Create rule S6781: JWT secret keys should not be disclosed (#3101)

SonarSource · Sep 25, 2023 · 4f164ef · 4f164ef
1 parent 83ff995
commit 4f164ef
Show file tree

Hide file tree

Showing 3 changed files with 127 additions and 0 deletions.
diff --git a/rules/S6781/metadata.json b/rules/S6781/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S6781/python/metadata.json b/rules/S6781/python/metadata.json
@@ -0,0 +1,57 @@
+{
+  "title": "JWT secret keys should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe",
+    "cert"
+  ],
+  "extra": {
+    "replacementRules": [
+
+    ]
+  },
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-6781",
+  "sqKey": "S6781",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "6.4.1"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
+}
diff --git a/rules/S6781/python/rule.adoc b/rules/S6781/python/rule.adoc
@@ -0,0 +1,68 @@
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+If a JWT secret key leaks to an unintended audience, it can have serious
+security implications for the corresponding application. The secret key is used
+to encode and decode JWTs when using a symmetric signing algorithm, and an
+attacker could potentially use it to perform malicious actions.
+
+For example, an attacker could use the secret key to create their own
+authentication tokens that appear to be legitimate, allowing them to bypass
+authentication and gain access to sensitive data or functionality.
+
+In the worst-case scenario, an attacker could be able to execute arbitrary code
+on the application by abusing administrative features, and take over its hosting
+server.
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+Changing the secret value is sufficient to invalidate any data that it protected.
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,python,diff-id=1,diff-type=noncompliant,subs="attributes"]
+----
+from flask import Flask
+
+app = Flask(__name__)
+app.config['JWT_SECRET_KEY'] = "secret"  # Noncompliant
+----
+
+==== Compliant solution
+
+[source,python,diff-id=1,diff-type=compliant,subs="attributes"]
+----
+from flask import Flask
+import os
+
+app = Flask(__name__)
+app.config['JWT_SECRET_KEY'] = os.environ["JWT_SECRET_KEY"]
+----
+
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+=== Documentation
+
+* Flask JWT documentation - https://flask-jwt-extended.readthedocs.io/en/stable/options.html#jwt-secret-key[Config - JWT_SECRET_KEY]
+
+//=== Benchmarks