python.jwt.security.jwt-none-alg.jwt-python-none-alg

profile photo of returntocorpreturntocorp
Author
7,452
Download Count*

Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.

Run Locally

Run in CI

Defintion

rules:
  - id: jwt-python-none-alg
    message: Detected use of the 'none' algorithm in a JWT token. The 'none'
      algorithm assumes the integrity of the token has already been verified.
      This would allow a malicious actor to forge a JWT token that will
      automatically be verified. Do not explicitly use the 'none' algorithm.
      Instead, use an algorithm such as 'HS256'.
    metadata:
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://r2c.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
      category: security
      technology:
        - jwt
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - python
    severity: ERROR
    pattern-either:
      - pattern: |
          jwt.encode(...,algorithm="none",...)
      - pattern: jwt.decode(...,algorithms=[...,"none",...],...)

Examples

jwt-none-alg.py

import jwt

def bad1():
    # ruleid: jwt-python-none-alg
    encoded = jwt.encode({'some': 'payload'}, None, algorithm='none')
    return encoded

def bad2(encoded):
    # ruleid: jwt-python-none-alg
    jwt.decode(encoded, None, algorithms=['none'])
    return encoded

def ok(secret_key):
    # ok: jwt-python-none-alg
    encoded = jwt.encode({'some': 'payload'}, secret_key, algorithm='HS256')
    return encoded