javascript.jsonwebtoken.security.audit.jwt-exposed-data.jwt-exposed-data

semgrep

Author

3,440

Download Count*

License

The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: jwt-exposed-data
    message: The object is passed strictly to jsonwebtoken.sign(...) Make sure that
      sensitive information is not exposed through JWT token payload.
    metadata:
      owasp:
        - A02:2017 - Broken Authentication
        - A04:2021 - Insecure Design
      cwe:
        - "CWE-522: Insufficiently Protected Credentials"
      source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
      asvs:
        section: "V3: Session Management Verification Requirements"
        control_id: 3.5.3 Insecue Stateless Session Tokens
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management
        version: "4"
      category: security
      technology:
        - jwt
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      references:
        - https://owasp.org/Top10/A04_2021-Insecure_Design
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - javascript
      - typescript
    severity: WARNING
    patterns:
      - pattern-inside: |
          $JWT = require('jsonwebtoken');
          ...
      - pattern-either:
          - pattern-inside: function (...,$INPUT,...) {...}
          - pattern-inside: function $F(...,$INPUT,...) {...}
      - pattern: $JWT.sign($INPUT,...)

Examples

jwt-exposed-data.js

const jwt = require('jsonwebtoken')

User.findOne({name: req.body.name}, function(err, user){
    // ruleid: jwt-exposed-data
    var token = jwt.sign(user, key, {expiresIn: 60*60*10});
    res.json({
        success: true,
        message: 'Enjoy your token!',
        token: token
    });
});

User.findOne({name: req.body.name}, function(err, user){
    // ok: jwt-exposed-data
    const {name, email} = user
    var token = jwt.sign({name, email}, key, {expiresIn: 60*60*10});
    return token;
});

User.findOne({name: req.body.name}, function(err, user){
    // ok: jwt-exposed-data
    const {name, email} = user
    var token = jwt.sign({name, email}, key, {expiresIn: 60*60*10});
    return token;
});

Short Link: https://sg.run/5Qkj