javascript.jsonwebtoken.security.audit.jwt-exposed-data.jwt-exposed-data
semgrep
Author
3,440
Download Count*
License
The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload.
Run Locally
Run in CI
Defintion
rules:
- id: jwt-exposed-data
message: The object is passed strictly to jsonwebtoken.sign(...) Make sure that
sensitive information is not exposed through JWT token payload.
metadata:
owasp:
- A02:2017 - Broken Authentication
- A04:2021 - Insecure Design
cwe:
- "CWE-522: Insufficiently Protected Credentials"
source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
asvs:
section: "V3: Session Management Verification Requirements"
control_id: 3.5.3 Insecue Stateless Session Tokens
control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management
version: "4"
category: security
technology:
- jwt
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
references:
- https://owasp.org/Top10/A04_2021-Insecure_Design
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cryptographic Issues
languages:
- javascript
- typescript
severity: WARNING
patterns:
- pattern-inside: |
$JWT = require('jsonwebtoken');
...
- pattern-either:
- pattern-inside: function (...,$INPUT,...) {...}
- pattern-inside: function $F(...,$INPUT,...) {...}
- pattern: $JWT.sign($INPUT,...)
Examples
jwt-exposed-data.js
const jwt = require('jsonwebtoken')
User.findOne({name: req.body.name}, function(err, user){
// ruleid: jwt-exposed-data
var token = jwt.sign(user, key, {expiresIn: 60*60*10});
res.json({
success: true,
message: 'Enjoy your token!',
token: token
});
});
User.findOne({name: req.body.name}, function(err, user){
// ok: jwt-exposed-data
const {name, email} = user
var token = jwt.sign({name, email}, key, {expiresIn: 60*60*10});
return token;
});
User.findOne({name: req.body.name}, function(err, user){
// ok: jwt-exposed-data
const {name, email} = user
var token = jwt.sign({name, email}, key, {expiresIn: 60*60*10});
return token;
});
Short Link: https://sg.run/5Qkj