UNPKG

mcp-server-semgrep


MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: jwt-python-none-alg
  message: >-
    Detected use of the 'none' algorithm in a JWT token.
    The 'none' algorithm assumes the integrity of the token has already
    been verified. This would allow a malicious actor to forge a JWT token
    that will automatically be verified. Do not explicitly use the 'none'
    algorithm. Instead, use an algorithm such as 'HS256'.
  metadata:
    cwe:
    - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
    owasp:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures
    source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
    category: security
    technology:
    - jwt
    references:
    - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
    subcategory:
    - vuln
    likelihood: MEDIUM
    impact: MEDIUM
    confidence: MEDIUM
  languages: [python]
  severity: ERROR
  pattern-either:
  - pattern: |
      jwt.encode(...,algorithm="none",...)
  - pattern: |-
      jwt.decode(...,algorithms=[...,"none",...],...)
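The following is an added example, not part of the rule file above and not code from the mcp-server-semgrep project or from PyJWT. It shows concretely why the two call shapes the rule matches are dangerous: a minimal, stdlib-only JWT encoder and verifier whose `encode`/`decode` functions mirror the shape of `jwt.encode(..., algorithm=...)` and `jwt.decode(..., algorithms=[...])`. Once "none" is in the allowed algorithm list, an attacker who never saw the server key can mint a token with an empty signature that verifies; restricting the list to "HS256" rejects it at the algorithm check. The key `SECRET`, the payloads and the `forge_none_token` helper are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side HMAC key; the attacker never learns it.
SECRET = b"server-side-hmac-key-for-demo-only"


def b64url_encode(data: bytes) -> str:
    """JWT base64url without padding (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _sign(signing_input: bytes, alg: str, key: bytes) -> bytes:
    """Compute the signature for one of the two algorithms in play.

    'none' is exactly what the rule warns about: it produces an empty
    signature, so there is nothing for the verifier to check.
    """
    if alg == "HS256":
        return hmac.new(key, signing_input, hashlib.sha256).digest()
    if alg == "none":
        return b""
    raise ValueError(f"unsupported alg {alg!r}")


def encode(payload: dict, key: bytes, algorithm: str = "HS256") -> str:
    """Build header.payload.signature, shaped like jwt.encode()."""
    header = {"alg": algorithm, "typ": "JWT"}
    segments = [
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
    ]
    signing_input = ".".join(segments).encode("ascii")
    signature = _sign(signing_input, algorithm, key)
    return ".".join(segments + [b64url_encode(signature)])


def decode(token: str, key: bytes, algorithms: list) -> dict:
    """Verify and return the payload, shaped like jwt.decode().

    The header's alg is trusted only if it appears in `algorithms`; the
    vulnerable pattern is passing a list that contains "none".
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg not in algorithms:
        raise ValueError(f"alg {alg!r} not allowed")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = _sign(signing_input, alg, key)
    # Constant-time compare; note that compare_digest(b"", b"") is True,
    # which is precisely how an alg=none token sails through.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def forge_none_token(payload: dict) -> str:
    """Attacker side: an alg=none token needs no key at all."""
    return encode(payload, b"", algorithm="none")


def demo() -> tuple:
    """Return (what the vulnerable verifier accepts, what the hardened one says)."""
    forged = forge_none_token({"sub": "alice", "admin": True})
    # Vulnerable: "none" in the allowed list (the rule's second pattern).
    accepted_by_vulnerable = decode(forged, SECRET, algorithms=["HS256", "none"])
    # Hardened: only HS256 is allowed, so the forged token is rejected.
    try:
        decode(forged, SECRET, algorithms=["HS256"])
        hardened_result = "accepted"
    except ValueError as exc:
        hardened_result = str(exc)
    return accepted_by_vulnerable, hardened_result


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("vulnerable decode returned:", vulnerable)
    print("hardened decode said:", hardened)
```

The same logic applies to real libraries: the fix is to pin `algorithms` to the one algorithm the server actually signs with and never let the token's own header choose it.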