jwt-none

theinfosecguy

Unknown / Informational


No tags

No CWE or CVE

Ast Rule: function definition


jwt-none

function visit(node, filename, code) {
  // If the analyzer did not get the arguments or if there is no argument, exit
  if (!node.arguments || !node.arguments.values || node.arguments.values.length === 0) {
    return;
  }

  // Only look at calls made on the "jwt" module (jwt.encode(...))
  if (!node.moduleOrObject || node.moduleOrObject.value !== "jwt") {
    return;
  }

  // if the function is not defined or not equal to "encode"
  // we can return.
  if (!node.functionName || node.functionName.value !== "encode") {
    return;
  }

  // "arguments" is a reserved binding name in strict mode, so use another name
  const args = node.arguments.values;

  // Make sure the "jwt" package is actually imported in this file
  const allPackages = node.context.imports.filter(r => r.packages).flatMap(i => i.packages.map(p => p.name.str));

  const useJwtPackage = allPackages.filter(i => i === "jwt").length > 0;
  if (!useJwtPackage) {
    return;
  }

  // Do we have an "algorithm" keyword argument?
  const optionArguments = args.filter(a => a.name && a.name.value === "algorithm");
  if (optionArguments && optionArguments.length > 0) {
    const optionArgument = optionArguments[0];
    // The literal's source text, quotes included; skip when the value is not a literal
    const literal = optionArgument.value && optionArgument.value.value;
    if (typeof literal !== "string") {
      return;
    }
    // Strip the quotes and compare case-insensitively: PyJWT registers the
    // unsigned algorithm as "none", and either quote style may be used
    if (literal.replace(/["']/g, "").trim().toLowerCase() === "none") {
      // build the error
      const error = buildError(optionArgument.start.line, optionArgument.start.col,
        optionArgument.end.line, optionArgument.end.col,
        "insecure JWT: algorithm \"none\" produces an unsigned token, use a signed algorithm such as HS256 or RS256", "WARNING", "SECURITY");

      addError(error);
    }
  }
}

no-import.py

Expected test result: has error

import jwt

r = jwt.encode(w, algorithm="None")

weak-jwt-algo.py

Expected test result: no error

import jwt

r = jwt.encode(w, algorithm="HS256")
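The rule flags jwt.encode calls that ask for the "none" algorithm. To show what that means on the consuming side, here is an added example (not part of this rule page or of Codiga) of a minimal standard-library HS256 verifier that pins the allowed algorithms and refuses unsigned tokens; the token-building helpers and the key are constructed test input, not PyJWT.

```python
import base64, hashlib, hmac, json

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _token(header: dict, payload: dict, key):
    # header.payload.signature; the signature part is empty when key is None
    head = _b64url_encode(json.dumps(header).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    if key is None:
        return f"{head}.{body}."
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"

def sign_hs256(payload: dict, key: bytes) -> str:
    # HS256-signed token, constructed here as input for verify()
    return _token({"alg": "HS256", "typ": "JWT"}, payload, key)

def unsigned_token(payload: dict) -> str:
    # what jwt.encode(..., algorithm="none") produces: no signature at all
    return _token({"alg": "none", "typ": "JWT"}, payload, None)

def verify(token: str, key: bytes, allowed=("HS256",)) -> dict:
    """Return the payload if the HS256 signature is valid, else raise ValueError.

    The algorithm comes from the caller's allow-list, never from the header,
    and "none" is refused even if a careless caller puts it on that list.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    alg = str(json.loads(_b64url_decode(head_b64)).get("alg", ""))
    if alg.lower() == "none" or alg not in allowed or alg != "HS256":
        raise ValueError(f"algorithm {alg!r} not allowed (only HS256 implemented here)")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body_b64))

def is_valid(token: str, key: bytes, allowed=("HS256",)) -> bool:
    try:
        verify(token, key, allowed)
        return True
    except ValueError:
        return False
```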
Codiga – All rights reserved 2022.