ajinabraham.njsscan.jwt.jwt_not_revoked.jwt_not_revoked

No token revocation is configured for express-jwt. A leaked token could still be used and could not be revoked. Consider supplying a function as the `isRevoked` option.


Definition

rules:
  - id: jwt_not_revoked
    patterns:
      - pattern-inside: |
          $JWT = require('express-jwt')
          ...
      - pattern: $JWT(...)
      - pattern-not-inside: $JWT(<... {isRevoked:...} ...>,...)
      - pattern-not-inside: |-
          $OPTS = <... {isRevoked:...} ...>;
          ...
          $JWT($OPTS,...)
    message: No token revoking configured for `express-jwt`. A leaked token could
      still be used and unable to be revoked. Consider using function as the
      `isRevoked` option.
    severity: WARNING
    languages:
      - javascript
    metadata:
      cwe: cwe-522
      owasp-web: a2
      license: LGPL-3.0-or-later
      vulnerability_class:
        - Other
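The two configurations the rule distinguishes, together with a working revocation check that can be handed to express-jwt as `isRevoked`. This is an added example, not the rule author's or express-jwt's code: the `jti` denylist and the sample options are constructed, and the two `isRevoked` signatures (callback for express-jwt 6.x, promise for 7.x and later) are assumptions taken from the package README, not from this page.

```javascript
// Constructed in-memory denylist keyed by the token's `jti` claim.
// In a real deployment this would be a shared store (e.g. Redis) whose
// entries live as long as the token's `exp`, so the list never grows unbounded.
const revokedJtis = new Set(['tok-0001']);

// Revoke a token: record its `jti` until the token would have expired anyway.
function revokeToken(payload) {
  if (!payload || typeof payload.jti !== 'string') {
    throw new Error('cannot revoke a token without a jti claim');
  }
  revokedJtis.add(payload.jti);
}

// Decide whether an already-verified token should be rejected.
// A token without `jti` cannot be revoked individually, so fail closed.
function isTokenRevoked(payload) {
  if (!payload || typeof payload.jti !== 'string') return true;
  return revokedJtis.has(payload.jti);
}

// Assumed express-jwt 6.x shape: isRevoked(req, payload, done).
function isRevokedV6(req, payload, done) {
  done(null, isTokenRevoked(payload));
}

// Assumed express-jwt 7.x+ shape: isRevoked(req, token) -> Promise<boolean>,
// where `token.payload` carries the verified claims.
async function isRevokedV7(req, token) {
  return isTokenRevoked(token && token.payload);
}

// What the rule flags: an options object with no isRevoked (constructed values).
const flaggedOptions = { secret: 'example-secret', algorithms: ['HS256'] };

// What the rule accepts: the same options plus a revocation hook. With the
// page's `$JWT = require('express-jwt')`, `app.use($JWT(acceptedOptions))`
// matches the rule's `{isRevoked: ...}` exclusion.
const acceptedOptions = { ...flaggedOptions, isRevoked: isRevokedV7 };
```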