javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret


A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).


Definition

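# Reports jose signing/verification calls whose key is a string literal,
# passed directly or wrapped in JWK.asKey(). The rule targets the
# destructured JWT / JWK namespace surface used in the examples below.
# NOTE(review): that namespace surface belongs to older jose releases;
# confirm separately whether the current jose API is covered by another rule.
rules:
  - id: hardcoded-jwt-secret
    message: A hard-coded credential was detected. It is not recommended to store
      credentials in source-code, as this risks secrets being leaked and used by
      either an internal or external malicious adversary. It is recommended to
      use environment variables to securely provide credentials or retrieve
      credentials from a secure vault or HSM (Hardware Security Module).
    metadata:
      interfile: true
      cwe:
        - "CWE-798: Use of Hard-coded Credentials"
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
      owasp:
        - A07:2021 - Identification and Authentication Failures
      asvs:
        section: "V3: Session Management Verification Requirements"
        control_id: 3.5.2 Static API keys or secret
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management
        version: "4"
      category: security
      technology:
        - jose
        - jwt
        - secrets
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: HIGH
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Hard-coded Secrets
    languages:
      - javascript
      - typescript
    severity: WARNING
    patterns:
      # Only code that loads jose through require(); $JOSE captures the
      # module binding and is reused by the destructuring patterns below.
      - pattern-inside: |
          $JOSE = require("jose");
          ...
      # JWT (optionally together with JWK) must be destructured from that
      # binding with var/let/const. Other import shapes (e.g. jose.JWT.sign
      # without destructuring) are outside this rule's scope.
      - pattern-either:
          - pattern-inside: |
              var {JWT} = $JOSE;
              ...
          - pattern-inside: |
              var {JWK, JWT} = $JOSE;
              ...
          - pattern-inside: |
              const {JWT} = $JOSE;
              ...
          - pattern-inside: |
              const {JWK, JWT} = $JOSE;
              ...
          - pattern-inside: |
              let {JWT} = $JOSE;
              ...
          - pattern-inside: |
              let {JWK, JWT} = $JOSE;
              ...
      # The sink: the key argument is a string literal ("..."), either given
      # directly or wrapped in JWK.asKey(). All four sinks name the
      # destructured JWT binding; an unbound metavariable receiver ($JWT)
      # would match .sign() on any object, so it is not used here.
      - pattern-either:
          - pattern: |
              JWT.verify($P, "...", ...);
          - pattern: |
              JWT.sign($P, "...", ...);
          - pattern: |
              JWT.verify($P, JWK.asKey("..."), ...);
          - pattern: |
              JWT.sign($P, JWK.asKey("..."), ...);
    # symbolic_propagation lets the literal be followed through intermediate
    # constants (a secret or JWK.asKey() result stored in a local and passed
    # later), which is what the key7/secret10-style examples rely on.
    options:
      symbolic_propagation: true
      interfile: true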

Examples

jwt-hardcode.js

// Loaded so the negative ("ok") examples can take the secret from
// configuration instead of a literal; only `config.secret` is read below.
const config = require('./config')

function example1() {
  // Fixture: the secret is a string literal handed straight to JWT.verify();
  // the rule reports the annotated call.
  const joseLib = require('jose')
  const { JWT } = joseLib
  const claims = {foo: 'bar'}
  // ruleid: hardcoded-jwt-secret
  JWT.verify(claims, 'shhhhh')
}

function example2() {
  // Fixture: literal secret in JWT.sign(); the result is kept in a local
  // (unused) so the assignment form of the call is exercised.
  const joseLib = require('jose')
  const { JWT } = joseLib
  const claims = {foo: 'bar'}
  // ruleid: hardcoded-jwt-secret
  const signed = JWT.sign(claims, 'shhhhh')
}

function example3() {
  // Fixture: literal secret in JWT.verify() with the result assigned to a
  // local (unused) — the assignment form of the verify sink.
  const joseLib = require('jose')
  const { JWT } = joseLib
  const claims = {foo: 'bar'}
  // ruleid: hardcoded-jwt-secret
  const verified = JWT.verify(claims, 'shhhhh')
}

function example4() {
  // Fixture: the literal is wrapped in JWK.asKey() inline inside the
  // JWT.verify() call; the rule still reports it.
  const joseLib = require('jose')
  const { JWK, JWT } = joseLib
  const claims = {foo: 'bar'}
  // ruleid: hardcoded-jwt-secret
  JWT.verify(claims, JWK.asKey('raz-dva-tri'))
}

function example5() {
  // Fixture: inline JWK.asKey() around a literal inside JWT.sign(), with
  // the result assigned to a local (unused).
  const joseLib = require('jose')
  const { JWK, JWT } = joseLib
  const claims = {foo: 'bar'}
  // ruleid: hardcoded-jwt-secret
  const signed = JWT.sign(claims, JWK.asKey('raz-dva-tri'))
}

function example6() {
  // Fixture: inline JWK.asKey() around a literal inside JWT.verify(), with
  // the result assigned to a local (unused).
  const joseLib = require('jose')
  const { JWK, JWT } = joseLib
  const claims = {foo: 'bar'}
  // ruleid: hardcoded-jwt-secret
  const verified = JWT.verify(claims, JWK.asKey('raz-dva-tri'))
}

function example7() {
  // Fixture: the JWK is built from a literal in its own const and only then
  // passed to JWT.verify(); matching this relies on the rule's
  // symbolic_propagation option.
  const joseLib = require('jose')
  const { JWK, JWT } = joseLib
  const claims = {foo: 'bar'}
  const verifyKey = JWK.asKey('raz-dva-tri')
  // ruleid: hardcoded-jwt-secret
  JWT.verify(claims, verifyKey)
}

function example8() {
  // Fixture: JWK built from a literal in a const, then used in JWT.sign()
  // with the result assigned (unused); depends on symbolic_propagation.
  const joseLib = require('jose')
  const { JWK, JWT } = joseLib
  const claims = {foo: 'bar'}
  const signingKey = JWK.asKey('raz-dva-tri')
  // ruleid: hardcoded-jwt-secret
  const signed = JWT.sign(claims, signingKey)
}

function example9() {
  // Fixture: JWK built from a literal in a const, then used in JWT.verify()
  // with the result assigned (unused); depends on symbolic_propagation.
  const joseLib = require('jose')
  const { JWK, JWT } = joseLib
  const claims = {foo: 'bar'}
  const verifyKey = JWK.asKey('raz-dva-tri')
  // ruleid: hardcoded-jwt-secret
  const verified = JWT.verify(claims, verifyKey)
}

function example10() {
  // Fixture: the literal secret sits in a const that is passed to
  // JWT.verify(); JWK is destructured but unused here. Relies on
  // symbolic_propagation to see through the local.
  const joseLib = require('jose')
  const { JWK, JWT } = joseLib
  const claims = {foo: 'bar'}
  const literalSecret = 'shhhhh'
  // ruleid: hardcoded-jwt-secret
  JWT.verify(claims, literalSecret)
}

function example11() {
  // Fixture: literal secret in a const passed to JWT.sign(), result assigned
  // (unused); JWK is destructured but unused. Relies on symbolic_propagation.
  const joseLib = require('jose')
  const { JWK, JWT } = joseLib
  const claims = {foo: 'bar'}
  const literalSecret = 'shhhhh'
  // ruleid: hardcoded-jwt-secret
  const signed = JWT.sign(claims, literalSecret)
}

function example12() {
  // Fixture: literal secret in a const passed to JWT.verify(), result
  // assigned (unused); JWK is destructured but unused. Relies on
  // symbolic_propagation.
  const joseLib = require('jose')
  const { JWK, JWT } = joseLib
  const claims = {foo: 'bar'}
  const literalSecret = 'shhhhh'
  // ruleid: hardcoded-jwt-secret
  const verified = JWT.verify(claims, literalSecret)
}

function example13() {
  // Fixture: literal secret in a const, wrapped in JWK.asKey() inline at
  // the JWT.verify() call. Relies on symbolic_propagation.
  const joseLib = require('jose')
  const { JWK, JWT } = joseLib
  const claims = {foo: 'bar'}
  const literalSecret = 'shhhhh'
  // ruleid: hardcoded-jwt-secret
  JWT.verify(claims, JWK.asKey(literalSecret))
}
 
function example14() {
  // Fixture: literal secret in a const, wrapped in JWK.asKey() inline at
  // the JWT.sign() call; result assigned (unused). Relies on
  // symbolic_propagation.
  const joseLib = require('jose')
  const { JWK, JWT } = joseLib
  const claims = {foo: 'bar'}
  const literalSecret = 'shhhhh'
  // ruleid: hardcoded-jwt-secret
  const signed = JWT.sign(claims, JWK.asKey(literalSecret))
}

function example15() {
  // Fixture: literal secret in a const, wrapped in JWK.asKey() inline at
  // the JWT.verify() call; result assigned (unused). Relies on
  // symbolic_propagation.
  const joseLib = require('jose')
  const { JWK, JWT } = joseLib
  const claims = {foo: 'bar'}
  const literalSecret = 'shhhhh'
  // ruleid: hardcoded-jwt-secret
  const verified = JWT.verify(claims, JWK.asKey(literalSecret))
}

function example16() {
  // Fixture: two hops — literal secret in a const, JWK built from it in a
  // second const, then passed to JWT.verify(). Relies on
  // symbolic_propagation following both locals.
  const joseLib = require('jose')
  const { JWK, JWT } = joseLib
  const claims = {foo: 'bar'}
  const literalSecret = 'shhhhh'
  const verifyKey = JWK.asKey(literalSecret)
  // ruleid: hardcoded-jwt-secret
  JWT.verify(claims, verifyKey)
}

function example17() {
  // Fixture: two hops — literal secret in a const, JWK built from it in a
  // second const, then passed to JWT.sign() with the result assigned
  // (unused). Relies on symbolic_propagation following both locals.
  const joseLib = require('jose')
  const { JWK, JWT } = joseLib
  const claims = {foo: 'bar'}
  const literalSecret = 'shhhhh'
  const signingKey = JWK.asKey(literalSecret)
  // ruleid: hardcoded-jwt-secret
  const signed = JWT.sign(claims, signingKey)
}

function example18() {
  // Fixture: two hops — literal secret in a const, JWK built from it in a
  // second const, then passed to JWT.verify() with the result assigned
  // (unused). Relies on symbolic_propagation following both locals.
  const joseLib = require('jose')
  const { JWK, JWT } = joseLib
  const claims = {foo: 'bar'}
  const literalSecret = 'shhhhh'
  const verifyKey = JWK.asKey(literalSecret)
  // ruleid: hardcoded-jwt-secret
  const verified = JWT.verify(claims, verifyKey)
}

function example10() {
  // Negative case: the secret is read from config rather than written as a
  // literal, so no finding is expected on the annotated line.
  // NOTE(review): this name repeats the earlier example10 in this file; as a
  // CommonJS function declaration the later one replaces the earlier at
  // runtime, so a unique name (e.g. example19) would avoid the clash.
  const joseLib = require('jose')
  const { JWK, JWT } = joseLib
  const claims = {foo: 'bar'}
  const configuredSecret = config.secret
  // ok: hardcoded-jwt-secret
  const signed = JWT.sign(claims, JWK.asKey(configuredSecret))
}

function example11() {
  // Negative case: the secret comes from config and is passed to JWT.sign()
  // directly (no JWK.asKey()); no finding is expected. JWK is destructured
  // but unused here.
  // NOTE(review): this name repeats the earlier example11 in this file; the
  // later CommonJS declaration replaces the earlier one at runtime, so a
  // unique name (e.g. example20) would avoid the clash.
  const joseLib = require('jose')
  const { JWK, JWT } = joseLib
  const claims = {foo: 'bar'}
  const configuredSecret = config.secret
  // ok: hardcoded-jwt-secret
  const signed = JWT.sign(claims, configuredSecret)
}