csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation


The TokenValidationParameters.$LIFETIME is set to $FALSE, which means the JWT token's lifetime is not validated. This can lead to a JWT token being used after it has expired, which has security implications. It is recommended to validate the JWT lifetime to ensure only valid tokens are used.


Definition

# Semgrep rule: reports TokenValidationParameters configurations that turn off
# JWT lifetime validation (ValidateLifetime) or the expiry-claim requirement
# (RequireExpirationTime) by assigning the literal `false`.
rules:
  - id: jwt-tokenvalidationparameters-no-expiry-validation
    patterns:
      # Two syntactic forms are covered: a member inside an object initializer
      # (`new TokenValidationParameters { ... }`) and a plain property
      # assignment on a TokenValidationParameters-typed expression.
      - pattern-either:
          - patterns:
              - pattern: $LIFETIME = $FALSE
              - pattern-inside: new TokenValidationParameters {...}
          - patterns:
              - pattern: |
                  (TokenValidationParameters $OPTS). ... .$LIFETIME = $FALSE
      # Only these two properties are in scope; other flags on the same object
      # (e.g. ValidateIssuer, ValidateAudience) are not reported by this rule.
      - metavariable-regex:
          metavariable: $LIFETIME
          regex: (RequireExpirationTime|ValidateLifetime)
      # $FALSE must be the literal `false`; a variable or expression that merely
      # evaluates to false does not satisfy this regex, so such assignments are
      # presumably missed — confirm against the engine's metavariable binding.
      - metavariable-regex:
          metavariable: $FALSE
          regex: (false)
      # Report (and autofix) only the `false` literal rather than the whole
      # assignment, so the fix below replaces just that token with `true`.
      - focus-metavariable: $FALSE
    fix: |
      true
    message: The TokenValidationParameters.$LIFETIME is set to $FALSE, this means
      the  JWT tokens lifetime is not validated. This can lead to an  JWT token
      being used after it has expired, which has security implications.  It is
      recommended to validate the JWT lifetime to ensure only valid tokens are
      used.
    metadata:
      category: security
      technology:
        - csharp
      owasp:
        - A02:2017 - Broken Authentication
        - A07:2021 - Identification and Authentication Failures
      cwe:
        - "CWE-613: Insufficient Session Expiration"
      references:
        - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/
        - https://cwe.mitre.org/data/definitions/613.html
        - https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters?view=azure-dotnet
      # Audit subcategory: findings need a human to decide whether the disabled
      # check is intentional for the deployment.
      subcategory:
        - audit
      likelihood: HIGH
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - csharp
    severity: WARNING

Examples

jwt-tokenvalidationparameters-no-expiry-validation.cs

// Test fixture (object-initializer form): each `// ruleid:` comment marks the
// line directly below it as an expected finding. Both ValidateLifetime = false
// and RequireExpirationTime = false inside the initializer are reported.
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
            {

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // ruleid: jwt-tokenvalidationparameters-no-expiry-validation
                    ValidateLifetime = false,
                    RequireSignedTokens = true,
                    // NOTE(review): ValidateIssuer/ValidateAudience = false are outside this
                    // rule's scope (its metavariable regex only covers the two lifetime
                    // properties); review them separately rather than relying on this rule.
                    ValidateIssuer = false,
                    ValidateAudience = false,
                    // ruleid: jwt-tokenvalidationparameters-no-expiry-validation
                    RequireExpirationTime = false
                };
            });

// Test fixture (object-initializer form, compliant case): each `// ok:` comment
// marks the line directly below it as a line the rule must NOT report, because
// the literal assigned is `true` and so fails the rule's $FALSE regex.
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
            {

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // ok: jwt-tokenvalidationparameters-no-expiry-validation
                    ValidateLifetime = true,
                    RequireSignedTokens = true,
                    // NOTE(review): ValidateIssuer/ValidateAudience = false are not covered
                    // by this rule and are left as-is here only to keep the fixture focused.
                    ValidateIssuer = false,
                    ValidateAudience = false,
                    // ok: jwt-tokenvalidationparameters-no-expiry-validation
                    RequireExpirationTime = true
                };
            });

// Test fixture (assignment form): exercises the rule's second pattern, which
// matches `<TokenValidationParameters expr>.<Prop> = false` statements.
// Each assignment is judged syntactically on its own: the `false` assignments
// under `// ruleid:` are reported even though later statements set the same
// properties back to `true` (the `// ok:` cases). The rule does not track which
// value is in effect at the end of the sequence.
TokenValidationParameters parameters = new TokenValidationParameters();
// ruleid: jwt-tokenvalidationparameters-no-expiry-validation
parameters.RequireExpirationTime = false;
// Not in scope for this rule (only the two lifetime properties are matched).
parameters.ValidateAudience = false;
parameters.ValidateIssuer = false;
// ruleid: jwt-tokenvalidationparameters-no-expiry-validation
parameters.ValidateLifetime = false;
// ok: jwt-tokenvalidationparameters-no-expiry-validation
parameters.ValidateLifetime = true;
// ok: jwt-tokenvalidationparameters-no-expiry-validation
parameters.RequireExpirationTime = true;