More test cases for io.jsonwebtoken.SigningKeyResolverAdapter

egregius313 · egregius313 · commit 5c10d4291593 · 2023-05-04T16:52:40.000-04:00
diff --git a/java/ql/test/library-tests/dataflow/taintsources/JwsSigningKeyResolverAdapter.java b/java/ql/test/library-tests/dataflow/taintsources/JwsSigningKeyResolverAdapter.java
@@ -1,3 +1,5 @@
+import java.security.Key;
+
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.JwsHeader;
 import io.jsonwebtoken.SigningKeyResolverAdapter;
@@ -6,12 +8,27 @@ public class JwsSigningKeyResolverAdapter extends SigningKeyResolverAdapter {
     private void sink(Object o) {
     }
 
+    @Override
+    public Key resolveSigningKey(JwsHeader header, Claims claims) {
+        final String keyId = header.getKeyId();
+        String example = "example:" + keyId;
+        sink(example); // $ hasRemoteTaintFlow
+        return null;
+    }
+
     @Override
     public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
         final String keyId = header.getKeyId();
         String example = "example:" + keyId;
+
         sink(example); // $ hasRemoteTaintFlow
 
+        final String algorithm = header.getAlgorithm();
+        sink("algo:" + algorithm); // $ hasRemoteTaintFlow
+
+        final String random = (String)header.get("random");
+        sink("random:" + random) ; // $ hasRemoteTaintFlow
+
         return new byte[0];
     }
 }
