search

nahsra / WebGoat_12_23

Other
0 stars 2 forks source link

(CodeQL) Fixed finding: "Switch JWT calls to versions that enforce signature validity" #42

Closed pixeebot[bot] closed 1 week ago

pixeebot[bot] commented 3 weeks ago

Remediation

This change fixes "Switch JWT calls to versions that enforce signature validity" (id = missing-jwt-signature-check) identified by CodeQL.

Details

This change switches to Json Web Token (JWT) parsing APIs that perform signature validation.

Unfortunately the method names in JWT parsing with the io.jsonwebtoken.jjwt library don't convey the risk difference in usage. Although the parseClaimsJws() and parseClaimsJwt() methods perform signature validation, the parse() method does not.

Changing out these methods is easy and our changes look something like this:

  JwtParser parser = Jwts.parser();
  JwtParser jwtParser = parser.setSigningKey(JWT_PASSWORD);
- Jwt<Header, Claims> jwt = jwtParser.parse(token);
+ Jwt<Header, Claims> jwt = jwtParser.parseClaimsJwt(token);
More reading * [https://codeql.github.com/codeql-query-help/java/java-missing-jwt-signature-check/](https://codeql.github.com/codeql-query-help/java/java-missing-jwt-signature-check/) * [https://cwe.mitre.org/data/definitions/347.html](https://cwe.mitre.org/data/definitions/347.html)

I have additional improvements ready for this repo! If you want to see them, leave the comment:

@pixeebot next

... and I will open a new PR right away!

🧚🤖 Powered by Pixeebot

Feedback | Community | Docs | Codemod ID: codeql:java/missing-jwt-signature-check

sonarcloud[bot] commented 3 weeks ago

Quality Gate Failed Quality Gate failed

Failed conditions
E Security Rating on New Code (required ≥ A)
B Maintainability Rating on New Code (required ≥ A)

See analysis details on SonarCloud

Catch issues before they fail your Quality Gate with our IDE extension SonarLint

pixeebot[bot] commented 2 weeks ago

I'm confident in this change, but I'm not a maintainer of this project. Do you see any reason not to merge it?

If this change was not helpful, or you have suggestions for improvements, please let me know!

pixeebot[bot] commented 1 week ago

Just a friendly ping to remind you about this change. If there are concerns about it, we'd love to hear about them!

pixeebot[bot] commented 1 week ago

This change may not be a priority right now, so I'll close it. If there was something I could have done better, please let me know!

You can also customize me to make sure I'm working with you in the way you want.