ruby.jwt.security.audit.jwt-exposed-data.ruby-jwt-exposed-data

semgrep

Author

6,345

Download Count*

License

The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: ruby-jwt-exposed-data
    message: The object is passed strictly to jsonwebtoken.sign(...) Make sure that
      sensitive information is not exposed through JWT token payload.
    severity: WARNING
    metadata:
      owasp:
        - A02:2017 - Broken Authentication
        - A04:2021 - Insecure Design
      cwe:
        - "CWE-522: Insufficiently Protected Credentials"
      source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
      category: security
      technology:
        - jwt
      references:
        - https://owasp.org/Top10/A04_2021-Insecure_Design
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - ruby
    patterns:
      - pattern-inside: |
          require 'jwt'
          ...
      - pattern-inside: |
          def $FUNC(...,$INPUT,...)
            ...
          end
      - pattern: |
          JWT.encode($INPUT,...)

Examples

jwt-exposed-data.rb

require 'jwt'

def bad1(hmac_secret, payload)
    # ruleid: ruby-jwt-exposed-data
    token = JWT.encode payload, hmac_secret, 'HS256'
    puts token
end

def ok1(hmac_secret)
    # ok: ruby-jwt-exposed-data
    payload = { data: 'data', nbf: nbf }
    token = JWT.encode payload, hmac_secret, 'HS256'
    puts token
end

Short Link: https://sg.run/B4Nb