javascript.jsonwebtoken.security.jwt-exposed-credentials.jwt-exposed-credentials


This rule has been deprecated.


Definition

# Semgrep rule definition as shown in the registry listing. The rule is
# deprecated: the `patterns` entry at the bottom is a stub, not a detector
# for credentials placed in JWT payloads.
rules:
  - id: jwt-exposed-credentials
    # Text reported on a finding; kept verbatim because the registry displays it as-is.
    message: this rule has been deprecated.
    metadata:
      cwe:
        - "CWE-798: Use of Hard-coded Credentials"
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html
      owasp:
        - A07:2021 - Identification and Authentication Failures
      asvs:
        section: "V3: Session Management Verification Requirements"
        control_id: 3.5.2 Static API keys or secret
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management
        version: "4"
      category: security
      technology:
        - jwt
        - secrets
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      # All three triage fields are LOW: any match is an audit hint, not a confirmed finding.
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - javascript
      - typescript
    severity: ERROR
    # `patterns` is a logical AND: every entry must match the same code range.
    # `a()` and `b()` cannot both match one call, so this deprecated rule matches nothing.
    patterns:
      - pattern: a()
      - pattern: b()

Examples

jwt-exposed-credentials.js

// CommonJS import of the jsonwebtoken library; every example below calls jsonwt.sign().
const jsonwt = require('jsonwebtoken')

/**
 * Fixture: a password value placed directly in the JWT payload literal,
 * signed with a hard-coded key. `config` is not declared in this listing,
 * so calling this at runtime would throw a ReferenceError.
 */
function example1 () {
    const claims = { password: config };
    const signed = jsonwt.sign(claims, 'secret', { some: 'params' });
}

/**
 * Fixture: the payload is built as a `const` object literal holding a
 * `password` key, then signed with a hard-coded key.
 */
function example2 () {
    const claims = { one: 1, two: 2, password: "a" };
    const signed = jsonwt.sign(claims, 'secret', { some: 'params' });
}

/**
 * Fixture: same payload as example2, but declared with `let` and assigned
 * in a separate statement before being signed with a hard-coded key.
 */
function example3 () {
    let claims;
    claims = { one: 1, two: 2, password: "a" };
    const signed = jsonwt.sign(claims, 'secret', { some: 'params' });
}

/**
 * Fixture: the `password` key is added to an initially empty payload by
 * property assignment, then the payload is signed with a hard-coded key.
 */
function example4 () {
    const claims = {};
    claims.password = "a";
    const signed = jsonwt.sign(claims, 'secret', { some: 'params' });
}

/**
 * Fixture: the payload is assembled with Object.assign, where the first
 * source object carries the `password` key; signed with a hard-coded key.
 */
function example5 () {
    const claims = Object.assign(
        { password: 'bar' },
        { bar: 123 },
        { one: 1, two: 2 },
    );
    const signed = jsonwt.sign(claims, 'secret', { some: 'params' });
}

/**
 * Fixture: same Object.assign payload as example5, but declared with `let`
 * and assigned separately before being signed with a hard-coded key.
 */
function example6 () {
    let claims;
    claims = Object.assign(
        { password: 'bar' },
        { bar: 123 },
        { one: 1, two: 2 },
    );
    const signed = jsonwt.sign(claims, 'secret', { some: 'params' });
}

/**
 * Fixture: the Object.assign payload is built inline as the first argument
 * of sign(), with no intermediate variable; signed with a hard-coded key.
 */
function example7 () {
    const signed = jsonwt.sign(
        Object.assign({ password: 'bar' }, { bar: 123 }, { one: 1, two: 2 }),
        'secret',
        { some: 'params' },
    );
}

/**
 * Fixture: the `password` key sits one level down, inside a nested `user`
 * object in the payload literal; signed with a hard-coded key.
 */
function example8 () {
    const claims = { user: { password: "123" } };
    const signed = jsonwt.sign(claims, 'secret', { some: 'params' });
}

/**
 * Fixture: a `const` payload whose nested `user` object carries the
 * `password` key; signed with a hard-coded key.
 */
function example9 () {
    const claims = { one: 1, two: 2, user: { password: "123" } };
    const signed = jsonwt.sign(claims, 'secret', { some: 'params' });
}

/**
 * Fixture: same nested-`user` payload as example9, but declared with `let`
 * and assigned separately before being signed with a hard-coded key.
 */
function example10 () {
    let claims;
    claims = { one: 1, two: 2, user: { password: "123" } };
    const signed = jsonwt.sign(claims, 'secret', { some: 'params' });
}

// Fixture: `{...}` is not valid JavaScript — it is presumably Semgrep ellipsis
// notation standing for "any object literal". This function is a pattern
// example only and cannot be parsed or executed as written.
function example11 () {
    const payload = {...}
    // The password is added after construction, then the payload is signed with a hard-coded key.
    payload.password = "123"
      
    const token1 = jsonwt.sign(payload, 'secret', {some: 'params'})
}