/**
* @name Security sensitive JsonWebTokenHandler validations are disabled
 * @description Flags assignments where a `false` value flows into a security sensitive validation property of `TokenValidationParameters` (as used by `JsonWebTokenHandler`), which disables that token validation. Results are tagged as requiring manual verification.
* @kind problem
* @tags security
* experimental
* JsonWebTokenHandler
* manual-verification-required
* @id cs/json-webtoken-handler/security-validations-disabled
* @problem.severity error
* @precision high
*/
import csharp
deprecated import JsonWebTokenHandlerLib
import semmle.code.csharp.commons.QualifiedName
/**
 * Holds when a `false` value (per the flow configuration's name, presumably a
 * `false` literal) flows to `sink`, the expression assigned to the security
 * sensitive `TokenValidationParameters` validation property `pw`.
 *
 * Result columns: `sink` is the alert location, `message` the alert text; the
 * pairs `pw`/`fullyQualifiedName` and `source`/`value` bind the two `$@`
 * placeholders in `message`, in order.
 */
deprecated query predicate problems(
  DataFlow::Node sink, string message, TokenValidationParametersPropertySensitiveValidation pw,
  string fullyQualifiedName, DataFlow::Node source, string value
) {
  // The alert location is the value written to the sensitive property.
  sink.asExpr() = pw.getAnAssignedValue() and
  // Restrict to writes reached by the bypass-validation flow configuration.
  FalseValueFlowsToTokenValidationParametersPropertyWriteToBypassValidation::flow(source, sink) and
  // Render the property for the first placeholder by joining its qualifier and
  // name through the shared `getQualifiedName` helper.
  exists(string ns, string prop |
    pw.hasFullyQualifiedName(ns, prop) and
    fullyQualifiedName = getQualifiedName(ns, prop)
  ) and
  // The second placeholder always reports the disabling value as `false`.
  value = "false" and
  message = "The security sensitive property $@ is being disabled by the following value: $@."
}