ruby.jwt.security.audit.jwt-exposed-data.ruby-jwt-exposed-data

profile photo of returntocorpreturntocorp
Author
6,345
Download Count*

The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload.

Run Locally

Run in CI

Defintion

rules:
  - id: ruby-jwt-exposed-data
    message: The object is passed strictly to jsonwebtoken.sign(...) Make sure that
      sensitive information is not exposed through JWT token payload.
    severity: WARNING
    metadata:
      owasp:
        - A02:2017 - Broken Authentication
        - A04:2021 - Insecure Design
      cwe:
        - "CWE-522: Insufficiently Protected Credentials"
      source-rule-url: https://r2c.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
      category: security
      technology:
        - jwt
      references:
        - https://owasp.org/Top10/A04_2021-Insecure_Design
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - ruby
    patterns:
      - pattern-inside: |
          require 'jwt'
          ...
      - pattern-inside: |
          def $FUNC(...,$INPUT,...)
            ...
          end
      - pattern: |
          JWT.encode($INPUT,...)

Examples

jwt-exposed-data.rb

require 'jwt'

def bad1(hmac_secret, payload)
    # ruleid: ruby-jwt-exposed-data
    token = JWT.encode payload, hmac_secret, 'HS256'
    puts token
end

def ok1(hmac_secret)
    # ok: ruby-jwt-exposed-data
    payload = { data: 'data', nbf: nbf }
    token = JWT.encode payload, hmac_secret, 'HS256'
    puts token
end