contrib.nodejsscan.jwt_none_algorithm.node_jwt_none_algorithm


The algorithm is set to `none` for the JWT token. This can nullify the integrity of the JWT signature.


Definition

# Semgrep rule: flags JWT verification calls that accept the unsigned "none"
# algorithm. Matching is purely syntactic on the patterns below, so only the
# listed call shapes are reported: a dynamically built `algorithms` array, a
# verify() call that omits `algorithms`, or an ESM `import` of the library is
# not matched and has to be reviewed separately.
rules:
  - id: node_jwt_none_algorithm
    patterns:
      - pattern-either:
          # jsonwebtoken: verify() whose `algorithms` allow-list literally
          # contains 'none'. The module must be bound via require() earlier in
          # the same file ($JWT); the result may or may not be assigned ($T).
          - pattern: |
              $JWT = require("jsonwebtoken");
              ...
              $T = $JWT.verify($P, $X, {algorithms:[...,'none',...]},...);
          - pattern: |
              $JWT = require("jsonwebtoken");
              ...
              $JWT.verify($P, $X, {algorithms:[...,'none',...]},...);
          # jose: JWT.verify() called with JWK.None as the key, which the rule
          # treats as verifying under the unsigned "none" algorithm. Requires the
          # `{ JWK, JWT }` destructuring of the required module; the example
          # below declares it with `const` and is annotated ruleid, so the
          # `var` in the pattern presumably matches let/const as well.
          - pattern: |
              $JOSE = require("jose");
              ...
              var { JWK, JWT } = $JOSE;
              ...
              $T = JWT.verify($P, JWK.None,...);
          - pattern: |
              $JOSE = require("jose");
              ...
              var { JWK, JWT } = $JOSE;
              ...
              JWT.verify($P, JWK.None,...);
    message: Algorithm is set to none for JWT token. This can nullify the integrity
      of JWT signature.
    languages:
      - javascript
    severity: ERROR
    metadata:
      owasp: A09:2017 - Using Components with Known Vulnerabilities
      # NOTE(review): CWE-347 (Improper Verification of Cryptographic Signature)
      # may describe the accepted-unsigned-token outcome more closely than CWE-327.
      cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      category: security
      technology:
        - node.js
        - jwt
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

jwt_none_algorithm.js

// Fixture for the node_jwt_none_algorithm rule: intentionally vulnerable and
// expected to match, so it must not be "fixed". The `ruleid:` annotation has
// to stay directly above the first matched line. jose's JWT.verify() is given
// JWK.None as the key, which the rule flags because signature integrity is
// then not enforced. 'token-here' is a placeholder, not a real token.
// ruleid:node_jwt_none_algorithm
const jose = require("jose");
const { JWK, JWT } = jose;
const token = JWT.verify('token-here', JWK.None);

// Second fixture for the same rule, this time inside a function body and using
// jsonwebtoken's callback form. The `algorithms` allow-list contains 'none'
// next to 'RS256', which the rule flags because it nullifies the integrity
// guarantee of the signature; real code should list only the algorithm(s) the
// issuer actually signs with. 'some-secret' and 'token-here' are placeholders.
// The callback ignores `err` and logs the payload regardless — acceptable in
// a fixture, not in production code.
function verifyJwt() {
    // ruleid:node_jwt_none_algorithm
    let jwt = require("jsonwebtoken");
    let secret = 'some-secret';
    jwt.verify('token-here', secret, { algorithms: ['RS256', 'none'] }, function (err, payload) {
        console.log(payload);
    });
}