool) bool { + return false +} + +func (_ MapClaims) VerifyIssuer(_ string, _ bool) bool { + return false +} + +func (_ MapClaims) VerifyNotBefore(_ int64, _ bool) bool { + return false +} + +func NewNumericDate(_ time.Time) *NumericDate { + return nil +} + +func NewWithClaims(_ SigningMethod, _ Claims) *Token { + return nil +} + +type NumericDate struct { + Time time.Time +} + +func (_ NumericDate) Add(_ time.Duration) time.Time { + return time.Time{} +} + +func (_ NumericDate) AddDate(_ int, _ int, _ int) time.Time { + return time.Time{} +} + +func (_ NumericDate) After(_ time.Time) bool { + return false +} + +func (_ NumericDate) AppendFormat(_ []byte, _ string) []byte { + return nil +} + +func (_ NumericDate) Before(_ time.Time) bool { + return false +} + +func (_ NumericDate) Clock() (int, int, int) { + return 0, 0, 0 +} + +func (_ NumericDate) Date() (int, time.Month, int) { + return 0, 0, 0 +} + +func (_ NumericDate) Day() int { + return 0 +} + +func (_ NumericDate) Equal(_ time.Time) bool { + return false +} + +func (_ NumericDate) Format(_ string) string { + return "" +} + +func (_ NumericDate) GoString() string { + return "" +} + +func (_ NumericDate) GobEncode() ([]byte, error) { + return nil, nil +} + +func (_ NumericDate) Hour() int { + return 0 +} + +func (_ NumericDate) ISOWeek() (int, int) { + return 0, 0 +} + +func (_ NumericDate) In(_ *time.Location) time.Time { + return time.Time{} +} + +func (_ NumericDate) IsDST() bool { + return false +} + +func (_ NumericDate) IsZero() bool { + return false +} + +func (_ NumericDate) Local() time.Time { + return time.Time{} +} + +func (_ NumericDate) Location() *time.Location { + return nil +} + +func (_ NumericDate) MarshalBinary() ([]byte, error) { + return nil, nil +} + +func (_ NumericDate) MarshalJSON() ([]byte, error) { + return nil, nil +} + +func (_ NumericDate) MarshalText() ([]byte, error) { + return nil, nil +} + +func (_ NumericDate) Minute() int { + return 0 +} + +func (_ NumericDate) Month() time.Month { + return 0 +} + +func (_ NumericDate) Nanosecond() int { + return 0 +} + +func (_ NumericDate) Round(_ time.Duration) time.Time { + return time.Time{} +} + +func (_ NumericDate) Second() int { + return 0 +} + +func (_ NumericDate) String() string { + return "" +} + +func (_ NumericDate) Sub(_ time.Time) time.Duration { + return 0 +} + +func (_ NumericDate) Truncate(_ time.Duration) time.Time { + return time.Time{} +} + +func (_ NumericDate) UTC() time.Time { + return time.Time{} +} + +func (_ NumericDate) Unix() int64 { + return 0 +} + +func (_ NumericDate) UnixMicro() int64 { + return 0 +} + +func (_ NumericDate) UnixMilli() int64 { + return 0 +} + +func (_ NumericDate) UnixNano() int64 { + return 0 +} + +func (_ NumericDate) Weekday() time.Weekday { + return 0 +} + +func (_ NumericDate) Year() int { + return 0 +} + +func (_ NumericDate) YearDay() int { + return 0 +} + +func (_ NumericDate) Zone() (string, int) { + return "", 0 +} + +func (_ *NumericDate) GobDecode(_ []byte) error { + return nil +} + +func (_ *NumericDate) UnmarshalBinary(_ []byte) error { + return nil +} + +func (_ *NumericDate) UnmarshalJSON(_ []byte) error { + return nil +} + +func (_ *NumericDate) UnmarshalText(_ []byte) error { + return nil +} + +type RegisteredClaims struct { + Issuer string + Subject string + Audience ClaimStrings + ExpiresAt *NumericDate + NotBefore *NumericDate + IssuedAt *NumericDate + ID string +} + +func (_ RegisteredClaims) Valid() error { + return nil +} + +func (_ *RegisteredClaims) VerifyAudience(_ string, _ bool) bool { + return false +} + +func (_ *RegisteredClaims) VerifyExpiresAt(_ time.Time, _ bool) bool { + return false +} + +func (_ *RegisteredClaims) VerifyIssuedAt(_ time.Time, _ bool) bool { + return false +} + +func (_ *RegisteredClaims) VerifyIssuer(_ string, _ bool) bool { + return false +} + +func (_ *RegisteredClaims) VerifyNotBefore(_ time.Time, _ bool) bool { + return false +} + +type SigningMethod interface { + Alg() string + Sign(_ string, _ interface{}) (string, error) + Verify(_ string, _ string, _ interface{}) error +} + +type SigningMethodHMAC struct { + Name string + Hash crypto.Hash +} + +func (_ *SigningMethodHMAC) Alg() string { + return "" +} + +func (_ *SigningMethodHMAC) Sign(_ string, _ interface{}) (string, error) { + return "", nil +} + +func (_ *SigningMethodHMAC) Verify(_ string, _ string, _ interface{}) error { + return nil +} + +type SigningMethodRSA struct { + Name string + Hash crypto.Hash +} + +func (_ *SigningMethodRSA) Alg() string { + return "" +} + +func (_ *SigningMethodRSA) Sign(_ string, _ interface{}) (string, error) { + return "", nil +} + +func (_ *SigningMethodRSA) Verify(_ string, _ string, _ interface{}) error { + return nil +} + +type Token struct { + Raw string + Method SigningMethod + Header map[string]interface{} + Claims Claims + Signature string + Valid bool +} + +func (_ *Token) SignedString(_ interface{}) (string, error) { + return "", nil +} + +func (_ *Token) SigningString() (string, error) { + return "", nil +} diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-jwx/jwk/stub.go b/go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-jwx/jwk/stub.go new file mode 100644 index 000000000000..de88951dd465 --- /dev/null +++ b/go/ql/test/experimental/CWE-321/vendor/github.com/lestrrat/go-jwx/jwk/stub.go @@ -0,0 +1,39 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for github.com/lestrrat/go-jwx/jwk, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: github.com/lestrrat/go-jwx/jwk (exports: ; functions: New) + +// Package jwk is a stub of github.com/lestrrat/go-jwx/jwk, generated by depstubber. +package jwk + +import ( + crypto "crypto" + x509 "crypto/x509" +) + +type Key interface { + Algorithm() string + ExtractMap(_ map[string]interface{}) error + Get(_ string) (interface{}, bool) + KeyID() string + KeyOps() []KeyOperation + KeyType() interface{} + KeyUsage() string + Materialize() (interface{}, error) + PopulateMap(_ map[string]interface{}) error + Remove(_ string) + Set(_ string, _ interface{}) error + Thumbprint(_ crypto.Hash) ([]byte, error) + Walk(_ func(string, interface{}) error) error + X509CertChain() []*x509.Certificate + X509CertThumbprint() string + X509CertThumbprintS256() string + X509URL() string +} + +type KeyOperation string + +func New(_ interface{}) (Key, error) { + return nil, nil +} diff --git a/go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/stub.go b/go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/stub.go new file mode 100644 index 000000000000..cf34d6ec99d4 --- /dev/null +++ b/go/ql/test/experimental/CWE-321/vendor/github.com/square/go-jose/v3/stub.go @@ -0,0 +1,219 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for github.com/square/go-jose/v3, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: github.com/square/go-jose/v3 (exports: Recipient; functions: NewEncrypter,NewSigner) + +// Package go_pkg is a stub of github.com/square/go-jose/v3, generated by depstubber. +package go_pkg + +import ( + crypto "crypto" + x509 "crypto/x509" + url "net/url" +) + +type CompressionAlgorithm string + +type ContentEncryption string + +type ContentType string + +type Encrypter interface { + Encrypt(_ []byte) (*JSONWebEncryption, error) + EncryptWithAuthData(_ []byte, _ []byte) (*JSONWebEncryption, error) + Options() EncrypterOptions +} + +type EncrypterOptions struct { + Compression CompressionAlgorithm + ExtraHeaders map[HeaderKey]interface{} +} + +func (_ *EncrypterOptions) WithContentType(_ ContentType) *EncrypterOptions { + return nil +} + +func (_ *EncrypterOptions) WithHeader(_ HeaderKey, _ interface{}) *EncrypterOptions { + return nil +} + +func (_ *EncrypterOptions) WithType(_ ContentType) *EncrypterOptions { + return nil +} + +type Header struct { + KeyID string + JSONWebKey *JSONWebKey + Algorithm string + Nonce string + ExtraHeaders map[HeaderKey]interface{} +} + +func (_ Header) Certificates(_ x509.VerifyOptions) ([][]*x509.Certificate, error) { + return nil, nil +} + +type HeaderKey string + +type JSONWebEncryption struct { + Header Header +} + +func (_ JSONWebEncryption) CompactSerialize() (string, error) { + return "", nil +} + +func (_ JSONWebEncryption) Decrypt(_ interface{}) ([]byte, error) { + return nil, nil +} + +func (_ JSONWebEncryption) DecryptMulti(_ interface{}) (int, Header, []byte, error) { + return 0, Header{}, nil, nil +} + +func (_ JSONWebEncryption) FullSerialize() string { + return "" +} + +func (_ JSONWebEncryption) GetAuthData() []byte { + return nil +} + +type JSONWebKey struct { + Key interface{} + KeyID string + Algorithm string + Use string + Certificates []*x509.Certificate + CertificatesURL *url.URL + CertificateThumbprintSHA1 []byte + CertificateThumbprintSHA256 []byte +} + +func (_ JSONWebKey) MarshalJSON() ([]byte, error) { + return nil, nil +} + +func (_ *JSONWebKey) IsPublic() bool { + return false +} + +func (_ *JSONWebKey) Public() JSONWebKey { + return JSONWebKey{} +} + +func (_ *JSONWebKey) Thumbprint(_ crypto.Hash) ([]byte, error) { + return nil, nil +} + +func (_ *JSONWebKey) UnmarshalJSON(_ []byte) error { + return nil +} + +func (_ *JSONWebKey) Valid() bool { + return false +} + +type JSONWebSignature struct { + Signatures []Signature +} + +func (_ JSONWebSignature) CompactSerialize() (string, error) { + return "", nil +} + +func (_ JSONWebSignature) DetachedCompactSerialize() (string, error) { + return "", nil +} + +func (_ JSONWebSignature) DetachedVerify(_ []byte, _ interface{}) error { + return nil +} + +func (_ JSONWebSignature) DetachedVerifyMulti(_ []byte, _ interface{}) (int, Signature, error) { + return 0, Signature{}, nil +} + +func (_ JSONWebSignature) FullSerialize() string { + return "" +} + +func (_ JSONWebSignature) UnsafePayloadWithoutVerification() []byte { + return nil +} + +func (_ JSONWebSignature) Verify(_ interface{}) ([]byte, error) { + return nil, nil +} + +func (_ JSONWebSignature) VerifyMulti(_ interface{}) (int, Signature, []byte, error) { + return 0, Signature{}, nil, nil +} + +type KeyAlgorithm string + +func NewEncrypter(_ ContentEncryption, _ Recipient, _ *EncrypterOptions) (Encrypter, error) { + return nil, nil +} + +func NewSigner(_ SigningKey, _ *SignerOptions) (Signer, error) { + return nil, nil +} + +type NonceSource interface { + Nonce() (string, error) +} + +type Recipient struct { + Algorithm KeyAlgorithm + Key interface{} + KeyID string + PBES2Count int + PBES2Salt []byte +} + +type Signature struct { + Header Header + Protected Header + Unprotected Header + Signature []byte +} + +type SignatureAlgorithm string + +type Signer interface { + Options() SignerOptions + Sign(_ []byte) (*JSONWebSignature, error) +} + +type SignerOptions struct { + NonceSource NonceSource + EmbedJWK bool + ExtraHeaders map[HeaderKey]interface{} +} + +func (_ *SignerOptions) WithBase64(_ bool) *SignerOptions { + return nil +} + +func (_ *SignerOptions) WithContentType(_ ContentType) *SignerOptions { + return nil +} + +func (_ *SignerOptions) WithCritical(_ ...string) *SignerOptions { + return nil +} + +func (_ *SignerOptions) WithHeader(_ HeaderKey, _ interface{}) *SignerOptions { + return nil +} + +func (_ *SignerOptions) WithType(_ ContentType) *SignerOptions { + return nil +} + +type SigningKey struct { + Algorithm SignatureAlgorithm + Key interface{} +} diff --git a/go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/stub.go b/go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/stub.go new file mode 100644 index 000000000000..cbbbd9a4df8b --- /dev/null +++ b/go/ql/test/experimental/CWE-321/vendor/gopkg.in/square/go-jose.v2/stub.go @@ -0,0 +1,219 @@ +// Code generated by depstubber. DO NOT EDIT. +// This is a simple stub for gopkg.in/square/go-jose.v2, strictly for use in testing. + +// See the LICENSE file for information about the licensing of the original library. +// Source: gopkg.in/square/go-jose.v2 (exports: Recipient; functions: NewEncrypter,NewSigner) + +// Package go_pkg is a stub of gopkg.in/square/go-jose.v2, generated by depstubber. +package go_pkg + +import ( + crypto "crypto" + x509 "crypto/x509" + url "net/url" +) + +type CompressionAlgorithm string + +type ContentEncryption string + +type ContentType string + +type Encrypter interface { + Encrypt(_ []byte) (*JSONWebEncryption, error) + EncryptWithAuthData(_ []byte, _ []byte) (*JSONWebEncryption, error) + Options() EncrypterOptions +} + +type EncrypterOptions struct { + Compression CompressionAlgorithm + ExtraHeaders map[HeaderKey]interface{} +} + +func (_ *EncrypterOptions) WithContentType(_ ContentType) *EncrypterOptions { + return nil +} + +func (_ *EncrypterOptions) WithHeader(_ HeaderKey, _ interface{}) *EncrypterOptions { + return nil +} + +func (_ *EncrypterOptions) WithType(_ ContentType) *EncrypterOptions { + return nil +} + +type Header struct { + KeyID string + JSONWebKey *JSONWebKey + Algorithm string + Nonce string + ExtraHeaders map[HeaderKey]interface{} +} + +func (_ Header) Certificates(_ x509.VerifyOptions) ([][]*x509.Certificate, error) { + return nil, nil +} + +type HeaderKey string + +type JSONWebEncryption struct { + Header Header +} + +func (_ JSONWebEncryption) CompactSerialize() (string, error) { + return "", nil +} + +func (_ JSONWebEncryption) Decrypt(_ interface{}) ([]byte, error) { + return nil, nil +} + +func (_ JSONWebEncryption) DecryptMulti(_ interface{}) (int, Header, []byte, error) { + return 0, Header{}, nil, nil +} + +func (_ JSONWebEncryption) FullSerialize() string { + return "" +} + +func (_ JSONWebEncryption) GetAuthData() []byte { + return nil +} + +type JSONWebKey struct { + Key interface{} + KeyID string + Algorithm string + Use string + Certificates []*x509.Certificate + CertificatesURL *url.URL + CertificateThumbprintSHA1 []byte + CertificateThumbprintSHA256 []byte +} + +func (_ JSONWebKey) MarshalJSON() ([]byte, error) { + return nil, nil +} + +func (_ *JSONWebKey) IsPublic() bool { + return false +} + +func (_ *JSONWebKey) Public() JSONWebKey { + return JSONWebKey{} +} + +func (_ *JSONWebKey) Thumbprint(_ crypto.Hash) ([]byte, error) { + return nil, nil +} + +func (_ *JSONWebKey) UnmarshalJSON(_ []byte) error { + return nil +} + +func (_ *JSONWebKey) Valid() bool { + return false +} + +type JSONWebSignature struct { + Signatures []Signature +} + +func (_ JSONWebSignature) CompactSerialize() (string, error) { + return "", nil +} + +func (_ JSONWebSignature) DetachedCompactSerialize() (string, error) { + return "", nil +} + +func (_ JSONWebSignature) DetachedVerify(_ []byte, _ interface{}) error { + return nil +} + +func (_ JSONWebSignature) DetachedVerifyMulti(_ []byte, _ interface{}) (int, Signature, error) { + return 0, Signature{}, nil +} + +func (_ JSONWebSignature) FullSerialize() string { + return "" +} + +func (_ JSONWebSignature) UnsafePayloadWithoutVerification() []byte { + return nil +} + +func (_ JSONWebSignature) Verify(_ interface{}) ([]byte, error) { + return nil, nil +} + +func (_ JSONWebSignature) VerifyMulti(_ interface{}) (int, Signature, []byte, error) { + return 0, Signature{}, nil, nil +} + +type KeyAlgorithm string + +func NewEncrypter(_ ContentEncryption, _ Recipient, _ *EncrypterOptions) (Encrypter, error) { + return nil, nil +} + +func NewSigner(_ SigningKey, _ *SignerOptions) (Signer, error) { + return nil, nil +} + +type NonceSource interface { + Nonce() (string, error) +} + +type Recipient struct { + Algorithm KeyAlgorithm + Key interface{} + KeyID string + PBES2Count int + PBES2Salt []byte +} + +type Signature struct { + Header Header + Protected Header + Unprotected Header + Signature []byte +} + +type SignatureAlgorithm string + +type Signer interface { + Options() SignerOptions + Sign(_ []byte) (*JSONWebSignature, error) +} + +type SignerOptions struct { + NonceSource NonceSource + EmbedJWK bool + ExtraHeaders map[HeaderKey]interface{} +} + +func (_ *SignerOptions) WithBase64(_ bool) *SignerOptions { + return nil +} + +func (_ *SignerOptions) WithContentType(_ ContentType) *SignerOptions { + return nil +} + +func (_ *SignerOptions) WithCritical(_ ...string) *SignerOptions { + return nil +} + +func (_ *SignerOptions) WithHeader(_ HeaderKey, _ interface{}) *SignerOptions { + return nil +} + +func (_ *SignerOptions) WithType(_ ContentType) *SignerOptions { + return nil +} + +type SigningKey struct { + Algorithm SignatureAlgorithm + Key interface{} +} diff --git a/go/ql/test/experimental/CWE-321/vendor/modules.txt b/go/ql/test/experimental/CWE-321/vendor/modules.txt new file mode 100644 index 000000000000..1a10cd454fb4 --- /dev/null +++ b/go/ql/test/experimental/CWE-321/vendor/modules.txt @@ -0,0 +1,96 @@ +# github.com/appleboy/gin-jwt/v2 v2.8.0 +## explicit +github.com/appleboy/gin-jwt/v2 +# github.com/cristalhq/jwt/v3 v3.1.0 +## explicit +github.com/cristalhq/jwt/v3 +# github.com/gin-gonic/gin v1.7.7 +## explicit +github.com/gin-gonic/gin +# github.com/go-kit/kit v0.12.0 +## explicit +github.com/go-kit/kit +# github.com/golang-jwt/jwt/v4 v4.4.1 +## explicit +github.com/golang-jwt/jwt/v4 +# github.com/lestrrat/go-jwx v0.9.1 +## explicit +github.com/lestrrat/go-jwx +# github.com/square/go-jose/v3 v3.0.0-20200630053402-0a67ce9b0693 +## explicit +github.com/square/go-jose/v3 +# gopkg.in/square/go-jose.v2 v2.6.0 +## explicit +gopkg.in/square/go-jose.v2 +# github.com/davecgh/go-spew v1.1.1 +## explicit +github.com/davecgh/go-spew +# github.com/gin-contrib/sse v0.1.0 +## explicit +github.com/gin-contrib/sse +# github.com/go-kit/log v0.2.0 +## explicit +github.com/go-kit/log +# github.com/go-logfmt/logfmt v0.5.1 +## explicit +github.com/go-logfmt/logfmt +# github.com/go-playground/locales v0.13.0 +## explicit +github.com/go-playground/locales +# github.com/go-playground/universal-translator v0.17.0 +## explicit +github.com/go-playground/universal-translator +# github.com/go-playground/validator/v10 v10.4.1 +## explicit +github.com/go-playground/validator/v10 +# github.com/golang/protobuf v1.5.2 +## explicit +github.com/golang/protobuf +# github.com/json-iterator/go v1.1.12 +## explicit +github.com/json-iterator/go +# github.com/leodido/go-urn v1.2.0 +## explicit +github.com/leodido/go-urn +# github.com/lestrrat/go-pdebug v0.0.0-20180220043741-569c97477ae8 +## explicit +github.com/lestrrat/go-pdebug +# github.com/mattn/go-isatty v0.0.14 +## explicit +github.com/mattn/go-isatty +# github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd +## explicit +github.com/modern-go/concurrent +# github.com/modern-go/reflect2 v1.0.2 +## explicit +github.com/modern-go/reflect2 +# github.com/pkg/errors v0.9.1 +## explicit +github.com/pkg/errors +# github.com/ugorji/go/codec v1.1.7 +## explicit +github.com/ugorji/go/codec +# golang.org/x/crypto v0.0.0-20210915214749-c084706c2272 +## explicit +golang.org/x/crypto +# golang.org/x/net v0.0.0-20210917221730-978cfadd31cf +## explicit +golang.org/x/net +# golang.org/x/sys v0.0.0-20210917161153-d61c044b1678 +## explicit +golang.org/x/sys +# golang.org/x/text v0.3.7 +## explicit +golang.org/x/text +# google.golang.org/genproto v0.0.0-20210917145530-b395a37504d4 +## explicit +google.golang.org/genproto +# google.golang.org/grpc v1.40.0 +## explicit +google.golang.org/grpc +# google.golang.org/protobuf v1.27.1 +## explicit +google.golang.org/protobuf +# gopkg.in/yaml.v2 v2.2.8 +## explicit +gopkg.in/yaml.v2