contrib.nodejsscan.jwt_exposed_data.jwt_exposed_data

Download count: 99
The object is passed strictly to jose.JWT.sign(...). Make sure that sensitive information is not exposed through JWT token payload.
Definition
rules:
  - id: jwt_exposed_data
    patterns:
      - pattern-inside: |
          ...
          require('jose');
          ...
      - pattern-either:
          - patterns:
              - pattern-inside: function (...,$INPUT,...) {...}
              - pattern-either:
                  - pattern: $JOSE.JWT.sign($INPUT,...)
                  - pattern: $JWT.sign($INPUT,...)
          - patterns:
              - pattern-inside: function $F(...,$INPUT,...) {...}
              - pattern-either:
                  - pattern: $JOSE.JWT.sign($INPUT,...)
                  - pattern: $JWT.sign($INPUT,...)
    message: The object is passed strictly to jose.JWT.sign(...). Make sure that
      sensitive information is not exposed through JWT token payload.
    severity: WARNING
    metadata:
      owasp: A03:2017 - Sensitive Data Exposure
      cwe: "CWE-522: Insufficiently Protected Credentials"
      category: security
      technology:
        - node.js
        - jwt
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - javascript
Examples
jwt_exposed_data.js
const config = require('./config')
const { JWT } = require('jose')

function example(user) {
  // The whole `user` object becomes the token payload, so every field on it
  // (password hash, email, internal flags) is readable by anyone holding the
  // token; the signing key comes from the app's config module.
  // ruleid: jwt_exposed_data
  const token = JWT.sign(user, config.secret)
  return token;
}
Short Link: https://sg.run/ndod