Create rule S6781: JWT secret keys should not be disclosed #8996
Labels
Area: C#
C# rules related issues.
Area: CFG/SE
CFG and SE related issues.
Area: Security
Related to Vulnerability and Security Hotspot rules
Sprint: MMF-3716 crypto rules
https://sonarsource.atlassian.net/browse/MMF-3716
Type: New Rule
Implementation for a rule that HAS been specified.
Why
As part of MMF-3716, we want to close the gap between C# and other languages regarding cryptography related rules support. S6781 is one of the rules that is not currently supported by this analyzer.
What
S6781 aims to detect when JWT secret keys are disclosed. We want to add support for this behavior for both .NET Core and .NET Framework.
Detection logic
We want to raise when the `System.IdentityModel.Tokens.SymmetricSecurityKey` constructor is called with a key that is hard-coded or stored insecurely. This covers the following methods of storing a key:

- `byte[]` in the source code with a hard-coded value.
- `string` in the source code.
- `<appSettings>` section of `App.config`/`web.config`, obtained via the `ConfigurationManager.AppSettings` collection.
- `appsettings.json` file, obtained via the `IConfiguration` interface.

If the value is stored as a string, the following methods can be used to convert it to a `byte[]`:

- `System.Text.Encoding.GetBytes()`
- `System.Convert.FromBase64String()`
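The storage patterns listed above, side by side with the compliant environment-variable form, as an added illustration (not code from the sonar-dotnet project or the RSPEC). It assumes the `Microsoft.IdentityModel.Tokens` package's `SymmetricSecurityKey(byte[])` constructor, the `System.Configuration.ConfigurationManager` package for the .NET Framework-style case, and the configuration key names `Jwt:Secret`, `JwtSecret` and `JWT_SECRET`, which are placeholders.

```csharp
using System;
using System.Configuration;
using System.Text;
using Microsoft.Extensions.Configuration;
using Microsoft.IdentityModel.Tokens;

// Each method constructs a SymmetricSecurityKey the way one of the
// listed storage patterns would; the first four are what the rule
// should flag, the last is the compliant shape.
public static class JwtKeyStoragePatterns
{
    // Noncompliant: hard-coded byte[] literal in source (constructed sample bytes).
    public static SymmetricSecurityKey HardCodedBytes()
    {
        byte[] key = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
                       0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff };
        return new SymmetricSecurityKey(key);
    }

    // Noncompliant: hard-coded string in source, converted with Encoding.GetBytes().
    public static SymmetricSecurityKey HardCodedString()
    {
        string secret = "placeholder-secret-for-illustration-only";
        return new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret));
    }

    // Noncompliant: value read from appsettings.json through IConfiguration,
    // converted with Convert.FromBase64String(). "Jwt:Secret" is an assumed key name.
    public static SymmetricSecurityKey FromAppSettingsJson(IConfiguration config)
    {
        string secret = config["Jwt:Secret"];
        return new SymmetricSecurityKey(Convert.FromBase64String(secret));
    }

    // Noncompliant: value read from the <appSettings> section of App.config/web.config
    // through ConfigurationManager.AppSettings. "JwtSecret" is an assumed key name.
    public static SymmetricSecurityKey FromAppConfig()
    {
        string secret = ConfigurationManager.AppSettings["JwtSecret"];
        return new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret));
    }

    // Compliant: key material is supplied at run time from an environment variable
    // ("JWT_SECRET" is an assumed name) and never lives in source or config files.
    public static SymmetricSecurityKey FromEnvironment()
    {
        string secret = Environment.GetEnvironmentVariable("JWT_SECRET")
            ?? throw new InvalidOperationException("JWT_SECRET is not set");
        return new SymmetricSecurityKey(Convert.FromBase64String(secret));
    }
}
```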
Example code
.NET Core examples
Compliant: key is obtained from an environment variable
Noncompliant: key is hard-coded in code
Noncompliant: key is stored insecurely in `appsettings.json`
.NET Framework examples
Noncompliant: key is stored insecurely in `App.config`/`web.config`
RSPEC
This rule's RSPEC contains information regarding messages and highlighting.