python.jwt.security.unverified-jwt-decode.unverified-jwt-decode
Author: semgrep
Download Count*: 7,452
License: Commons Clause License Condition v1.0 [LGPL-2.1-only]
Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified.
Definition
rules:
  - id: unverified-jwt-decode
    patterns:
      - pattern-either:
          - patterns:
              - pattern: >
                  jwt.decode(..., options={..., "verify_signature": $BOOL, ...},
                  ...)
              - metavariable-pattern:
                  metavariable: $BOOL
                  pattern: |
                    False
              - focus-metavariable: $BOOL
          - patterns:
              - pattern: |
                  $OPTS = {..., "verify_signature": $BOOL, ...}
                  ...
                  jwt.decode(..., options=$OPTS, ...)
              - metavariable-pattern:
                  metavariable: $BOOL
                  pattern: |
                    False
              - focus-metavariable: $BOOL
    message: Detected JWT token decoded with 'verify=False'. This bypasses any
      integrity checks for the token which means the token could be tampered
      with by malicious actors. Ensure that the JWT token is verified.
    metadata:
      owasp:
        - A02:2017 - Broken Authentication
        - A07:2021 - Identification and Authentication Failures
      cwe:
        - "CWE-287: Improper Authentication"
      references:
        - https://github.com/we45/Vulnerable-Flask-App/blob/752ee16087c0bfb79073f68802d907569a1f0df7/app/app.py#L96
      category: security
      technology:
        - jwt
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authentication
    fix: |
      True
    severity: ERROR
    languages:
      - python
Examples
unverified-jwt-decode.py
# cf. https://github.com/we45/Vulnerable-Flask-App/blob/752ee16087c0bfb79073f68802d907569a1f0df7/app/app.py#L96
import jwt
from jwt.exceptions import DecodeError, MissingRequiredClaimError, InvalidKeyError


def tests(token):
    # The original fixture leaves `encoded` and `key` undefined; these two
    # lines are constructed placeholders so the function is syntactically
    # complete. They do not affect what the rule matches.
    encoded = token
    key = "placeholder-secret"
    # ruleid:unverified-jwt-decode
    jwt.decode(encoded, key, options={"verify_signature": False})
    # ruleid:unverified-jwt-decode
    opts = {"verify_signature": False}
    jwt.decode(encoded, key, options=opts)
    a_false_boolean = False
    # ruleid:unverified-jwt-decode
    opts2 = {"verify_signature": a_false_boolean}
    jwt.decode(encoded, key, options=opts2)
    # ok:unverified-jwt-decode
    jwt.decode(encoded, key, options={"verify_signature": True})
    opts = {"verify_signature": True}
    # ok:unverified-jwt-decode
    jwt.decode(encoded, key, options=opts)
    a_false_boolean = True
    opts2 = {"verify_signature": a_false_boolean}
    # ok:unverified-jwt-decode
    jwt.decode(encoded, key, options=opts2)
    # ok:unverified-jwt-decode
    jwt.decode(encoded, key)
Short Link: https://sg.run/6nyB