github
diff --git a/‎javascript/ql/src/experimental/Security/CWE-347-noVerification/jsonWebToken.qll‎ renamed to ‎javascript/ql/src/experimental/Security/CWE-347-noVerification/JWT.qll‎
Lines changed: 25 additions & 1 deletion b/‎javascript/ql/src/experimental/Security/CWE-347-noVerification/jsonWebToken.qll‎ renamed to ‎javascript/ql/src/experimental/Security/CWE-347-noVerification/JWT.qll‎
Lines changed: 25 additions & 1 deletion
diff --git a/‎javascript/ql/src/experimental/Security/CWE-347-noVerification/JsonWebToken.ql‎
Lines changed: 1 addition & 1 deletion b/‎javascript/ql/src/experimental/Security/CWE-347-noVerification/JsonWebToken.ql‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎javascript/ql/src/experimental/Security/CWE-347-noVerification/JsonWebTokenLocalSource.ql‎
Lines changed: 1 addition & 1 deletion b/‎javascript/ql/src/experimental/Security/CWE-347-noVerification/JsonWebTokenLocalSource.ql‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎javascript/ql/src/experimental/Security/CWE-347-noVerification/JsonWebTokenNotWorking.ql‎
Lines changed: 1 addition & 1 deletion b/‎javascript/ql/src/experimental/Security/CWE-347-noVerification/JsonWebTokenNotWorking.ql‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎javascript/ql/src/experimental/Security/CWE-347-noVerification/jose.ql‎
Lines changed: 0 additions & 44 deletions b/‎javascript/ql/src/experimental/Security/CWE-347-noVerification/jose.ql‎
Lines changed: 0 additions & 44 deletions
diff --git a/‎javascript/ql/src/experimental/Security/CWE-347-noVerification/jwtDecode.ql‎
Lines changed: 0 additions & 31 deletions b/‎javascript/ql/src/experimental/Security/CWE-347-noVerification/jwtDecode.ql‎
Lines changed: 0 additions & 31 deletions
diff --git a/‎javascript/ql/src/experimental/Security/CWE-347-noVerification/jwtSimple.ql‎
Lines changed: 0 additions & 53 deletions b/‎javascript/ql/src/experimental/Security/CWE-347-noVerification/jwtSimple.ql‎
Lines changed: 0 additions & 53 deletions
@@ -12,6 +12,18 @@ DataFlow::Node unverifiedDecode() {
         .mayHaveStringValue("none") and
     result = verify.getParameter(0).asSink()
   )
+  or
+  // jwt-simple
+  exists(API::Node n | n = API::moduleImport("jwt-simple").getMember("decode") |
+    n.getParameter(2).asSink().asExpr() = any(BoolLiteral b | b.getBoolValue() = true) and
+    result = n.getParameter(0).asSink()
+  )
+  or
+  // jwt-decode
+  result = API::moduleImport("jwt-decode").getParameter(0).asSink()
+  or
+  //jose
+  result = API::moduleImport("jose").getMember("decodeJwt").getParameter(0).asSink()
 }
 
 DataFlow::Node verifiedDecode() {
@@ -27,4 +39,16 @@ DataFlow::Node verifiedDecode() {
     ) and
     result = verify.getParameter(0).asSink()
   )
-}
+  or
+  // jwt-simple
+  exists(API::Node n | n = API::moduleImport("jwt-simple").getMember("decode") |
+    (
+      n.getParameter(2).asSink().asExpr() = any(BoolLiteral b | b.getBoolValue() = false) or
+      not exists(n.getParameter(2))
+    ) and
+    result = n.getParameter(0).asSink()
+    or
+    //jose
+    result = API::moduleImport("jose").getMember("jwtVerify").getParameter(0).asSink()
+  )
+}
@@ -12,7 +12,7 @@
 
 import javascript
 import DataFlow::PathGraph
-import jsonWebToken
+import JWT
 
 class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "jsonwebtoken without any signature verification" }
 
@@ -12,7 +12,7 @@
 
 import javascript
 import DataFlow::PathGraph
-import jsonWebToken
+import JWT
 
 class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "jsonwebtoken without any signature verification" }
 
@@ -12,7 +12,7 @@
 
 import javascript
 import DataFlow::PathGraph
-import jsonWebToken
+import JWT
 
 class ConfigurationUnverifiedDecode extends TaintTracking::Configuration {
   ConfigurationUnverifiedDecode() { this = "jsonwebtoken without any signature verification" }