python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret

profile photo of returntocorpreturntocorp
Author
7,452
Download Count*

Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)

Run Locally

Run in CI

Defintion

rules:
  - id: jwt-python-hardcoded-secret
    message: "Hardcoded JWT secret or private key is used. This is a Insufficiently
      Protected Credentials weakness:
      https://cwe.mitre.org/data/definitions/522.html Consider using an
      appropriate security mechanism to protect the credentials (e.g. keeping
      secrets in environment variables)"
    metadata:
      cwe:
        - "CWE-522: Insufficiently Protected Credentials"
      owasp:
        - A02:2017 - Broken Authentication
        - A04:2021 - Insecure Design
      references:
        - https://r2c.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
      category: security
      technology:
        - jwt
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: HIGH
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    patterns:
      - pattern: |
          jwt.encode($X, $SECRET, ...)
      - focus-metavariable: $SECRET
      - pattern: |
          "..."
    languages:
      - python
    severity: ERROR

Examples

jwt-hardcode.py

import jwt

secret_const = "this-is-secret"


def bad1():
    # ruleid: jwt-python-hardcoded-secret
    encoded = jwt.encode({"some": "payload"}, "secret", algorithm="HS256")
    return encoded

def bad1b():
    # ruleid: jwt-python-hardcoded-secret
    encoded = jwt.encode({'some': 'payload'}, 'secret', algorithm='HS256')
    return encoded


def bad2():
    # ruleid: jwt-python-hardcoded-secret
    encoded = jwt.encode({"some": "payload"}, secret_const, algorithm="HS256")
    return encoded


def bad3():
    secret = "secret"
    # ruleid: jwt-python-hardcoded-secret
    encoded = jwt.encode({"some": "payload"}, secret, algorithm="HS256")
    return encoded


def ok(secret_key):
    encoded = jwt.encode({"some": "payload"}, secret_key, algorithm="HS256")
    return encoded