SonarPython: SONARPY-829

Rule S5659: JWT should be signed and verified with strong cipher algorithms


    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.3
    • Component/s: Rules
    • Labels:

      Description

      This rule detects JSON Web Tokens (JWT) being decoded without verification of their signature. The claims of an unverified token can be forged by anyone, since nothing ties them to the issuer's key.

      jwt

      For the jwt module (PyJWT) an issue should be raised:
      1. when the verify parameter of the method decode() is set to False

      jwt.decode(token, verify=False)  # Noncompliant
      

      2. when the call to decode() is wrapped in a try block whose handler catches every exception (a bare except or except Exception)

      try:
          jwt.decode(token, key, algo)  # Noncompliant; generic exception catch
      except:
          pass
      
      try:
          jwt.decode(token, key, algo)  # Noncompliant; generic exception catch
      except Exception:
          pass
      

      Catching jwt.InvalidSignatureError shows that the developer explicitly handles the case of an invalid signature. A generic handler gives no such signal: it may have been written for some unrelated error, and it silently swallows the signature failure (together with every other validation error decode() raises), so a rejected token goes unnoticed.
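      The following is an added illustration written for this page, not code from the ticket, from PyJWT or from SonarSource: a standard-library model of an HS256 JWT that shows what decoding with verify=False amounts to, and why the bare-except pattern above is flagged. The function names, the demo key and the claims are constructed for the example.

```python
"""Added example: a minimal HS256 JWT in the Python standard library (not PyJWT),
contrasting unverified decoding, verified decoding, and a generic except handler."""
import base64
import hashlib
import hmac
import json


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def sign(claims: dict, key: bytes) -> str:
    """Issuer side: header.payload signed with HMAC-SHA256 over the signing input."""
    header = _b64url(_json({"alg": "HS256", "typ": "JWT"}))
    payload = _b64url(_json(claims))
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_without_verification(token: str) -> dict:
    """What verify=False amounts to: the payload is base64url-decoded JSON, the signature is never looked at."""
    _, payload, _ = token.split(".")
    return json.loads(_unb64url(payload))


class InvalidSignature(Exception):
    """Stand-in for the library's InvalidSignatureError."""


def decode_and_verify(token: str, key: bytes, allowed_algs=("HS256",)) -> dict:
    """Verified decode: pin the algorithm (no 'none', no substitution) and compare the MAC in constant time."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") not in allowed_algs:
        raise InvalidSignature(f"algorithm {header.get('alg')!r} not allowed")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise InvalidSignature("signature mismatch")
    return json.loads(_unb64url(payload_b64))


def forge(token: str, new_claims: dict) -> str:
    """Attacker without the key: keep the header and the original signature, swap the payload."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_b64url(_json(new_claims))}.{sig_b64}"


KEY = b"server-secret-for-demo"  # constructed demo key, not a real secret
GENUINE = sign({"sub": "alice", "role": "user"}, KEY)
FORGED = forge(GENUINE, {"sub": "alice", "role": "admin"})


def role_unverified(token: str) -> str:
    # Noncompliant behaviour: the forged token is accepted at face value.
    return decode_without_verification(token)["role"]


def role_verified(token: str):
    # Compliant: the specific signature failure is handled and reported as None.
    try:
        return decode_and_verify(token, KEY)["role"]
    except InvalidSignature:
        return None


def role_generic_catch(token) -> str:
    # The pattern the rule flags: the bare except hides the signature failure,
    # and it hides every other error too (e.g. a None token), so nothing distinguishes
    # a forged token from a programming bug; control simply carries on.
    role = "guest"
    try:
        role = decode_and_verify(token, KEY)["role"]
    except:
        pass
    return role


if __name__ == "__main__":
    print("unverified:", role_unverified(FORGED))
    print("verified:", role_verified(GENUINE), role_verified(FORGED))
    print("generic catch:", role_generic_catch(FORGED), role_generic_catch(None))
```

      In PyJWT 2.0 and later the verify parameter no longer exists; unverified decoding is spelled jwt.decode(token, options={"verify_signature": False}), which is the same behaviour as decode_without_verification above and should be treated the same way.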

      python_jwt

      For the python_jwt module an issue should be raised when process_jwt() is called and no call to verify_jwt() follows it in the same function. process_jwt() only parses the header and claims without checking the signature; verify_jwt() is the call that verifies it.
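      A sketch of how the three checks above can be expressed over Python's ast module, added here as an example; it is not the SonarPython implementation (which is written in Java against its own tree model). It assumes the modules are imported as plain import jwt / import python_jwt and does not follow import aliases, and the SAMPLE source it analyses is constructed for the example.

```python
"""Added example: an ast-based checker for the S5659 patterns (not SonarPython code)."""
import ast

GENERIC_EXCEPTIONS = {"Exception", "BaseException"}


def _is_call_to(call: ast.Call, module: str, name: str) -> bool:
    """True for a call written as module.name(...); assumes a plain `import module`."""
    f = call.func
    return (isinstance(f, ast.Attribute) and f.attr == name
            and isinstance(f.value, ast.Name) and f.value.id == module)


def _catches_everything(handler: ast.ExceptHandler) -> bool:
    """Bare `except:` or `except Exception` / `except BaseException`, alone or inside a tuple."""
    t = handler.type
    if t is None:
        return True
    names = t.elts if isinstance(t, ast.Tuple) else [t]
    return any(isinstance(n, ast.Name) and n.id in GENERIC_EXCEPTIONS for n in names)


def _own_calls(func) -> list:
    """Call nodes in func's body, without descending into nested functions, lambdas or classes."""
    calls, stack = [], list(func.body)
    while stack:
        node = stack.pop()
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda, ast.ClassDef)):
            continue
        if isinstance(node, ast.Call):
            calls.append(node)
        stack.extend(ast.iter_child_nodes(node))
    return calls


def find_issues(source: str) -> list:
    """Return sorted (lineno, message) pairs for the three S5659 patterns."""
    issues = []
    for node in ast.walk(ast.parse(source)):
        # 1. jwt.decode(..., verify=False)
        if isinstance(node, ast.Call) and _is_call_to(node, "jwt", "decode"):
            for kw in node.keywords:
                if kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                    issues.append((node.lineno, "jwt.decode() called with verify=False"))
        # 2. jwt.decode() inside a try whose handler swallows every exception
        elif isinstance(node, ast.Try) and any(_catches_everything(h) for h in node.handlers):
            for stmt in node.body:
                for inner in ast.walk(stmt):
                    if isinstance(inner, ast.Call) and _is_call_to(inner, "jwt", "decode"):
                        issues.append((inner.lineno, "jwt.decode() guarded by a generic exception handler"))
        # 3. python_jwt.process_jwt() with no later verify_jwt() in the same function
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            calls = _own_calls(node)
            verified_at = [c.lineno for c in calls if _is_call_to(c, "python_jwt", "verify_jwt")]
            for c in calls:
                if _is_call_to(c, "python_jwt", "process_jwt") and not any(v > c.lineno for v in verified_at):
                    issues.append((c.lineno, "python_jwt.process_jwt() not followed by verify_jwt()"))
    return sorted(issues)


# Constructed sample: functions a, b and d are noncompliant; c and e are compliant.
SAMPLE = '''\
import jwt
import python_jwt

def a(token):
    return jwt.decode(token, verify=False)

def b(token, key):
    try:
        return jwt.decode(token, key, algorithms=["HS256"])
    except:
        return None

def c(token, key):
    try:
        return jwt.decode(token, key, algorithms=["HS256"])
    except jwt.InvalidSignatureError:
        return None

def d(token):
    header, claims = python_jwt.process_jwt(token)
    return claims

def e(token, pub_key):
    header, claims = python_jwt.process_jwt(token)
    python_jwt.verify_jwt(token, pub_key, ["RS256"])
    return claims
'''

if __name__ == "__main__":
    for lineno, message in find_issues(SAMPLE):
        print(f"line {lineno}: {message}")
```

      Running it on SAMPLE reports one issue per noncompliant function (lines 5, 9 and 20) and nothing for c and e. The "followed by" test is purely positional within one function body, which is what the ticket asks for; a real analyzer would also need to resolve import aliases and from-imports.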

      Code samples: https://github.com/SonarSource/security-expected-issues/tree/master/python/rules/vulnerabilities/RSPEC-5659


              People

              Assignee:
              pierre-yves.nicolas Pierre-Yves Nicolas
              Reporter:
              hendrik.buchwald Hendrik Buchwald
              Votes:
              0
              Watchers:
              3
