python.jwt.security.audit.jwt-exposed-data.jwt-python-exposed-data

profile photo of semgrepsemgrep
Author
7,452
Download Count*
LGPL Commons Clause
License

The object is passed strictly to jwt.encode(...) Make sure that sensitive information is not exposed through JWT token payload.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: jwt-python-exposed-data
    message: The object is passed strictly to jwt.encode(...) Make sure that
      sensitive information is not exposed through JWT token payload.
    severity: WARNING
    metadata:
      owasp:
        - A02:2017 - Broken Authentication
        - A04:2021 - Insecure Design
      cwe:
        - "CWE-522: Insufficiently Protected Credentials"
      source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
      category: security
      technology:
        - jwt
      references:
        - https://owasp.org/Top10/A04_2021-Insecure_Design
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - python
    patterns:
      - pattern-inside: |
          def $FUNC(...,$INPUT,...):
            ...
      - pattern: jwt.encode($INPUT,...)

Examples

jwt-exposed-data.py

import jwt

def bad1(secret, payload):
    # ruleid: jwt-python-exposed-data
    encoded = jwt.encode(payload, secret, algorithm='HS256')
    return encoded

def ok(secret_key):
    # ok: jwt-python-exposed-data
    encoded = jwt.encode({'some': 'payload'}, secret_key, algorithm='HS256')
    return encoded