Rule S5659: JWT should be signed and verified with strong cipher algorithms (Vulnerability warning) is not caught by sonar scanner for the first Noncompliant example in the code on SonarQube 8.4 version community edition

I’m using SonarQube sonarqube-8.4.1.35646 community edition, sonar scanner sonar-scanner-msbuild-4.7.1.2311-net46

The warning for the rule S5659: JWT should be signed and verified with strong cipher algorithms (Category: Vulnerability) is not caught by sonar scanner and it is not displayed in the report for the first Noncompliant code, var decodedtoken1 = decoder.Decode(token, secret, verify: false);. The warning is displayed for the second Noncompliant code:

var decodedtoken2 = new JwtBuilder()
  .WithSecret(secret)
  .Decode(forgedtoken1);

E.g., analyzing:

using System;

/// <title>JWT should be signed and verified with strong cipher algorithms</title>
/// <summary>
/// If a JSON Web Token (JWT) is not signed with a strong cipher algorithm (or not signed at all) 
/// an attacker can forge it and impersonate user identities.
/// Don't use none algorithm to sign or verify the validity of an algorithm.
/// Don't use a token without verifying its signature before.
/// </summary>
/// 

namespace SonarQubeToolVerification.Vulnerability.Warnings
{
    using System.Security.Cryptography;
    using JWT;
    using JWT.Algorithms;
    using JWT.Builder;
    using JWT.Serializers;

    public class S5659Warning
    {
        public void test()
        {
            const string forgedtoken1 = null;
            const string token = "some token";
            const string secret = "GQDstcKsx0NHjPOuXOYg5MbeJ1XT0uFiwDVvVBrk";

            IJsonSerializer serializer = new JsonNetSerializer();
            var provider = new UtcDateTimeProvider();
            IJwtValidator validator = new JwtValidator(serializer, provider);
            IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder();
            // IJwtAlgorithm algorithm = new RS256Algorithm((RSA)null);
            var factory = new RSAlgorithmFactory((RSA)null);
            var algorithm = factory.Create(null);
            IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm);

            var decodedtoken1 = decoder.Decode(token, secret, verify: false); // Noncompliant: signature should be verified

            var decodedtoken2 = new JwtBuilder()
                                .WithSecret(secret)
                                .Decode(forgedtoken1); // Noncompliant: signature should be verified
        }
    }

}
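To make the difference between the two decode calls concrete, here is an added example (not from the original post or from the JWT.NET project) showing the unverified decode that S5659 flags next to its compliant form. It assumes the JWT.NET builder API used above (JwtBuilder, HMACSHA256Algorithm, JwtBase64UrlEncoder) and a constructed demo secret; the tampered-token helper only exists to show why an unverified decode must never be trusted.

```csharp
using System;
using System.Text;
using JWT;
using JWT.Algorithms;
using JWT.Builder;

public static class S5659Demo
{
    // Constructed demo secret for this example only.
    private const string Secret = "constructed-demo-secret-do-not-reuse";

    // Issues a signed HS256 token carrying a "sub" claim.
    public static string Issue(string subject) =>
        new JwtBuilder()
            .WithAlgorithm(new HMACSHA256Algorithm())
            .WithSecret(Secret)
            .AddClaim("sub", subject)
            .Encode();

    // Test helper: swaps the payload segment while keeping the original
    // signature, i.e. a token whose signature no longer matches its claims.
    public static string TamperPayload(string token, string newPayloadJson)
    {
        var parts = token.Split('.');
        var urlEncoder = new JwtBase64UrlEncoder();
        parts[1] = urlEncoder.Encode(Encoding.UTF8.GetBytes(newPayloadJson));
        return string.Join(".", parts);
    }

    // Noncompliant (S5659): the signature is ignored, so the tampered
    // claims come back as if they were genuine.
    public static string DecodeUnverified(string token) =>
        new JwtBuilder().WithSecret(Secret).DoNotVerifySignature().Decode(token);

    // Compliant: the HS256 signature must match before any claim is trusted;
    // a mismatch raises an exception instead of returning claims.
    public static string DecodeVerified(string token) =>
        new JwtBuilder()
            .WithAlgorithm(new HMACSHA256Algorithm())
            .WithSecret(Secret)
            .MustVerifySignature()
            .Decode(token);

    public static void Main()
    {
        var forged = TamperPayload(Issue("alice"), "{\"sub\":\"admin\"}");
        Console.WriteLine("unverified: " + DecodeUnverified(forged)); // {"sub":"admin"} is accepted
        try { DecodeVerified(forged); }
        catch (Exception e) { Console.WriteLine("verified: rejected (" + e.GetType().Name + ")"); }
    }
}
```

Run it from a console project that references the jwt NuGet package; the verified decode is the only one that should appear in application code.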

Hey Felix,

If I am not mistaken for C# this rule will be part of the 8.5 release in 2 weeks: https://github.com/SonarSource/sonar-dotnet/issues/2866

Best regards,
Hendrik

Thank you Hendrik!

Anyway, the rule is available in version 8.4.1.35646. I will wait for the 8.5 version to see if it is going to work.

Regards!

Hi @mike1970fl03,

Thank you for reporting this case. I can confirm this as a False Negative. We don’t support the JwtDecoderExtensions variants of the method. I’ve created this issue to track it.

There’s no change in SQ 8.5 regarding this rule. It will not be fixed there.

Thank you Pavel!
