javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret

A hard-coded credential was detected. It is not recommended to store credentials in source code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials, or to retrieve credentials from a secure vault or HSM (Hardware Security Module).
Definition
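# Semgrep rule: flag string-literal JWT secrets passed to express-jwt.
#
# The rule fires only inside files that bind express-jwt (see the
# `pattern-inside` clauses below), so unrelated `secret:` keys in other
# libraries are not reported. The reported location is the literal
# itself (`focus-metavariable: $Y`).
rules:
  - id: express-jwt-hardcoded-secret
    message: A hard-coded credential was detected. It is not recommended to store
      credentials in source-code, as this risks secrets being leaked and used by
      either an internal or external malicious adversary. It is recommended to
      use environment variables to securely provide credentials or retrieve
      credentials from a secure vault or HSM (Hardware Security Module).
    metadata:
      # The require/import and the jwt() call may live in different files.
      interfile: true
      cwe:
        - "CWE-798: Use of Hard-coded Credentials"
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html
      owasp:
        - A07:2021 - Identification and Authentication Failures
      category: security
      technology:
        - express
        - secrets
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: HIGH
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - javascript
      - typescript
    severity: WARNING
    patterns:
      # Gate on the module actually being express-jwt, under every common
      # binding form (CommonJS require, default / namespace / named import).
      - pattern-either:
          - pattern-inside: |
              $JWT = require('express-jwt');
              ...
          - pattern-inside: |
              import $JWT from 'express-jwt';
              ...
          - pattern-inside: |
              import * as $JWT from 'express-jwt';
              ...
          - pattern-inside: |
              import { ..., $JWT, ... } from 'express-jwt';
              ...
      # Two shapes are covered: the literal written inline in the options
      # object, and a literal assigned to a variable that is then used as
      # `secret`. Only a direct string-literal assignment is followed;
      # a secret that reaches `secret:` through Object.assign / spread /
      # a merged options object does not appear to be reported (the
      # fixture's `/protected3` case carries no `ruleid` marker).
      - pattern-either:
          - pattern: |
              $JWT({...,secret: "$Y",...},...)
          - pattern: |
              $OPTS = "$Y";
              ...
              $JWT({...,secret: $OPTS},...);
      # Report on the literal, not the whole jwt() call.
      - focus-metavariable: $Y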
Examples
express-jwt-hardcoded-secret.js
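// Test fixture for the express-jwt-hardcoded-secret rule.
// `// ruleid:` marks lines the rule must report, `// ok:` lines it must not;
// `app` and `config` are assumed to be provided by the surrounding test setup.
var jwt = require('express-jwt');

// Inline string literal as the secret: reported.
// ruleid: express-jwt-hardcoded-secret
app.get('/protected', jwt({ secret: 'shhhhhhared-secret' }), function(req, res) {
  if (!req.user.admin) return res.sendStatus(401);
  res.sendStatus(200);
});

// String literal assigned to a variable, then passed as the secret: reported.
// ruleid: express-jwt-hardcoded-secret
let hardcodedSecret = 'shhhhhhared-secret';
app.get('/protected2', jwt({ secret: hardcodedSecret }), function(req, res) {
  if (!req.user.admin) return res.sendStatus(401);
  res.sendStatus(200);
});

// Literal secret reaching the options object through Object.assign.
// This case is deliberately unannotated: the rule only follows a direct
// literal-to-variable assignment, so a merged options object is not
// reported even though the secret is still hard-coded.
let secret = "hardcode";
const opts = Object.assign({issuer: 'http://issuer'}, {secret: secret});
app.get('/protected3', jwt(opts), function(req, res) {
  if (!req.user.admin) return res.sendStatus(401);
  res.sendStatus(200);
});

// Secret read from the environment: not reported.
// ok: express-jwt-hardcoded-secret
app.get('/ok-protected', jwt({ secret: process.env.SECRET }), function(req, res) {
  if (!req.user.admin) return res.sendStatus(401);
  res.sendStatus(200);
});

// Secret read from a config store and merged into the options: not reported.
// Renamed from `opts` so the fixture parses as a single script — a second
// `const opts` in the same scope is a SyntaxError.
let configSecret = config.get('secret');
const configOpts = Object.assign({issuer: 'http://issuer'}, {secret: configSecret});
// ok: express-jwt-hardcoded-secret
app.get('/ok-protected', jwt(configOpts), function(req, res) {
  if (!req.user.admin) return res.sendStatus(401);
  res.sendStatus(200);
});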
Short Link: https://sg.run/Do1d