typescript.react.security.audit.react-jwt-decoded-property.react-jwt-decoded-property


Property decoded from a JWT token without verification; it cannot be trusted.


Definition

rules:
  - id: react-jwt-decoded-property
    # Flags any property read from the result of jwt_decode(). jwt-decode only
    # decodes the payload client-side and performs no signature check, so a
    # claim read here (exp, sub, roles, ...) is attacker-controllable until the
    # token has been verified server-side. Audit-level rule: each hit should be
    # reviewed for whether the claim drives an authorization or trust decision.
    message: Property decoded from JWT token without verifying and cannot be
      trustworthy.
    metadata:
      # NOTE(review): the CWE and the reference below describe token storage
      # (localStorage / XSS), while the patterns flag use of unverified claims —
      # confirm the metadata reflects the intended finding.
      cwe:
        - "CWE-922: Insecure Storage of Sensitive Information"
      references:
        - https://pragmaticwebsecurity.com/articles/oauthoidc/localstorage-xss.html
      category: security
      owasp:
        - A01:2021 - Broken Access Control
      technology:
        - react
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - typescript
      - javascript
    severity: INFO
    patterns:
      # Scope: only files that default-import jwt_decode from "jwt-decode".
      - pattern-inside: |
          import jwt_decode from "jwt-decode";
          ...
      # The decoded value must be the result of a jwt_decode(...) call;
      # $TOKEN itself is unconstrained.
      - pattern-inside: |
          $DECODED = jwt_decode($TOKEN,...);
          ...
      # Any member access on that value is reported (e.g. decoded.exp).
      # Passing the whole object on, as in the "ok" fixtures, is not matched.
      - pattern: $DECODED.$PROPERTY

Examples

react-jwt-decoded-property.jsx

import jwt_decode from "jwt-decode";
import { something } from "foobar";

/**
 * Positive fixture: `decoded.exp` is read from a token that was only decoded,
 * not signature-verified, so the expiry derived from it cannot be trusted.
 * The `// ruleid` marker must stay directly above the matching line.
 */
export const testAuth1 = async () => {
  const { token } = await retrieveToken();
  const decoded = jwt_decode(token);
// ruleid: react-jwt-decoded-property
  // presumably converts a seconds-based exp claim to milliseconds — confirm
  const exp = decoded.exp * 1000;
  return exp;
};

/**
 * Negative fixture: the decoded object is handed on whole and no property is
 * read, so the rule's final `$DECODED.$PROPERTY` pattern has nothing to match.
 */
export const okTestAuth1 = async () => {
  const { token } = await retrieveToken();
// ok: react-jwt-decoded-property
  const decoded = jwt_decode(token);
  foobar(decoded);
};

react-jwt-decoded-property.tsx

import jwt_decode from "jwt-decode";
import { something } from "foobar";

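/**
 * Positive fixture: `decoded.exp` is read from a token that was only decoded,
 * not signature-verified, so the expiry derived from it cannot be trusted.
 * The `// ruleid` marker must stay directly above the matching line.
 *
 * The declared return type is `Promise<number>` because the body returns the
 * computed expiry; the previous `Promise<void>` rejected that return under
 * strict type-checking. Typing the decode result instead of `any` keeps the
 * arithmetic on `exp` checked.
 *
 * @returns the expiry claim, presumably converted from seconds to milliseconds
 */
export const testAuth1 = async (): Promise<number> => {
  const { token } = await retrieveToken();
  const decoded = jwt_decode<{ exp: number }>(token);
// ruleid: react-jwt-decoded-property
  const exp = decoded.exp * 1000;
  return exp;
};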

/**
 * Negative fixture: the decoded object is handed on whole and no property is
 * read, so the rule's final `$DECODED.$PROPERTY` pattern has nothing to match.
 */
export const okTestAuth1 = async (): Promise<void> => {
  const { token } = await retrieveToken();
// ok: react-jwt-decoded-property
  const decoded = jwt_decode<any>(token);
  foobar(decoded);
};