From 4f164efd1fd6d937f596219f0dbc5ebeaebba0f4 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 25 Sep 2023 12:31:17 +0200
Subject: [PATCH] Create rule S6781: JWT secret keys should not be disclosed (#3101)
---
 rules/S6781/metadata.json | 2 +
 rules/S6781/python/metadata.json | 57 ++++++++++++++++++++++++++
 rules/S6781/python/rule.adoc | 68 ++++++++++++++++++++++++++++++++
 3 files changed, 127 insertions(+)
 create mode 100644 rules/S6781/metadata.json
 create mode 100644 rules/S6781/python/metadata.json
 create mode 100644 rules/S6781/python/rule.adoc
diff --git a/rules/S6781/metadata.json b/rules/S6781/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S6781/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S6781/python/metadata.json b/rules/S6781/python/metadata.json
new file mode 100644
index 00000000000..64d7f37effd
--- /dev/null
+++ b/rules/S6781/python/metadata.json
@@ -0,0 +1,57 @@
+{
+ "title": "JWT secret keys should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "extra": {
+ "replacementRules": [
+
+ ]
+ },
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-6781",
+ "sqKey": "S6781",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "6.4.1"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
\ No newline at end of file
diff --git a/rules/S6781/python/rule.adoc b/rules/S6781/python/rule.adoc
new file mode 100644
index 00000000000..b9fa10b098b
--- /dev/null
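Review bot: The `"CERT": ["MSC03-J."]` entry in the python/metadata.json hunk maps a Python rule to a Java-specific CERT identifier (the `-J` suffix denotes the CERT Oracle Coding Standard for Java), so the generated rule page will cite a standard that does not apply to the language being analysed. If the shared secrets template deliberately carries this identifier across all languages, say so in the PR; otherwise drop the entry and the `"cert"` tag that goes with it, keeping `"CWE": [798, 259]` as the language-neutral reference. Separately, the bare `"OWASP": ["A3"]` key is ambiguous now that `"OWASP Top 10 2021": ["A7"]` sits beside it; a short note that it refers to the 2017 edition (A3 Sensitive Data Exposure) would help reviewers, and the file should end with a newline (`\ No newline at end of file`).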
+++ b/rules/S6781/python/rule.adoc
@@ -0,0 +1,68 @@
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+If a JWT secret key leaks to an unintended audience, it can have serious
+security implications for the corresponding application. The secret key is used
+to encode and decode JWTs when using a symmetric signing algorithm, and an
+attacker could potentially use it to perform malicious actions.
+
+For example, an attacker could use the secret key to create their own
+authentication tokens that appear to be legitimate, allowing them to bypass
+authentication and gain access to sensitive data or functionality.
+
+In the worst-case scenario, an attacker could be able to execute arbitrary code
+on the application by abusing administrative features, and take over its hosting
+server.
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+Changing the secret value is sufficient to invalidate any data that it protected.
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,python,diff-id=1,diff-type=noncompliant,subs="attributes"]
+----
+from flask import Flask
+
+app = Flask(__name__)
+app.config['JWT_SECRET_KEY'] = "secret" # Noncompliant
+----
+
+==== Compliant solution
+
+[source,python,diff-id=1,diff-type=compliant,subs="attributes"]
+----
+from flask import Flask
+import os
+
+app = Flask(__name__)
+app.config['JWT_SECRET_KEY'] = os.environ["JWT_SECRET_KEY"]
+----
+
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+=== Documentation
+
+* Flask JWT documentation - https://flask-jwt-extended.readthedocs.io/en/stable/options.html#jwt-secret-key[Config - JWT_SECRET_KEY]
+
+//=== Benchmarks