scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode

profile photo of semgrepsemgrep
Author
unknown
Download Count*

Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)

Run Locally

Run in CI

Defintion

rules:
  - id: jwt-scala-hardcode
    patterns:
      - pattern-inside: |
          import pdi.jwt.$DEPS
          ...
      - pattern-either:
          - pattern: $JWT.encode($X, "...", ...)
          - pattern: $JWT.decode($X, "...", ...)
          - pattern: $JWT.decodeRawAll($X, "...", ...)
          - pattern: $JWT.decodeRaw($X, "...", ...)
          - pattern: $JWT.decodeAll($X, "...", ...)
          - pattern: $JWT.validate($X, "...", ...)
          - pattern: $JWT.isValid($X, "...", ...)
          - pattern: $JWT.decodeJson($X, "...", ...)
          - pattern: $JWT.decodeJsonAll($X, "...", ...)
          - patterns:
              - pattern-either:
                  - pattern: $JWT.encode($X, $KEY, ...)
                  - pattern: $JWT.decode($X, $KEY, ...)
                  - pattern: $JWT.decodeRawAll($X, $KEY, ...)
                  - pattern: $JWT.decodeRaw($X, $KEY, ...)
                  - pattern: $JWT.decodeAll($X, $KEY, ...)
                  - pattern: $JWT.validate($X, $KEY, ...)
                  - pattern: $JWT.isValid($X, $KEY, ...)
                  - pattern: $JWT.decodeJson($X, $KEY, ...)
                  - pattern: $JWT.decodeJsonAll($X, $KEY, ...)
                  - pattern: $JWT.encode($X, this.$KEY, ...)
                  - pattern: $JWT.decode($X, this.$KEY, ...)
                  - pattern: $JWT.decodeRawAll($X, this.$KEY, ...)
                  - pattern: $JWT.decodeRaw($X, this.$KEY, ...)
                  - pattern: $JWT.decodeAll($X, this.$KEY, ...)
                  - pattern: $JWT.validate($X, this.$KEY, ...)
                  - pattern: $JWT.isValid($X, this.$KEY, ...)
                  - pattern: $JWT.decodeJson($X, this.$KEY, ...)
                  - pattern: $JWT.decodeJsonAll($X, this.$KEY, ...)
              - pattern-either:
                  - pattern-inside: |
                      class $CL {
                        ...
                        $KEY = "..."
                        ...
                      }
                  - pattern-inside: |
                      object $CL {
                        ...
                        $KEY = "..."
                        ...
                      }
      - metavariable-pattern:
          metavariable: $JWT
          patterns:
            - pattern-either:
                - pattern: Jwt
                - pattern: JwtArgonaut
                - pattern: JwtCirce
                - pattern: JwtJson4s
                - pattern: JwtJson
                - pattern: JwtUpickle
    message: "Hardcoded JWT secret or private key is used. This is a Insufficiently
      Protected Credentials weakness:
      https://cwe.mitre.org/data/definitions/522.html Consider using an
      appropriate security mechanism to protect the credentials (e.g. keeping
      secrets in environment variables)"
    languages:
      - scala
    severity: WARNING
    metadata:
      references:
        - https://jwt-scala.github.io/jwt-scala/
      category: security
      cwe:
        - "CWE-522: Insufficiently Protected Credentials"
      owasp:
        - A02:2017 - Broken Authentication
        - A04:2021 - Insecure Design
      technology:
        - scala
      confidence: HIGH
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues

Examples

jwt-scala-hardcode.scala

import java.time.Clock
import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut, JwtCirce}
import play.api.libs.json.Json

object Smth {
  val secretKey = "foobar"

  def run1(token: String) = {
    val algo = JwtAlgorithm.HS256
    // ruleid: jwt-scala-hardcode
    JwtArgonaut.decodeJson(token, secretKey, algo)
  }

  def run2(token: String) = {
    val algo = JwtAlgorithm.HS256
    // ok: jwt-scala-hardcode
    JwtArgonaut.decodeJson(token, getSecretFromEnv(), algo)
  }
}

class FooBar {
  private val JWT_KEY = "foobar"

  def run1() = {
    val claim = Json.obj(("user", 1), ("nbf", 1431520421))
    val key1 = "secretKey"
    val algo = JwtAlgorithm.HS256
    // ruleid: jwt-scala-hardcode
    val token = JwtJson.encode(claim, key1, algo)
    // ok: jwt-scala-hardcode
    JwtJson.decodeJson(token, keyFromEnv, Seq(JwtAlgorithm.HS256))
  }

  def run2() = {
    val claim = Json.obj(("user", 1), ("nbf", 1431520421))
    val key2 = getSecretFromEnv()
    val algo = JwtAlgorithm.HS256
    // ruleid: jwt-scala-hardcode
    val token = JwtCirce.encode(claim, this.JWT_KEY, algo)
    // ruleid: jwt-scala-hardcode
    JwtCirce.decodeJson(token, this.JWT_KEY, Seq(JwtAlgorithm.HS256))
  }

  def run3() = {
    val claim = Json.obj(("user", 1), ("nbf", 1431520421))
    val key2 = getSecretFromEnv()
    val algo = JwtAlgorithm.HS256
    // ok: jwt-scala-hardcode
    val token = JwtJson.encode(claim, key2, algo)
    // ok: jwt-scala-hardcode
    JwtJson.decodeJson(token, key2, Seq(JwtAlgorithm.HS256))
  }
}