io.codemodder.codemods.codeql.CodeQLUnverifiedJwtCodemod.description.md
Codemods for fixing common errors across many Java projects
This change switches to JSON Web Token (JWT) parsing APIs that perform signature validation.
Unfortunately, the method names of the `io.jsonwebtoken` (jjwt) parsing API do not convey the difference in risk. Only the `...Jws()` methods (`parseClaimsJws()`, `parsePlaintextJws()`) require a signature and verify it against the configured key. `parse()` verifies a signature when one is present but also accepts a token that carries no signature at all, so an attacker who strips the signature segment gets a forged payload accepted. `parseClaimsJwt()` and `parsePlaintextJwt()` are the unsigned-token parsers: they reject signed tokens and verify nothing, so they are not a safe substitute either.
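To make the difference concrete, here is an added example (not code from this codemod or from jjwt's own documentation) that assumes jjwt 0.11.x (`jjwt-api`, `jjwt-impl`, `jjwt-jackson`) on the classpath; the class name `JwtParseDemo` and the helper methods are hypothetical. It builds one genuine signed token and one forged token without a signature, then runs both through `parse()` and `parseClaimsJws()`:

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;

import java.security.Key;

/**
 * Added example, not part of the codemod. Assumes jjwt 0.11.x.
 * Contrasts parse() (accepts unsigned tokens) with parseClaimsJws()
 * (requires and verifies a signature).
 */
public class JwtParseDemo {

    /** Constructed key for the demo; a real service loads it from configuration. */
    private static final Key KEY = Keys.secretKeyFor(SignatureAlgorithm.HS256);

    /** Vulnerable: parse() returns a body even when the token has no signature. */
    static String subjectViaParse(String token) {
        JwtParser parser = Jwts.parser().setSigningKey(KEY);
        Jwt<?, ?> jwt = parser.parse(token);
        return ((Claims) jwt.getBody()).getSubject();
    }

    /** Hardened: parseClaimsJws() throws unless the token is signed with KEY. */
    static String subjectViaParseClaimsJws(String token) {
        JwtParser parser = Jwts.parser().setSigningKey(KEY);
        Jws<Claims> jws = parser.parseClaimsJws(token);
        return jws.getBody().getSubject();
    }

    public static void main(String[] args) {
        // Genuine token: signed with KEY by the issuer.
        String genuine = Jwts.builder().setSubject("alice").signWith(KEY).compact();

        // Forged token: built without any key. jjwt's builder emits an
        // {"alg":"none"} header and an empty third segment ("header.payload.").
        String forged = Jwts.builder().setSubject("admin").compact();

        // parse() verifies the genuine token and also accepts the forged one,
        // handing back the attacker-chosen subject.
        System.out.println("parse(genuine)          -> " + subjectViaParse(genuine));
        System.out.println("parse(forged)           -> " + subjectViaParse(forged));

        // parseClaimsJws() verifies the genuine token and rejects the forged one
        // with an UnsupportedJwtException (a JwtException subclass).
        System.out.println("parseClaimsJws(genuine) -> " + subjectViaParseClaimsJws(genuine));
        try {
            subjectViaParseClaimsJws(forged);
            System.out.println("parseClaimsJws(forged)  -> accepted (must not happen)");
        } catch (JwtException e) {
            System.out.println("parseClaimsJws(forged)  -> rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Because `parseClaimsJws()` returns `Jws<Claims>` rather than the raw `Jwt` that `parse()` returns, call sites that consumed the `parse()` result need their declared type updated as part of the swap. The same guarantee can be had from `parse(token, handler)` when the `JwtHandlerAdapter` overrides only `onClaimsJws()`, since every other token shape then falls through to the adapter's rejecting defaults.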
Changing out these methods is easy and our changes look something like this:
```diff
JwtParser parser = Jwts.parser();
JwtParser jwtParser = parser.setSigningKey(JWT_PASSWORD);
- Jwt jwt = jwtParser.parse(token);
+ Jwt jwt = jwtParser.parseClaimsJwt(token);
```
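Review bot: the `+` line replaces `parse(token)` with `parseClaimsJwt(token)`, but that method is jjwt's parser for unsigned tokens: it throws `UnsupportedJwtException` when the token is signed and never checks a signature, so the rewritten call still accepts a signature-less token and the change does not deliver the validation the paragraph above promises. The replacement that requires and verifies the signature is `parseClaimsJws(token)`, e.g. `+ Jws<Claims> jwt = jwtParser.parseClaimsJws(token);`, which also means the variable type changes from `Jwt` to `Jws<Claims>` at the call site.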