
[JS] - Enhancement to add jose decodeJWT to js/jwt-missing-verification

Open · felickz opened this issue 2 years ago · 1 comment

Add additional logic to JWT Verification query js/jwt-missing-verification

Reproduction

  • https://github.com/vulna-felickz/ts-jose-jwtdecode/blob/main/src/index.ts#L4

Detections:

  • Potential TP: https://github.com/backstage/backstage/blob/6c0867be8dacd8c8a87ac3aa222327ac98f2d370/plugins/auth-backend/src/providers/azure-easyauth/provider.ts#L88-L88
  • Potential FP based on combination of other methods used: https://github.com/abnamro/repository-scanner/blob/cdec8aac14d4bb24da49e6c920a36741839b48db/components/resc-frontend/src/services/auth-service.js#L176

MRVA top 990 JS repos: [image]

felickz, May 19 '23 15:05

This repo has been merged with the Security Lab one into the new community-codeql-packs repo which we plan to make public and promote soon. If you would like this PR to be applied to the new repo, please open a new PR there so it can get merged in the new QLPacks.

pwntester, Sep 21 '23 12:09