javascript.jose.security.jwt-exposed-credentials.jwt-exposed-credentials

this rule has been deprecated.


Definition

# Deprecated Semgrep rule, kept in the registry for its metadata only.
# Under `patterns:` every listed pattern must match the same span, and no call
# expression is both `a()` and `b()`, so this rule is effectively unsatisfiable
# and never reports a finding. The CWE/OWASP references below describe what the
# rule originally targeted (credentials placed in a JWT payload / hard-coded
# signing secrets), not what this definition still detects.
rules:
  - id: jwt-exposed-credentials
    message: this rule has been deprecated.
    metadata:
      cwe:
        - "CWE-798: Use of Hard-coded Credentials"
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html
      owasp:
        - A07:2021 - Identification and Authentication Failures
      category: security
      technology:
        - jose
        - jwt
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      # LOW/LOW/LOW and INFO severity reflect the deprecated status: the rule
      # is retained as a placeholder and is not expected to produce results.
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - javascript
      - typescript
    severity: INFO
    # Both sub-patterns must match the same expression; `a()` and `b()` cannot,
    # which is how the rule is neutralised without deleting it.
    patterns:
      - pattern: a()
      - pattern: b()

Examples

jwt-exposed-credentials.js

// Fixture module for the (deprecated) jwt-exposed-credentials rule. Every
// example signs a payload with jsonwebtoken; a signed JWT (JWS) only
// base64url-encodes its claims, so anything placed in the payload is readable
// by whoever holds the token, and the signing key used below is a literal.
const jsonwt = require("jsonwebtoken");

/**
 * Variant: the sensitive claim is an inline object literal.
 * `config` is not declared anywhere in this file — presumably a stand-in for a
 * configuration value in the fixture; confirm before treating this as runnable.
 * The resulting token carries the `password` claim in readable form and is
 * signed with the hard-coded literal 'secret'.
 */
function example1() {
  const signedToken = jsonwt.sign({ password: config }, 'secret', { some: 'params' });
}

/**
 * Variant: claims declared in a `const` object literal before signing.
 * The `password` claim is not protected by the signature — a JWS payload is
 * only base64url-encoded — and 'secret' is a literal signing key.
 */
function example2() {
  const claims = {
    one: 1,
    two: 2,
    password: "a",
  };
  const signedToken = jsonwt.sign(claims, 'secret', { some: 'params' });
}

/**
 * Variant: `let` declaration followed by a separate assignment of the claims
 * object. Same outcome as example2 — the `password` claim is readable in the
 * signed token and the signing key is the literal 'secret'.
 */
function example3() {
  let claims;
  claims = {
    one: 1,
    two: 2,
    password: "a",
  };
  const signedToken = jsonwt.sign(claims, 'secret', { some: 'params' });
}

/**
 * Variant: the claims object starts empty and the `password` property is added
 * afterwards. The token still embeds the value in its (unencrypted) payload.
 */
function example4() {
  const claims = {};
  claims.password = "a";
  const signedToken = jsonwt.sign(claims, 'secret', { some: 'params' });
}

/**
 * Variant: claims merged with Object.assign, where the first source object
 * contributes the `password` claim. Merged into a fresh object, then signed
 * with the literal key 'secret'.
 */
function example5() {
  const claims = Object.assign(
    { password: 'bar' },
    { bar: 123 },
    { one: 1, two: 2 },
  );
  const signedToken = jsonwt.sign(claims, 'secret', { some: 'params' });
}

/**
 * Variant: like example5, but the Object.assign result is assigned to a
 * previously declared `let` binding rather than a `const`.
 */
function example6() {
  let claims;
  claims = Object.assign(
    { password: 'bar' },
    { bar: 123 },
    { one: 1, two: 2 },
  );
  const signedToken = jsonwt.sign(claims, 'secret', { some: 'params' });
}

/**
 * Variant: the Object.assign merge is written inline as the first argument of
 * sign(), with no intermediate binding. The `password` claim ends up in the
 * readable token payload exactly as in examples 5 and 6.
 */
function example7() {
  const signedToken = jsonwt.sign(
    Object.assign({ password: 'bar' }, { bar: 123 }, { one: 1, two: 2 }),
    'secret',
    { some: 'params' },
  );
}

/**
 * Variant: the `password` claim is nested one level down (`user.password`)
 * inside an inline literal. Nesting does not change exposure — the whole
 * payload is base64url-encoded in the signed token.
 */
function example8() {
  const signedToken = jsonwt.sign(
    { user: { password: "123" } },
    'secret',
    { some: 'params' },
  );
}

/**
 * Variant: nested `user.password` claim held in a `const` object alongside
 * other claims, then signed with the literal key 'secret'.
 */
function example9() {
  const claims = {
    one: 1,
    two: 2,
    user: { password: "123" },
  };
  const signedToken = jsonwt.sign(claims, 'secret', { some: 'params' });
}

/**
 * Variant: nested `user.password` claim assigned to a `let` binding after its
 * declaration (compare example9, which uses `const`).
 */
function example10() {
  let claims;
  claims = {
    one: 1,
    two: 2,
    user: { password: "123" },
  };
  const signedToken = jsonwt.sign(claims, 'secret', { some: 'params' });
}

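/**
 * Variant: claims object built by spreading a base object, with the `password`
 * property added afterwards. The original fixture used a bare `{...}`, which is
 * Semgrep's ellipsis notation and not valid JavaScript (a SyntaxError); a
 * concrete base object is spread here so the file parses while keeping the
 * "spread then assign" shape. The `password` value is still readable in the
 * signed token's payload, and the signing key is the literal 'secret'.
 */
function example11() {
  const base = { one: 1, two: 2 };
  const claims = { ...base };
  claims.password = "123";
  const signedToken = jsonwt.sign(claims, 'secret', { some: 'params' });
}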