python.jwt.security.jwt-none-alg.jwt-python-none-alg
semgrep
Author
7,452
Download Count*
License
Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.
Run Locally
Run in CI
Defintion
rules:
- id: jwt-python-none-alg
message: Detected use of the 'none' algorithm in a JWT token. The 'none'
algorithm assumes the integrity of the token has already been verified.
This would allow a malicious actor to forge a JWT token that will
automatically be verified. Do not explicitly use the 'none' algorithm.
Instead, use an algorithm such as 'HS256'.
metadata:
cwe:
- "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
category: security
technology:
- jwt
references:
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
subcategory:
- vuln
likelihood: MEDIUM
impact: MEDIUM
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cryptographic Issues
languages:
- python
severity: ERROR
pattern-either:
- pattern: |
jwt.encode(...,algorithm="none",...)
- pattern: jwt.decode(...,algorithms=[...,"none",...],...)
Examples
jwt-none-alg.py
import jwt
def bad1():
# ruleid: jwt-python-none-alg
encoded = jwt.encode({'some': 'payload'}, None, algorithm='none')
return encoded
def bad2(encoded):
# ruleid: jwt-python-none-alg
jwt.decode(encoded, None, algorithms=['none'])
return encoded
def ok(secret_key):
# ok: jwt-python-none-alg
encoded = jwt.encode({'some': 'payload'}, secret_key, algorithm='HS256')
return encoded
Short Link: https://sg.run/Yvp4