ID: ruby-security/jwt-no-verify
Language: Ruby
Severity: Warning
Category: Security
CWE: 345
This rule requires that JSON Web Tokens (JWT) are verified whenever they are decoded in Ruby applications. Verification checks the token's signature against the key the application trusts and confirms that the token uses the expected algorithm; it is what establishes that the token was issued by a trusted party and has not been modified since. A JWT that is decoded without verification is nothing more than base64-encoded JSON: anyone can edit its claims (a different user id, an elevated role, a later expiry) or build a token from scratch, and the application will accept it as genuine, leading to unauthorized access or data leakage.
This rule matters because JWTs are typically used for authentication and authorization and often carry sensitive claims. If the signature is never checked, the security of every decision based on the token rests on the client's honesty. Always verify the JWT so that the application only trusts tokens it can tie to a known signing key and a known algorithm.
To avoid violating this rule, pass `true` as the third argument (the `verify` flag) when decoding a JWT, for example `JWT.decode raw_token, secret, true, { algorithm: 'HS256' }`. With `verify` set to `true`, `JWT.decode` checks the signature against `secret` before returning the claims; with `verify` set to `false`, it only base64-decodes the header and payload and skips the signature check entirely, so never set this flag to `false` on tokens received from outside the application. Also pin the expected algorithm with the `algorithm` option, as in the example: this rejects tokens whose header declares a different algorithm (including `none`), rather than letting the token itself choose how it is verified.
Non-compliant code example:

```ruby
require 'jwt'

# verify = false: the claims are returned without any signature check,
# so a client can forge or tamper with the token.
jwt_token = JWT.decode raw_token, secret, false, { algorithm: 'HS256' }
```

Compliant code example:

```ruby
require 'jwt'

# verify = true: the HS256 signature is checked against `secret`, and a token
# whose header declares a different algorithm is rejected.
jwt_token = JWT.decode raw_token, secret, true, { algorithm: 'HS256' }
```
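The following is an added illustration of what the `verify` flag actually controls; it is not code from this rule's documentation or from the ruby-jwt gem. To run without the gem it implements the HS256 signing and checking steps directly with Ruby's standard library (`OpenSSL::HMAC`, `JSON`, `Array#pack`). The `MiniJWT` module, the `decode_unverified` / `decode_verified` names, the secret and the claims are all constructed for the example. `decode_unverified` mirrors `verify = false`: it returns whatever claims the payload contains. `decode_verified` mirrors `verify = true` with a pinned `algorithm`: it rejects an unexpected `alg` (including `none`) and a signature that does not match the key.

```ruby
require 'openssl'
require 'json'

# Minimal HS256 JWT helpers (constructed for illustration, not the jwt gem).
module MiniJWT
  class VerificationError < StandardError; end

  # base64url without padding, as JWT requires (RFC 7515 section 2).
  def self.b64url(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.unb64url(str)
    padded = str + '=' * ((4 - str.length % 4) % 4)
    padded.tr('-_', '+/').unpack1('m0')
  end

  def self.encode(payload, secret)
    header = { alg: 'HS256', typ: 'JWT' }
    signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
    sig = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
    "#{signing_input}.#{b64url(sig)}"
  end

  # Equivalent of `verify = false`: the payload is base64-decoded and returned.
  # Neither the signature nor the declared algorithm is looked at.
  def self.decode_unverified(token)
    _header, payload, _sig = token.split('.', 3)
    JSON.parse(unb64url(payload))
  end

  # Equivalent of `verify = true` with `algorithm:` pinned: the header must
  # declare the expected algorithm and the HMAC must match the key.
  def self.decode_verified(token, secret, algorithm: 'HS256')
    parts = token.split('.')
    raise VerificationError, 'malformed token' unless parts.length == 3
    header_b64, payload_b64, sig_b64 = parts
    header = JSON.parse(unb64url(header_b64))
    unless header['alg'] == algorithm
      raise VerificationError, "unexpected alg #{header['alg'].inspect}"
    end
    expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header_b64}.#{payload_b64}")
    raise VerificationError, 'bad signature' unless secure_equal?(expected, unb64url(sig_b64))
    JSON.parse(unb64url(payload_b64))
  end

  # Constant-time comparison so the check does not leak how many bytes matched.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

SECRET = 'demo-secret-do-not-use'.freeze # constructed for the example
TOKEN  = MiniJWT.encode({ 'sub' => 'alice', 'role' => 'user' }, SECRET)

# An attacker keeps the header and signature of a real token but rewrites the
# claims to grant themselves an admin role.
def forge_admin(token)
  header, _payload, sig = token.split('.')
  admin_payload = MiniJWT.b64url(JSON.generate({ 'sub' => 'alice', 'role' => 'admin' }))
  "#{header}.#{admin_payload}.#{sig}"
end
FORGED = forge_admin(TOKEN)

# A token that asks to be checked with no algorithm at all.
NONE_TOKEN = "#{MiniJWT.b64url(JSON.generate({ alg: 'none', typ: 'JWT' }))}." \
             "#{MiniJWT.b64url(JSON.generate({ 'sub' => 'alice', 'role' => 'admin' }))}."

# :accepted or :rejected for a given token, so the outcomes can be compared.
def verified_outcome(token, secret)
  MiniJWT.decode_verified(token, secret)
  :accepted
rescue MiniJWT::VerificationError
  :rejected
end

if $PROGRAM_NAME == __FILE__
  puts "unverified role on forged token: #{MiniJWT.decode_unverified(FORGED)['role']}"
  puts "verified, genuine token:         #{verified_outcome(TOKEN, SECRET)}"
  puts "verified, forged token:          #{verified_outcome(FORGED, SECRET)}"
  puts "verified, alg=none token:        #{verified_outcome(NONE_TOKEN, SECRET)}"
end
```

Run as a script: the unverified decode happily reports `admin` for the forged token, while the verified decode accepts only the genuine token and rejects both the tampered payload and the `alg: none` variant. With the real gem the same split is the difference between `JWT.decode raw_token, secret, false` and `JWT.decode raw_token, secret, true, { algorithm: 'HS256' }`.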
For more information, please read the Code Analysis documentation
Identify code vulnerabilities directly in your VS Code editor
Identify code vulnerabilities directly in JetBrains products