insecure-jwt

Ruleset: python-security
Category: Security
Severity: Critical
Tags: authentication, CWE-287

Passing "verify_signature": False when decoding a JWT disables signature verification: the token's claims are accepted without being checked against the key, which bypasses authentication and may authenticate users that should not be authenticated.
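To show concretely what the rule protects against, here is an added example (not part of the Codiga rule or of PyJWT) that builds a minimal HS256 JWT encoder and a decode() stand-in from the Python standard library. The key and claims are constructed sample values; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed sample key, not a real secret

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_hs256(claims: dict, key: bytes) -> str:
    # The HMAC signature covers exactly "header.payload"
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def decode(token: str, key: bytes, verify_signature: bool = True) -> dict:
    # Stand-in for jwt.decode(token, key, options={"verify_signature": ...}):
    # with verification off, the payload is only base64-decoded and trusted as-is.
    header, payload, sig = token.split(".")
    if verify_signature:
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            raise ValueError("invalid signature")
    return json.loads(_b64url_decode(payload))

def tamper(token: str, new_claims: dict) -> str:
    # Test vector: replace the payload but keep the original (now stale) signature,
    # which is exactly what a verifying decoder must reject.
    header, _, sig = token.split(".")
    payload = _b64url(json.dumps(new_claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{sig}"

def accepted(token: str, key: bytes, verify_signature: bool) -> bool:
    # True if decode() returns claims, False if it rejects the signature
    try:
        decode(token, key, verify_signature)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    good = encode_hs256({"sub": "alice", "admin": False}, SECRET)
    bad = tamper(good, {"sub": "alice", "admin": True})
    print("unverified decode trusts forged admin claim:", decode(bad, SECRET, verify_signature=False)["admin"])
    print("verified decode accepts forged token:", accepted(bad, SECRET, True))
```

With verify_signature=False the forged token yields admin=True; with verification on, the same token is rejected, which is why the rule insists on True.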

See Also

  • CWE-287 - Improper Authentication

Ast Rule: function call


insecure-jwt

function visit(node, filename, code) {

  // If the analyzer did not get the arguments or if there is no argument, exit
  if (!node.arguments || !node.arguments.values || node.arguments.values.length === 0) {
    return;
  }

  // Only look at calls made on the "jwt" module/object
  if (!node.moduleOrObject || node.moduleOrObject.value !== "jwt") {
    return;
  }

  // If the function is not defined or not equal to "decode",
  // we can return.
  if (!node.functionName || node.functionName.value !== "decode") {
    return;
  }

  // "arguments" is a reserved binding inside JavaScript functions, so use another name
  const args = node.arguments.values;

  // Make sure the "jwt" package is really imported in this file,
  // otherwise "jwt" may be an unrelated local object
  const allPackages = node.context.imports
    .filter(r => r.packages)
    .flatMap(i => i.packages.map(p => p.name.str));

  const useJwtPackage = allPackages.includes("jwt");
  if (!useJwtPackage) {
    return;
  }

  // Do we have an options argument?
  const optionArguments = args.filter(a => a.name && a.name.value === "options");

  if (optionArguments.length > 0) {
    const optionArgument = optionArguments[0];
    const optionSource = optionArgument.value && optionArgument.value.value;

    // Report "verify_signature": False; allow for varying whitespace around the colon
    if (typeof optionSource === "string" && /["']verify_signature["']\s*:\s*False/.test(optionSource)) {
      // build the error
      const error = buildError(optionArgument.start.line, optionArgument.start.col,
                               optionArgument.end.line, optionArgument.end.col,
                               "insecure JWT, change verify_signature to True", "WARNING", "SECURITY");

      addError(error);
    }
  }
}
  

insecure-jwt.py

Expected test result: has error

import jwt

# signature verification disabled: the rule must report this call
jwt.decode(encoded, options={"verify_signature": False})

no-import.py

Expected test result: no error

# "jwt" is never imported, so this "jwt" is not the PyJWT module and the rule stays silent
jwt.decode(encoded, options={"verify_signature": False})

secure-jwt.py

Expected test result: no error

import jwt

# signature verification enabled: nothing to report
jwt.decode(encoded, options={"verify_signature": True})