Missing JWT signature check¶
ID: go/missing-jwt-signature-check
Kind: path-problem
Security severity: 7.8
Severity: error
Precision: high
Tags:
   - security
   - external/cwe/cwe-347
Query suites:
   - go-code-scanning.qls
   - go-security-extended.qls
   - go-security-and-quality.qls
Applications decoding a JSON Web Token (JWT) may be vulnerable when the signature is not correctly verified.
Recommendation¶
Always verify the signature by using the appropriate methods provided by the JWT library, or use a library that verifies it by default. Decode-only functions such as ParseUnverified exist for inspecting a token's header or claims before verification; their output is attacker-controlled input and must never be used to make an authorization decision. Pin the signing algorithms you accept as well, so that the token's own header cannot select a weaker one.
Example¶
The following (bad) example shows a case where a JWT is parsed without verifying the signature.
package main

import (
	"fmt"
	"log"

	"github.com/golang-jwt/jwt/v5"
)

// User embeds RegisteredClaims so that it satisfies the jwt.Claims interface.
type User struct {
	jwt.RegisteredClaims
}

func decodeJwt(token string) {
	// BAD: JWT is only decoded; the signature is never checked, so any
	// claims an attacker writes into the payload are accepted as-is.
	fmt.Println("only decoding JWT")
	DecodedToken, _, err := jwt.NewParser().ParseUnverified(token, &User{})
	if err != nil {
		log.Fatal("error: ", err)
	}
	if claims, ok := DecodedToken.Claims.(*User); ok {
		fmt.Printf("DecodedToken:%v\n", claims)
	}
}
The following (good) example uses ParseWithClaims, which verifies the signature with the key returned by the supplied key function and validates the registered claims (such as exp) before the token is used.
package main

import (
	"fmt"
	"log"

	"github.com/golang-jwt/jwt/v5"
)

// User embeds RegisteredClaims so that it satisfies the jwt.Claims interface
// and exp/nbf/iat are validated along with the signature.
type User struct {
	jwt.RegisteredClaims
}

func parseJwt(token string, jwtKey []byte) {
	// GOOD: JWT is parsed with signature verification using jwtKey. The
	// accepted signing methods are pinned so that a token whose header names
	// "none" or a different algorithm is rejected before the key is used.
	DecodedToken, err := jwt.ParseWithClaims(token, &User{}, func(token *jwt.Token) (interface{}, error) {
		return jwtKey, nil
	}, jwt.WithValidMethods([]string{"HS256"}))
	if err != nil {
		log.Fatal(err)
	}
	if claims, ok := DecodedToken.Claims.(*User); ok && DecodedToken.Valid {
		fmt.Printf("DecodedToken:%v\n", claims)
	} else {
		log.Fatal("token is not valid")
	}
}
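The difference between the two calls above is what happens with the third segment of the token. The following example is added here and is not code from the CodeQL documentation or from the golang-jwt project: it re-implements, with the Go standard library only, the decode-only step that ParseUnverified performs and the HS256 verification step that ParseWithClaims performs, then forges a token by editing the payload of a genuine one and shows that the decode-only path accepts it while the verifying path does not. The Claims struct, the key, the timestamp and the function names are constructed for the example; in real code use the library rather than this hand-rolled check.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Claims is the payload shape assumed for this example.
type Claims struct {
	Sub   string `json:"sub"`
	Admin bool   `json:"admin"`
	Exp   int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding

// decodeSegment base64url-decodes one segment and unmarshals its JSON.
func decodeSegment(seg string, v any) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// sign issues an HS256 token: header.payload.HMAC-SHA256(key, header.payload).
func sign(claims Claims, key []byte) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// decodeOnly is what ParseUnverified does: it returns whatever the payload says
// and never looks at the signature, so its output is untrusted input.
func decodeOnly(token string) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed token")
	}
	return c, decodeSegment(parts[1], &c)
}

// verify is what ParseWithClaims does for an HMAC key: pin the algorithm, recompute
// the MAC over the bytes received, compare in constant time, then validate claims.
func verify(token string, key []byte, now int64) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed token")
	}
	var header struct{ Alg string `json:"alg"` }
	if err := decodeSegment(parts[0], &header); err != nil {
		return c, err
	}
	// Never let the token pick the algorithm: accepting "none", or a family
	// that does not match the key, is how signature checks get bypassed.
	if header.Alg != "HS256" {
		return c, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return c, fmt.Errorf("signature verification failed")
	}
	if err := decodeSegment(parts[1], &c); err != nil {
		return c, err
	}
	if c.Exp != 0 && now >= c.Exp {
		return c, fmt.Errorf("token expired")
	}
	return c, nil
}

// forge keeps a genuine token's header and signature and swaps in attacker-chosen claims.
func forge(token string, claims Claims) string {
	parts := strings.Split(token, ".")
	payload, _ := json.Marshal(claims)
	return parts[0] + "." + b64.EncodeToString(payload) + "." + parts[2]
}

func main() {
	key, now := []byte("constructed-demo-key-do-not-use"), int64(1704067200) // constructed sample values
	good, _ := sign(Claims{Sub: "alice", Exp: now + 3600}, key)
	bad := forge(good, Claims{Sub: "alice", Admin: true, Exp: now + 3600})
	c, _ := decodeOnly(bad)
	fmt.Println("decodeOnly accepts forged admin claim:", c.Admin)
	_, err := verify(bad, key, now)
	fmt.Println("verify rejects forged token:", err)
}
```

The forged token keeps the original signature, so the only thing standing between the attacker and an admin claim is whether the code recomputes the MAC; verify also refuses a header that says alg none, a wrong key, and an expired exp, which is the same set of checks the library performs when ParseWithClaims is used with a pinned method list.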
References¶
- JWT IO: Introduction to JSON Web Tokens.
- jwt-go: Documentation.
- Go JOSE: Documentation.
- Common Weakness Enumeration: CWE-347.