Semgrep Registry - scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret

Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)

Defintion

Open in Playground

rules:
  - id: scala-jwt-hardcoded-secret
    languages:
      - scala
    message: "Hardcoded JWT secret or private key is used. This is a Insufficiently
      Protected Credentials weakness:
      https://cwe.mitre.org/data/definitions/522.html Consider using an
      appropriate security mechanism to protect the credentials (e.g. keeping
      secrets in environment variables)"
    metadata:
      category: security
      cwe:
        - "CWE-522: Insufficiently Protected Credentials"
      owasp:
        - A02:2017 - Broken Authentication
        - A04:2021 - Insecure Design
      source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
      technology:
        - jwt
      confidence: HIGH
      references:
        - https://owasp.org/Top10/A04_2021-Insecure_Design
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: MEDIUM
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    pattern-either:
      - pattern: |
          com.auth0.jwt.algorithms.Algorithm.HMAC256("...");
      - pattern: |
          $SECRET = "...";
          ...
          com.auth0.jwt.algorithms.Algorithm.HMAC256($SECRET);
      - pattern: |
          class $CLASS {
            ...
            $DECL $SECRET = "...";
            ...
            def $FUNC (...): $RETURNTYPE = {
              ...
              com.auth0.jwt.algorithms.Algorithm.HMAC256($SECRET);
              ...
            }
            ...
          }
      - pattern: |
          com.auth0.jwt.algorithms.Algorithm.HMAC384("...");
      - pattern: |
          $SECRET = "...";
          ...
          com.auth0.jwt.algorithms.Algorithm.HMAC384($SECRET);
      - pattern: |
          class $CLASS {
            ...
            $DECL $SECRET = "...";
            ...
            def $FUNC (...): $RETURNTYPE = {
              ...
              com.auth0.jwt.algorithms.Algorithm.HMAC384($SECRET);
              ...
            }
            ...
          }
      - pattern: |
          com.auth0.jwt.algorithms.Algorithm.HMAC512("...");
      - pattern: |
          $SECRET = "...";
          ...
          com.auth0.jwt.algorithms.Algorithm.HMAC512($SECRET);
      - pattern: |
          class $CLASS {
            ...
            $DECL $SECRET = "...";
            ...
            def $FUNC (...): $RETURNTYPE = {
              ...
              com.auth0.jwt.algorithms.Algorithm.HMAC512($SECRET);
              ...
            }
            ...
          }
    severity: ERROR

package jwt_test.jwt_test_1 import com.auth0.jwt.JWT import com.auth0.jwt.algorithms.Algorithm import com.auth0.jwt.exceptions.JWTCreationException object App { val secret = "secret" } class App { def bad1() = { try { // ruleid: scala-jwt-hardcoded-secret Algorithm algorithm = Algorithm.HMAC256("secret"); String token = JWT.create() .withIssuer("auth0") .sign(algorithm); } catch (exception: JWTCreationException){ //Invalid Signing configuration / Couldn't convert Claims. } } def ok1(secretKey: String) = { try { // ok: scala-jwt-hardcoded-secret Algorithm algorithm = Algorithm.HMAC256(secretKey); String token = JWT.create() .withIssuer("auth0") .sign(algorithm); } catch (exception: JWTCreationException){ //Invalid Signing configuration / Couldn't convert Claims. } } }

scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret

Run Locally

Run in CI

Defintion

Examples

jwt-hardcode.scala