github / securitylab

Resources related to GitHub Security Lab
https://securitylab.github.com
MIT License

[JS]: Signing and verifying JWT signature with a constant key #799

Closed am0o0 closed 1 month ago

am0o0 commented 10 months ago

Query PR

https://github.com/github/codeql/pull/14666

Language

Javascript

CVE(s) ID list

WIP

CWE

CWE-798

Report

Usage of a hardcoded secret key to decode and verify JWTs will cause an authentication and authorization bypass, which in this query I tried to model many libraries for.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

Blog post link

No response

p- commented 10 months ago

Hey @amammad 👋 Just a reminder that a CVE is missing here.

am0o0 commented 10 months ago

Hi Peter, is there any deadline for finding a new/old CVE? There are many vulnerable instances on my MRVA scan, but I didn't have enough time to send a vulnerability report to them.

p- commented 10 months ago

Hi Peter, is there any deadline for finding a new/old CVE?

No, afaik there's not. (but of course a reasonable time frame is welcome)

p- commented 4 months ago

Hey @am0o0 some time has passed by already, have you found a CVE for this issue by coincidence?

am0o0 commented 4 months ago

Hi @p- I found many instances but I haven't reported them yet. I tried to contact some of the maintainers but they didn't respond. I'll try this weekend again, maybe I'll find a new repository that is worth it. I managed to talk with one of the maintainers, but they told me to just create a PR on their repository and that there is no need to report something. Do you accept this, as I would have to disclose the vulnerability in the PR? They don't want to use the repository's GitHub security panel, so I think it can take a lot of time to request a CVE if I want to request the CVE myself.

p- commented 4 months ago

I'll try this weekend again, maybe I'll find a new repository that is worth it.

👍

Do you accept this, as I would have to disclose the vulnerability in the PR?

Let's wait if your new attempts bear any fruits and then I can talk to the team about that. (But in general we have the CVE requirement)

am0o0 commented 4 months ago

@p- I found a CVE related to this submission: https://github.com/advisories/GHSA-32r3-57hp-cgfw. The sink is here; the commit is the last commit before fixing the CVE.

I'm wondering why CodeQL couldn't track the source to the sink. With my PR I can find the sink, which is the jsonwebtoken method for signing and verifying the JWTs, but I can't find the path between the constant and the sink. Something needs to be added as an additional taint step.

I also have a gist of detected instances of hardcoded constant keys from only my additions; it does not contain the previously added hardcoded secret sinks. If it can make this submission process faster, please let me know.

am0o0 commented 4 months ago

@p- sorry for the delay. I checked the source code and debugged the CodeQL path and everything is good, but the problem is that the taint configuration does not detect the source.

Could you please examine the following query yourself? MyTest.ql.tar.gz

Please create a DB of this commit: https://github.com/evershopcommerce/evershop/tree/b09f2f4d1a0eb3017344cddc997078444a53af46

You can see that the source is getConfig('jwt.web_token_secret', 'secret');, which I think shouldn't be this way; it should be the 'secret'.

ghsecuritylab commented 4 months ago

Your submission is now in status Test run.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

ghsecuritylab commented 4 months ago

Your submission is now in status Results analysis.

ghsecuritylab commented 4 months ago

Your submission is now in status Query review.

xcorail commented 1 month ago

Created Hackerone report 2653385 for bounty 607088 : [799] [JS]: Signing and verifying JWT signature with a constant key