changed to just detect the .net usage, updated tests, added qhelp

chanel-y · chanel-y · commit 1f0f8e5a31c0 · 2026-04-13T10:16:14.000-07:00
diff --git a/powershell/ql/src/queries/security/cwe-347/JwtNoneAlgorithm.qhelp b/powershell/ql/src/queries/security/cwe-347/JwtNoneAlgorithm.qhelp
@@ -0,0 +1,45 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+
+<p>Using the <code>"none"</code> algorithm when creating a JWT token with
+<code>JwtSecurityTokenHandler</code> disables signature verification. This allows attackers to
+forge arbitrary tokens that will be accepted as valid, potentially leading to authentication
+bypass and privilege escalation.</p>
+
+</overview>
+<recommendation>
+
+<p>Always use a secure signing algorithm such as <code>HS256</code>, <code>RS256</code>, or
+<code>ES256</code> when creating JWT tokens. Ensure that tokens are signed with a strong secret
+or key pair.</p>
+
+</recommendation>
+<example>
+
+<p>In this example, a JWT token is created using the <code>"none"</code> algorithm, which produces
+an unsigned token:</p>
+
+<sample src="examples/JwtNoneAlgorithmBad.ps1" />
+
+<p>The fix is to use a secure algorithm instead:</p>
+
+<sample src="examples/JwtNoneAlgorithmGood.ps1" />
+
+</example>
+<references>
+
+<li>
+RFC 7518:
+<a href="https://datatracker.ietf.org/doc/html/rfc7518#section-3.6">JSON Web Algorithms - Unsecured JWS</a>.
+</li>
+
+<li>
+CWE-347:
+<a href="https://cwe.mitre.org/data/definitions/347.html">Improper Verification of Cryptographic Signature</a>.
+</li>
+
+</references>
+</qhelp>
diff --git a/powershell/ql/src/queries/security/cwe-347/JwtNoneAlgorithm.ql b/powershell/ql/src/queries/security/cwe-347/JwtNoneAlgorithm.ql
@@ -5,61 +5,33 @@
  * @kind problem
  * @problem.severity error
  * @security-severity 9.8
- * @precision medium
- * @id powershell/microsoft/security/jwt-none-algorithm
+ * @precision high
+ * @id powershell/jwt-none-algorithm
  * @tags security
  *       external/cwe/cwe-347
  */
 
 import powershell
 import semmle.code.powershell.dataflow.DataFlow
 
-// NOTE: PowerShell is a beta language for CodeQL and has no built-in JWT library modeling.
-// This query detects common patterns of JWT "none" algorithm usage in PowerShell modules
-// such as PSJwt, JWTPS, and direct .NET JWT library calls.
-// Coverage may be limited for less common JWT libraries.
-
-/**
- * A string literal containing "none" used in a JWT-related cmdlet call.
- */
-class JwtNoneAlgorithmLiteral extends StringConstExpr {
-  JwtNoneAlgorithmLiteral() {
-    this.getValueString().toLowerCase() = "none" and
-    exists(CmdCall call |
-      call.matchesName([
-          "New-Jwt", "New-JsonWebToken", "ConvertTo-Jwt",
-          "New-JWTToken", "ConvertTo-JWTToken"
-        ]) and
-      this = call.getAnArgument()
-    )
-  }
-}
-
 /**
- * A string literal "none" passed as an algorithm argument to .NET JWT methods.
+ * A string literal "none" passed as an algorithm argument to .NET JWT methods
+ * on a JwtSecurityTokenHandler instance.
  */
 class JwtNoneInDotNetCall extends StringConstExpr {
   JwtNoneInDotNetCall() {
     this.getValueString().toLowerCase() = "none" and
-    exists(InvokeMemberExpr call |
-      call.matchesName([
-          "CreateToken", "WriteToken", "CreateJwtSecurityToken", "CreateEncodedJwt"
-        ]) and
-      this = call.getAnArgument()
+    exists(DataFlow::CallNode cn, DataFlow::ObjectCreationNode ocn |
+      cn.getQualifier().getALocalSource() = ocn and
+      ocn.getConstructedTypeNode().asExpr().getExpr().(TypeNameExpr).hasQualifiedName("system.identitymodel.tokens.jwt", "jwtsecuritytokenhandler") and
+      cn.getLowerCaseName() in [
+          "createtoken", "writetoken", "createjwtsecuritytoken", "createencodedjwt"
+        ] and
+      cn.getAnArgument().asExpr().getExpr() = this
     )
   }
 }
 
-from StringConstExpr noneAlg, string msg
-where
-  (
-    noneAlg instanceof JwtNoneAlgorithmLiteral and
-    msg = "JWT token created with 'none' algorithm, disabling signature verification."
-  )
-  or
-  (
-    noneAlg instanceof JwtNoneInDotNetCall and
-    msg =
-      "JWT token created with 'none' algorithm via .NET API, disabling signature verification."
-  )
-select noneAlg, msg
+from JwtNoneInDotNetCall noneAlg
+select noneAlg,
+  "JWT token created with 'none' algorithm via .NET API, disabling signature verification."
diff --git a/powershell/ql/src/queries/security/cwe-347/examples/JwtNoneAlgorithmBad.ps1 b/powershell/ql/src/queries/security/cwe-347/examples/JwtNoneAlgorithmBad.ps1
@@ -0,0 +1,4 @@
+$handler = [System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler]::new()
+
+# BAD: Creating a JWT token with the "none" algorithm disables signature verification.
+$token = $handler.CreateToken("none")
diff --git a/powershell/ql/src/queries/security/cwe-347/examples/JwtNoneAlgorithmGood.ps1 b/powershell/ql/src/queries/security/cwe-347/examples/JwtNoneAlgorithmGood.ps1
@@ -0,0 +1,4 @@
+$handler = [System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler]::new()
+
+# GOOD: Creating a JWT token with a secure algorithm.
+$token = $handler.CreateToken("HS256")
diff --git a/powershell/ql/test/query-tests/security/cwe-347/JwtNoneAlgorithm/JwtNoneAlgorithm.expected b/powershell/ql/test/query-tests/security/cwe-347/JwtNoneAlgorithm/JwtNoneAlgorithm.expected
@@ -1 +1,2 @@
-| test.ps1:6:29:6:34 | none | JWT token created with 'none' algorithm, disabling signature verification. |
+| test.ps1:7:31:7:36 | none | JWT token created with 'none' algorithm via .NET API, disabling signature verification. |
+| test.ps1:10:36:10:41 | none | JWT token created with 'none' algorithm via .NET API, disabling signature verification. |
diff --git a/powershell/ql/test/query-tests/security/cwe-347/JwtNoneAlgorithm/test.ps1 b/powershell/ql/test/query-tests/security/cwe-347/JwtNoneAlgorithm/test.ps1
@@ -2,15 +2,16 @@
 # ========== TRUE POSITIVES (should trigger alert) ==================
 # ===================================================================
 
-# --- Case 1: PSJwt module with "none" algorithm ---
-$token = New-Jwt -Algorithm "none" -Payload @{sub="user"} # BAD
+# --- Case 1: .NET JwtSecurityTokenHandler.CreateToken with "none" ---
+$handler = [System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler]::new()
+$token = $handler.CreateToken("none") # BAD
+
+# --- Case 2: .NET JwtSecurityTokenHandler.CreateEncodedJwt with "none" ---
+$token = $handler.CreateEncodedJwt("none") # BAD
 
 # ===================================================================
 # ========== TRUE NEGATIVES (should NOT trigger alert) ==============
 # ===================================================================
 
-# --- Safe: JWT with HS256 ---
-$token = New-Jwt -Algorithm "HS256" -Payload @{sub="user"} -Secret $key # GOOD
-
-# --- Safe: Unrelated string "none" ---
-$value = "none" # GOOD
+# --- Safe: .NET CreateToken with HS256 ---
+$token = $handler.CreateToken("HS256") # GOOD

Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`		`-\| test.ps1:6:29:6:34 \| none \| JWT token created with 'none' algorithm, disabling signature verification. \|`
	`1`	`+\| test.ps1:7:31:7:36 \| none \| JWT token created with 'none' algorithm via .NET API, disabling signature verification. \|`
	`2`	`+\| test.ps1:10:36:10:41 \| none \| JWT token created with 'none' algorithm via .NET API, disabling signature verification. \|`