jwt-go-none-algorithm-go

Author: ESS-ENN

rules/go/jwt-go/jwt-go-none-algorithm-go.yml

@@ -0,0 +1,38 @@
+id: jwt-go-none-algorithm-go
+language: go
+severity: warning
+message: >-
+  Detected use of the 'none' algorithm in a JWT token. The 'none'
+  algorithm assumes the integrity of the token has already been verified.
+  This would allow a malicious actor to forge a JWT token that will
+  automatically be verified. Do not explicitly use the 'none' algorithm.
+  Instead, use an algorithm such as 'HS256'.
+note: >-
+  [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm
+  [OWASP A03:2017]: Sensitive Data Exposure
+  [OWASP A02:2021]: Cryptographic Failures
+  [REFERENCES]
+       https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+utils:
+  after_declaration:
+    inside:
+      stopBy: end
+      kind: function_declaration
+      follows:
+        stopBy: end
+        kind: import_declaration
+        has:
+          stopBy: end
+          kind: import_spec_list
+          pattern: $IMPORT_MOD
+rule:
+  kind: selector_expression
+  all:
+    - pattern: $JWT_FUNC
+    - matches: after_declaration
+
+constraints:
+  JWT_FUNC:
+    regex: (jwt.SigningMethodNone|jwt.UnsafeAllowNoneSignatureType)
+  IMPORT_MOD:
+    regex: ("github.com/golang-jwt/jwt"|"github.com/dgrijalva/jwt-go")

tests/__snapshots__/detect-angular-sce-disabled-typescript-snapshot.yml

@@ -0,0 +1,9 @@
+id: detect-angular-sce-disabled-typescript
+snapshots:
+  ? |
+    $sceProvider.enabled(false);
+  : labels:
+    - source: $sceProvider.enabled(false);
+      style: primary
+      start: 0
+      end: 28

tests/__snapshots__/jwt-go-none-algorithm-go-snapshot.yml

@@ -0,0 +1,46 @@
+id: jwt-go-none-algorithm-go
+snapshots:
+  ? |
+    import (
+    "fmt"
+    "github.com/dgrijalva/jwt-go"
+         )
+    func bad1(key []byte) {
+    claims = jwt.StandardClaims{
+       ExpiresAt:15000,
+       Issuer:"test",}
+    token = jwt.NewWithClaims(jwt.SigningMethodNone, claims)
+    ss, err = token.SignedString(jwt.UnsafeAllowNoneSignatureType)
+    fmt.Printf("%v %v\n", ss, err)}
+  : labels:
+    - source: jwt.SigningMethodNone
+      style: primary
+      start: 170
+      end: 191
+    - source: |-
+        (
+        "fmt"
+        "github.com/dgrijalva/jwt-go"
+             )
+      style: secondary
+      start: 7
+      end: 51
+    - source: |-
+        import (
+        "fmt"
+        "github.com/dgrijalva/jwt-go"
+             )
+      style: secondary
+      start: 0
+      end: 51
+    - source: |-
+        func bad1(key []byte) {
+        claims = jwt.StandardClaims{
+           ExpiresAt:15000,
+           Issuer:"test",}
+        token = jwt.NewWithClaims(jwt.SigningMethodNone, claims)
+        ss, err = token.SignedString(jwt.UnsafeAllowNoneSignatureType)
+        fmt.Printf("%v %v\n", ss, err)}
+      style: secondary
+      start: 52
+      end: 295

tests/go/jwt-go-none-algorithm-go-test.yml

@@ -0,0 +1,28 @@
+id: jwt-go-none-algorithm-go
+valid:
+  - |
+    import (
+    "fmt"
+    "github.com/dgrijalva/jwt-go"
+         )  
+    func ok1(key []byte){
+    claims = jwt.StandardClaims{
+       ExpiresAt:15000,
+       Issuer:"test",}  
+    token = jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+    ss, err = token.SignedString(key)
+    fmt.Printf("%v %v\n", ss, err)}
+
+invalid:
+  - |
+    import (
+    "fmt"
+    "github.com/dgrijalva/jwt-go"
+         )
+    func bad1(key []byte) {
+    claims = jwt.StandardClaims{
+       ExpiresAt:15000,
+       Issuer:"test",}
+    token = jwt.NewWithClaims(jwt.SigningMethodNone, claims)
+    ss, err = token.SignedString(jwt.UnsafeAllowNoneSignatureType)
+    fmt.Printf("%v %v\n", ss, err)}