ruby.jwt.security.jwt-none-alg.ruby-jwt-none-alg

Verifed by r2c
Community Favorite
profile photo of returntocorpreturntocorp
Author
63,819
Download Count*

Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.

Run Locally

Run in CI

Defintion

rules:
  - id: ruby-jwt-none-alg
    message: Detected use of the 'none' algorithm in a JWT token. The 'none'
      algorithm assumes the integrity of the token has already been verified.
      This would allow a malicious actor to forge a JWT token that will
      automatically be verified. Do not explicitly use the 'none' algorithm.
      Instead, use an algorithm such as 'HS256'.
    metadata:
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://r2c.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
      category: security
      technology:
        - jwt
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - ruby
    severity: ERROR
    patterns:
      - pattern-inside: |
          require 'jwt'
          ...
      - pattern: |
          JWT.encode($PAYLOAD, $SECRET, 'none', ...)

Examples

jwt-none-alg.rb

require 'jwt'

def bad1
    payload = { data: 'test' }
    # ruleid: ruby-jwt-none-alg
    token = JWT.encode payload, nil, 'none'
    puts token
end

def ok1(hmac_secret)
    # ok: ruby-jwt-none-alg
    token = JWT.encode payload, hmac_secret, 'HS256'
    puts token
    decoded_token = JWT.decode token, hmac_secret, true, { algorithm: 'HS256' }
    puts decoded_token
end