Divide JWT libraries

jorgectf · jorgectf · commit f1b3c709099e · 2021-07-21T21:29:23.000+02:00
diff --git a/python/ql/src/experimental/semmle/python/Frameworks.qll b/python/ql/src/experimental/semmle/python/Frameworks.qll
@@ -5,3 +5,6 @@
 private import experimental.semmle.python.frameworks.Stdlib
 private import experimental.semmle.python.frameworks.LDAP
 private import experimental.semmle.python.frameworks.JWT
+private import experimental.semmle.python.libraries.PyJWT
+private import experimental.semmle.python.libraries.Authlib
+private import experimental.semmle.python.libraries.PythonJose
diff --git a/python/ql/src/experimental/semmle/python/frameworks/JWT.qll b/python/ql/src/experimental/semmle/python/frameworks/JWT.qll
@@ -1,5 +1,4 @@
 private import python
-private import experimental.semmle.python.Concepts
 private import semmle.python.ApiGraphs
 
 predicate isEmptyOrNone(DataFlow::Node arg) { isEmpty(arg) or isNone(arg) }
@@ -19,72 +18,3 @@ predicate isFalse(DataFlow::Node arg) {
   exists( | DataFlow::exprNode(any(False falseExpr)).(DataFlow::LocalSourceNode).flowsTo(arg))
 }
 
-private module JWT {
-  /** Gets a reference to `jwt` */
-  private API::Node pyjwt() { result = API::moduleImport("jwt") }
-
-  /** Gets a reference to `jwt.encode` */
-  private API::Node pyjwt_encode() { result = pyjwt().getMember("encode") }
-
-  /** Gets a reference to `jwt.decode` */
-  private API::Node pyjwt_decode() { result = pyjwt().getMember("decode") }
-
-  private class PyJWTEncodeCall extends DataFlow::CallCfgNode, JWTEncoding::Range {
-    PyJWTEncodeCall() { this = pyjwt_encode().getACall() }
-
-    override DataFlow::Node getPayload() {
-      result in [this.getArg(0), this.getArgByName("payload")]
-    }
-
-    override DataFlow::Node getKey() { result in [this.getArg(1), this.getArgByName("key")] }
-
-    override DataFlow::Node getAlgorithm() {
-      result in [this.getArg(2), this.getArgByName("algorithm")]
-    }
-
-    override string getAlgorithmString() {
-      exists(StrConst str |
-        DataFlow::exprNode(str).(DataFlow::LocalSourceNode).flowsTo(getAlgorithm()) and
-        result = str.getText()
-      )
-    }
-  }
-
-  private class PyJWTDecodeCall extends DataFlow::CallCfgNode, JWTDecoding::Range {
-    PyJWTDecodeCall() { this = pyjwt_decode().getACall() }
-
-    override DataFlow::Node getPayload() { result in [this.getArg(0), this.getArgByName("jwt")] }
-
-    override DataFlow::Node getKey() { result in [this.getArg(1), this.getArgByName("key")] }
-
-    override DataFlow::Node getAlgorithm() {
-      result in [this.getArg(2), this.getArgByName("algorithms")]
-    }
-
-    override string getAlgorithmString() {
-      exists(StrConst str |
-        DataFlow::exprNode(str).(DataFlow::LocalSourceNode).flowsTo(getAlgorithm()) and
-        result = str.getText()
-      )
-    }
-
-    override DataFlow::Node getOptions() {
-      result in [this.getArg(3), this.getArgByName("options")]
-    }
-
-    override predicate verifiesSignature() {
-      // jwt.decode(token, "key", "HS256")
-      not exists(this.getArgByName("verify")) and not exists(this.getOptions())
-      or
-      // jwt.decode(token, verify=False)
-      not isFalse(this.getArgByName("verify")) and
-      // jwt.decode(token, key, options={"verify_signature": False})
-      not exists(KeyValuePair optionsDict, NameConstant falseName |
-        falseName.getId() = "False" and
-        optionsDict = this.getArgByName("options").asExpr().(Dict).getItems().getAnItem() and
-        optionsDict.getKey().(Str_).getS().matches("%verify%") and
-        falseName = optionsDict.getValue()
-      )
-    }
-  }
-}
diff --git a/python/ql/src/experimental/semmle/python/libraries/PyJWT.qll b/python/ql/src/experimental/semmle/python/libraries/PyJWT.qll
@@ -0,0 +1,74 @@
+private import python
+private import experimental.semmle.python.Concepts
+private import semmle.python.ApiGraphs
+private import experimental.semmle.python.frameworks.JWT
+
+private module PyJWT {
+  /** Gets a reference to `jwt` */
+  private API::Node pyjwt() { result = API::moduleImport("jwt") }
+
+  /** Gets a reference to `jwt.encode` */
+  private API::Node pyjwtEncode() { result = pyjwt().getMember("encode") }
+
+  /** Gets a reference to `jwt.decode` */
+  private API::Node pyjwtDecode() { result = pyjwt().getMember("decode") }
+
+  private class PyJWTEncodeCall extends DataFlow::CallCfgNode, JWTEncoding::Range {
+    PyJWTEncodeCall() { this = pyjwtEncode().getACall() }
+
+    override DataFlow::Node getPayload() {
+      result in [this.getArg(0), this.getArgByName("payload")]
+    }
+
+    override DataFlow::Node getKey() { result in [this.getArg(1), this.getArgByName("key")] }
+
+    override DataFlow::Node getAlgorithm() {
+      result in [this.getArg(2), this.getArgByName("algorithm")]
+    }
+
+    override string getAlgorithmString() {
+      exists(StrConst str |
+        DataFlow::exprNode(str).(DataFlow::LocalSourceNode).flowsTo(getAlgorithm()) and
+        result = str.getText()
+      )
+    }
+  }
+
+  private class PyJWTDecodeCall extends DataFlow::CallCfgNode, JWTDecoding::Range {
+    PyJWTDecodeCall() { this = pyjwtDecode().getACall() }
+
+    override DataFlow::Node getPayload() { result in [this.getArg(0), this.getArgByName("jwt")] }
+
+    override DataFlow::Node getKey() { result in [this.getArg(1), this.getArgByName("key")] }
+
+    override DataFlow::Node getAlgorithm() {
+      result in [this.getArg(2), this.getArgByName("algorithms")]
+    }
+
+    override string getAlgorithmString() {
+      exists(StrConst str |
+        DataFlow::exprNode(str).(DataFlow::LocalSourceNode).flowsTo(getAlgorithm()) and
+        result = str.getText()
+      )
+    }
+
+    override DataFlow::Node getOptions() {
+      result in [this.getArg(3), this.getArgByName("options")]
+    }
+
+    override predicate verifiesSignature() {
+      // jwt.decode(token, "key", "HS256")
+      not exists(this.getArgByName("verify")) and not exists(this.getOptions())
+      or
+      // jwt.decode(token, verify=False)
+      not isFalse(this.getArgByName("verify")) and
+      // jwt.decode(token, key, options={"verify_signature": False})
+      not exists(KeyValuePair optionsDict, NameConstant falseName |
+        falseName.getId() = "False" and
+        optionsDict = this.getOptions().asExpr().(Dict).getItems().getAnItem() and
+        optionsDict.getKey().(Str_).getS().matches("%verify%") and
+        falseName = optionsDict.getValue()
+      )
+    }
+  }
+}
