python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret
Author: semgrep
Download Count*: 7,452
License: Commons Clause License Condition v1.0[LGPL-2.1-only]
Hardcoded JWT secret or private key is used. This is an Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html. Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables).
Definition
rules:
  - id: jwt-python-hardcoded-secret
    message: "Hardcoded JWT secret or private key is used. This is an Insufficiently
      Protected Credentials weakness:
      https://cwe.mitre.org/data/definitions/522.html Consider using an
      appropriate security mechanism to protect the credentials (e.g. keeping
      secrets in environment variables)"
    metadata:
      cwe:
        - "CWE-522: Insufficiently Protected Credentials"
      owasp:
        - A02:2017 - Broken Authentication
        - A04:2021 - Insecure Design
      references:
        - https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
      category: security
      technology:
        - jwt
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: HIGH
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    patterns:
      - pattern: |
          jwt.encode($X, $SECRET, ...)
      - focus-metavariable: $SECRET
      - pattern: |
          "..."
    languages:
      - python
    severity: ERROR
Examples
jwt-hardcode.py

import jwt

# A module-level constant is still a literal in source control; Semgrep's
# constant propagation carries it into the jwt.encode call below.
secret_const = "this-is-secret"


def bad1():
    # ruleid: jwt-python-hardcoded-secret
    encoded = jwt.encode({"some": "payload"}, "secret", algorithm="HS256")
    return encoded


def bad1b():
    # ruleid: jwt-python-hardcoded-secret
    encoded = jwt.encode({'some': 'payload'}, 'secret', algorithm='HS256')
    return encoded


def bad2():
    # ruleid: jwt-python-hardcoded-secret
    encoded = jwt.encode({"some": "payload"}, secret_const, algorithm="HS256")
    return encoded


def bad3():
    # A local assigned from a literal is propagated the same way.
    secret = "secret"
    # ruleid: jwt-python-hardcoded-secret
    encoded = jwt.encode({"some": "payload"}, secret, algorithm="HS256")
    return encoded


def ok(secret_key):
    # The key is supplied by the caller (e.g. read from the environment or a
    # secret store), so no literal reaches the call and the rule does not fire.
    encoded = jwt.encode({"some": "payload"}, secret_key, algorithm="HS256")
    return encoded
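The rule reports the encode side only; what the finding means in practice is that anyone who can read the repository can mint tokens the service will accept. The following is an added example, not code from the rule, the Semgrep registry, or PyJWT: a minimal standard-library HS256 signer/verifier stands in for jwt.encode/jwt.decode so it runs without dependencies, a verifier with the literal secret the rule would flag is placed beside a hardened one that loads the key from an environment variable and fails closed if it is missing, and the verify side pins the algorithm (which the rule does not check, but which matters for the same tokens). The variable name JWT_SECRET, the 32-byte minimum, and the token payloads are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets

HEADER = {"alg": "HS256", "typ": "JWT"}


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7515 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_encode(payload: dict, key: bytes) -> str:
    """Minimal HS256 JWT, standing in for jwt.encode(payload, key, algorithm="HS256")."""
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (HEADER, payload)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def hs256_decode(token: str, key: bytes) -> dict:
    """Verify the signature and return the payload; raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; the token's own header must not choose it
    # (the role of the algorithms=["HS256"] argument to jwt.decode in PyJWT).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def load_jwt_key(env_var: str = "JWT_SECRET") -> bytes:
    """Fail closed: a missing or weak key stops the service instead of falling
    back to a default. Variable name and 32-byte floor are assumptions."""
    value = os.environ.get(env_var)
    if not value:
        raise RuntimeError(f"{env_var} is not set")
    key = value.encode()
    if len(key) < 32:
        raise RuntimeError(f"{env_var} must be at least 32 bytes for HS256")
    return key


def _safe_decode(token: str, key: bytes):
    try:
        return hs256_decode(token, key)
    except ValueError:
        return None


def verify_vulnerable(token: str):
    # The defect the rule reports: the key is a literal in version control.
    return _safe_decode(token, b"secret")


def verify_hardened(token: str):
    return _safe_decode(token, load_jwt_key())


def forge_admin_token(leaked_secret: str = "secret") -> str:
    """What an attacker who has read the source can do with the literal."""
    return hs256_encode({"sub": "attacker", "role": "admin"}, leaked_secret.encode())


def alg_none_token(payload: dict) -> str:
    """Unsigned token with alg=none: the usual downgrade probe against verifiers."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return header + "." + _b64url(json.dumps(payload).encode()) + "."


def demo() -> dict:
    # Constructed for the offline run only: in deployment JWT_SECRET is injected
    # by the secret store and never appears in code or in the repository.
    os.environ.setdefault("JWT_SECRET", secrets.token_urlsafe(48))
    key = load_jwt_key()
    own = hs256_encode({"sub": "alice", "role": "user"}, key)
    forged = forge_admin_token("secret")
    unsigned = alg_none_token({"sub": "attacker", "role": "admin"})
    return {
        "vulnerable_accepts_forged": verify_vulnerable(forged) is not None,
        "hardened_accepts_own": verify_hardened(own) == {"sub": "alice", "role": "user"},
        "hardened_rejects_forged": verify_hardened(forged) is None,
        "hardened_rejects_alg_none": verify_hardened(unsigned) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the two halves of the finding: the verifier built on the literal accepts a token forged by anyone who knows it, while the verifier keyed from the environment accepts only tokens signed with the deployed key and rejects both the forgery and an unsigned alg=none token. With PyJWT the same shape is jwt.encode(payload, load_jwt_key(), algorithm="HS256") on one side and jwt.decode(token, load_jwt_key(), algorithms=["HS256"]) on the other.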
Short Link: https://sg.run/l2E9