From f125cc0c5c67e6995606f5a4713e62af432aaafb Mon Sep 17 00:00:00 2001 From: clavedeluna Date: Wed, 27 Sep 2023 10:35:43 -0300 Subject: [PATCH] add jwt decode py docs --- .../python/pixee_python_verify-jwt-decode.md | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 docs/codemods/python/pixee_python_verify-jwt-decode.md diff --git a/docs/codemods/python/pixee_python_verify-jwt-decode.md b/docs/codemods/python/pixee_python_verify-jwt-decode.md new file mode 100644 index 0000000..ef068d8 --- /dev/null +++ b/docs/codemods/python/pixee_python_verify-jwt-decode.md 
@@ -0,0 +1,38 @@ +--- +title: Verify JWT Decode +sidebar_position: 1 +--- + +## pixee:python/jwt-decode-verify + +| Importance | Review Guidance | Requires SARIF Tool | +|------------|----------------------|---------------------| + | High | Merge Without Review | No | + + +This codemod ensures calls to [jwt.decode](https://pyjwt.readthedocs.io/en/stable/api.html#jwt.decode) do not disable signature validation and other +verifications. It checks that both the `verify` parameter (soon to be deprecated) and any key starting with `verify_` in the `options` dict parameter are not assigned to `False`. + +Our change looks as follows: + +```diff + import jwt + ... +- decoded_payload = jwt.decode(encoded_jwt, SECRET_KEY, algorithms=["HS256"], verify=False) ++ decoded_payload = jwt.decode(encoded_jwt, SECRET_KEY, algorithms=["HS256"], verify=True) + ... +- decoded_payload = jwt.decode(encoded_jwt, SECRET_KEY, algorithms=["HS256"], options={"verify_signature": False, "verify_exp": False}) ++ decoded_payload = jwt.decode(encoded_jwt, SECRET_KEY, algorithms=["HS256"], options={"verify_signature": True, "verify_exp": True}) +``` + +If you have feedback on this codemod, [please let us know](mailto:feedback@pixee.ai)! + +## F.A.Q. + +### Why is this codemod marked as Merge Without Review? + +This codemod ensures your code uses all available validations when calling `jwt.decode`. We believe this replacement is safe and should not result in any issues. + +## References +* [https://pyjwt.readthedocs.io/en/stable/api.html](https://pyjwt.readthedocs.io/en/stable/api.html) +* [https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/10-Testing_JSON_Web_Tokens](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/10-Testing_JSON_Web_Tokens)
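Review bot: In the `diff` example the "after" line keeps `verify=True` even though the paragraph just above describes the `verify` parameter as soon to be deprecated; consider showing the rewrite as `options={"verify_signature": True}` (the form already used in the second example) so the documented fix does not depend on a parameter being phased out, or state explicitly that `verify=True` is the intended output of the codemod. Two smaller points: the table body row `+ | High | Merge Without Review | No |` has a leading space that the header and separator rows lack, and the F.A.Q. answer "should not result in any issues" would be more accurate if it noted that re-enabling `verify_signature` and `verify_exp` is a deliberate behaviour change, so tokens that previously decoded without checks (including expired ones) will now raise; that is the purpose of the fix, but reviewers relying on "Merge Without Review" should expect it.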