ruby.jwt.security.jwt-none-alg.ruby-jwt-none-alg
Verified by r2c · Community Favorite
Author: semgrep · Download count: 63,819
Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.
Definition
rules:
  - id: ruby-jwt-none-alg
    message: Detected use of the 'none' algorithm in a JWT token. The 'none'
      algorithm assumes the integrity of the token has already been verified.
      This would allow a malicious actor to forge a JWT token that will
      automatically be verified. Do not explicitly use the 'none' algorithm.
      Instead, use an algorithm such as 'HS256'.
    metadata:
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
      category: security
      technology:
        - jwt
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - ruby
    severity: ERROR
    patterns:
      - pattern-inside: |
          require 'jwt'
          ...
      - pattern: |
          JWT.encode($PAYLOAD, $SECRET, 'none', ...)
Examples
jwt-none-alg.rb
require 'jwt'

def bad1
  payload = { data: 'test' }
  # ruleid: ruby-jwt-none-alg
  token = JWT.encode payload, nil, 'none'
  puts token
end

def ok1(hmac_secret)
  payload = { data: 'test' }
  # ok: ruby-jwt-none-alg
  token = JWT.encode payload, hmac_secret, 'HS256'
  puts token
  # Verification is enabled and the accepted algorithm is pinned by the caller,
  # so a token whose header claims 'none' is rejected rather than trusted.
  decoded_token = JWT.decode token, hmac_secret, true, { algorithm: 'HS256' }
  puts decoded_token
end
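The description and the two test functions above show the encode side of the rule; the following is an added example (not code from Semgrep or from the ruby-jwt gem) showing the verify side it protects, which is where an `alg: none` token does damage. It builds a minimal HS256 signer and two verifiers on Ruby's standard library only (`json`, `openssl`), so it runs without the `jwt` gem, and places the weak verifier beside the hardened one. All names (`sign_hs256`, `encode_none`, `verify_trusting_header`, `verify_pinned`, `secure_equal?`) and the secret are hypothetical, constructed for this example.

```ruby
require 'json'
require 'openssl'

# base64url helpers (URL-safe alphabet, no '=' padding, as JWTs use).
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  s += '=' * ((4 - s.length % 4) % 4)
  s.unpack1('m0') # strict decoding; raises ArgumentError on malformed input
end

# Constant-time byte comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Equivalent of JWT.encode(payload, secret, 'HS256'): header.payload.signature
def sign_hs256(payload, secret)
  header = b64url(JSON.generate({ 'alg' => 'HS256', 'typ' => 'JWT' }))
  signing_input = "#{header}.#{b64url(JSON.generate(payload))}"
  sig = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
  "#{signing_input}.#{b64url(sig)}"
end

# Equivalent of the flagged JWT.encode(payload, nil, 'none'): no key, empty signature.
def encode_none(payload)
  header = b64url(JSON.generate({ 'alg' => 'none', 'typ' => 'JWT' }))
  "#{header}.#{b64url(JSON.generate(payload))}."
end

# WEAK: lets the token's own header decide how it is verified. An alg=none
# token with an empty signature is accepted without any key at all.
def verify_trusting_header(token, secret)
  h, p, s = token.split('.', -1)
  return nil unless h && p && s
  header = JSON.parse(b64url_decode(h))
  case header['alg']
  when 'none'
    s.empty? ? JSON.parse(b64url_decode(p)) : nil
  when 'HS256'
    expected = OpenSSL::HMAC.digest('SHA256', secret, "#{h}.#{p}")
    secure_equal?(expected, b64url_decode(s)) ? JSON.parse(b64url_decode(p)) : nil
  end
rescue ArgumentError, JSON::ParserError
  nil
end

# HARDENED: the verifier, not the token, fixes the algorithm (the same idea as
# `JWT.decode token, secret, true, { algorithm: 'HS256' }` in ok1 above).
# Anything else in the header, including 'none', is rejected before any
# signature logic runs.
def verify_pinned(token, secret, algorithm: 'HS256')
  h, p, s = token.split('.', -1)
  return nil unless h && p && s
  header = JSON.parse(b64url_decode(h))
  return nil unless header['alg'] == algorithm && algorithm == 'HS256'
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{h}.#{p}")
  return nil unless secure_equal?(expected, b64url_decode(s))
  JSON.parse(b64url_decode(p))
rescue ArgumentError, JSON::ParserError
  nil
end

if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-demo-secret'           # constructed sample value
  good   = sign_hs256({ 'sub' => 'alice' }, secret)
  forged = encode_none({ 'sub' => 'admin' })   # the shape the rule flags
  puts "pinned   accepts signed token:  #{!verify_pinned(good, secret).nil?}"
  puts "pinned   accepts alg=none:      #{!verify_pinned(forged, secret).nil?}"
  puts "trusting accepts alg=none:      #{!verify_trusting_header(forged, secret).nil?}"
end
```

The point to take from the two verifiers is that `verify_trusting_header` is not wrong about HS256; it is wrong about who chooses the algorithm. Pinning the algorithm on the decode side, as `ok1` does with `{ algorithm: 'HS256' }`, is what makes the rule's advice hold end to end: an unsigned token never reaches a code path that could accept it.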
Short Link: https://sg.run/R8kE