
Commit 88bd8dc

committed
jwt-go-none-algorithm-go
1 parent c3aaeba commit 88bd8dc

4 files changed

+121
-0
lines changed
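--- /dev/null
+++ b/<path-not-shown-file-1>
@@ -0,0 +1,38 @@
+id: jwt-go-none-algorithm-go
+language: go
+severity: warning
+message: >-
+Detected use of the 'none' algorithm in a JWT token. The 'none'
+algorithm assumes the integrity of the token has already been verified.
+This would allow a malicious actor to forge a JWT token that will
+automatically be verified. Do not explicitly use the 'none' algorithm.
+Instead, use an algorithm such as 'HS256'.
+note: >-
+[CWE-327]: Use of a Broken or Risky Cryptographic Algorithm
+[OWASP A03:2017]: Sensitive Data Exposure
+[OWASP A02:2021]: Cryptographic Failures
+[REFERENCES]
+https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+utils:
+after_declaration:
+inside:
+stopBy: end
+kind: function_declaration
+follows:
+stopBy: end
+kind: import_declaration
+has:
+stopBy: end
+kind: import_spec_list
+pattern: $IMPORT_MOD
+rule:
+kind: selector_expression
+all:
+- pattern: $JWT_FUNC
+- matches: after_declaration
+
+constraints:
+JWT_FUNC:
+regex: (jwt.SigningMethodNone|jwt.UnsafeAllowNoneSignatureType)
+IMPORT_MOD:
+regex: ("github.com/golang-jwt/jwt"|"github.com/dgrijalva/jwt-go")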
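Review bot: The IMPORT_MOD regex at the end of the hunk, `("github.com/golang-jwt/jwt"|"github.com/dgrijalva/jwt-go")`, requires a closing quote immediately after `jwt`, so the versioned module paths `github.com/golang-jwt/jwt/v4` and `github.com/golang-jwt/jwt/v5` that newer code imports never satisfy it, and a `SigningMethodNone` use under those imports goes unreported. Widening it to `regex: ("github.com/golang-jwt/jwt(/v[0-9]+)?"|"github.com/dgrijalva/jwt-go")` closes that gap, and the unescaped `.` in both constraints should become `\.` (`jwt\.SigningMethodNone`) so the selector is matched literally. Both constraints also presume the package is imported under its default name `jwt`; that is worth stating in the note so an aliased import is understood to be out of scope rather than silently missed. The second file section of this commit is a snapshot for `detect-angular-sce-disabled-typescript`, which looks unrelated to this rule and may have been staged by accident.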
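--- /dev/null
+++ b/<path-not-shown-file-2>
@@ -0,0 +1,9 @@
+id: detect-angular-sce-disabled-typescript
+snapshots:
+? |
+$sceProvider.enabled(false);
+: labels:
+- source: $sceProvider.enabled(false);
+style: primary
+start: 0
+end: 28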
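--- /dev/null
+++ b/<path-not-shown-file-3>
@@ -0,0 +1,46 @@
+id: jwt-go-none-algorithm-go
+snapshots:
+? |
+import (
+"fmt"
+"github.com/dgrijalva/jwt-go"
+)
+func bad1(key []byte) {
+claims = jwt.StandardClaims{
+ExpiresAt:15000,
+Issuer:"test",}
+token = jwt.NewWithClaims(jwt.SigningMethodNone, claims)
+ss, err = token.SignedString(jwt.UnsafeAllowNoneSignatureType)
+fmt.Printf("%v %v\n", ss, err)}
+: labels:
+- source: jwt.SigningMethodNone
+style: primary
+start: 170
+end: 191
+- source: |-
+(
+"fmt"
+"github.com/dgrijalva/jwt-go"
+)
+style: secondary
+start: 7
+end: 51
+- source: |-
+import (
+"fmt"
+"github.com/dgrijalva/jwt-go"
+)
+style: secondary
+start: 0
+end: 51
+- source: |-
+func bad1(key []byte) {
+claims = jwt.StandardClaims{
+ExpiresAt:15000,
+Issuer:"test",}
+token = jwt.NewWithClaims(jwt.SigningMethodNone, claims)
+ss, err = token.SignedString(jwt.UnsafeAllowNoneSignatureType)
+fmt.Printf("%v %v\n", ss, err)}
+style: secondary
+start: 52
+end: 295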
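--- /dev/null
+++ b/<path-not-shown-file-4>
@@ -0,0 +1,28 @@
+id: jwt-go-none-algorithm-go
+valid:
+- |
+import (
+"fmt"
+"github.com/dgrijalva/jwt-go"
+)
+func ok1(key []byte){
+claims = jwt.StandardClaims{
+ExpiresAt:15000,
+Issuer:"test",}
+token = jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+ss, err = token.SignedString(key)
+fmt.Printf("%v %v\n", ss, err)}
+
+invalid:
+- |
+import (
+"fmt"
+"github.com/dgrijalva/jwt-go"
+)
+func bad1(key []byte) {
+claims = jwt.StandardClaims{
+ExpiresAt:15000,
+Issuer:"test",}
+token = jwt.NewWithClaims(jwt.SigningMethodNone, claims)
+ss, err = token.SignedString(jwt.UnsafeAllowNoneSignatureType)
+fmt.Printf("%v %v\n", ss, err)}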
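Review bot: The `invalid` list holds a single case, and it imports only `"github.com/dgrijalva/jwt-go"`, so the `"github.com/golang-jwt/jwt"` alternative of the rule's IMPORT_MOD constraint is never exercised by this test, and `jwt.UnsafeAllowNoneSignatureType` is only ever seen on the line after a `jwt.SigningMethodNone` hit. Add a second invalid case that duplicates `bad1` with the `golang-jwt/jwt` import, one that uses only `jwt.UnsafeAllowNoneSignatureType`, and a `valid` case where a local package named `jwt` exposes a `SigningMethodNone` identifier without either import, so that a regression in the import check is caught rather than passing silently. The fixtures also assign with `=` instead of `:=` (`claims = jwt.StandardClaims{`), which is not valid Go; using `:=` keeps them representative of real code even if the parser tolerates the current form.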
