检查硬编码
规则
rules:- id: java-jwt-hardcoded-secretlanguages:- javaseverity: ERRORmessage: hardcodepatterns:- pattern: $SENVAR="$VALUE"# 这里可以去掉一些比如 xxxKey="appid"- pattern-regex: ^(?!.*id"$).*$- metavariable-pattern:metavariable: $SENVARpattern-regex: (?i).*(pass|pwd|key|private|key|sharekey|share_key|secret).*
实验代码
package jwt_test.jwt_test_1;import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTCreationException;public class App
{// ruleid: java-jwt-hardcoded-secretstatic String secret = "secret";// ok: id private String queryKey="appid"private static void bad1() {try {// ruleid: java-jwt-hardcoded-secretString password="Liu123456"Algorithm algorithm = Algorithm.HMAC256("secret");String token = JWT.create().withIssuer("auth0").sign(algorithm);name="LYB"} catch (JWTCreationException exception){//Invalid Signing configuration / Couldn't convert Claims.}}private static void ok1(String secretKey) {try {// ok: java-jwt-hardcoded-secretAlgorithm algorithm = Algorithm.HMAC256(secretKey);String token = JWT.create().withIssuer("auth0").sign(algorithm);} catch (JWTCreationException exception){//Invalid Signing configuration / Couldn't convert Claims.}}public static void main( String[] args ){bad1();ok1(args[0]);}
}abstract class App2
{
// ruleid: java-jwt-hardcoded-secretstatic String secret = "secret";public void bad2() {try {Algorithm algorithm = Algorithm.HMAC256(secret);String token = JWT.create().withIssuer("auth0").sign(algorithm);} catch (JWTCreationException exception){//Invalid Signing configuration / Couldn't convert Claims.}}}