javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret


A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).


Definition

# Semgrep taint-mode rule: a string literal that is assigned to a variable, or
# written directly as the key argument, and that reaches the key parameter of
# jsonwebtoken's sign()/verify() is reported as a hard-coded credential.
rules:
  - id: hardcoded-jwt-secret
    message: A hard-coded credential was detected. It is not recommended to store
      credentials in source-code, as this risks secrets being leaked and used by
      either an internal or external malicious adversary. It is recommended to
      use environment variables to securely provide credentials or retrieve
      credentials from a secure vault or HSM (Hardware Security Module).
    metadata:
      cwe:
        - "CWE-798: Use of Hard-coded Credentials"
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
      owasp:
        - A07:2021 - Identification and Authentication Failures
      asvs:
        section: "V3: Session Management Verification Requirements"
        control_id: 3.5.2 Static API keys or secret
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management
        version: "4"
      category: security
      technology:
        - jwt
        - javascript
        - secrets
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: HIGH
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Hard-coded Secrets
    languages:
      - javascript
      - typescript
    severity: WARNING
    # Taint mode: a finding needs data flow from one of the sources below into a sink.
    mode: taint
    pattern-sources:
      # Source 1: an assignment whose right-hand side is a string literal. Both
      # patterns apply to the same assignment; the second binds the literal's
      # contents to $Y.
      # NOTE(review): a key built at runtime (template literal, concatenation,
      # an environment lookup with a literal fallback) is presumably not a
      # literal RHS and would not be a source here — confirm before relying on
      # this rule to catch fallback secrets.
      - patterns:
          - pattern: |
              $X = '...' 
          - pattern: |
              $X = '$Y' 
      # Source 2: a string literal written directly as the key argument of
      # sign()/verify().
      - patterns:
          - pattern-either:
              - pattern-inside: |
                  $JWT.sign($DATA,"...",...);
              - pattern-inside: |
                  $JWT.verify($DATA,"...",...);
    pattern-sinks:
      # Sink: the key argument of sign()/verify(), but only where $JWT was bound
      # from the "jsonwebtoken" module through one of the import forms listed here.
      - patterns:
          - pattern-either:
              - pattern-inside: |
                  $JWT = require("jsonwebtoken")
                  ...
              - pattern-inside: |
                  import $JWT from "jsonwebtoken"
                  ...
              - pattern-inside: |
                  import * as $JWT from "jsonwebtoken"
                  ...
              - pattern-inside: |
                  import {...,$JWT,...} from "jsonwebtoken"
                  ...
          - pattern-either:
              - pattern-inside: |
                  $JWT.sign($DATA,$VALUE,...);
              - pattern-inside: |
                  $JWT.verify($DATA,$VALUE,...);
          # Only the key argument ($VALUE) is the sink; a literal payload ($DATA)
          # or a literal in the trailing options is not reported.
          - focus-metavariable: $VALUE

Examples

jwt-hardcode.js

"use strict";

const config = require('./config')
const jsonwt = require('jsonwebtoken')

/**
 * Fixture (expected finding): the key is a string literal bound to a local and
 * then passed as the key argument of sign(). The rule's literal-assignment
 * source flows into its sign() sink, so the test harness expects a report on
 * the line directly below the `ruleid:` annotation — keep them adjacent.
 */
function example1() {
  const payload = {foo: 'bar'}
  const secret = 'shhhhh'
  // ruleid: hardcoded-jwt-secret
  const token1 = jsonwt.sign(payload, secret)
}

/**
 * Fixture (expected finding): the key is written directly as a string literal
 * in the sign() call. This exercises the rule's second source, the literal
 * key argument inside sign()/verify(), rather than the assignment source.
 */
function example2() {
  const payload = {foo: 'bar'}
  // ruleid: hardcoded-jwt-secret
  const token2 = jsonwt.sign(payload, 'some-secret')
}

/**
 * Fixture (no finding expected): the key is read from a required module, so no
 * string literal in this file reaches the sink. Note that `ok` only means the
 * rule has nothing to match here; it makes no claim about how ./config obtains
 * the value.
 */
function example3() {
  // ok: hardcoded-jwt-secret
  const payload = {foo: 'bar'}
  const token3 = jsonwt.sign(payload, config.secret)
}

/**
 * Fixture (no finding expected): same as example3, but the module-provided key
 * goes through an intermediate local before reaching sign(). The local is not
 * assigned a string literal, so it is not a source for this rule.
 */
function example4() {
  // ok: hardcoded-jwt-secret
  const payload = {foo: 'bar'}
  const secret2 = config.secret
  const token4 = jsonwt.sign(payload, secret2)
}

/**
 * Fixture (no finding expected): the key comes from an environment variable,
 * which is the remediation the rule's message recommends. Nothing here is a
 * string literal, so the rule has no source.
 */
function example5() {
  // ok: hardcoded-jwt-secret
  const payload = {foo: 'bar'}
  const secret3 = process.env.SECRET 
  const token5 = jsonwt.sign(payload, secret3)
}

// NOTE(review): this binding shadows the global Promise and is not used
// anywhere in this file; it appears to be carried over from the original
// sample rather than needed by the fixture.
const Promise = require("bluebird");
// Module-level string literal that Authentication.sign() below passes as the
// key; this is the source for the finding expected in that method.
const secret = "hardcoded-secret"
/**
 * Fixture (expected finding): the key is the module-level `secret` literal
 * declared above, passed as the key argument of sign() from inside a static
 * method. The fixture expects the rule to connect the file-scope literal to
 * this sink; the trailing `{}` options argument is covered by the `...` in
 * the sink pattern.
 */
class Authentication {
    static sign(obj){
        // ruleid: hardcoded-jwt-secret
        return jsonwt.sign(obj, secret, {});
    }
}

// CommonJS export of the fixture class; not relevant to the rule match itself.
module.exports = Authentication;