ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify

Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims.
Definition
rules:
  - id: ruby-jwt-decode-without-verify
    message: >-
      Detected the decoding of a JWT token without a verify step. JWT tokens
      must be verified before use, otherwise the token's integrity is unknown.
      This means a malicious actor could forge a JWT token with any claims.
    metadata:
      cwe:
        - "CWE-345: Insufficient Verification of Data Authenticity"
      owasp:
        - A08:2021 - Software and Data Integrity Failures
      source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
      category: security
      technology:
        - jwt
      references:
        - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authentication
    languages:
      - ruby
    severity: WARNING
    patterns:
      - pattern-inside: |
          require 'jwt'
          ...
      - pattern: JWT.decode($PAYLOAD,$SECRET,false,...)
Examples
jwt-decode-without-verify.rb
require 'jwt'

# Semgrep test fixture: `token` and `payload` are passed in so the file
# also loads on its own; the rule only cares about the third argument.
def bad1(token, hmac_secret)
  # ruleid: ruby-jwt-decode-without-verify
  decoded_token = JWT.decode token, hmac_secret, false, { algorithm: 'HS256' }
  puts decoded_token
end

def ok1(payload, hmac_secret)
  # ok: ruby-jwt-decode-without-verify
  token = JWT.encode payload, hmac_secret, 'HS256'
  puts token
  decoded_token = JWT.decode token, hmac_secret, true, { algorithm: 'HS256' }
  puts decoded_token
end
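To make concrete what the `verify` flag actually controls, here is an added example (not part of the Semgrep rule or the jwt gem) that reimplements a minimal HS256 JWT on Ruby's standard library (OpenSSL and JSON) so it runs without the gem. `MiniJwt.decode(token, key, verify)` mirrors the argument order of the gem's `JWT.decode` matched by the rule above; the secret, the claims and the tampered token are all constructed for the demo. Decoding a token whose payload was altered after signing succeeds when `verify` is `false` and is rejected when it is `true`:

```ruby
require 'openssl'
require 'json'

# Minimal HS256 JWT, standard library only (constructed for this example).
# Same argument order as the jwt gem: decode(token, key, verify).
module MiniJwt
  class VerificationError < StandardError; end

  def self.b64url(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.unb64url(str)
    padded = str + '=' * ((4 - str.length % 4) % 4)
    padded.tr('-_', '+/').unpack1('m0')
  end

  def self.sign(signing_input, key)
    OpenSSL::HMAC.digest('SHA256', key, signing_input)
  end

  # Constant-time comparison so a verifier does not leak the MAC byte by byte.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.encode(payload, key)
    header = { alg: 'HS256', typ: 'JWT' }
    signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
    "#{signing_input}.#{b64url(sign(signing_input, key))}"
  end

  # verify == false: claims are returned without any signature check, which is
  # exactly the call shape the rule flags. verify == true: any token whose
  # signature does not match the key is rejected before claims are returned.
  def self.decode(token, key, verify)
    header_b64, payload_b64, sig_b64 = token.split('.', 3)
    raise VerificationError, 'malformed token' unless header_b64 && payload_b64 && sig_b64
    if verify
      expected = sign("#{header_b64}.#{payload_b64}", key)
      raise VerificationError, 'signature mismatch' unless secure_equal?(expected, unb64url(sig_b64))
    end
    JSON.parse(unb64url(payload_b64))
  end
end

SECRET = 'constructed-demo-secret'.freeze

# Constructed test input: the payload segment is swapped for one claiming
# role=admin while the original header and signature are kept.
def tampered_token(original_token)
  header_b64, _payload_b64, sig_b64 = original_token.split('.', 3)
  forged_payload = MiniJwt.b64url(JSON.generate({ 'sub' => 'alice', 'role' => 'admin' }))
  "#{header_b64}.#{forged_payload}.#{sig_b64}"
end

# Runs the same tampered token through both call shapes and reports what
# each one hands back to the application.
def demo
  genuine = MiniJwt.encode({ 'sub' => 'alice', 'role' => 'user' }, SECRET)
  tampered = tampered_token(genuine)

  unverified = MiniJwt.decode(tampered, SECRET, false)   # accepted as-is
  verified = begin
    MiniJwt.decode(tampered, SECRET, true)               # raises
  rescue MiniJwt::VerificationError => e
    e.message
  end

  {
    unverified_role: unverified['role'],
    verified: verified,
    genuine_role: MiniJwt.decode(genuine, SECRET, true)['role']
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

With the real gem the hardened call is the `ok1` form above, `JWT.decode token, hmac_secret, true, { algorithm: 'HS256' }`, which raises `JWT::VerificationError` (a `JWT::DecodeError`) on a bad signature; pinning `algorithm` matters too, because otherwise the token's own header picks the algorithm the verifier uses.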
Short Link: https://sg.run/AlYg