Add JWT none algorithm detection query for PowerShell

Detects usage of 'none' algorithm in JWT token creation via PowerShell
modules (New-Jwt, etc.) and .NET JWT APIs (CreateToken, etc.).

Covers: Cryptography.10033 (CWE-347)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: chanel-y

powershell/ql/src/queries/security/cwe-347/JwtNoneAlgorithm.ql

@@ -0,0 +1,65 @@
+/**
+ * @name JWT none algorithm usage
+ * @description Using the "none" algorithm for JWT tokens disables signature verification,
+ *              allowing token forgery.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 9.8
+ * @precision medium
+ * @id powershell/microsoft/security/jwt-none-algorithm
+ * @tags security
+ *       external/cwe/cwe-347
+ */
+
+import powershell
+import semmle.code.powershell.dataflow.DataFlow
+
+// NOTE: PowerShell is a beta language for CodeQL and has no built-in JWT library modeling.
+// This query detects common patterns of JWT "none" algorithm usage in PowerShell modules
+// such as PSJwt, JWTPS, and direct .NET JWT library calls.
+// Coverage may be limited for less common JWT libraries.
+
+/**
+ * A string literal containing "none" used in a JWT-related cmdlet call.
+ */
+class JwtNoneAlgorithmLiteral extends StringConstExpr {
+  JwtNoneAlgorithmLiteral() {
+    this.getValueString().toLowerCase() = "none" and
+    exists(CmdCall call |
+      call.matchesName([
+          "New-Jwt", "New-JsonWebToken", "ConvertTo-Jwt",
+          "New-JWTToken", "ConvertTo-JWTToken"
+        ]) and
+      this = call.getAnArgument()
+    )
+  }
+}
+
+/**
+ * A string literal "none" passed as an algorithm argument to .NET JWT methods.
+ */
+class JwtNoneInDotNetCall extends StringConstExpr {
+  JwtNoneInDotNetCall() {
+    this.getValueString().toLowerCase() = "none" and
+    exists(InvokeMemberExpr call |
+      call.matchesName([
+          "CreateToken", "WriteToken", "CreateJwtSecurityToken", "CreateEncodedJwt"
+        ]) and
+      this = call.getAnArgument()
+    )
+  }
+}
+
+from StringConstExpr noneAlg, string msg
+where
+  (
+    noneAlg instanceof JwtNoneAlgorithmLiteral and
+    msg = "JWT token created with 'none' algorithm, disabling signature verification."
+  )
+  or
+  (
+    noneAlg instanceof JwtNoneInDotNetCall and
+    msg =
+      "JWT token created with 'none' algorithm via .NET API, disabling signature verification."
+  )
+select noneAlg, msg

powershell/ql/test/query-tests/security/cwe-347/JwtNoneAlgorithm/JwtNoneAlgorithm.expected

@@ -0,0 +1 @@
+| test.ps1:6:29:6:34 | none | JWT token created with 'none' algorithm, disabling signature verification. |

powershell/ql/test/query-tests/security/cwe-347/JwtNoneAlgorithm/JwtNoneAlgorithm.qlref

@@ -0,0 +1 @@
+queries/security/cwe-347/JwtNoneAlgorithm.ql

powershell/ql/test/query-tests/security/cwe-347/JwtNoneAlgorithm/test.ps1

@@ -0,0 +1,16 @@
+# ===================================================================
+# ========== TRUE POSITIVES (should trigger alert) ==================
+# ===================================================================
+
+# --- Case 1: PSJwt module with "none" algorithm ---
+$token = New-Jwt -Algorithm "none" -Payload @{sub="user"} # BAD
+
+# ===================================================================
+# ========== TRUE NEGATIVES (should NOT trigger alert) ==============
+# ===================================================================
+
+# --- Safe: JWT with HS256 ---
+$token = New-Jwt -Algorithm "HS256" -Payload @{sub="user"} -Secret $key # GOOD
+
+# --- Safe: Unrelated string "none" ---
+$value = "none" # GOOD