ajinabraham.njsscan.jwt_not_revoked.jwt_not_revoked

No token revocation is configured for `express-jwt`. A leaked token could still be used and could not be revoked. Consider passing a function as the `isRevoked` option.
Definition
rules:
  - id: jwt_not_revoked
    patterns:
      - pattern-inside: |
          $JWT = require('express-jwt')
          ...
      - pattern: $JWT(...)
      - pattern-not-inside: $JWT(<... {isRevoked:...} ...>,...)
      - pattern-not-inside: |-
          $OPTS = <... {isRevoked:...} ...>;
          ...
          $JWT($OPTS,...)
    message: No token revoking configured for `express-jwt`. A leaked token could
      still be used and unable to be revoked. Consider using function as the
      `isRevoked` option.
    severity: WARNING
    languages:
      - javascript
    metadata:
      cwe: cwe-522
      owasp-web: a2
      license: LGPL-3.0-or-later
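What the rule is asking for, as an added example that is not part of the njsscan rule or of express-jwt itself: a revocation check shaped for the `isRevoked` option, assuming the express-jwt v7+ signature `async (req, token)` with the decoded claims in `token.payload`. The in-memory store and the sample claims are constructed for this example; a deployment would back the store with a shared database or cache.

```javascript
// Added example (not njsscan's or express-jwt's own code). Revocation state
// is an in-memory store constructed here so the file runs stand-alone.

// Denylist of individual token ids (the `jti` claim) that were explicitly revoked.
const revokedJti = new Set();
// Per-subject cutoff in unix seconds: any token issued before it is rejected,
// which implements "log out everywhere" without enumerating every token.
const subjectCutoff = new Map();

function revokeToken(jti) {
  revokedJti.add(jti);
}

function revokeAllForSubject(sub, nowSeconds = Math.floor(Date.now() / 1000)) {
  subjectCutoff.set(sub, nowSeconds);
}

// Synchronous core: true when the claims identify a revoked token. Fails
// closed: a token that cannot be identified (no payload or no `jti`) is
// treated as revoked, so issuers must mint a `jti` for every token.
function checkRevoked(payload) {
  if (!payload || typeof payload.jti !== 'string') return true;
  if (revokedJti.has(payload.jti)) return true;
  const cutoff = subjectCutoff.get(payload.sub);
  if (cutoff !== undefined) {
    // Tokens without a usable `iat` cannot be placed relative to the cutoff.
    if (typeof payload.iat !== 'number' || payload.iat < cutoff) return true;
  }
  return false;
}

// Adapter with the assumed express-jwt v7+ `isRevoked` signature; `req` is
// unused here but available for per-request decisions (e.g. tenant checks).
async function isRevoked(req, token) {
  return checkRevoked(token && token.payload);
}

// Wiring it in (express-jwt is deliberately not required by this file):
//   const { expressjwt } = require('express-jwt');
//   app.use(expressjwt({ secret, algorithms: ['HS256'], isRevoked }));
```

With `isRevoked` present in the options object, the rule's `pattern-not-inside` clauses match and the finding is suppressed; without it, every `$JWT(...)` call is reported.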
Short Link: https://sg.run/0Q3r