ajinabraham.njsscan.jwt.jwt_exposed_data.jwt_exposed_data

Author: ajinabraham

The object is passed strictly to jose.JWT.sign(...). Make sure that sensitive information is not exposed through JWT token payload.


Definition

rules:
  - id: jwt_exposed_data
    patterns:
      - pattern-inside: |
          require('jose')
          ...
      - pattern-either:
          - patterns:
              - pattern-inside: function (...,$INPUT,...) {...}
              - pattern-either:
                  - pattern: $JOSE.JWT.sign($INPUT,...)
                  - pattern: $JWT.sign($INPUT,...)
          - patterns:
              - pattern-inside: function $F(...,$INPUT,...) {...}
              - pattern-either:
                  - pattern: $JOSE.JWT.sign($INPUT,...)
                  - pattern: $JWT.sign($INPUT,...)
    message: The object is passed strictly to jose.JWT.sign(...). Make sure that
      sensitive information is not exposed through JWT token payload.
    severity: WARNING
    metadata:
      owasp-web: a3
      cwe: cwe-522
      license: LGPL-3.0-or-later
      vulnerability_class:
        - Other
    languages:
      - javascript