Closed: BruceHaley closed this issue 1 year ago
| Created date | Created by | Changed date | Changed By | Assigned To | State | Type | Area Path | Iteration Path |
|---|---|---|---|---|---|---|---|---|
| 2022-09-27T00:00:36.88Z | Bruce Haley | 2022-09-27T00:00:36.88Z | Bruce Haley | Tracy Boehrer | New | Bug | SDK_v4\Code Analysis | SDK_v4\Sprint 1 |
```json
{
"commentVersionRef": {
"commentId": 5152345,
"url": "https://fuselabs.visualstudio.com/86659c66-c9df-418a-a371-7de7aed35064/_apis/wit/workItems/77423/comments/5152345/versions/1",
"version": 1
},
"fields": {
"BotFramework.IsException": false,
"Custom.SecuritySeverity": "Important",
"Microsoft.VSTS.Common.Priority": 2,
"Microsoft.VSTS.Common.Severity": "2 - High",
"Microsoft.VSTS.Common.StateChangeDate": "2022-09-27T00:00:36.88Z",
"Microsoft.VSTS.Common.ValueArea": "Business",
"Microsoft.VSTS.TCM.ReproSteps": "Summary:\nCodeQL detected the following issue: Security sensitive JsonWebTokenHandler validations are disabled (Help link)\nRepository: https://github.com/microsoft/botbuilder-dotnet/tree/main?path=/libraries/Microsoft.Bot.Connector/Authentication/EnterpriseChannelValidation.cs&line=30&lineStartColumn=36&lineEndColumn=41\nFile: /libraries/Microsoft.Bot.Connector/Authentication/EnterpriseChannelValidation.cs\nLocation: Line 30, Column 36 - 41\nLink: (Link to LGTM)\nRecommendations:\nThe security sensitive property ValidateAudience is being disabled by the following value: false.\n\nCheck if security sensitive token validations for `JsonWebTokenHandler` are being disabled.\nMicrosoft requirement(s): Microsoft.Security.SystemsADM.10201\nRequirement: CodeQL.SM03926 (Link to Liquid Requirement)\nConfidence: high",
"Microsoft.VSTS.TCM.SystemInfo": "This item was created with CodeQL automated bug filer from CodeQL static analysis tool (formerly known as Semmle).\nFor more information, see CodeQL @ Microsoft. To change onboarding settings, visit CodeQL Portal.\nTo suppress, add a comment in code (see more details here.)",
"System.AreaId": 140243,
"System.AreaLevel1": "SDK_v4",
"System.AreaLevel2": "Code Analysis",
"System.AreaPath": "SDK_v4\\Code Analysis",
"System.AssignedTo": {
"_links": {
"avatar": {
"href": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MjgyYWE3Y2UtZjhhNC03OGJjLWIzMzYtZWYwNzAwMDIwZmNk"
}
},
"descriptor": "aad.MjgyYWE3Y2UtZjhhNC03OGJjLWIzMzYtZWYwNzAwMDIwZmNk",
"displayName": "Tracy Boehrer",
"id": "282aa7ce-f8a4-68bc-b336-ef0700020fcd",
"imageUrl": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MjgyYWE3Y2UtZjhhNC03OGJjLWIzMzYtZWYwNzAwMDIwZmNk",
"uniqueName": "trboehre@microsoft.com",
"url": "https://spsprodeus27.vssps.visualstudio.com/Af8bfd07b-8a79-40e8-afc6-1b1c57ec2a7b/_apis/Identities/282aa7ce-f8a4-68bc-b336-ef0700020fcd"
},
"System.AuthorizedAs": {
"_links": {
"avatar": {
"href": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl"
}
},
"descriptor": "aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl",
"displayName": "Bruce Haley",
"id": "2a75aeb2-c077-6380-89fd-c598cbcdcc1e",
"imageUrl": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl",
"uniqueName": "v-brucehaley@microsoft.com",
"url": "https://spsprodeus27.vssps.visualstudio.com/Af8bfd07b-8a79-40e8-afc6-1b1c57ec2a7b/_apis/Identities/2a75aeb2-c077-6380-89fd-c598cbcdcc1e"
},
"System.AuthorizedDate": "2022-09-27T00:00:36.88Z",
"System.ChangedBy": {
"_links": {
"avatar": {
"href": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl"
}
},
"descriptor": "aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl",
"displayName": "Bruce Haley",
"id": "2a75aeb2-c077-6380-89fd-c598cbcdcc1e",
"imageUrl": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl",
"uniqueName": "v-brucehaley@microsoft.com",
"url": "https://spsprodeus27.vssps.visualstudio.com/Af8bfd07b-8a79-40e8-afc6-1b1c57ec2a7b/_apis/Identities/2a75aeb2-c077-6380-89fd-c598cbcdcc1e"
},
"System.ChangedDate": "2022-09-27T00:00:36.88Z",
"System.CommentCount": 1,
"System.CreatedBy": {
"_links": {
"avatar": {
"href": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl"
}
},
"descriptor": "aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl",
"displayName": "Bruce Haley",
"id": "2a75aeb2-c077-6380-89fd-c598cbcdcc1e",
"imageUrl": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl",
"uniqueName": "v-brucehaley@microsoft.com",
"url": "https://spsprodeus27.vssps.visualstudio.com/Af8bfd07b-8a79-40e8-afc6-1b1c57ec2a7b/_apis/Identities/2a75aeb2-c077-6380-89fd-c598cbcdcc1e"
},
"System.CreatedDate": "2022-09-27T00:00:36.88Z",
"System.Description": "Summary:\nCodeQL detected the following issue: Security sensitive JsonWebTokenHandler validations are disabled (Help link)\nRepository: https://github.com/microsoft/botbuilder-dotnet/tree/main?path=/libraries/Microsoft.Bot.Connector/Authentication/EnterpriseChannelValidation.cs&line=30&lineStartColumn=36&lineEndColumn=41\nFile: /libraries/Microsoft.Bot.Connector/Authentication/EnterpriseChannelValidation.cs\nLocation: Line 30, Column 36 - 41\nLink: (Link to LGTM)\nRecommendations:\nThe security sensitive property ValidateAudience is being disabled by the following value: false.\n\nCheck if security sensitive token validations for `JsonWebTokenHandler` are being disabled.\nMicrosoft requirement(s): Microsoft.Security.SystemsADM.10201\nRequirement: CodeQL.SM03926 (Link to Liquid Requirement)\nConfidence: high",
"System.History": "Security Rating: Important\n",
"System.Id": 77423,
"System.IterationId": 139042,
"System.IterationLevel1": "SDK_v4",
"System.IterationLevel2": "Sprint 1",
"System.IterationPath": "SDK_v4\\Sprint 1",
"System.NodeName": "Code Analysis",
"System.PersonId": 48095448,
"System.Reason": "New defect reported",
"System.Rev": 1,
"System.RevisedDate": "9999-01-01T00:00:00Z",
"System.State": "New",
"System.Tags": "CodeQL; manual-verification-required; sdl-recommended; sdl-required; security; ServiceOid 0ab2a10f-f0a6-40c7-8b24-f718d4c3cf88; wilson-library",
"System.TeamProject": "SDK_v4",
"System.Title": "CodeQL alert SM03926: Security sensitive JsonWebTokenHandler validations are disabled in microsoft/microsoft/botbuilder-dotnet/botbuilder-dotnet",
"System.Watermark": 324557,
"System.WorkItemType": "Bug",
"WEF_2AF1BD8A732542D29D4104AD064A9D25_Kanban.Column": "New",
"WEF_2AF1BD8A732542D29D4104AD064A9D25_Kanban.Column.Done": false,
"WEF_2AF1BD8A732542D29D4104AD064A9D25_System.ExtensionMarker": true
},
"id": 77423,
"relations": [
{
"attributes": {
"authorizedDate": "2022-09-27T00:00:36.88Z",
"comment": "Liquid requirement link",
"id": 6926461,
"resourceCreatedDate": "2022-09-27T00:00:36.88Z",
"resourceModifiedDate": "2022-09-27T00:00:36.88Z",
"revisedDate": "9999-01-01T00:00:00Z"
},
"rel": "Hyperlink",
"url": "https://liquid.microsoft.com/ref?_reqref=1480D06A-3EBB-45BA-BC81-D79569A7D2C1.rex:%2f%2fscanningtoolwarnings%2fRequirements%2fCodeQL.SM03926"
},
{
"attributes": {
"authorizedDate": "2022-09-27T00:00:36.88Z",
"comment": "Issue in LGTM",
"id": 6926460,
"resourceCreatedDate": "2022-09-27T00:00:36.88Z",
"resourceModifiedDate": "2022-09-27T00:00:36.88Z",
"revisedDate": "9999-01-01T00:00:00Z"
},
"rel": "Hyperlink",
"url": "https://onees.lgtm.microsoft.com/issues/1011948/csharp/0BC005mi33thlZd0kFx3modWWUw="
}
],
"rev": 1,
"url": "https://fuselabs.visualstudio.com/86659c66-c9df-418a-a371-7de7aed35064/_apis/wit/workItems/77423"
}
```
| Created date | Created by | JSON URL |
|---|---|---|
| 2022-09-27T00:00:36.88Z | Bruce Haley | [URL](https://dev.azure.com/FuseLabs/86659c66-c9df-418a-a371-7de7aed35064/_apis/wit/workItems/77423/comments/5152345) |
**Comment text**: Security Rating: Important
-----------
**Repro Steps**
Summary:
CodeQL detected the following issue: Security sensitive JsonWebTokenHandler validations are disabled (Help link)
Repository: https://github.com/microsoft/botbuilder-dotnet/blob/main?path=/libraries/Microsoft.Bot.Connector/Authentication/EnterpriseChannelValidation.cs#L30&lineStartColumn=36&lineEndColumn=41
File: /libraries/Microsoft.Bot.Connector/Authentication/EnterpriseChannelValidation.cs
Location: Line 30, Column 36 - 41
Link: (Link to LGTM)
Recommendations:
The security sensitive property ValidateAudience is being disabled by the following value: false.
Check if security sensitive token validations for `JsonWebTokenHandler` are being disabled.
Microsoft requirement(s): Microsoft.Security.SystemsADM.10201
Requirement: CodeQL.SM03926 (Link to Liquid Requirement)
Confidence: high
**System Info**
This issue is a copy of ADO work item 77423 created by CodeQL. This item was created with CodeQL automated bug filer from CodeQL static analysis tool (formerly known as Semmle).
For more information, see CodeQL @ Microsoft. To change onboarding settings, visit CodeQL Portal.
To suppress, add a comment in code (see more details here.)