javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret

A hard-coded credential was detected. Storing credentials in source code is not recommended: anyone with read access to the repository (or to a build artifact, backup or leaked copy of it) obtains the secret, and for a JWT signing secret that means being able to mint tokens the application will accept. Provide credentials through environment variables, or retrieve them at runtime from a secrets manager, vault or HSM (Hardware Security Module), and rotate any secret that has already been committed.
Definition
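# Semgrep taint rule: reports a string literal used as the secret/key argument of
# jsonwebtoken's sign()/verify(), whether passed inline or through a variable
# assigned from a literal. Scope caveat for reviewers: only literals visible at
# the call site are caught. A secret that arrives via another module (e.g.
# `config.secret`) or is assembled at runtime is not reported, even when that
# module is itself committed to the repository.
rules:
  - id: hardcoded-jwt-secret
    message: A hard-coded credential was detected. It is not recommended to store
      credentials in source-code, as this risks secrets being leaked and used by
      either an internal or external malicious adversary. It is recommended to
      use environment variables to securely provide credentials or retrieve
      credentials from a secure vault or HSM (Hardware Security Module).
    metadata:
      cwe:
        - "CWE-798: Use of Hard-coded Credentials"
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html
      owasp:
        - A07:2021 - Identification and Authentication Failures
      asvs:
        section: "V3: Session Management Verification Requirements"
        control_id: 3.5.2 Static API keys or secret
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management
        version: "4"
      category: security
      technology:
        - jwt
        - javascript
        - secrets
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: HIGH
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - javascript
      - typescript
    severity: WARNING
    # Taint mode: a finding is raised when a value matched by a source reaches a sink.
    mode: taint
    # Sources: places where a hard-coded string enters the program.
    pattern-sources:
      - patterns:
          - pattern-either:
              # Variable assigned from a string literal, used anywhere later in
              # the same scope; the variable itself is the tainted expression.
              # (Semgrep string patterns are quote-agnostic for JS, so '$Y' and
              # "$Y" should both match either quote style -- confirm on the
              # Semgrep version in use.)
              - patterns:
                  - pattern-inside: |
                      $VALUE = '$Y'
                      ...
                  - pattern: $VALUE
              # Literal passed directly as the second argument. Note that $VALUE
              # here binds the payload; metavariable names are local to each
              # pattern, so it is unrelated to the sink's $VALUE below. With
              # pattern-inside alone the whole call is the source range, which is
              # evidently enough for the literal inside it to reach the focused
              # sink (example2 in the test file is annotated ruleid).
              - pattern-inside: $JWT.sign($VALUE, '$Y',...)
              - pattern-inside: $JWT.verify($VALUE, '$Y',...)
              # Module-level literal that is later used inside a class body.
              - patterns:
                  - pattern-inside: |
                      $SECRET = "$Y"
                      ...
                      class $FUNC {
                        ...
                      }
                  - pattern: $SECRET
    # Sinks: the secret/key argument of sign()/verify() on the jsonwebtoken
    # module, under each import form the rule recognises.
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern-inside: |
                  $JWT = require("jsonwebtoken")
                  ...
              - pattern-inside: |
                  import $JWT from "jsonwebtoken"
                  ...
              - pattern-inside: |
                  import * as $JWT from "jsonwebtoken"
                  ...
              - pattern-inside: |
                  import {...,$JWT,...} from "jsonwebtoken"
                  ...
          - pattern-either:
              - pattern-inside: |
                  $JWT.sign($DATA,$VALUE,...);
              - pattern-inside: |
                  $JWT.verify($DATA,$VALUE,...);
          # Only the secret argument is the sink, not the whole call.
          - focus-metavariable: $VALUE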
Examples
jwt-hardcode.js
"use strict";
const config = require('./config')
const jsonwt = require('jsonwebtoken')
// Secret assigned from a string literal and then passed to sign(): expected to
// be reported via the rule's `$VALUE = '$Y' ... $VALUE` source.
function example1() {
const payload = {foo: 'bar'}
const secret = 'shhhhh'
// ruleid: hardcoded-jwt-secret
const token1 = jsonwt.sign(payload, secret)
}
// Literal passed inline as the secret argument: expected to be reported via
// the rule's `$JWT.sign($VALUE, '$Y', ...)` source.
function example2() {
const payload = {foo: 'bar'}
// ruleid: hardcoded-jwt-secret
const token2 = jsonwt.sign(payload, 'some-secret')
}
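// Secret read from another module: it is not a string literal at the call
// site, so the rule stays quiet. This is only as safe as `./config` itself --
// a literal secret committed in that module is out of this rule's reach.
// The `ok:` annotation sits directly above the call it describes, matching
// the `ruleid:` placement used elsewhere in this file.
function example3() {
const payload = {foo: 'bar'}
// ok: hardcoded-jwt-secret
const token3 = jsonwt.sign(payload, config.secret)
}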
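// Same as example3, but the module value is first copied into a local. The
// source patterns only match assignments from a string literal, so `secret2`
// is not tainted and nothing is reported. Again, whether `./config` holds a
// committed literal is not checked here.
// The `ok:` annotation sits directly above the call it describes, matching
// the `ruleid:` placement used elsewhere in this file.
function example4() {
const payload = {foo: 'bar'}
const secret2 = config.secret
// ok: hardcoded-jwt-secret
const token4 = jsonwt.sign(payload, secret2)
}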
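// Secret supplied through the environment -- the pattern the rule message
// recommends. `process.env.SECRET` is not a literal, so nothing is reported.
// The `ok:` annotation sits directly above the call it describes, matching
// the `ruleid:` placement used elsewhere in this file.
function example5() {
const payload = {foo: 'bar'}
const secret3 = process.env.SECRET
// ok: hardcoded-jwt-secret
const token5 = jsonwt.sign(payload, secret3)
}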
// Fixture for the class case below. `Promise` is not referenced anywhere in
// the visible code; the module-level literal `secret` is what the rule's
// `$SECRET = "$Y" ... class $FUNC { ... }` source is meant to match.
const Promise = require("bluebird");
const secret = "hardcoded-secret"
// Module-level literal secret consumed inside a class method: expected to be
// reported.
class Authentication {
// Signs `obj` with the module-level literal `secret`; `{}` passes no options.
static sign(obj){
// ruleid: hardcoded-jwt-secret
return jsonwt.sign(obj, secret, {});
}
}
// Exported so the fixture resembles a real auth module; not needed by the rule.
module.exports = Authentication;