go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm

Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.
Definition
rules:
  - id: jwt-go-none-algorithm
    message: Detected use of the 'none' algorithm in a JWT token. The 'none'
      algorithm assumes the integrity of the token has already been verified.
      This would allow a malicious actor to forge a JWT token that will
      automatically be verified. Do not explicitly use the 'none' algorithm.
      Instead, use an algorithm such as 'HS256'.
    metadata:
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://r2c.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
      category: security
      technology:
        - jwt
      confidence: HIGH
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - go
    severity: ERROR
    patterns:
      - pattern-inside: |
          import "github.com/dgrijalva/jwt-go"
          ...
      - pattern-either:
          - pattern: |
              jwt.SigningMethodNone
          - pattern: jwt.UnsafeAllowNoneSignatureType
Examples
jwt-none-alg.go
package main

import (
	"fmt"

	"github.com/dgrijalva/jwt-go"
)

// bad1 selects the 'none' signing method and then opts in to it explicitly;
// the resulting token carries no signature at all, so both lines are flagged.
func bad1() {
	claims := jwt.StandardClaims{
		ExpiresAt: 15000,
		Issuer:    "test",
	}
	// ruleid: jwt-go-none-algorithm
	token := jwt.NewWithClaims(jwt.SigningMethodNone, claims)
	// ruleid: jwt-go-none-algorithm
	ss, err := token.SignedString(jwt.UnsafeAllowNoneSignatureType)
	fmt.Printf("%v %v\n", ss, err)
}

// ok1 signs the same claims with HS256 and a real key, which is what the rule
// message recommends.
func ok1(key []byte) {
	claims := jwt.StandardClaims{
		ExpiresAt: 15000,
		Issuer:    "test",
	}
	// ok: jwt-go-none-algorithm
	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	ss, err := token.SignedString(key)
	fmt.Printf("%v %v\n", ss, err)
}
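The rule only catches the signing side; the same mistake on the verifying side is trusting the token's own "alg" header to choose the check. As an added example that is not part of this rule page or of jwt-go, the following stdlib-only verifier pins the expected algorithm to HS256 so a token declaring "none" is rejected before any signature logic runs. The key, claims and function names are constructed for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// signHS256 builds a compact JWT with the header fixed to HS256, so "none" can never be chosen at signing time.
func signHS256(claims string, key []byte) string {
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString([]byte(claims))
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

// verifyHS256 pins the algorithm on the verifying side: the "alg" header is
// compared against what the server expects instead of being trusted to pick
// the check, and the HMAC is compared in constant time.
func verifyHS256(token string, key []byte) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token: want header.payload.signature")
	}
	rawHdr, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "HS256" {
		return "", fmt.Errorf("rejected: alg %q is not HS256", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return "", errors.New("rejected: signature does not verify")
	}
	claims, err := b64.DecodeString(parts[1])
	return string(claims), err
}

func main() {
	key := []byte("constructed-demo-key") // constructed demo value, not a real secret
	tok := signHS256(`{"iss":"test","exp":15000}`, key)
	fmt.Println(verifyHS256(tok, key))
}
```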
Short Link: https://sg.run/Gej1