python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials

Author: semgrep
Download count: 7,452

Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.


Definition

rules:
  - id: jwt-python-exposed-credentials
    languages:
      - python
    metadata:
      cwe:
        - "CWE-522: Insufficiently Protected Credentials"
      owasp:
        - A02:2017 - Broken Authentication
        - A04:2021 - Insecure Design
      source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
      references:
        - https://cwe.mitre.org/data/definitions/522.html
      category: security
      technology:
        - jwt
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    message: Password is exposed through JWT token payload. This is not encrypted
      and the password could be compromised. Do not store passwords in JWT
      tokens.
    pattern-either:
      - pattern: |
          jwt.encode({...,"password":$P,...},...)
      - pattern: |
          $PAYLOAD = {...,"password":$P,...}
          ...
          jwt.encode($PAYLOAD,...)
    severity: ERROR

Examples

jwt-exposed-credentials.py

import jwt

# ruleid: jwt-python-exposed-credentials
payload = {'foo': 'bar','password': 123}

def bad1(secret, value):
    # ruleid: jwt-python-exposed-credentials
    encoded = jwt.encode({'some': 'payload','password': value}, secret, algorithm='HS256')
    return encoded

def bad2(secret):
    encoded = jwt.encode(payload, secret, algorithm='HS256')
    return encoded

def bad3(secret, value):
    # ruleid: jwt-python-exposed-credentials
    pp = {'one': 'two','password': value}
    encoded = jwt.encode(pp, secret, algorithm='HS256')
    return encoded

def ok(secret_key):
    # ok: jwt-python-exposed-credentials
    encoded = jwt.encode({'some': 'payload'}, secret_key, algorithm='HS256')
    return encoded
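The following is an added example, not part of the rule page or the Semgrep test file, illustrating why the rule fires: a JWS token is signed but not encrypted, so every claim is readable by anyone who holds the token, without the signing key. It uses a stdlib-only HS256 signer as a stand-in for `jwt.encode()`, so it runs without PyJWT; `SECRET`, the claim values and the `leaked_credential_fields` audit helper are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Stand-in for PyJWT's jwt.encode(): same token layout, stdlib only.
# Layout: base64url(header).base64url(claims).base64url(HMAC-SHA256(signing input))
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def encode_hs256(claims: dict, secret: str) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_hs256(token: str, secret: str) -> bool:
    """Signature check: proves integrity and origin, says nothing about confidentiality."""
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))

def read_claims_without_key(token: str) -> dict:
    """Decode the claims segment. No secret needed: a JWS signs, it does not encrypt."""
    _header, claims, _sig = token.split(".")
    return json.loads(_b64url_decode(claims))

def leaked_credential_fields(token: str) -> list:
    """Audit helper (constructed): credential-like claim names readable by any token holder."""
    claims = read_claims_without_key(token)
    return sorted(k for k in claims if k.lower() in {"password", "passwd", "pwd", "secret"})

SECRET = "server-signing-key"  # constructed sample value

def bad_token() -> str:
    # The pattern the rule flags: the user's password placed in the payload.
    return encode_hs256({"sub": "alice", "password": "hunter2"}, SECRET)

def ok_token() -> str:
    # Fixed form: verify the password server-side once, then issue a token
    # carrying only an identity claim and an expiry.
    return encode_hs256({"sub": "alice", "exp": 1700000000}, SECRET)

if __name__ == "__main__":
    print("bad token verifies:", verify_hs256(bad_token(), SECRET))
    print("bad token claims, read without the key:", read_claims_without_key(bad_token()))
    print("leaked fields, bad vs ok:", leaked_credential_fields(bad_token()), leaked_credential_fields(ok_token()))
```

Both tokens carry a valid signature; only the second is safe to hand to a client, which is exactly the distinction the rule's message draws.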