java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret
Author: semgrep
Download Count*: 6,345
A hard-coded credential was detected. Storing credentials in source code risks the secret being leaked and used by an internal or external adversary; for a JWT signed with an HMAC algorithm, anyone who obtains the secret can forge tokens that the application will accept. Provide credentials through environment variables, or retrieve them at runtime from a secure vault or HSM (Hardware Security Module).
Definition
rules:
  - id: java-jwt-hardcoded-secret
    message: A hard-coded credential was detected. It is not recommended to store
      credentials in source-code, as this risks secrets being leaked and used by
      either an internal or external malicious adversary. It is recommended to
      use environment variables to securely provide credentials or retrieve
      credentials from a secure vault or HSM (Hardware Security Module).
    metadata:
      cwe:
        - "CWE-798: Use of Hard-coded Credentials"
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
      owasp:
        - A07:2021 - Identification and Authentication Failures
      technology:
        - java
        - secrets
        - jwt
      category: security
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Hard-coded Secrets
    languages:
      - java
    severity: WARNING
    patterns:
      - pattern-either:
          - pattern: |
              (Algorithm $ALG) = $ALGO.$HMAC("$Y");
          - pattern: |
              $SECRET = "$Y";
              ...
              (Algorithm $ALG) = $ALGO.$HMAC($SECRET);
          - pattern: |
              class $CLASS {
                ...
                $TYPE $SECRET = "$Y";
                ...
                $RETURNTYPE $FUNC (...) {
                  ...
                  (Algorithm $ALG) = $ALGO.$HMAC($SECRET);
                  ...
                }
                ...
              }
      - focus-metavariable: $Y
      - metavariable-regex:
          metavariable: $HMAC
          regex: (HMAC384|HMAC256|HMAC512)
Examples
jwt-hardcode.java
package jwt_test.jwt_test_1;

import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTCreationException;

public class App
{
    static String secret = "secret";

    private static void bad1() {
        try {
            // ruleid: java-jwt-hardcoded-secret
            Algorithm algorithm = Algorithm.HMAC256("secret");
            String token = JWT.create()
                .withIssuer("auth0")
                .sign(algorithm);
        } catch (JWTCreationException exception){
            //Invalid Signing configuration / Couldn't convert Claims.
        }
    }

    private static void ok1(String secretKey) {
        try {
            // ok: java-jwt-hardcoded-secret
            Algorithm algorithm = Algorithm.HMAC256(secretKey);
            String token = JWT.create()
                .withIssuer("auth0")
                .sign(algorithm);
        } catch (JWTCreationException exception){
            //Invalid Signing configuration / Couldn't convert Claims.
        }
    }

    public static void main( String[] args )
    {
        bad1();
        ok1(args[0]);
    }
}

abstract class App2
{
    // ruleid: java-jwt-hardcoded-secret
    static String secret = "secret";

    public void bad2() {
        try {
            Algorithm algorithm = Algorithm.HMAC256(secret);
            String token = JWT.create()
                .withIssuer("auth0")
                .sign(algorithm);
        } catch (JWTCreationException exception){
            //Invalid Signing configuration / Couldn't convert Claims.
        }
    }
}
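The following is an added example, not part of the rule's test file or of the java-jwt project, showing the hardened form of `bad1`/`bad2` that the rule message recommends: the HMAC key is read from an environment variable at startup, decoded from base64, length-checked and handed to `Algorithm.HMAC256(byte[])`, so no string literal ever reaches the signer and none of the three patterns above can match. The environment variable name `JWT_HMAC_KEY_B64` and the 32-byte minimum are assumptions made for this example; the java-jwt calls (`Algorithm.HMAC256`, `JWT.create().sign`, `JWT.require(...).build().verify`) are the library's real API. The example also verifies that a token signed under a different key is rejected.

```java
package jwt_test.jwt_test_1;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.util.Base64;

public class JwtSecretFromEnv {

    // Environment variable holding the base64-encoded HMAC key.
    // The name is an assumption for this example, not part of the rule or library.
    private static final String KEY_ENV_VAR = "JWT_HMAC_KEY_B64";

    // An HMAC-SHA256 key should be at least as long as the hash output (32 bytes).
    // A short literal such as "secret" in the test file above is trivially brute-forceable.
    private static final int MIN_KEY_BYTES = 32;

    /** Load the key from the environment; fail closed if it is missing, malformed or short. */
    static byte[] loadKey() {
        String encoded = System.getenv(KEY_ENV_VAR);
        if (encoded == null || encoded.isEmpty()) {
            throw new IllegalStateException(KEY_ENV_VAR + " is not set; refusing to start without a signing key");
        }
        byte[] key = Base64.getDecoder().decode(encoded); // IllegalArgumentException on bad base64
        if (key.length < MIN_KEY_BYTES) {
            throw new IllegalStateException("JWT signing key must be at least " + MIN_KEY_BYTES + " bytes");
        }
        return key;
    }

    /** Issue a token with the same claims as the test file's examples. */
    static String issue(Algorithm algorithm) {
        return JWT.create().withIssuer("auth0").sign(algorithm);
    }

    /** Verify signature and issuer; throws JWTVerificationException on failure. */
    static DecodedJWT verify(Algorithm algorithm, String token) {
        JWTVerifier verifier = JWT.require(algorithm).withIssuer("auth0").build();
        return verifier.verify(token);
    }

    public static void main(String[] args) {
        // Algorithm.HMAC256(byte[]) takes the raw key: no string literal, nothing for the rule to flag.
        Algorithm algorithm = Algorithm.HMAC256(loadKey());

        String token = issue(algorithm);
        DecodedJWT jwt = verify(algorithm, token);
        System.out.println("issuer=" + jwt.getIssuer());

        // A token signed under a different key (here an all-zero dummy key) must be rejected.
        Algorithm other = Algorithm.HMAC256(new byte[MIN_KEY_BYTES]);
        try {
            verify(algorithm, issue(other));
            throw new AssertionError("token signed with a different key was accepted");
        } catch (JWTVerificationException expected) {
            System.out.println("foreign-key token rejected: " + expected.getMessage());
        }
    }
}
```

Generate a suitable key once outside the code base, for example with `head -c 32 /dev/urandom | base64`, and inject it through the environment or a vault integration. Note what the rule does and does not cover: it flags a literal passed directly to `HMAC256`/`HMAC384`/`HMAC512`, a literal assigned to a local that is then passed, and a literal field used by a method of the same class; a secret read from a properties file checked into the repository, or a literal constant defined in another class, produces no finding, so the rule complements rather than replaces a repository-wide secret scan.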
Short Link: https://sg.run/RoDK