ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify

profile photo of returntocorpreturntocorp
Author
6,345
Download Count*

Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims.

Run Locally

Run in CI

Defintion

rules:
  - id: ruby-jwt-decode-without-verify
    message: Detected the decoding of a JWT token without a verify step. JWT tokens
      must be verified before use, otherwise the token's integrity is unknown.
      This means a malicious actor could forge a JWT token with any claims.
    metadata:
      cwe:
        - "CWE-345: Insufficient Verification of Data Authenticity"
      owasp:
        - A08:2021 - Software and Data Integrity Failures
      source-rule-url: https://r2c.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
      category: security
      technology:
        - jwt
      references:
        - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - ruby
    severity: WARNING
    patterns:
      - pattern-inside: |
          require 'jwt'
          ...
      - pattern: JWT.decode($PAYLOAD,$SECRET,false,...)

Examples

jwt-decode-without-verify.rb

require 'jwt'

def bad1(hmac_secret)
    # ruleid: ruby-jwt-decode-without-verify
    decoded_token = JWT.decode token, hmac_secret, false, { algorithm: 'HS256' }
    puts decoded_token
end

def ok1(hmac_secret)
    # ok: ruby-jwt-decode-without-verify
    token = JWT.encode payload, hmac_secret, 'HS256'
    puts token
    decoded_token = JWT.decode token, hmac_secret, true, { algorithm: 'HS256' }
    puts decoded_token
end