<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>Token validation checks ensure that every aspect of a token is analyzed and verified during validation. Turning any of these checks off can open a security hole by allowing untrusted tokens to pass validation.</p>
</overview>
<recommendation>
<p>Set <code>Microsoft.IdentityModel.Tokens.TokenValidationParameters</code> properties <code>RequireExpirationTime</code>, <code>ValidateAudience</code>, <code>ValidateIssuer</code>, or <code>ValidateLifetime</code> to <code>true</code>. Or, remove the assignment to <code>false</code> because the default value is <code>true</code>.</p>
</recommendation>
<example>
<p>This example disables the validation.</p>
<sample src="security-validation-disabled-bad.cs" />
<p>To fix it, do not disable the validations, or leave the properties at their default value of <code>true</code>.</p>
<sample src="security-validation-disabled-good.cs" />
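<p>The following is an added, self-contained C# example (not one of the query's own sample files) that shows the effect of the two settings: a constructed JWT that expired ten minutes ago is accepted by a <code>TokenValidationParameters</code> instance with <code>ValidateLifetime</code> and <code>RequireExpirationTime</code> set to <code>false</code>, and rejected once those properties keep their default of <code>true</code>. It assumes the <code>Microsoft.IdentityModel.Tokens</code> and <code>System.IdentityModel.Tokens.Jwt</code> packages; the key, issuer and audience values are constructed for the demo.</p>

```csharp
// Added example, not part of the CodeQL query or its sample files.
// Assumes the Microsoft.IdentityModel.Tokens and System.IdentityModel.Tokens.Jwt packages.
using System;
using System.Text;
using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens.Jwt;

public static class TokenValidationDemo
{
    // Constructed demo key (33 bytes, enough for HS256); real code loads it from a secret store.
    private static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("demo-key-at-least-32-bytes-long!!"));

    // Builds a signed token whose 'exp' lies 10 minutes in the past, i.e. beyond the
    // default 5-minute ClockSkew, so a lifetime check must reject it.
    public static string CreateExpiredToken()
    {
        var handler = new JwtSecurityTokenHandler();
        var creds = new SigningCredentials(Key, SecurityAlgorithms.HmacSha256);
        var token = handler.CreateJwtSecurityToken(
            issuer: "https://issuer.example", audience: "api.example", subject: null,
            notBefore: DateTime.UtcNow.AddMinutes(-20), expires: DateTime.UtcNow.AddMinutes(-10),
            issuedAt: DateTime.UtcNow.AddMinutes(-20), signingCredentials: creds);
        return handler.WriteToken(token);
    }

    // GOOD: ValidateIssuer, ValidateAudience, ValidateLifetime and RequireExpirationTime
    // are left at their default value of true; only the expected values are supplied.
    public static TokenValidationParameters SecureParameters()
    {
        return new TokenValidationParameters
        {
            ValidIssuer = "https://issuer.example",
            ValidAudience = "api.example",
            IssuerSigningKey = Key
        };
    }

    // BAD: the lifetime checks are switched off, so the expired token passes validation.
    public static TokenValidationParameters InsecureParameters()
    {
        var p = SecureParameters();
        p.ValidateLifetime = false;       // flagged by this query
        p.RequireExpirationTime = false;  // flagged by this query
        return p;
    }

    // Returns true when the handler accepts the token under the given parameters.
    public static bool IsAccepted(string jwt, TokenValidationParameters p)
    {
        try { new JwtSecurityTokenHandler().ValidateToken(jwt, p, out SecurityToken _); return true; }
        catch (SecurityTokenException) { return false; }
    }

    public static void Main()
    {
        string jwt = CreateExpiredToken();
        Console.WriteLine(IsAccepted(jwt, InsecureParameters())); // True: expired token accepted
        Console.WriteLine(IsAccepted(jwt, SecureParameters()));   // False: SecurityTokenExpiredException
    }
}
```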
</example>
<references>
<li><a href="https://aka.ms/wilson/tokenvalidation">azure-activedirectory-identitymodel-extensions-for-dotnet ValidatingTokens wiki</a></li>
</references>
</qhelp>