microsoft / botbuilder-dotnet

Welcome to the Bot Framework SDK for .NET repository, which is the home for the libraries and packages that enable developers to build sophisticated bot applications using .NET.
https://github.com/Microsoft/botframework
MIT License
878 stars 484 forks

CodeQL alert SM03926: Security sensitive JsonWebTokenHandler validations are disabled in microsoft/microsoft/botbuilder-dotnet/botbuilder-dotnet #6513

Closed BruceHaley closed 2 years ago

BruceHaley commented 2 years ago

Repro Steps

Summary:
CodeQL detected the following issue: Security sensitive JsonWebTokenHandler validations are disabled (Help link)
Repository: https://github.com/microsoft/botbuilder-dotnet/blob/main?path=/libraries/Microsoft.Bot.Connector/Authentication/ParameterizedBotFrameworkAuthentication.cs#L207&lineStartColumn=40&lineEndColumn=45
File: /libraries/Microsoft.Bot.Connector/Authentication/ParameterizedBotFrameworkAuthentication.cs
Location: Line 207, Column 40 - 45
Link: (Link to LGTM)

Recommendations:
The security sensitive property ValidateAudience is being disabled by the following value: false.
Check if security sensitive token validations for JsonWebTokenHandler are being disabled.
Microsoft requirement(s): Microsoft.Security.SystemsADM.10201
Requirement: CodeQL.SM03926 (Link to Liquid Requirement)
Confidence: high

System Info

This issue is a copy of ADO work item 77435 created by CodeQL. This item was created with CodeQL automated bug filer from CodeQL static analysis tool (formerly known as Semmle).
For more information, see CodeQL @ Microsoft. To change onboarding settings, visit CodeQL Portal.
To suppress, add a comment in code (see more details here.)

BruceHaley commented 2 years ago

Original Work Item URL

Original Work Item Details

| Created date | Created by | Changed date | Changed By | Assigned To | State | Type | Area Path | Iteration Path |
|---|---|---|---|---|---|---|---|---|
| 2022-09-27T00:01:04.083Z | Bruce Haley | 2022-10-10T13:20:57.197Z | Tracy Boehrer | Tracy Boehrer | New | Bug | SDK_v4\Code Analysis | SDK_v4\Sprint 1 |

Original Work Item JSON

```json
{ "commentVersionRef": { "commentId": 5193583, "url": "https://fuselabs.visualstudio.com/86659c66-c9df-418a-a371-7de7aed35064/_apis/wit/workItems/77435/comments/5193583/versions/1", "version": 1 }, "fields": { "BotFramework.IsException": false, "Custom.SecuritySeverity": "Important", "Microsoft.VSTS.Common.Priority": 2, "Microsoft.VSTS.Common.Severity": "2 - High", "Microsoft.VSTS.Common.StateChangeDate": "2022-09-27T00:01:04.083Z", "Microsoft.VSTS.Common.ValueArea": "Business", "Microsoft.VSTS.TCM.ReproSteps": "Summary:
CodeQL detected the following issue: Security sensitive JsonWebTokenHandler validations are disabled (Help link)
Repository: https://github.com/microsoft/botbuilder-dotnet/tree/main?path=/libraries/Microsoft.Bot.Connector/Authentication/ParameterizedBotFrameworkAuthentication.cs&line=207&lineStartColumn=40&lineEndColumn=45
File: /libraries/Microsoft.Bot.Connector/Authentication/ParameterizedBotFrameworkAuthentication.cs
Location: Line 207, Column 40 - 45
Link: (Link to LGTM)

Recommendations:
The security sensitive property ValidateAudience is being disabled by the followign value: false.\n
Check if secruity sensitive token validations for `JsonWebTokenHandler` are being disabled.
Microsoft requirement(s): Microsoft.Security.SystemsADM.10201
Requirement: CodeQL.SM03926 (Link to Liquid Requirement)
Confidence: high", "Microsoft.VSTS.TCM.SystemInfo": "This item was created with CodeQL automated bug filer from CodeQL static analysis tool (formerly known as Semmle).
For more information, see CodeQL @ Microsoft.To change onboarding settings, visit CodeQL Portal.
To suppress, add a comment in code (see more details here.)", "System.AreaId": 140243, "System.AreaLevel1": "SDK_v4", "System.AreaLevel2": "Code Analysis", "System.AreaPath": "SDK_v4\\Code Analysis", "System.AssignedTo": { "_links": { "avatar": { "href": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MjgyYWE3Y2UtZjhhNC03OGJjLWIzMzYtZWYwNzAwMDIwZmNk" } }, "descriptor": "aad.MjgyYWE3Y2UtZjhhNC03OGJjLWIzMzYtZWYwNzAwMDIwZmNk", "displayName": "Tracy Boehrer", "id": "282aa7ce-f8a4-68bc-b336-ef0700020fcd", "imageUrl": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MjgyYWE3Y2UtZjhhNC03OGJjLWIzMzYtZWYwNzAwMDIwZmNk", "uniqueName": "trboehre@microsoft.com", "url": "https://spsprodeus27.vssps.visualstudio.com/Af8bfd07b-8a79-40e8-afc6-1b1c57ec2a7b/_apis/Identities/282aa7ce-f8a4-68bc-b336-ef0700020fcd" }, "System.AuthorizedAs": { "_links": { "avatar": { "href": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MjgyYWE3Y2UtZjhhNC03OGJjLWIzMzYtZWYwNzAwMDIwZmNk" } }, "descriptor": "aad.MjgyYWE3Y2UtZjhhNC03OGJjLWIzMzYtZWYwNzAwMDIwZmNk", "displayName": "Tracy Boehrer", "id": "282aa7ce-f8a4-68bc-b336-ef0700020fcd", "imageUrl": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MjgyYWE3Y2UtZjhhNC03OGJjLWIzMzYtZWYwNzAwMDIwZmNk", "uniqueName": "trboehre@microsoft.com", "url": "https://spsprodeus27.vssps.visualstudio.com/Af8bfd07b-8a79-40e8-afc6-1b1c57ec2a7b/_apis/Identities/282aa7ce-f8a4-68bc-b336-ef0700020fcd" }, "System.AuthorizedDate": "2022-10-10T13:20:57.197Z", "System.ChangedBy": { "_links": { "avatar": { "href": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MjgyYWE3Y2UtZjhhNC03OGJjLWIzMzYtZWYwNzAwMDIwZmNk" } }, "descriptor": "aad.MjgyYWE3Y2UtZjhhNC03OGJjLWIzMzYtZWYwNzAwMDIwZmNk", "displayName": "Tracy Boehrer", "id": "282aa7ce-f8a4-68bc-b336-ef0700020fcd", "imageUrl": 
"https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MjgyYWE3Y2UtZjhhNC03OGJjLWIzMzYtZWYwNzAwMDIwZmNk", "uniqueName": "trboehre@microsoft.com", "url": "https://spsprodeus27.vssps.visualstudio.com/Af8bfd07b-8a79-40e8-afc6-1b1c57ec2a7b/_apis/Identities/282aa7ce-f8a4-68bc-b336-ef0700020fcd" }, "System.ChangedDate": "2022-10-10T13:20:57.197Z", "System.CommentCount": 2, "System.CreatedBy": { "_links": { "avatar": { "href": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl" } }, "descriptor": "aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl", "displayName": "Bruce Haley", "id": "2a75aeb2-c077-6380-89fd-c598cbcdcc1e", "imageUrl": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl", "uniqueName": "v-brucehaley@microsoft.com", "url": "https://spsprodeus27.vssps.visualstudio.com/Af8bfd07b-8a79-40e8-afc6-1b1c57ec2a7b/_apis/Identities/2a75aeb2-c077-6380-89fd-c598cbcdcc1e" }, "System.CreatedDate": "2022-09-27T00:01:04.083Z", "System.Description": "Summary:
CodeQL detected the following issue: Security sensitive JsonWebTokenHandler validations are disabled (Help link)
Repository: https://github.com/microsoft/botbuilder-dotnet/tree/main?path=/libraries/Microsoft.Bot.Connector/Authentication/ParameterizedBotFrameworkAuthentication.cs&line=207&lineStartColumn=40&lineEndColumn=45
File: /libraries/Microsoft.Bot.Connector/Authentication/ParameterizedBotFrameworkAuthentication.cs
Location: Line 207, Column 40 - 45
Link: (Link to LGTM)

Recommendations:
The security sensitive property ValidateAudience is being disabled by the followign value: false.\n
Check if secruity sensitive token validations for `JsonWebTokenHandler` are being disabled.
Microsoft requirement(s): Microsoft.Security.SystemsADM.10201
Requirement: CodeQL.SM03926 (Link to Liquid Requirement)
Confidence: high", "System.History": "

This can be suppressed.  The validation is happening manually later.
", "System.Id": 77435, "System.IterationId": 139042, "System.IterationLevel1": "SDK_v4", "System.IterationLevel2": "Sprint 1", "System.IterationPath": "SDK_v4\\Sprint 1", "System.NodeName": "Code Analysis", "System.PersonId": 46928738, "System.Reason": "New defect reported", "System.Rev": 2, "System.RevisedDate": "9999-01-01T00:00:00Z", "System.State": "New", "System.Tags": "CodeQL; manual-verification-required; sdl-recommended; sdl-required; security; ServiceOid 0ab2a10f-f0a6-40c7-8b24-f718d4c3cf88; wilson-library", "System.TeamProject": "SDK_v4", "System.Title": "CodeQL alert SM03926: Security sensitive JsonWebTokenHandler validations are disabled in microsoft/microsoft/botbuilder-dotnet/botbuilder-dotnet", "System.Watermark": 325168, "System.WorkItemType": "Bug", "WEF_2AF1BD8A732542D29D4104AD064A9D25_Kanban.Column": "New", "WEF_2AF1BD8A732542D29D4104AD064A9D25_Kanban.Column.Done": false, "WEF_2AF1BD8A732542D29D4104AD064A9D25_System.ExtensionMarker": false }, "id": 77435, "relations": [ { "attributes": { "authorizedDate": "2022-09-27T00:01:04.083Z", "comment": "Liquid requirement link", "id": 6926485, "resourceCreatedDate": "2022-09-27T00:01:04.083Z", "resourceModifiedDate": "2022-09-27T00:01:04.083Z", "revisedDate": "9999-01-01T00:00:00Z" }, "rel": "Hyperlink", "url": "https://liquid.microsoft.com/ref?_reqref=1480D06A-3EBB-45BA-BC81-D79569A7D2C1.rex:%2f%2fscanningtoolwarnings%2fRequirements%2fCodeQL.SM03926" }, { "attributes": { "authorizedDate": "2022-09-27T00:01:04.083Z", "comment": "Issue in LGTM", "id": 6926484, "resourceCreatedDate": "2022-09-27T00:01:04.083Z", "resourceModifiedDate": "2022-09-27T00:01:04.083Z", "revisedDate": "9999-01-01T00:00:00Z" }, "rel": "Hyperlink", "url": "https://onees.lgtm.microsoft.com/issues/1011948/csharp/z+TPDk7MsDzO93kahAuElyGsVSQ=" } ], "rev": 2, "url": "https://fuselabs.visualstudio.com/86659c66-c9df-418a-a371-7de7aed35064/_apis/wit/workItems/77435" }
```

Work Item Comments (2)

| Created date | Created by | JSON URL |
|---|---|---|
| 2022-10-10T13:20:57.197Z | Tracy Boehrer | [URL](https://dev.azure.com/FuseLabs/86659c66-c9df-418a-a371-7de7aed35064/_apis/wit/workItems/77435/comments/5193583) |

**Comment text**:

This can be suppressed. The validation is happening manually later.

-----------

| Created date | Created by | JSON URL |
|---|---|---|
| 2022-09-27T00:01:04.083Z | Bruce Haley | [URL](https://dev.azure.com/FuseLabs/86659c66-c9df-418a-a371-7de7aed35064/_apis/wit/workItems/77435/comments/5152357) |

**Comment text**: Security Rating: Important

-----------

tracyboehrer commented 2 years ago

We need to suppress this. The ValidateAudience is happening manually later.
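As an added illustration of what the alert and the reply above are about (example code written for this page, not code from botbuilder-dotnet or from the CodeQL alert), the block below builds the `TokenValidationParameters` shape that SM03926 flags (`ValidateAudience = false`), validates a token with `JsonWebTokenHandler`, and then performs the audience check "manually later" in the only order that is safe: signature, issuer and lifetime first, then an exact match of the `aud` claim against the expected audience. It also shows the equivalent configuration that leaves the check to the library (`ValidAudiences`), which a static scanner can actually see. The expected audience, issuer and HMAC signing key are constructed values, and the two minted tokens are constructed test input.

```csharp
// Added example for this page; not code from botbuilder-dotnet.
// Shows the TokenValidationParameters shape CodeQL SM03926 flags (ValidateAudience = false),
// a safe "manual" audience check done after the library validates the rest, and the
// equivalent built-in configuration.
using System;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

static class AudienceValidationDemo
{
    // Constructed values (assumptions for this example): the audience a bot expects is its
    // own app id; the issuer and HMAC key stand in for the real token service.
    const string ExpectedAudience = "00000000-0000-0000-0000-000000000001";
    const string Issuer = "https://issuer.example/";
    static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(RandomNumberGenerator.GetBytes(32));

    // Mint a signed test token for a chosen audience (constructed input, not a real token).
    static string MintToken(string audience) =>
        new JsonWebTokenHandler().CreateToken(new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = audience,
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(Key, SecurityAlgorithms.HmacSha256),
        });

    // The shape the scanner flags: every other check is on, audience is switched off.
    static TokenValidationParameters ParametersWithoutAudienceCheck() =>
        new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuers = new[] { Issuer },
            ValidateAudience = false,   // SM03926: security-sensitive validation disabled
            ValidateLifetime = true,
            IssuerSigningKey = Key,
            ClockSkew = TimeSpan.FromMinutes(5),
        };

    // "Validation happens manually later": only safe if the library has already verified
    // signature, issuer and lifetime, and the aud claim is then matched exactly.
    static ClaimsIdentity ValidateWithManualAudienceCheck(string token)
    {
        TokenValidationResult result =
            new JsonWebTokenHandler().ValidateToken(token, ParametersWithoutAudienceCheck());
        if (!result.IsValid)
        {
            throw new SecurityTokenException("token rejected", result.Exception);
        }

        // Read aud from the validated token object, not from the raw string.
        var audiences = ((JsonWebToken)result.SecurityToken).Audiences.ToList();
        if (audiences.Count != 1 ||
            !string.Equals(audiences[0], ExpectedAudience, StringComparison.Ordinal))
        {
            // Reject tokens with no aud, several auds, or a different aud outright.
            throw new SecurityTokenInvalidAudienceException(
                "unexpected audience(s): " + string.Join(",", audiences));
        }
        return result.ClaimsIdentity;
    }

    // The same policy expressed so the library enforces it and the scanner can see it.
    static TokenValidationParameters ParametersWithAudienceCheck()
    {
        TokenValidationParameters p = ParametersWithoutAudienceCheck();
        p.ValidateAudience = true;
        p.ValidAudiences = new[] { ExpectedAudience };
        return p;
    }

    static void Main()
    {
        string forThisBot = MintToken(ExpectedAudience);
        string forOtherBot = MintToken("11111111-1111-1111-1111-111111111111"); // constructed

        var handler = new JsonWebTokenHandler();

        // Weak parameters alone: the token minted for another bot is accepted.
        Console.WriteLine("no audience check, other bot's token: IsValid=" +
            handler.ValidateToken(forOtherBot, ParametersWithoutAudienceCheck()).IsValid);

        // Manual check: own-audience token passes, other bot's token is rejected.
        Console.WriteLine("manual check, own token: claims=" +
            ValidateWithManualAudienceCheck(forThisBot).Claims.Count());
        try
        {
            ValidateWithManualAudienceCheck(forOtherBot);
            Console.WriteLine("manual check, other bot's token: ACCEPTED (bug)");
        }
        catch (SecurityTokenInvalidAudienceException e)
        {
            Console.WriteLine("manual check, other bot's token: rejected, " + e.Message);
        }

        // Built-in check gives the same decision without the out-of-band code.
        Console.WriteLine("library check, own token: IsValid=" +
            handler.ValidateToken(forThisBot, ParametersWithAudienceCheck()).IsValid);
        Console.WriteLine("library check, other bot's token: IsValid=" +
            handler.ValidateToken(forOtherBot, ParametersWithAudienceCheck()).IsValid);
    }
}
```

Compile against the Microsoft.IdentityModel.JsonWebTokens package on .NET 6 or later (`RandomNumberGenerator.GetBytes` is new in .NET 6). Before accepting a suppression like the one in this thread, a reviewer should confirm that the later manual check is unconditional, runs on every code path that trusts the validated token, and compares the full audience list, so that a token with several `aud` values, or none, cannot pass.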