python.jwt.security.audit.jwt-exposed-data.jwt-python-exposed-data
Author: semgrep
Download count: 7,452
License: Commons Clause License Condition v1.0 [LGPL-2.1-only]
The object is passed directly to jwt.encode(...). Make sure that sensitive information is not exposed through the JWT payload: the claims of a signed (JWS) token are only base64url-encoded, not encrypted, so anyone who holds the token can read them without the signing key.
Definition
rules:
  - id: jwt-python-exposed-data
    message: The object is passed directly to jwt.encode(...). Make sure that
      sensitive information is not exposed through the JWT payload.
    severity: WARNING
    metadata:
      owasp:
        - A02:2017 - Broken Authentication
        - A04:2021 - Insecure Design
      cwe:
        - "CWE-522: Insufficiently Protected Credentials"
      source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
      category: security
      technology:
        - jwt
      references:
        - https://owasp.org/Top10/A04_2021-Insecure_Design
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - python
    patterns:
      - pattern-inside: |
          def $FUNC(...,$INPUT,...):
            ...
      - pattern: jwt.encode($INPUT,...)
Examples
jwt-exposed-data.py
import jwt


def bad1(secret, payload):
    # `payload` is a function parameter handed straight to jwt.encode, so
    # every field the caller put in it becomes readable in the token.
    # ruleid: jwt-python-exposed-data
    encoded = jwt.encode(payload, secret, algorithm='HS256')
    return encoded


def ok(secret_key):
    # The claims are constructed inside the function rather than taken from
    # a parameter, so the pattern does not match.
    # ok: jwt-python-exposed-data
    encoded = jwt.encode({'some': 'payload'}, secret_key, algorithm='HS256')
    return encoded
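The exposure the rule warns about, shown end to end as an added example; this is not the rule's test file above and not PyJWT's code. A minimal HS256 encoder and verifier written with the standard library stands in for jwt.encode so the block runs offline, and USER_RECORD, ALLOWED_CLAIMS and all function names are constructed for this illustration. It contrasts signing a caller's whole object with copying an explicit allowlist of claims, and shows that an observer recovers the leaked fields from the token without ever seeing the signing key.

```python
import base64
import hashlib
import hmac
import json

# Minimal HS256 JWT helpers written for this example as a stand-in for
# PyJWT's jwt.encode/jwt.decode; they are not PyJWT code.


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def hs256_encode(payload: dict, secret: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def hs256_verify(token: str, secret: bytes) -> dict:
    # What the token consumer does: check the HMAC before trusting the claims.
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def read_payload_unverified(token: str) -> dict:
    # What any observer can do: the payload is base64url, not ciphertext,
    # so no key is needed to read it.
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


# Constructed sample: a user row as an ORM might hand it back. The hash and
# MFA seed are placeholders, not real secrets.
USER_RECORD = {
    "id": 42,
    "email": "alice@example.com",
    "password_hash": "$2b$12$abcdefghijklmnopqrstuv",
    "mfa_secret": "JBSWY3DPEHPK3PXP",
    "role": "admin",
}

# The only claims the token is meant to carry.
ALLOWED_CLAIMS = ("id", "role")


def issue_token_bad(record: dict, secret: bytes) -> str:
    # The shape the rule flags: a caller-supplied object signed as-is.
    return hs256_encode(record, secret)


def issue_token_ok(record: dict, secret: bytes) -> str:
    # Hardened: build the payload from an explicit allowlist so fields added
    # to the record later can never leak into the token by accident.
    claims = {k: record[k] for k in ALLOWED_CLAIMS if k in record}
    return hs256_encode(claims, secret)


def leaked_fields(token: str) -> set:
    # Fields readable from the token that were never meant to be claims.
    return set(read_payload_unverified(token)) - set(ALLOWED_CLAIMS)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    print("bad token leaks:", sorted(leaked_fields(issue_token_bad(USER_RECORD, secret))))
    print("ok token leaks:", sorted(leaked_fields(issue_token_ok(USER_RECORD, secret))))
```

The rule's LOW confidence and audit subcategory reflect that the pattern matches any parameter passed to jwt.encode, including one the caller has already filtered, so each finding needs a manual check of where the object originates. The allowlist approach in issue_token_ok also keeps the token small, which matters because every byte of the payload travels on every request.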
Short Link: https://sg.run/ox8R