python.jwt.security.unverified-jwt-decode.unverified-jwt-decode

Author: semgrep

Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified.


Definition

rules:
  - id: unverified-jwt-decode
    patterns:
      - pattern-either:
          - patterns:
              - pattern: >
                  jwt.decode(..., options={..., "verify_signature": $BOOL, ...},
                  ...)
              - metavariable-pattern:
                  metavariable: $BOOL
                  pattern: |
                    False
              - focus-metavariable: $BOOL
          - patterns:
              - pattern: |
                  $OPTS = {..., "verify_signature": $BOOL, ...}
                  ...
                  jwt.decode(..., options=$OPTS, ...)
              - metavariable-pattern:
                  metavariable: $BOOL
                  pattern: |
                    False
              - focus-metavariable: $BOOL
    message: Detected JWT token decoded with 'verify=False'. This bypasses any
      integrity checks for the token which means the token could be tampered
      with by malicious actors. Ensure that the JWT token is verified.
    metadata:
      owasp:
        - A02:2017 - Broken Authentication
        - A07:2021 - Identification and Authentication Failures
      cwe:
        - "CWE-287: Improper Authentication"
      references:
        - https://github.com/we45/Vulnerable-Flask-App/blob/752ee16087c0bfb79073f68802d907569a1f0df7/app/app.py#L96
      category: security
      technology:
        - jwt
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authentication
    fix: |
      True
    severity: ERROR
    languages:
      - python

Examples

unverified-jwt-decode.py

# cf. https://github.com/we45/Vulnerable-Flask-App/blob/752ee16087c0bfb79073f68802d907569a1f0df7/app/app.py#L96

import jwt
from jwt.exceptions import DecodeError, MissingRequiredClaimError, InvalidKeyError

def tests(encoded, key):  # the body decodes `encoded` with `key`, so take both as parameters
    # ruleid:unverified-jwt-decode
    jwt.decode(encoded, key, options={"verify_signature": False})

    # ruleid:unverified-jwt-decode
    opts = {"verify_signature": False}
    jwt.decode(encoded, key, options=opts)

    a_false_boolean = False
    # ruleid:unverified-jwt-decode
    opts2 = {"verify_signature": a_false_boolean}
    jwt.decode(encoded, key, options=opts2)

    # ok:unverified-jwt-decode
    jwt.decode(encoded, key, options={"verify_signature": True})

    opts = {"verify_signature": True}
    # ok:unverified-jwt-decode
    jwt.decode(encoded, key, options=opts)

    a_false_boolean = True
    opts2 = {"verify_signature": a_false_boolean}
    # ok:unverified-jwt-decode
    jwt.decode(encoded, key, options=opts2)

    # ok:unverified-jwt-decode
    jwt.decode(encoded, key)
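To make concrete what the description and the test file above are flagging, here is an added, stand-alone illustration (not Semgrep's rule code and not PyJWT's implementation) of what `"verify_signature": False` actually skips. It implements HS256 signing and decoding with only the Python standard library, mirrors PyJWT's `verify_signature` option name, and builds a constructed token whose payload was altered after signing. The unverified decode happily returns the altered claims; the verified decode raises. All key material and claim values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json


class InvalidSignatureError(Exception):
    """Raised when the HMAC over header.payload does not match the token's signature."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_hs256(payload: dict, key: bytes) -> str:
    """Produce a compact HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_hs256(token: str, key: bytes, verify_signature: bool = True) -> dict:
    """Decode a JWT. With verify_signature=False the claims are returned unchecked,
    which is exactly the condition the Semgrep rule above reports."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("token must have three dot-separated segments") from None
    if verify_signature:
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: never let the token's header choose how it is verified.
        if header.get("alg") != "HS256":
            raise InvalidSignatureError("unexpected alg in header")
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise InvalidSignatureError("signature does not match payload")
    return json.loads(_b64url_decode(payload_b64))


def altered_payload_fixture(token: str, new_payload: dict) -> str:
    """Constructed test fixture: same header and signature, different payload segment.
    A correct verifier must reject it because the signature no longer covers the payload."""
    header_b64, _, sig_b64 = token.split(".")
    new_payload_b64 = _b64url_encode(json.dumps(new_payload, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload_b64}.{sig_b64}"


def demo() -> dict:
    key = b"constructed-demo-secret"  # constructed; a real key comes from a secret store
    genuine = encode_hs256({"sub": "alice", "role": "user"}, key)
    altered = altered_payload_fixture(genuine, {"sub": "alice", "role": "admin"})

    # The pattern the rule flags: claims are trusted without checking the signature.
    unverified = decode_hs256(altered, key, verify_signature=False)

    # The default (verify_signature=True) refuses the altered token.
    try:
        decode_hs256(altered, key)
        verified_rejected = False
    except InvalidSignatureError:
        verified_rejected = True

    return {
        "genuine_role": decode_hs256(genuine, key)["role"],
        "unverified_role": unverified["role"],
        "verified_rejected": verified_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The fix the rule suggests (`"verify_signature": True`, or simply omitting `options` so the default applies) corresponds to the `verify_signature=True` branch in `decode_hs256`: the only safe way to read claims is after the HMAC over `header.payload` has been recomputed with the server-side key and compared in constant time. Note that the example also pins `alg` to HS256 before verifying, since trusting the header's algorithm field is a separate class of mistake.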