Hardcoding secrets in JWT (JSON Web Token) signing algorithms can expose sensitive data and compromise your application’s security. JWTs are used for authorization, and if their signing secret is exposed, unauthorized parties can forge or modify these tokens and gain access to your system.
Hardcoding secrets in your code means they are directly included in your source code. This practice is dangerous because if your code is exposed or your system is breached, these secrets can be found and exploited by attackers. Additionally, hard-coded secrets are difficult to rotate or change without updating and redeploying your code.
To adhere to this rule, always load secrets from a secure configuration that is separate from your code. This can be done using secret management systems, environment variables, or secure configuration files. In the case of JWT signing, use a secure method to retrieve the signing secret just before you create the JWT. This ensures that your secret is not stored in an insecure location and that it can be changed without updating your code.
Non-Compliant Code Examples
import com.auth0.jwt.JWT
import com.auth0.jwt.algorithms.Algorithm
import com.auth0.jwt.exceptions.JWTCreationException

// Non-compliant: Hardcoded secrets in JWT algorithms
class UnsafeJwtManager {
    fun createToken(userId: String): String {
        try {
            // Dangerous: Using hardcoded secret
            val algorithm = Algorithm.HMAC256("my_super_secret_key_123")
            return JWT.create()
                .withSubject(userId)
                .sign(algorithm)
        } catch (e: JWTCreationException) {
            throw SecurityException("Token creation failed", e)
        }
    }
}
Compliant Code Examples
import com.auth0.jwt.JWT
import com.auth0.jwt.algorithms.Algorithm
import com.auth0.jwt.exceptions.JWTCreationException

// Compliant: Secrets loaded from secure configuration
class SecureJwtManager(
    private val secretProvider: SecretProvider // Interface to secret management system
) {
    fun createToken(userId: String): String {
        try {
            // Safe: Secret retrieved from secure storage
            val jwtSecret = secretProvider.getSecret("jwt_signing_key")
            val algorithm = Algorithm.HMAC256(jwtSecret)
            return JWT.create()
                .withSubject(userId)
                .sign(algorithm)
        } catch (e: JWTCreationException) {
            throw SecurityException("Token creation failed", e)
        }
    }
}
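The compliant example leaves the SecretProvider abstract. As an added example that is not part of the rule page, here is a concrete provider backed by an environment variable that fails closed when the secret is missing (a `?: "default"` fallback would reintroduce a hardcoded secret), plus a service that fetches the key at signing time and verifies tokens with the same provider. The SecretProvider interface shape, the EnvironmentSecretProvider and JwtService classes, and the JWT_SIGNING_KEY variable name are assumptions; the library calls are java-jwt's public API.

```kotlin
import com.auth0.jwt.JWT
import com.auth0.jwt.algorithms.Algorithm
import com.auth0.jwt.exceptions.JWTVerificationException
import java.util.Date

// Assumed interface, matching the one the compliant example above relies on.
interface SecretProvider {
    fun getSecret(name: String): String
}

// Reads secrets from environment variables and fails closed: a missing or blank
// value is an error, never replaced by a built-in default (a hardcoded secret by another name).
class EnvironmentSecretProvider : SecretProvider {
    override fun getSecret(name: String): String {
        val value = System.getenv(name)
        if (value.isNullOrBlank()) {
            throw IllegalStateException("Secret '$name' is not configured")
        }
        // HS256 keys should be at least 256 bits; refuse anything shorter.
        if (value.toByteArray(Charsets.UTF_8).size < 32) {
            throw IllegalStateException("Secret '$name' is shorter than 32 bytes")
        }
        return value
    }
}

class JwtService(private val secretProvider: SecretProvider) {
    // Assumed variable name; use whatever your deployment configures.
    private val secretName = "JWT_SIGNING_KEY"

    // The key is fetched at signing time, so rotating it needs no redeploy.
    fun createToken(userId: String, ttlSeconds: Long): String {
        val algorithm = Algorithm.HMAC256(secretProvider.getSecret(secretName))
        val now = Date()
        return JWT.create()
            .withSubject(userId)
            .withIssuedAt(now)
            .withExpiresAt(Date(now.time + ttlSeconds * 1000))
            .sign(algorithm)
    }

    // Returns the subject when signature and expiry check out, otherwise null.
    fun verify(token: String): String? {
        val algorithm = Algorithm.HMAC256(secretProvider.getSecret(secretName))
        return try {
            JWT.require(algorithm).build().verify(token).subject
        } catch (e: JWTVerificationException) {
            null
        }
    }
}
```

Swapping EnvironmentSecretProvider for one backed by a secret manager changes nothing in JwtService, which is the point of keeping the key out of the code.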
Analyze your code with Datadog Code Security using this rule
How to use this rule
rulesets:
  - kotlin-security # Rules to enforce Kotlin security.
Create a static-analysis.datadog.yml file containing the content above at the root of your repository.
Use our free IDE plugins or add Code Security scans to your CI pipelines.