python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret

Author: semgrep
Downloads: 7,452

A hardcoded JWT secret or private key is used. This is an Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html. Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables).

Definition

rules:
  - id: jwt-python-hardcoded-secret
    message: "Hardcoded JWT secret or private key is used. This is a Insufficiently
      Protected Credentials weakness:
      https://cwe.mitre.org/data/definitions/522.html Consider using an
      appropriate security mechanism to protect the credentials (e.g. keeping
      secrets in environment variables)"
    metadata:
      cwe:
        - "CWE-522: Insufficiently Protected Credentials"
      owasp:
        - A02:2017 - Broken Authentication
        - A04:2021 - Insecure Design
      references:
        - https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
      category: security
      technology:
        - jwt
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: HIGH
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    patterns:
      - pattern: |
          jwt.encode($X, $SECRET, ...)
      - focus-metavariable: $SECRET
      - pattern: |
          "..."
    languages:
      - python
    severity: ERROR

Examples

jwt-hardcode.py

import jwt

secret_const = "this-is-secret"


def bad1():
    # ruleid: jwt-python-hardcoded-secret
    encoded = jwt.encode({"some": "payload"}, "secret", algorithm="HS256")
    return encoded


def bad1b():
    # ruleid: jwt-python-hardcoded-secret
    encoded = jwt.encode({'some': 'payload'}, 'secret', algorithm='HS256')
    return encoded


def bad2():
    # ruleid: jwt-python-hardcoded-secret
    # Module-level constant: Semgrep's constant propagation resolves it to the literal.
    encoded = jwt.encode({"some": "payload"}, secret_const, algorithm="HS256")
    return encoded


def bad3():
    # Local variable assigned a literal in the same scope is resolved the same way.
    secret = "secret"
    # ruleid: jwt-python-hardcoded-secret
    encoded = jwt.encode({"some": "payload"}, secret, algorithm="HS256")
    return encoded


def ok(secret_key):
    # Key is supplied by the caller (e.g. loaded from the environment); no literal to match.
    encoded = jwt.encode({"some": "payload"}, secret_key, algorithm="HS256")
    return encoded
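The remediation the rule message points at, as an added example that is not part of the Semgrep rule or its test file: the key is read from the environment and validated before use, with a stdlib-only HS256 signer and verifier so the key's role is visible without PyJWT. The variable name JWT_SECRET, the 32-byte minimum, and the mapping parameter are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Mapping, Optional


def _b64url(data: bytes) -> str:
    # JWT uses unpadded base64url (RFC 7515, section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def load_jwt_secret(env: Optional[Mapping[str, str]] = None,
                    name: str = "JWT_SECRET", min_length: int = 32) -> bytes:
    # Read the HS256 key from the environment instead of a string literal.
    # Name and length floor are assumptions for this example; fail closed on both.
    source = os.environ if env is None else env
    value = source.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; refusing to sign tokens")
    if len(value) < min_length:
        raise RuntimeError(f"{name} is shorter than {min_length} characters")
    return value.encode("utf-8")


def encode_hs256(payload: dict, secret: bytes) -> str:
    # Minimal HS256 signer: the MAC over header.payload is the only thing a
    # forger lacks, which is why a literal key in source defeats the scheme.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    # Recompute the MAC and compare in constant time; None means reject.
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
```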