javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret

A hard-coded credential was detected. Storing credentials in source code is not recommended, as it risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials, or to retrieve them from a secure vault or HSM (Hardware Security Module).
Definition
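rules:
  # Flags jose JWT.sign()/JWT.verify() calls whose key is a string literal,
  # either passed directly or wrapped in JWK.asKey(...). A local that holds
  # such a literal is followed through symbolic_propagation (see options).
  - id: hardcoded-jwt-secret
    message: A hard-coded credential was detected. It is not recommended to store
      credentials in source-code, as this risks secrets being leaked and used by
      either an internal or external malicious adversary. It is recommended to
      use environment variables to securely provide credentials or retrieve
      credentials from a secure vault or HSM (Hardware Security Module).
    metadata:
      # presumably lets the require()/destructuring context be resolved across
      # files — confirm against the engine's interfile semantics
      interfile: true
      cwe:
        - "CWE-798: Use of Hard-coded Credentials"
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
      owasp:
        - A07:2021 - Identification and Authentication Failures
      asvs:
        section: "V3: Session Management Verification Requirements"
        control_id: 3.5.2 Static API keys or secret
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management
        version: "4"
      category: security
      technology:
        - jose
        - jwt
        - secrets
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: HIGH
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Hard-coded Secrets
    languages:
      - javascript
      - typescript
    severity: WARNING
    patterns:
      # Scope: only the CommonJS require() form of loading jose is recognised;
      # ESM `import` syntax is not matched by these pattern-insides.
      - pattern-inside: |
          $JOSE = require("jose");
          ...
      # JWT must be destructured from the module (var/let/const, with or
      # without JWK) for the call patterns below to apply.
      - pattern-either:
          - pattern-inside: |
              var {JWT} = $JOSE;
              ...
          - pattern-inside: |
              var {JWK, JWT} = $JOSE;
              ...
          - pattern-inside: |
              const {JWT} = $JOSE;
              ...
          - pattern-inside: |
              const {JWK, JWT} = $JOSE;
              ...
          - pattern-inside: |
              let {JWT} = $JOSE;
              ...
          - pattern-inside: |
              let {JWK, JWT} = $JOSE;
              ...
      # All four call shapes name the destructured JWT binding directly; the
      # key argument is a string literal, bare or wrapped in JWK.asKey().
      - pattern-either:
          - pattern: |
              JWT.verify($P, "...", ...);
          - pattern: |
              JWT.sign($P, "...", ...);
          - pattern: |
              JWT.verify($P, JWK.asKey("..."), ...);
          - pattern: |
              JWT.sign($P, JWK.asKey("..."), ...);
    options:
      # Lets a literal assigned to a local (e.g. `const s = 'x'; JWT.sign(p, s)`)
      # still satisfy the "..." patterns above.
      symbolic_propagation: true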
Examples
jwt-hardcode.js
// `config` stands in for an external source of the signing secret; the
// `// ok:` fixtures at the bottom of this file read `config.secret` instead
// of a string literal.
const config = require('./config')
// Positive fixture: a string literal is passed straight to JWT.verify.
// NOTE(review): jose's JWT.verify presumably expects a token string, not a
// payload object; the fixture only needs the call shape to match the rule.
function example1() {
  const jose = require('jose')
  const { JWT } = jose
  const payload = {foo: 'bar'}
  // ruleid: hardcoded-jwt-secret
  JWT.verify(payload, 'shhhhh')
}
// Positive fixture: a string literal is passed straight to JWT.sign.
function example2() {
  const jose = require('jose')
  const { JWT } = jose
  const payload = {foo: 'bar'}
  // ruleid: hardcoded-jwt-secret
  const token2 = JWT.sign(payload, 'shhhhh')
}
// Positive fixture: same as example1, but the JWT.verify result is bound to
// a local; the assignment does not change the matched call shape.
function example3() {
  const jose = require('jose')
  const { JWT } = jose
  const payload = {foo: 'bar'}
  // ruleid: hardcoded-jwt-secret
  const token3 = JWT.verify(payload, 'shhhhh')
}
// Positive fixture: the literal is wrapped in JWK.asKey() inline in the
// JWT.verify call, which the rule's JWK.asKey("...") pattern covers.
function example4() {
  const jose = require('jose')
  const { JWK, JWT } = jose
  const payload = {foo: 'bar'}
  // ruleid: hardcoded-jwt-secret
  JWT.verify(payload, JWK.asKey('raz-dva-tri'))
}
// Positive fixture: the literal is wrapped in JWK.asKey() inline in the
// JWT.sign call.
function example5() {
  const jose = require('jose')
  const { JWK, JWT } = jose
  const payload = {foo: 'bar'}
  // ruleid: hardcoded-jwt-secret
  const token5 = JWT.sign(payload, JWK.asKey('raz-dva-tri'))
}
// Positive fixture: inline JWK.asKey(literal) passed to JWT.verify, with the
// result bound to a local.
function example6() {
  const jose = require('jose')
  const { JWK, JWT } = jose
  const payload = {foo: 'bar'}
  // ruleid: hardcoded-jwt-secret
  const token6 = JWT.verify(payload, JWK.asKey('raz-dva-tri'))
}
// Positive fixture: JWK.asKey(literal) is stored in a local first. The call
// matches only because the rule enables symbolic_propagation, which follows
// `key7` back to the literal.
function example7() {
  const jose = require('jose')
  const { JWK, JWT } = jose
  const payload = {foo: 'bar'}
  const key7 = JWK.asKey('raz-dva-tri')
  // ruleid: hardcoded-jwt-secret
  JWT.verify(payload, key7)
}
// Positive fixture: JWK.asKey(literal) held in a local, then passed to
// JWT.sign; relies on symbolic_propagation.
function example8() {
  const jose = require('jose')
  const { JWK, JWT } = jose
  const payload = {foo: 'bar'}
  const key8 = JWK.asKey('raz-dva-tri')
  // ruleid: hardcoded-jwt-secret
  const token8 = JWT.sign(payload, key8)
}
// Positive fixture: JWK.asKey(literal) held in a local, then passed to
// JWT.verify; relies on symbolic_propagation.
function example9() {
  const jose = require('jose')
  const { JWK, JWT } = jose
  const payload = {foo: 'bar'}
  const key9 = JWK.asKey('raz-dva-tri')
  // ruleid: hardcoded-jwt-secret
  const token9 = JWT.verify(payload, key9)
}
// Positive fixture: the secret literal is bound to a local and the local is
// passed to JWT.verify; symbolic_propagation resolves it to the "..." pattern.
// NOTE(review): a second `example10` is declared later in this file and, in
// a script, the later declaration wins — rename one to keep fixtures distinct.
function example10() {
  const jose = require('jose')
  const { JWK, JWT } = jose
  const payload = {foo: 'bar'}
  const secret10 = 'shhhhh'
  // ruleid: hardcoded-jwt-secret
  JWT.verify(payload, secret10)
}
// Positive fixture: secret literal via a local, passed to JWT.sign.
// NOTE(review): `example11` is also declared again later in this file.
function example11() {
  const jose = require('jose')
  const { JWK, JWT } = jose
  const payload = {foo: 'bar'}
  const secret11 = 'shhhhh'
  // ruleid: hardcoded-jwt-secret
  const token11 = JWT.sign(payload, secret11)
}
// Positive fixture: secret literal via a local, passed to JWT.verify, with
// the result bound to a local.
function example12() {
  const jose = require('jose')
  const { JWK, JWT } = jose
  const payload = {foo: 'bar'}
  const secret12 = 'shhhhh'
  // ruleid: hardcoded-jwt-secret
  const token3 = JWT.verify(payload, secret12)
}
// Positive fixture: the secret local is wrapped in JWK.asKey() inline in the
// JWT.verify call; symbolic_propagation supplies the literal.
function example13() {
  const jose = require('jose')
  const { JWK, JWT } = jose
  const payload = {foo: 'bar'}
  const secret13 = 'shhhhh'
  // ruleid: hardcoded-jwt-secret
  JWT.verify(payload, JWK.asKey(secret13))
}
// Positive fixture: the secret local is wrapped in JWK.asKey() inline in the
// JWT.sign call.
function example14() {
  const jose = require('jose')
  const { JWK, JWT } = jose
  const payload = {foo: 'bar'}
  const secret14 = 'shhhhh'
  // ruleid: hardcoded-jwt-secret
  const token5 = JWT.sign(payload, JWK.asKey(secret14))
}
// Positive fixture: secret local wrapped in JWK.asKey() inline, passed to
// JWT.verify, result bound to a local.
function example15() {
  const jose = require('jose')
  const { JWK, JWT } = jose
  const payload = {foo: 'bar'}
  const secret15 = 'shhhhh'
  // ruleid: hardcoded-jwt-secret
  const token6 = JWT.verify(payload, JWK.asKey(secret15))
}
// Positive fixture: two propagation steps — the literal goes into `secret16`,
// JWK.asKey(secret16) into `key16`, and `key16` into JWT.verify.
function example16() {
  const jose = require('jose')
  const { JWK, JWT } = jose
  const payload = {foo: 'bar'}
  const secret16 = 'shhhhh'
  const key16 = JWK.asKey(secret16)
  // ruleid: hardcoded-jwt-secret
  JWT.verify(payload, key16)
}
// Positive fixture: two propagation steps (literal -> secret17 -> key17),
// then JWT.sign.
function example17() {
  const jose = require('jose')
  const { JWK, JWT } = jose
  const payload = {foo: 'bar'}
  const secret17 = 'shhhhh'
  const key17 = JWK.asKey(secret17)
  // ruleid: hardcoded-jwt-secret
  const token8 = JWT.sign(payload, key17)
}
// Positive fixture: two propagation steps (literal -> secret18 -> key18),
// then JWT.verify with the result bound to a local.
function example18() {
  const jose = require('jose')
  const { JWK, JWT } = jose
  const payload = {foo: 'bar'}
  const secret18 = 'shhhhh'
  const key18 = JWK.asKey(secret18)
  // ruleid: hardcoded-jwt-secret
  const token9 = JWT.verify(payload, key18)
}
// Negative fixture: the key comes from `config.secret`, not a string literal
// in this file, so the "..." patterns do not apply even through JWK.asKey().
// NOTE(review): this redeclares `example10` from earlier in the file; the
// later declaration wins in a script — rename to keep fixtures distinct.
function example10() {
  const jose = require('jose')
  const { JWK, JWT } = jose
  const payload = {foo: 'bar'}
  const secret2 = config.secret
  // ok: hardcoded-jwt-secret
  const token11 = JWT.sign(payload, JWK.asKey(secret2))
}
// Negative fixture: `config.secret` passed directly to JWT.sign; no literal
// is visible to the rule, so it must not fire.
// NOTE(review): this redeclares `example11` from earlier in the file.
function example11() {
  const jose = require('jose')
  const { JWK, JWT } = jose
  const payload = {foo: 'bar'}
  const secret2 = config.secret
  // ok: hardcoded-jwt-secret
  const token12 = JWT.sign(payload, secret2)
}