
Commit 2821015

committed
jwt-tokenvalidationparameters-no-expiry-validation-csharp
1 parent 783bde6 commit 2821015


3 files changed

+357
-0
lines changed

Lines changed: 146 additions & 0 deletions
@@ -0,0 +1,146 @@
1+
id: jwt-tokenvalidationparameters-no-expiry-validation-csharp
2+
severity: warning
3+
language: csharp
4+
message: >-
5+
The TokenValidationParameters.$LIFETIME is set to $FALSE, this means
6+
the JWT tokens lifetime is not validated. This can lead to an JWT token
7+
being used after it has expired, which has security implications. It is
8+
recommended to validate the JWT lifetime to ensure only valid tokens are
9+
used.
10+
note: >-
11+
[CWE-613] Insufficient Session Expiration.
12+
[REFERENCES]
13+
- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/
14+
- https://cwe.mitre.org/data/definitions/613.html
15+
- https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters?view=azure-dotnet
16+
17+
ast-grep-essentials: true
18+
19+
utils:
20+
MATCH_PATTERN_ONE:
21+
kind: boolean_literal
22+
inside:
23+
all:
24+
- has:
25+
stopBy: neighbor
26+
regex: ^(RequireExpirationTime|ValidateLifetime).*
27+
any:
28+
- kind: identifier
29+
- kind: member_access_expression
30+
- has:
31+
stopBy: neighbor
32+
regex: '^=$'
33+
- has:
34+
stopBy: neighbor
35+
kind: boolean_literal
36+
regex: '^false$'
37+
- inside:
38+
stopBy: end
39+
kind: object_creation_expression
40+
has:
41+
stopBy: neighbor
42+
kind: identifier
43+
regex: '^TokenValidationParameters$'
44+
45+
MATCH_PATTERN_TWO:
46+
kind: boolean_literal
47+
inside:
48+
all:
49+
- has:
50+
stopBy: neighbor
51+
kind: member_access_expression
52+
all:
53+
- has:
54+
stopBy: end
55+
kind: identifier
56+
pattern: $T
57+
58+
- has:
59+
stopBy: neighbor
60+
kind: identifier
61+
regex: ^(RequireExpirationTime|ValidateLifetime).*
62+
63+
- has:
64+
stopBy: neighbor
65+
regex: '^=$'
66+
- has:
67+
stopBy: neighbor
68+
kind: boolean_literal
69+
regex: '^false$'
70+
- inside:
71+
stopBy: end
72+
kind: global_statement
73+
follows:
74+
stopBy: end
75+
kind: global_statement
76+
has:
77+
stopBy: end
78+
kind: variable_declaration
79+
all:
80+
- has:
81+
stopBy: neighbor
82+
kind: identifier
83+
regex: '^TokenValidationParameters$'
84+
- has:
85+
stopBy: neighbor
86+
kind: variable_declarator
87+
has:
88+
stopBy: neighbor
89+
kind: identifier
90+
pattern: $T
91+
MATCH_PATTERN_THREE:
92+
kind: boolean_literal
93+
inside:
94+
all:
95+
- has:
96+
stopBy: neighbor
97+
kind: member_access_expression
98+
all:
99+
- has:
100+
stopBy: end
101+
kind: identifier
102+
pattern: $S
103+
104+
- has:
105+
stopBy: neighbor
106+
kind: identifier
107+
regex: ^(RequireExpirationTime|ValidateLifetime).*
108+
- has:
109+
stopBy: neighbor
110+
regex: '^=$'
111+
- has:
112+
stopBy: neighbor
113+
kind: boolean_literal
114+
regex: '^false$'
115+
- inside:
116+
kind: expression_statement
117+
stopBy: end
118+
follows:
119+
stopBy: end
120+
kind: local_declaration_statement
121+
has:
122+
stopBy: end
123+
kind: variable_declaration
124+
all:
125+
- has:
126+
stopBy: end
127+
kind: identifier
128+
regex: '^TokenValidationParameters$'
129+
- has:
130+
stopBy: neighbor
131+
kind: variable_declarator
132+
has:
133+
stopBy: neighbor
134+
kind: identifier
135+
pattern: $S
136+
137+
rule:
138+
kind: boolean_literal
139+
any:
140+
- matches: MATCH_PATTERN_ONE
141+
- matches: MATCH_PATTERN_TWO
142+
- matches: MATCH_PATTERN_THREE
143+
not:
144+
has:
145+
kind: ERROR
146+
stopBy: end
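Review bot: The message at the top of this hunk interpolates `$LIFETIME` and `$FALSE`, but none of the three utils binds either metavariable — each matches the property name and the literal with `regex` only — so the rendered finding will print the placeholders verbatim. Either bind them by adding `pattern: $LIFETIME` alongside the property regex and `pattern: $FALSE` alongside `regex: '^false$'` in every util, or drop them from the message, e.g. `The TokenValidationParameters.ValidateLifetime or RequireExpirationTime property is set to false, this means`. Separately, the trailing `.*` in `regex: ^(RequireExpirationTime|ValidateLifetime).*` leaves the identifier unanchored on the right, so `^(RequireExpirationTime|ValidateLifetime)$` is the tighter match for exactly those two properties. Both points apply equally to MATCH_PATTERN_TWO and MATCH_PATTERN_THREE. Minor wording in the message: `an JWT token` should read `a JWT token`.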
Lines changed: 169 additions & 0 deletions
@@ -0,0 +1,169 @@
1+
id: jwt-tokenvalidationparameters-no-expiry-validation-csharp
2+
snapshots:
3+
? |
4+
TokenValidationParameters parameters = new TokenValidationParameters
5+
{
6+
ValidateLifetime = false,
7+
RequireExpirationTime = false,
8+
ValidateIssuer = false,
9+
ValidateAudience = false
10+
};
11+
: labels:
12+
- source: 'false'
13+
style: primary
14+
start: 90
15+
end: 95
16+
- source: ValidateLifetime
17+
style: secondary
18+
start: 71
19+
end: 87
20+
- source: =
21+
style: secondary
22+
start: 88
23+
end: 89
24+
- source: 'false'
25+
style: secondary
26+
start: 90
27+
end: 95
28+
- source: TokenValidationParameters
29+
style: secondary
30+
start: 43
31+
end: 68
32+
- source: |-
33+
new TokenValidationParameters
34+
{
35+
ValidateLifetime = false,
36+
RequireExpirationTime = false,
37+
ValidateIssuer = false,
38+
ValidateAudience = false
39+
}
40+
style: secondary
41+
start: 39
42+
end: 178
43+
- source: ValidateLifetime = false
44+
style: secondary
45+
start: 71
46+
end: 95
47+
? "TokenValidationParameters parameters = new TokenValidationParameters\n{ \nValidateLifetime = false,\nRequireExpirationTime = false,\nValidateIssuer = false,\nValidateAudience = false\n};\n"
48+
: labels:
49+
- source: 'false'
50+
style: primary
51+
start: 91
52+
end: 96
53+
- source: ValidateLifetime
54+
style: secondary
55+
start: 72
56+
end: 88
57+
- source: =
58+
style: secondary
59+
start: 89
60+
end: 90
61+
- source: 'false'
62+
style: secondary
63+
start: 91
64+
end: 96
65+
- source: TokenValidationParameters
66+
style: secondary
67+
start: 43
68+
end: 68
69+
- source: "new TokenValidationParameters\n{ \nValidateLifetime = false,\nRequireExpirationTime = false,\nValidateIssuer = false,\nValidateAudience = false\n}"
70+
style: secondary
71+
start: 39
72+
end: 179
73+
- source: ValidateLifetime = false
74+
style: secondary
75+
start: 72
76+
end: 96
77+
? |
78+
options.TokenValidationParameters = new TokenValidationParameters
79+
{
80+
ValidateLifetime = true,
81+
RequireExpirationTime = false,
82+
ValidateIssuer = false,
83+
ValidateAudience = false
84+
};
85+
: labels:
86+
- source: 'false'
87+
style: primary
88+
start: 125
89+
end: 130
90+
- source: RequireExpirationTime
91+
style: secondary
92+
start: 101
93+
end: 122
94+
- source: =
95+
style: secondary
96+
start: 123
97+
end: 124
98+
- source: 'false'
99+
style: secondary
100+
start: 125
101+
end: 130
102+
- source: TokenValidationParameters
103+
style: secondary
104+
start: 40
105+
end: 65
106+
- source: |-
107+
new TokenValidationParameters
108+
{
109+
ValidateLifetime = true,
110+
RequireExpirationTime = false,
111+
ValidateIssuer = false,
112+
ValidateAudience = false
113+
}
114+
style: secondary
115+
start: 36
116+
end: 190
117+
- source: RequireExpirationTime = false
118+
style: secondary
119+
start: 101
120+
end: 130
121+
? |
122+
options.TokenValidationParameters = new TokenValidationParameters
123+
{
124+
ValidateLifetime = false,
125+
RequireSignedTokens = true,
126+
ValidateIssuer = false,
127+
ValidateAudience = false,
128+
RequireExpirationTime = false
129+
};
130+
TokenValidationParameters parameters = new TokenValidationParameters();
131+
parameters.RequireExpirationTime = false;
132+
parameters.ValidateLifetime = false;
133+
: labels:
134+
- source: 'false'
135+
style: primary
136+
start: 87
137+
end: 92
138+
- source: ValidateLifetime
139+
style: secondary
140+
start: 68
141+
end: 84
142+
- source: =
143+
style: secondary
144+
start: 85
145+
end: 86
146+
- source: 'false'
147+
style: secondary
148+
start: 87
149+
end: 92
150+
- source: TokenValidationParameters
151+
style: secondary
152+
start: 40
153+
end: 65
154+
- source: |-
155+
new TokenValidationParameters
156+
{
157+
ValidateLifetime = false,
158+
RequireSignedTokens = true,
159+
ValidateIssuer = false,
160+
ValidateAudience = false,
161+
RequireExpirationTime = false
162+
}
163+
style: secondary
164+
start: 36
165+
end: 203
166+
- source: ValidateLifetime = false
167+
style: secondary
168+
start: 68
169+
end: 92
Lines changed: 42 additions & 0 deletions
@@ -0,0 +1,42 @@
1+
id: jwt-tokenvalidationparameters-no-expiry-validation-csharp
2+
valid:
3+
- |
4+
parameters.ValidateLifetime = true;
5+
parameters.RequireExpirationTime = true
6+
invalid:
7+
- |
8+
options.TokenValidationParameters = new TokenValidationParameters
9+
{
10+
ValidateLifetime = false,
11+
RequireSignedTokens = true,
12+
ValidateIssuer = false,
13+
ValidateAudience = false,
14+
RequireExpirationTime = false
15+
};
16+
TokenValidationParameters parameters = new TokenValidationParameters();
17+
parameters.RequireExpirationTime = false;
18+
parameters.ValidateLifetime = false;
19+
- |
20+
TokenValidationParameters parameters = new TokenValidationParameters
21+
{
22+
ValidateLifetime = false,
23+
RequireExpirationTime = false,
24+
ValidateIssuer = false,
25+
ValidateAudience = false
26+
};
27+
- |
28+
options.TokenValidationParameters = new TokenValidationParameters
29+
{
30+
ValidateLifetime = true,
31+
RequireExpirationTime = false,
32+
ValidateIssuer = false,
33+
ValidateAudience = false
34+
};
35+
- |
36+
TokenValidationParameters parameters = new TokenValidationParameters
37+
{
38+
ValidateLifetime = false,
39+
RequireExpirationTime = false,
40+
ValidateIssuer = false,
41+
ValidateAudience = false
42+
};
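Review bot: The second and fourth `invalid` fixtures in this hunk are byte-identical (the `TokenValidationParameters parameters = new TokenValidationParameters { ValidateLifetime = false, RequireExpirationTime = false, ... }` initializer appears twice), so one of them adds no coverage and should be replaced. A more valuable fixture is a `valid` negative control that exercises the type guard, such as `other.ValidateLifetime = false;` on a variable not declared as TokenValidationParameters, or `new TokenValidationParameters { ValidateLifetime = true, RequireExpirationTime = true }`, so the snapshots prove the rule stays silent on unrelated objects and on correct configuration. The existing `valid` case also drops the trailing semicolon on its last line, which presumably parses with an ERROR node; `parameters.RequireExpirationTime = true;` keeps the fixture syntactically clean. All fixtures here are top-level statements, so MATCH_PATTERN_THREE's `local_declaration_statement` context (a declaration inside a method body) appears to go unexercised — an invalid case with the declaration and assignments inside a method would cover it.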
