io.codemodder.codemods.codeql.CodeQLUnverifiedJwtCodemod.description.md
This change switches to JSON Web Token (JWT) parsing APIs that perform signature validation.

Unfortunately the method names in JWT parsing with the `io.jsonwebtoken.jjwt` library don't convey the risk difference in usage. Although the `parseClaimsJws()` and `parseClaimsJwt()` methods perform signature validation, the `parse()` method does not.

Changing out these methods is easy and our changes look something like this:

```diff
  JwtParser parser = Jwts.parser();
  JwtParser jwtParser = parser.setSigningKey(JWT_PASSWORD);
- Jwt jwt = jwtParser.parse(token);
+ Jwt jwt = jwtParser.parseClaimsJwt(token);
```
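As an added example (not the codemod's own code and not part of this description), the following Java program shows the behaviour the change relies on: assuming the jjwt 0.9.x to 0.11.x API and a constructed HMAC key, `parseClaimsJws()` returns the claims of a properly signed token and throws for an unsigned or tampered one.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.UnsupportedJwtException;

import java.nio.charset.StandardCharsets;
import java.security.Key;
import javax.crypto.spec.SecretKeySpec;

public class VerifiedJwtExample {

    // Constructed demo secret (assumption); a real service loads a random key from a secret store.
    private static final Key KEY = new SecretKeySpec(
            "constructed-demo-secret-at-least-32-bytes!!".getBytes(StandardCharsets.UTF_8),
            "HmacSHA256");

    /** Returns the claims only if the token is a JWS whose HMAC verifies under KEY. */
    static Claims verifiedClaims(String token) {
        // parseClaimsJws() verifies the signature and rejects unsigned ("alg":"none")
        // tokens with UnsupportedJwtException; parse() would accept either form.
        return Jwts.parser().setSigningKey(KEY).parseClaimsJws(token).getBody();
    }

    public static void main(String[] args) {
        String signed = Jwts.builder().setSubject("alice")
                .signWith(SignatureAlgorithm.HS256, KEY).compact();
        String unsigned = Jwts.builder().setSubject("alice").compact(); // no signature part
        // Same header and payload, signature replaced with bytes that cannot verify.
        String tampered = signed.substring(0, signed.lastIndexOf('.') + 1) + "AAAA";

        System.out.println("signed   -> subject " + verifiedClaims(signed).getSubject());
        for (String bad : new String[] {unsigned, tampered}) {
            try {
                verifiedClaims(bad);
                System.out.println("unexpectedly accepted");
            } catch (UnsupportedJwtException e) {
                System.out.println("rejected unsigned token: " + e.getMessage());
            } catch (JwtException e) {
                // SignatureException (bad HMAC), MalformedJwtException, ExpiredJwtException, ...
                System.out.println("rejected: " + e.getClass().getSimpleName());
            }
        }
    }
}
```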
