jwt-cipher-algorithms

Try in Playground

javascript-security

Daniel StrongSecurityWarning

No tags

CWE-347

This rule warns if a JSON Web Token (JWT) is not signed.

If a token is not signed, an attacker can forge it and impersonate user identities.

Ast Rule: function call

jwt-cipher-algorithms

How to write a rule

function visit(node, filename, code) {
  if (!node) return;
  const name = node.functionName?.name;
  const parent = node.functionName?.parent;

  if (!name || !parent) return;
  if (parent.value !== "jwt") return;
  if (!["sign", "verify"].includes(name.value)) return;

  if (node.arguments?.values && node.arguments?.values.length > 2) {
    const badArg = node.arguments.values[2].value?.elements?.find(el => el.value?.value?.includes("none") || el.value?.elements?.some(el2 => el2.value.includes("none")));
    if (!badArg) return;
    const error = buildError(
      badArg.start.line,
      badArg.start.col,
      badArg.end.line,
      badArg.end.col,
      `Do not use the "none" algorithm`,
      "WARNING",
      "SECURITY"
    );
    addError(error);
  }
}

good.js

Expected test result: no error

const jwt = require('jsonwebtoken');

let token = jwt.sign({ foo: 'bar' }, key, { algorithm: 'HS256' }); // Compliant

jwt.verify(token, key, { expiresIn: 360000 * 5, algorithms: ['HS256'] }, callbackcheck); // Compliant

bad.js

Expected test result: has error

const jwt = require('jsonwebtoken');

let token = jwt.sign({ foo: 'bar' }, key, { algorithm: 'none' }); // Noncompliant: 'none' cipher doesn't sign the JWT (no signature will be included)

jwt.verify(token, key, { expiresIn: 360000 * 5, algorithms: ['RS256', 'none'] }, callbackcheck); // Noncompliant: 'none' cipher should not be used when verifying JWT signature

Add comment

Be the first one to leave a comment!