contrib.nodejsscan.jwt_express_hardcoded.jwt_express_hardcoded

Download count: 99
Hardcoded JWT secret or private key was found. Store it properly in an environment variable.
Definition
rules:
  - id: jwt_express_hardcoded
    patterns:
      - pattern-inside: |
          $JWT = require('express-jwt');
          ...
      - pattern-either:
          - pattern: |
              $JWT(<... {secret: "..."} ...>,...);
          - pattern: |
              $SECRET = "...";
              ...
              $JWT(<... {secret: $SECRET} ...>,...);
          - pattern: |
              $OPTS = <... {secret: "..."} ...>;
              ...
              $JWT($OPTS,...);
          - pattern: |-
              $SECRET = "...";
              ...
              $OPTS = <... {secret: $SECRET} ...>;
              ...
              $JWT($OPTS,...);
    message: Hardcoded JWT secret or private key was found. Store it properly in an
      environment variable.
    severity: ERROR
    languages:
      - javascript
    metadata:
      cwe: "CWE-522: Insufficiently Protected Credentials"
      owasp: A02:2017 - Broken Authentication
      category: security
      technology:
        - node.js
        - jwt
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Short Link: https://sg.run/Ekg5