Skip to content

Commit bb6e977

Browse files
ESS-ENNESS-ENN
committed
jwt-python-hardcoded-secret-python
1 parent 72ac6bb commit bb6e977

File tree

3 files changed

+325
-0
lines changed

3 files changed

+325
-0
lines changed

rules/python/security/jwt-python-hardcoded-secret-python.yml

Lines changed: 118 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,118 @@
1+
id: jwt-python-hardcoded-secret-python
2+
severity: warning
3+
language: python
4+
message: >-
5+
Hardcoded JWT secret or private key is used. This is a Insufficiently
6+
Protected Credentials weakness:
7+
https://cwe.mitre.org/data/definitions/522.html Consider using an
8+
appropriate security mechanism to protect the credentials (e.g. keeping
9+
secrets in environment variables).
10+
note: >-
11+
[CWE-522] Insufficiently Protected Credentials.
12+
[REFERENCES]
13+
- https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
14+
utils:
15+
MATCH_SECRET_DIRECTLY:
16+
kind: expression_statement
17+
all:
18+
- has:
19+
stopBy: end
20+
kind: call
21+
all:
22+
- has:
23+
stopBy: neighbor
24+
kind: attribute
25+
all:
26+
- has:
27+
stopBy: neighbor
28+
kind: identifier
29+
regex: '^jwt$'
30+
- has:
31+
stopBy: neighbor
32+
kind: identifier
33+
regex: '^encode$'
34+
- has:
35+
stopBy: neighbor
36+
kind: argument_list
37+
all:
38+
- has:
39+
stopBy: neighbor
40+
pattern: $W
41+
- has:
42+
stopBy: neighbor
43+
kind: string
44+
nthChild: 2
45+
MATCH_SECRET_WITH_INSTANCE:
46+
kind: expression_statement
47+
all:
48+
- has:
49+
stopBy: end
50+
kind: call
51+
all:
52+
- has:
53+
stopBy: neighbor
54+
kind: attribute
55+
all:
56+
- has:
57+
stopBy: neighbor
58+
kind: identifier
59+
regex: '^jwt$'
60+
- has:
61+
stopBy: neighbor
62+
kind: identifier
63+
regex: '^encode$'
64+
- has:
65+
stopBy: neighbor
66+
kind: argument_list
67+
all:
68+
- has:
69+
stopBy: neighbor
70+
pattern: $W
71+
- has:
72+
stopBy: neighbor
73+
kind: identifier
74+
nthChild: 2
75+
pattern: $S
76+
- any:
77+
- follows:
78+
stopBy: end
79+
kind: expression_statement
80+
has:
81+
stopBy: neighbor
82+
kind: assignment
83+
all:
84+
- has:
85+
stopBy: neighbor
86+
kind: identifier
87+
pattern: $S
88+
- has:
89+
stopBy: neighbor
90+
kind: string
91+
has:
92+
stopBy: neighbor
93+
kind: string_content
94+
- inside:
95+
stopBy: end
96+
kind: module
97+
has:
98+
stopBy: end
99+
kind: expression_statement
100+
has:
101+
stopBy: neighbor
102+
kind: assignment
103+
all:
104+
- has:
105+
stopBy: neighbor
106+
kind: identifier
107+
pattern: $S
108+
- has:
109+
stopBy: neighbor
110+
kind: string
111+
has:
112+
stopBy: neighbor
113+
kind: string_content
114+
rule:
115+
kind: expression_statement
116+
any:
117+
- matches: MATCH_SECRET_DIRECTLY
118+
- matches: MATCH_SECRET_WITH_INSTANCE

tests/__snapshots__/jwt-python-hardcoded-secret-python-snapshot.yml

Lines changed: 185 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,185 @@
1+
id: jwt-python-hardcoded-secret-python
2+
snapshots:
3+
? |
4+
encoded = jwt.encode({"some": "payload"}, "secret", algorithm="HS256")
5+
: labels:
6+
- source: 'encoded = jwt.encode({"some": "payload"}, "secret", algorithm="HS256")'
7+
style: primary
8+
start: 0
9+
end: 70
10+
- source: jwt
11+
style: secondary
12+
start: 10
13+
end: 13
14+
- source: encode
15+
style: secondary
16+
start: 14
17+
end: 20
18+
- source: jwt.encode
19+
style: secondary
20+
start: 10
21+
end: 20
22+
- source: '{"some": "payload"}'
23+
style: secondary
24+
start: 21
25+
end: 40
26+
- source: '"secret"'
27+
style: secondary
28+
start: 42
29+
end: 50
30+
- source: '({"some": "payload"}, "secret", algorithm="HS256")'
31+
style: secondary
32+
start: 20
33+
end: 70
34+
- source: 'jwt.encode({"some": "payload"}, "secret", algorithm="HS256")'
35+
style: secondary
36+
start: 10
37+
end: 70
38+
? |
39+
encoded = jwt.encode({'some': 'payload'}, 'secret', algorithm='HS256')
40+
: labels:
41+
- source: 'encoded = jwt.encode({''some'': ''payload''}, ''secret'', algorithm=''HS256'')'
42+
style: primary
43+
start: 0
44+
end: 70
45+
- source: jwt
46+
style: secondary
47+
start: 10
48+
end: 13
49+
- source: encode
50+
style: secondary
51+
start: 14
52+
end: 20
53+
- source: jwt.encode
54+
style: secondary
55+
start: 10
56+
end: 20
57+
- source: '{''some'': ''payload''}'
58+
style: secondary
59+
start: 21
60+
end: 40
61+
- source: '''secret'''
62+
style: secondary
63+
start: 42
64+
end: 50
65+
- source: '({''some'': ''payload''}, ''secret'', algorithm=''HS256'')'
66+
style: secondary
67+
start: 20
68+
end: 70
69+
- source: 'jwt.encode({''some'': ''payload''}, ''secret'', algorithm=''HS256'')'
70+
style: secondary
71+
start: 10
72+
end: 70
73+
? |
74+
secret = "secret"
75+
encoded = jwt.encode({"some": "payload"}, secret, algorithm="HS256")
76+
: labels:
77+
- source: 'encoded = jwt.encode({"some": "payload"}, secret, algorithm="HS256")'
78+
style: primary
79+
start: 18
80+
end: 86
81+
- source: jwt
82+
style: secondary
83+
start: 28
84+
end: 31
85+
- source: encode
86+
style: secondary
87+
start: 32
88+
end: 38
89+
- source: jwt.encode
90+
style: secondary
91+
start: 28
92+
end: 38
93+
- source: '{"some": "payload"}'
94+
style: secondary
95+
start: 39
96+
end: 58
97+
- source: secret
98+
style: secondary
99+
start: 60
100+
end: 66
101+
- source: '({"some": "payload"}, secret, algorithm="HS256")'
102+
style: secondary
103+
start: 38
104+
end: 86
105+
- source: 'jwt.encode({"some": "payload"}, secret, algorithm="HS256")'
106+
style: secondary
107+
start: 28
108+
end: 86
109+
- source: secret
110+
style: secondary
111+
start: 0
112+
end: 6
113+
- source: secret
114+
style: secondary
115+
start: 10
116+
end: 16
117+
- source: '"secret"'
118+
style: secondary
119+
start: 9
120+
end: 17
121+
- source: secret = "secret"
122+
style: secondary
123+
start: 0
124+
end: 17
125+
- source: secret = "secret"
126+
style: secondary
127+
start: 0
128+
end: 17
129+
? |
130+
secret_const = "this-is-secret"
131+
def bad2():
132+
encoded = jwt.encode({"some": "payload"}, secret_const, algorithm="HS256")
133+
: labels:
134+
- source: 'encoded = jwt.encode({"some": "payload"}, secret_const, algorithm="HS256")'
135+
style: primary
136+
start: 44
137+
end: 118
138+
- source: jwt
139+
style: secondary
140+
start: 54
141+
end: 57
142+
- source: encode
143+
style: secondary
144+
start: 58
145+
end: 64
146+
- source: jwt.encode
147+
style: secondary
148+
start: 54
149+
end: 64
150+
- source: '{"some": "payload"}'
151+
style: secondary
152+
start: 65
153+
end: 84
154+
- source: secret_const
155+
style: secondary
156+
start: 86
157+
end: 98
158+
- source: '({"some": "payload"}, secret_const, algorithm="HS256")'
159+
style: secondary
160+
start: 64
161+
end: 118
162+
- source: 'jwt.encode({"some": "payload"}, secret_const, algorithm="HS256")'
163+
style: secondary
164+
start: 54
165+
end: 118
166+
- source: secret_const
167+
style: secondary
168+
start: 0
169+
end: 12
170+
- source: this-is-secret
171+
style: secondary
172+
start: 16
173+
end: 30
174+
- source: '"this-is-secret"'
175+
style: secondary
176+
start: 15
177+
end: 31
178+
- source: secret_const = "this-is-secret"
179+
style: secondary
180+
start: 0
181+
end: 31
182+
- source: secret_const = "this-is-secret"
183+
style: secondary
184+
start: 0
185+
end: 31

tests/python/jwt-python-hardcoded-secret-python-test.yml

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,22 @@
1+
id: jwt-python-hardcoded-secret-python
2+
valid:
3+
- |
4+
encoded = jwt.encode({"some": "payload"}, secret_key, algorithm="HS256")
5+
secret_const = 3
6+
- |
7+
encoded = jwt.encode({"some": "payload"}, secret_const, algorithm="HS256")
8+
return encoded
9+
10+
invalid:
11+
- |
12+
encoded = jwt.encode({"some": "payload"}, "secret", algorithm="HS256")
13+
- |
14+
encoded = jwt.encode({'some': 'payload'}, 'secret', algorithm='HS256')
15+
- |
16+
secret = "secret"
17+
encoded = jwt.encode({"some": "payload"}, secret, algorithm="HS256")
18+
- |
19+
secret_const = "this-is-secret"
20+
def bad2():
21+
encoded = jwt.encode({"some": "payload"}, secret_const, algorithm="HS256")
22+

0 commit comments

Comments
 (0)