javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify

profile photo of semgrepsemgrep
Author
7,650
Download Count*
LGPL Commons Clause
License

Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: jwt-decode-without-verify
    message: Detected the decoding of a JWT token without a verify step. JWT tokens
      must be verified before use, otherwise the token's integrity is unknown.
      This means a malicious actor could forge a JWT token with any claims. Call
      '.verify()' before using the token.
    metadata:
      cwe:
        - "CWE-345: Insufficient Verification of Data Authenticity"
      owasp:
        - A08:2021 - Software and Data Integrity Failures
      source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
      asvs:
        section: "V3: Session Management Verification Requirements"
        control_id: 3.5.3 Insecue Stateless Session Tokens
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management
        version: "4"
      category: security
      technology:
        - jwt
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      references:
        - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authentication
    languages:
      - javascript
      - typescript
    severity: WARNING
    patterns:
      - pattern-inside: |
          $JWT = require('jsonwebtoken');
          ...
      - pattern-not-inside: |
          ...
          $JWT.verify($TOKEN, ...)
          ...
      - pattern-not-inside: |
          ...
          if (<... $JWT.verify($TOKEN, ...) ...>) { ... }
          ...
      - pattern: $JWT.decode($TOKEN, ...)

Examples

jwt-decode-without-verify.js

const jwt = require('jsonwebtoken');

function notOk(token) {
  // ruleid: jwt-decode-without-verify
  if (jwt.decode(token, true).param === true) {
    console.log('token is valid');
  }
}

function ok(token, key) {
  // ok: jwt-decode-without-verify
  jwt.verify(token, key);
  if (jwt.decode(token, true).param === true) {
    console.log('token is valid');
  }
}

const ok2 = (token, key) => {
  // ok: jwt-decode-without-verify
  const value = jwt.decode(token, key).param;
  if (jwt.verify(token, true).param === true) {
    console.log('token is valid');
  }
};

jwt-decode-without-verify.jsx

const jwt = require('jsonwebtoken');

const bad = (token) => {
  // ruleid: jwt-decode-without-verify
  if (jwt.decode(token, true).param === true) {
    console.log('token is valid');
  }
};

const ok = (token, key) => {
  // ok: jwt-decode-without-verify
  jwt.verify(token, key);
  if (jwt.decode(token, true).param === true) {
    console.log('token is valid');
  }
};