python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials
Author: semgrep
Download Count: 7,452
Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.
Definition
rules:
  - id: jwt-python-exposed-credentials
    languages:
      - python
    metadata:
      cwe:
        - "CWE-522: Insufficiently Protected Credentials"
      owasp:
        - A02:2017 - Broken Authentication
        - A04:2021 - Insecure Design
      source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
      references:
        - https://cwe.mitre.org/data/definitions/522.html
      category: security
      technology:
        - jwt
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    message: Password is exposed through JWT token payload. This is not encrypted
      and the password could be compromised. Do not store passwords in JWT
      tokens.
    pattern-either:
      - pattern: |
          jwt.encode({...,"password":$P,...},...)
      - pattern: |
          $PAYLOAD = {...,"password":$P,...}
          ...
          jwt.encode($PAYLOAD,...)
    severity: ERROR
Examples
jwt-exposed-credentials.py
import jwt

# Module-level payload carrying a password; the second pattern of the rule
# matches this assignment together with the later jwt.encode(payload, ...) call.
# ruleid: jwt-python-exposed-credentials
payload = {'foo': 'bar', 'password': 123}


def bad1(secret, value):
    # Password literal placed directly in the dict passed to jwt.encode.
    # ruleid: jwt-python-exposed-credentials
    encoded = jwt.encode({'some': 'payload', 'password': value}, secret, algorithm='HS256')
    return encoded


def bad2(secret):
    # Encodes the module-level payload defined above (finding is reported at the assignment).
    encoded = jwt.encode(payload, secret, algorithm='HS256')
    return encoded


def bad3(secret, value):
    # Password stored in a local dict that is then encoded.
    # ruleid: jwt-python-exposed-credentials
    pp = {'one': 'two', 'password': value}
    encoded = jwt.encode(pp, secret, algorithm='HS256')
    return encoded


def ok(secret_key):
    # No credential in the payload: the rule does not fire.
    # ok: jwt-python-exposed-credentials
    encoded = jwt.encode({'some': 'payload'}, secret_key, algorithm='HS256')
    return encoded
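The rule's message says the payload "is not encrypted"; the following added example (not part of the Semgrep rule page or of PyJWT) shows concretely why a password put into a JWT is readable by anyone holding the token. It re-implements the HS256 signing scheme with the standard library only, so it runs without PyJWT; the `SECRET` value and the sample claims are constructed placeholders, and `payload_exposes_credentials` is a hypothetical helper mirroring the condition the rule's two patterns match (a top-level `"password"` key in the encoded dict).

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    # JWT segments are base64url without padding (RFC 7515, section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Re-add the padding that _b64url stripped.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_hs256(payload: dict, secret: bytes) -> str:
    """Minimal HS256 JWS (header.payload.signature).

    Only the signature depends on the key; header and payload are plain
    base64url-encoded JSON. This is an illustrative re-implementation, not PyJWT.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_hs256(token: str, secret: bytes) -> bool:
    """The signature guarantees integrity, not confidentiality."""
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def read_payload_without_key(token: str) -> dict:
    """What any holder of the token can do: no secret, no signature check."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def payload_exposes_credentials(payload: dict) -> bool:
    """Hypothetical helper: the same condition the Semgrep patterns match."""
    return "password" in payload


# Constructed sample values (placeholders, not real secrets or credentials).
SECRET = b"example-signing-key"
bad_token = encode_hs256({"sub": "alice", "password": "hunter2"}, SECRET)
ok_token = encode_hs256({"sub": "alice", "role": "user"}, SECRET)


if __name__ == "__main__":
    # The password is recoverable from bad_token without SECRET.
    print(read_payload_without_key(bad_token))
    print(read_payload_without_key(ok_token))
```

The safe shape is the one in the page's `ok` function: the token carries identity and authorization claims (`sub`, `role`), and the password never leaves the server-side verification step.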
Short Link: https://sg.run/qxPy