scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode
semgrep
Author
unknown
Download Count*
License
Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)
Run Locally
Run in CI
Defintion
rules:
- id: jwt-scala-hardcode
patterns:
- pattern-inside: |
import pdi.jwt.$DEPS
...
- pattern-either:
- pattern: $JWT.encode($X, "...", ...)
- pattern: $JWT.decode($X, "...", ...)
- pattern: $JWT.decodeRawAll($X, "...", ...)
- pattern: $JWT.decodeRaw($X, "...", ...)
- pattern: $JWT.decodeAll($X, "...", ...)
- pattern: $JWT.validate($X, "...", ...)
- pattern: $JWT.isValid($X, "...", ...)
- pattern: $JWT.decodeJson($X, "...", ...)
- pattern: $JWT.decodeJsonAll($X, "...", ...)
- patterns:
- pattern-either:
- pattern: $JWT.encode($X, $KEY, ...)
- pattern: $JWT.decode($X, $KEY, ...)
- pattern: $JWT.decodeRawAll($X, $KEY, ...)
- pattern: $JWT.decodeRaw($X, $KEY, ...)
- pattern: $JWT.decodeAll($X, $KEY, ...)
- pattern: $JWT.validate($X, $KEY, ...)
- pattern: $JWT.isValid($X, $KEY, ...)
- pattern: $JWT.decodeJson($X, $KEY, ...)
- pattern: $JWT.decodeJsonAll($X, $KEY, ...)
- pattern: $JWT.encode($X, this.$KEY, ...)
- pattern: $JWT.decode($X, this.$KEY, ...)
- pattern: $JWT.decodeRawAll($X, this.$KEY, ...)
- pattern: $JWT.decodeRaw($X, this.$KEY, ...)
- pattern: $JWT.decodeAll($X, this.$KEY, ...)
- pattern: $JWT.validate($X, this.$KEY, ...)
- pattern: $JWT.isValid($X, this.$KEY, ...)
- pattern: $JWT.decodeJson($X, this.$KEY, ...)
- pattern: $JWT.decodeJsonAll($X, this.$KEY, ...)
- pattern-either:
- pattern-inside: |
class $CL {
...
$KEY = "..."
...
}
- pattern-inside: |
object $CL {
...
$KEY = "..."
...
}
- metavariable-pattern:
metavariable: $JWT
patterns:
- pattern-either:
- pattern: Jwt
- pattern: JwtArgonaut
- pattern: JwtCirce
- pattern: JwtJson4s
- pattern: JwtJson
- pattern: JwtUpickle
message: "Hardcoded JWT secret or private key is used. This is a Insufficiently
Protected Credentials weakness:
https://cwe.mitre.org/data/definitions/522.html Consider using an
appropriate security mechanism to protect the credentials (e.g. keeping
secrets in environment variables)"
languages:
- scala
severity: WARNING
metadata:
references:
- https://jwt-scala.github.io/jwt-scala/
category: security
cwe:
- "CWE-522: Insufficiently Protected Credentials"
owasp:
- A02:2017 - Broken Authentication
- A04:2021 - Insecure Design
technology:
- scala
confidence: HIGH
cwe2021-top25: true
subcategory:
- vuln
likelihood: MEDIUM
impact: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cryptographic Issues
Examples
jwt-scala-hardcode.scala
import java.time.Clock
import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut, JwtCirce}
import play.api.libs.json.Json
object Smth {
val secretKey = "foobar"
def run1(token: String) = {
val algo = JwtAlgorithm.HS256
// ruleid: jwt-scala-hardcode
JwtArgonaut.decodeJson(token, secretKey, algo)
}
def run2(token: String) = {
val algo = JwtAlgorithm.HS256
// ok: jwt-scala-hardcode
JwtArgonaut.decodeJson(token, getSecretFromEnv(), algo)
}
}
class FooBar {
private val JWT_KEY = "foobar"
def run1() = {
val claim = Json.obj(("user", 1), ("nbf", 1431520421))
val key1 = "secretKey"
val algo = JwtAlgorithm.HS256
// ruleid: jwt-scala-hardcode
val token = JwtJson.encode(claim, key1, algo)
// ok: jwt-scala-hardcode
JwtJson.decodeJson(token, keyFromEnv, Seq(JwtAlgorithm.HS256))
}
def run2() = {
val claim = Json.obj(("user", 1), ("nbf", 1431520421))
val key2 = getSecretFromEnv()
val algo = JwtAlgorithm.HS256
// ruleid: jwt-scala-hardcode
val token = JwtCirce.encode(claim, this.JWT_KEY, algo)
// ruleid: jwt-scala-hardcode
JwtCirce.decodeJson(token, this.JWT_KEY, Seq(JwtAlgorithm.HS256))
}
def run3() = {
val claim = Json.obj(("user", 1), ("nbf", 1431520421))
val key2 = getSecretFromEnv()
val algo = JwtAlgorithm.HS256
// ok: jwt-scala-hardcode
val token = JwtJson.encode(claim, key2, algo)
// ok: jwt-scala-hardcode
JwtJson.decodeJson(token, key2, Seq(JwtAlgorithm.HS256))
}
}
Short Link: https://sg.run/8zE7