go.jwt-go.security.audit.jwt-parse-unverified.jwt-go-parse-unverified

Author: semgrep
Download Count: 6,345

Detected the decoding of a JWT token without a verify step. Don't use ParseUnverified unless you know what you're doing. This method parses the token but doesn't validate the signature. It's only ever useful in cases where you know the signature is valid (because it has been checked previously in the stack) and you want to extract values from it. Because no key is involved, ParseUnverified also skips the claim validation (exp, nbf, iat) that Parse and ParseWithClaims run after a successful signature check, so every value read from the returned token, the expiry included, is attacker-controlled. Note that the rule's pattern-inside anchors on the github.com/dgrijalva/jwt-go import path; code that has moved to the maintained fork github.com/golang-jwt/jwt, which keeps the same ParseUnverified method, is not matched by this rule as written.
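To make the difference between the two parse paths concrete without pulling in the jwt-go module, here is an added example (not code from this rule page or from the jwt-go library) written against the Go standard library. parseUnverified does what Parser.ParseUnverified does: split the compact token and base64/JSON-decode the payload, nothing else. parseVerified is what a ParseWithClaims call with a key function and claim validation amounts to for HS256: pin the algorithm, check the HMAC in constant time, then decode and check exp. The Claims struct, the signHS256 and tamper helpers, the key and the token contents are all constructed for the demo and are not part of any real API.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of the payload this demo reads (constructed for the example).
type Claims struct {
	Role string `json:"role"`
	Exp  int64  `json:"exp"`
}

var errBadToken = errors.New("malformed token")
var errBadSig = errors.New("signature verification failed")
var errExpired = errors.New("token expired")

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func hs256(key []byte, signingInput string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// signHS256 is a hypothetical issuer used only to construct demo tokens.
func signHS256(c Claims, key []byte) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	return signingInput + "." + b64(hs256(key, signingInput)), nil
}

// parseUnverified mirrors jwt-go's ParseUnverified: split and decode, no signature or exp check,
// so whoever edits the middle segment controls the claims.
func parseUnverified(tok string) (Claims, error) {
	var c Claims
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, errBadToken
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return c, errBadToken
	}
	return c, nil
}

// parseVerified is the safe path: pin the algorithm, recompute the MAC over header.payload,
// compare in constant time, and only then decode and validate the claims.
func parseVerified(tok string, key []byte, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, errBadToken
	}
	var hdr struct{ Alg string `json:"alg"` }
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	// Never let the token choose the algorithm ("none", RS256/HS256 key confusion).
	if err != nil || json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "HS256" {
		return c, errBadSig
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(hs256(key, parts[0]+"."+parts[1]), sig) {
		return c, errBadSig
	}
	if c, err = parseUnverified(tok); err != nil {
		return c, err
	}
	if now.Unix() >= c.Exp {
		return c, errExpired
	}
	return c, nil
}

// tamper replaces the claims segment but keeps the original signature: the forgery that
// ParseUnverified lets through and ParseWithClaims rejects.
func tamper(tok string, c Claims) (string, error) {
	parts := strings.Split(tok, ".")
	payload, err := json.Marshal(c)
	if len(parts) != 3 || err != nil {
		return "", errBadToken
	}
	return parts[0] + "." + b64(payload) + "." + parts[2], nil
}

func main() {
	key := []byte("constructed-demo-key") // constructed for the demo, not a real secret
	now := time.Unix(1700000000, 0)
	tok, _ := signHS256(Claims{Role: "user", Exp: now.Unix() + 3600}, key)
	forged, _ := tamper(tok, Claims{Role: "admin", Exp: now.Unix() + 3600})
	c, err := parseUnverified(forged)
	fmt.Printf("unverified: role=%q err=%v\n", c.Role, err) // role="admin" err=<nil>
	_, err = parseVerified(forged, key, now)
	fmt.Printf("verified: err=%v\n", err) // signature verification failed
}
```

The forged token differs from the genuine one only in its payload segment, which is exactly the case a signature check exists to catch: the unverified path hands back role "admin" with no error, while the verified path fails closed. The algorithm pin in parseVerified is the same reason a real key function should check token.Method before returning a key.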

Definition

rules:
  - id: jwt-go-parse-unverified
    message: Detected the decoding of a JWT token without a verify step. Don't use
      `ParseUnverified` unless you know what you're doing. This method parses the
      token but doesn't validate the signature. It's only ever useful in cases
      where you know the signature is valid (because it has been checked
      previously in the stack) and you want to extract values from it.
    metadata:
      cwe:
        - "CWE-345: Insufficient Verification of Data Authenticity"
      owasp:
        - A08:2021 - Software and Data Integrity Failures
      source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
      category: security
      technology:
        - jwt
      confidence: MEDIUM
      references:
        - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authentication
    languages:
      - go
    severity: WARNING
    patterns:
      - pattern-inside: |
          import "github.com/dgrijalva/jwt-go"
          ...
      - pattern: |
          $JWT.ParseUnverified(...)

Examples

jwt-parse-unverified.go

package main

import (
    "fmt"

    "github.com/dgrijalva/jwt-go"
)

func bad1(tokenString string) {
    // ruleid: jwt-go-parse-unverified
    // ParseUnverified only splits and base64-decodes the segments; the signature is never
    // checked and claims are never validated, so every value read below is attacker-controlled.
    token, _, err := new(jwt.Parser).ParseUnverified(tokenString, jwt.MapClaims{})
    if err != nil {
        fmt.Println(err)
        return
    }

    if claims, ok := token.Claims.(jwt.MapClaims); ok {
        fmt.Println(claims["foo"], claims["exp"])
    } else {
        fmt.Println("unexpected claims type")
    }
}

func ok1(tokenString string, keyFunc jwt.Keyfunc) {
    // ok: jwt-go-parse-unverified
    // ParseWithClaims verifies the signature with the key returned by keyFunc and validates
    // the registered claims (exp, nbf, iat) before returning a token without error.
    token, err := new(jwt.Parser).ParseWithClaims(tokenString, jwt.MapClaims{}, keyFunc)
    if err != nil {
        fmt.Println(err)
        return
    }

    if claims, ok := token.Claims.(jwt.MapClaims); ok {
        fmt.Println(claims["foo"], claims["exp"])
    } else {
        fmt.Println("unexpected claims type")
    }
}