go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm

profile photo of semgrepsemgrep
Author
6,345
Download Count*

Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.

Run Locally

Run in CI

Defintion

rules:
  - id: jwt-go-none-algorithm
    message: Detected use of the 'none' algorithm in a JWT token. The 'none'
      algorithm assumes the integrity of the token has already been verified.
      This would allow a malicious actor to forge a JWT token that will
      automatically be verified. Do not explicitly use the 'none' algorithm.
      Instead, use an algorithm such as 'HS256'.
    metadata:
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
      category: security
      technology:
        - jwt
      confidence: HIGH
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - go
    severity: ERROR
    patterns:
      - pattern-either:
          - pattern-inside: |
              import "github.com/golang-jwt/jwt"
              ...
          - pattern-inside: |
              import "github.com/dgrijalva/jwt-go"
              ...
      - pattern-either:
          - pattern: |
              jwt.SigningMethodNone
          - pattern: jwt.UnsafeAllowNoneSignatureType

Examples

jwt-none-alg.go

package main

import (
    "fmt"
    "github.com/dgrijalva/jwt-go"
)

func bad1() {
    claims := jwt.StandardClaims{
        ExpiresAt: 15000,
        Issuer:    "test",
    }

    // ruleid: jwt-go-none-algorithm
    token := jwt.NewWithClaims(jwt.SigningMethodNone, claims)
    // ruleid: jwt-go-none-algorithm
    ss, err := token.SignedString(jwt.UnsafeAllowNoneSignatureType)
    fmt.Printf("%v %v\n", ss, err)
}

func ok1(key []byte) {
    claims := jwt.StandardClaims{
        ExpiresAt: 15000,
        Issuer:    "test",
    }

    // ok: jwt-go-none-algorithm
    token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
    ss, err := token.SignedString(key)
    fmt.Printf("%v %v\n", ss, err)
}