@appland/scanner 1.69.1 → 1.70.0

package/CHANGELOG.md

@@ -1,3 +1,16 @@
+# [@appland/scanner-v1.70.0](https://github.com/applandinc/appmap-js/compare/@appland/scanner-v1.69.1...@appland/scanner-v1.70.0) (2022-08-31)
+
+
+### Bug Fixes
+
+* Don't attempt to destructure an undefined value ([b46e358](https://github.com/applandinc/appmap-js/commit/b46e358cf0fd0cc56a7f465268f87f219ab13c55))
+
+
+### Features
+
+* Add scan for presence of JWT signature verification ([a2b382b](https://github.com/applandinc/appmap-js/commit/a2b382bd571cfbc0fcdfa389ad382536f85eb671))
+* Add scanner for usage of JWT with the `none` algorithm ([025ac89](https://github.com/applandinc/appmap-js/commit/025ac89f0538d5b4bfed7f36e3d09788f2a38076))
+
 # [@appland/scanner-v1.69.1](https://github.com/applandinc/appmap-js/compare/@appland/scanner-v1.69.0...@appland/scanner-v1.69.1) (2022-08-29)
 
 

package/built/rules/jwtAlgorithmNone.js

@@ -0,0 +1,47 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const parseRuleDescription_1 = __importDefault(require("./lib/parseRuleDescription"));
+function getHeader(jwt) {
+    try {
+        const [header] = jwt.split('.');
+        const decodedHeader = Buffer.from(header, 'base64').toString('utf-8');
+        return JSON.parse(decodedHeader);
+    }
+    catch (_a) {
+        // the JWT is malformed
+        return undefined;
+    }
+}
+class JwtAlgoritmNoneLogic {
+    matcher(event) {
+        if (!event.returnValue)
+            return;
+        const matches = new Array();
+        const { value: jwt } = event.returnValue;
+        const header = getHeader(jwt);
+        if ((header === null || header === void 0 ? void 0 : header.alg) === 'none') {
+            matches.push({ event, message: 'Encoded JWT using the `none` algorithm' });
+        }
+        return matches;
+    }
+    where(event) {
+        return event.labels.has('jwt.encode');
+    }
+}
+class JwtAlgoritmNone {
+    constructor() {
+        this.id = 'jwt-algorithm-none';
+        this.title = "JWT 'none' algorithm";
+        this.impactDomain = 'Security';
+        this.enumerateScope = true;
+        this.description = (0, parseRuleDescription_1.default)('jwtAlgorithmNone');
+        this.url = 'https://appland.com/docs/analysis/rules-reference.html#jwt-algorithm-none';
+    }
+    build() {
+        return new JwtAlgoritmNoneLogic();
+    }
+}
+exports.default = new JwtAlgoritmNone();

package/built/rules/jwtUnverifiedSignature.js

@@ -0,0 +1,84 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Labels = void 0;
+const parseRuleDescription_1 = __importDefault(require("./lib/parseRuleDescription"));
+const models_1 = require("@appland/models");
+var Labels;
+(function (Labels) {
+    Labels["SignatureVerify"] = "jwt.signature.verify";
+    Labels["JwtDecode"] = "jwt.decode";
+})(Labels = exports.Labels || (exports.Labels = {}));
+// Attempt to identify and return a JWT from an array of parameters
+function findJwt(parameters) {
+    if (!parameters)
+        return;
+    for (const param of parameters) {
+        const tokens = param.value.split('.');
+        if (tokens.length !== 3)
+            return;
+        const [header, payload, signature] = tokens;
+        return { header, payload, signature };
+    }
+}
+// Check if `obj` matches the JWT by value or by reference (receiverId)
+function matchJwt(obj, jwt, receiverId) {
+    const byValue = jwt !== undefined && obj.value.startsWith(`${jwt.header}.${jwt.payload}`);
+    const byReference = receiverId !== undefined && receiverId === obj.object_id;
+    return byValue || byReference;
+}
+class JwtUnverifiedSignatureLogic {
+    matcher(event) {
+        var _a, _b, _c;
+        if (event.labels.has(Labels.SignatureVerify)) {
+            // This method is marked both as decode and signature verify. It is compliant.
+            return;
+        }
+        let verified = false;
+        let receiverId;
+        const jwt = findJwt(event.parameters);
+        const matches = new Array();
+        // Don't track the receiver if it's static. We'll find references of the decoded JWT passed by
+        // function parameter instead.
+        if (!event.isStatic) {
+            receiverId = (_a = event.receiver) === null || _a === void 0 ? void 0 : _a.object_id;
+        }
+        for (const { event: child } of new models_1.EventNavigator(event).following()) {
+            if (!child.labels.has(Labels.SignatureVerify)) {
+                continue;
+            }
+            const matchesReceiver = receiverId !== undefined && receiverId === ((_b = child.receiver) === null || _b === void 0 ? void 0 : _b.object_id);
+            const matchesParameter = (_c = child.parameters) === null || _c === void 0 ? void 0 : _c.find((param) => matchJwt(param, jwt, receiverId));
+            if (matchesReceiver || matchesParameter) {
+                verified = true;
+                break;
+            }
+        }
+        if (!verified) {
+            matches.push({
+                event,
+                message: 'JWT signature is not validated',
+            });
+        }
+        return matches;
+    }
+    where(event) {
+        return event.labels.has('jwt.decode');
+    }
+}
+class JwtUnverifiedSignature {
+    constructor() {
+        this.id = 'jwt-unverified-signature';
+        this.title = 'Unverified signature';
+        this.impactDomain = 'Security';
+        this.enumerateScope = true;
+        this.description = (0, parseRuleDescription_1.default)('jwtUnverifiedSignature');
+        this.url = 'https://appland.com/docs/analysis/rules-reference.html#jwt-unverified-signature';
+    }
+    build() {
+        return new JwtUnverifiedSignatureLogic();
+    }
+}
+exports.default = new JwtUnverifiedSignature();

package/doc/rules/jwt-algorithm-none.md

@@ -0,0 +1,25 @@
+---
+rule: jwt-algorithm-none
+name: Jwt algorithm none
+title: JWT 'none' algorithm
+impactDomain: Security
+---
+
+Finds usage of unsecured JWTs which use the `none` algorithm. When declaring this algorithm, there
+is no signature contained within the token that may be cryptographically verified. As a result, the
+data encoded within the token may be easily forged.
+
+### Rule logic
+
+Any function which encodes a new JWT will have its return value checked for presence of the `none`
+algorithm within the token header.
+
+### Options
+
+None
+
+### Examples
+
+```yaml
+- rule: jwt-algorithm-none
+```

package/doc/rules/jwt-unverified-signature.md

@@ -0,0 +1,24 @@
+---
+rule: jwt-unverified-signature
+name: Jwt unverified signature
+title: Unverified signature
+impactDomain: Security
+---
+
+Finds cases where a JWT is decoded but the signature is never verified. Without proper signature
+verification, the service will unknowingly accept arbitrary token payloads from any origin.
+
+### Rule logic
+
+Following a function call to decode a JWT, a subsequent function call to verify the token signature
+is expected.
+
+### Options
+
+None
+
+### Examples
+
+```yaml
+- rule: jwt-unverified-signature
+```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@appland/scanner",
-  "version": "1.69.1",
+  "version": "1.70.0",
   "description": "",
   "bin": "built/cli.js",
   "files": [
@@ -56,7 +56,7 @@
   },
   "dependencies": {
     "@appland/client": "^1.3.0",
-    "@appland/models": "^1.16.1",
+    "@appland/models": "^1.18.1",
     "@appland/openapi": "1.0.2",
     "@appland/sql-parser": "^1.5.0",
     "@types/cli-progress": "^3.9.2",