javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret

profile photo of returntocorpreturntocorp
Author
3,077
Download Count*

A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).

Run Locally

Run in CI

Defintion

rules:
  - id: express-jwt-hardcoded-secret
    message: A hard-coded credential was detected. It is not recommended  to store
      credentials in source-code, as this risks secrets being leaked and used by
      either an internal or external malicious adversary.  It is recommended to
      use environment variables to  securely provide credentials or retrieve
      credentials from  a secure vault or HSM (Hardware Security Module).
    metadata:
      deepsemgrep: true
      cwe:
        - "CWE-798: Use of Hard-coded Credentials"
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html
      owasp:
        - A07:2021 - Identification and Authentication Failures
      category: security
      technology:
        - express
        - secrets
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: HIGH
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - javascript
      - typescript
    severity: WARNING
    patterns:
      - pattern-either:
          - pattern-inside: |
              $JWT = require('express-jwt');
              ...
          - pattern-inside: |
              import $JWT from 'express-jwt';
              ...
          - pattern-inside: |
              import * as $JWT from 'express-jwt';
              ...
          - pattern-inside: |
              import { ..., $JWT, ... } from 'express-jwt';
              ...
      - pattern-either:
          - pattern: |
              $JWT({...,secret: "$Y",...},...)
          - pattern: |
              $OPTS = "$Y";
              ...
              $JWT({...,secret: $OPTS},...);
      - focus-metavariable: $Y

Examples

express-jwt-hardcoded-secret.js

var jwt = require('express-jwt');

// ruleid: express-jwt-hardcoded-secret
app.get('/protected', jwt({ secret: 'shhhhhhared-secret' }), function(req, res) {
    if (!req.user.admin) return res.sendStatus(401);
    res.sendStatus(200);
});

// ruleid: express-jwt-hardcoded-secret
let hardcodedSecret = 'shhhhhhared-secret'

app.get('/protected2', jwt({ secret: hardcodedSecret }), function(req, res) {
    
    if (!req.user.admin) return res.sendStatus(401);
    res.sendStatus(200);
});

let secret = "hardcode"

const opts = Object.assign({issuer: 'http://issuer'}, {secret: secret})

app.get('/protected3', jwt(opts), function(req, res) {
    if (!req.user.admin) return res.sendStatus(401);
    res.sendStatus(200);
});

// ok: express-jwt-hardcoded-secret
app.get('/ok-protected', jwt({ secret: process.env.SECRET }), function(req, res) {
    if (!req.user.admin) return res.sendStatus(401);
    res.sendStatus(200);
});


let configSecret = config.get('secret')
const opts = Object.assign({issuer: 'http://issuer'}, {secret: configSecret})

// ok: express-jwt-hardcoded-secret
app.get('/ok-protected', jwt(opts), function(req, res) {
    if (!req.user.admin) return res.sendStatus(401);
    res.sendStatus(200);
});