rspec/rules/S5659/python/rule.adoc

== Why is this an issue?

include::../description.adoc[]

=== Noncompliant code example

For https://github.com/jpadilla/pyjwt[pyjwt] module:

[source,python]
----
jwt.decode(token, verify = False)  # Noncompliant
jwt.decode(token, key, options={"verify_signature": False})  # Noncompliant
----
For https://github.com/davedoesdev/python-jwt[python_jwt] module:

[source,python]
----
jwt.process_jwt(token)  # Noncompliant
----

=== Compliant solution

For https://github.com/jpadilla/pyjwt[pyjwt] module:

[source,python]
----
jwt.decode(token, key, algo)
----
For https://github.com/davedoesdev/python-jwt[python_jwt] module:

[source,python]
----
jwt.process_jwt(token)  #  Compliant because followed by verify_jwt()
jwt.verify_jwt(token, key, algo)
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

=== on 22 Feb 2021, 11:17:11 Pierre-Yves Nicolas wrote:
The first code example of the current description of the RSPEC links to https://github.com/GehirnInc/python-jwt but this is another JWT implementation.

 There are multiple JWT implementations in Python with very similar names and they sometimes use the same namespace...

* PyJWT: https://github.com/jpadilla/pyjwt
 https://pyjwt.readthedocs.io/en/latest/index.html[doc]

 This is the one which matches the first code example of the current description.

 https://pyjwt.readthedocs.io/en/latest/changelog.html#v2-0-0[Starting with version 2.0], the verify param of the decode function was dropped and replaced with

----
jwt.decode(encoded, key, options={"verify_signature": False}){code}

 * [https://github.com/davedoesdev/python-jwt]
 This is the one which has a process_jwt function.
{quote}From version 2.0.1 the namespace has changed from jwt to python_jwt, in order to avoid conflict with PyJWT.
{quote}

 * [https://github.com/GehirnInc/python-jwt]
 This implementation is wrongly linked in the current description of the ticket.
 It's actually not covered by the current description of the RSPEC.
----

=== on 22 Feb 2021, 14:06:26 Pierre-Yves Nicolas wrote:
\[~hendrik.buchwald] Should we raise an issue on the following code?

----
try:
    jwt.decode(token, key, algo)
except:
    raise Exception("Invalid token")
----
Real world cases:

* \https://github.com/Bounties-Network/BountiesAPI/blob/7931957e56c9fcef574dd3a00ec5ab9a787a365c/bounties_api/user/middleware.py#L20
* \https://github.com/DragonComputer/Dragonfire/blob/dd21f8e88d9b6390bd229ff73f89a8c3c137b89c/dragonfire/api.py#L47
* \https://github.com/JeffVandrewJr/patron/blob/b2545066c8e57e398f4896eb9b25fb4e970e0f06/app/models.py#L125

=== on 22 Feb 2021, 17:31:35 Pierre-Yves Nicolas wrote:
\[~hendrik.buchwald] Shouldn't we drop the last part of the rule title ("with strong cipher algorithms") since we don't check the algorithm?

=== on 24 Feb 2021, 10:42:09 Hendrik Buchwald wrote:
\[~pierre-yves.nicolas] thanks, good catch! Luckily I only confused the links, the first one was supposed to be PyJWT (as that one is used much more often). I will change the name of the rule.


That are nice examples for the exceptions. While they are of course secure I think it might be fine to still raise this issue since there is no reason to not check for the right type of exception (e.g. ``++jwt.InvalidSignatureError++``). The intention of this specification is though to detect cases where the invalid signature exception is caught accidentally. 

=== on 24 Feb 2021, 13:09:31 Hendrik Buchwald wrote:
I have removed the exception case for now.

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Nightly update 2021-01-26 04:07:35 +00:00			`include::../description.adoc[]`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Noncompliant code example`
Nightly update 2021-01-26 04:07:35 +00:00
Update rules after the fix in the export module 2021-04-26 17:29:13 +02:00			`For https://github.com/jpadilla/pyjwt[pyjwt] module:`
Nightly update 2021-01-26 04:07:35 +00:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,python]`
Nightly update 2021-01-26 04:07:35 +00:00			`----`
			`jwt.decode(token, verify = False) # Noncompliant`
Update rules after the fix in the export module 2021-04-26 17:29:13 +02:00			`jwt.decode(token, key, options={"verify_signature": False}) # Noncompliant`
Nightly update 2021-01-26 04:07:35 +00:00			`----`
			`For https://github.com/davedoesdev/python-jwt[python_jwt] module:`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,python]`
Nightly update 2021-01-26 04:07:35 +00:00			`----`
			`jwt.process_jwt(token) # Noncompliant`
			`----`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Compliant solution`
Nightly update 2021-01-26 04:07:35 +00:00
Update rules after the fix in the export module 2021-04-26 17:29:13 +02:00			`For https://github.com/jpadilla/pyjwt[pyjwt] module:`
Nightly update 2021-01-26 04:07:35 +00:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,python]`
Nightly update 2021-01-26 04:07:35 +00:00			`----`
process the in-line code syntax separately 2021-01-28 15:53:33 +01:00			`jwt.decode(token, key, algo)`
Nightly update 2021-01-26 04:07:35 +00:00			`----`
			`For https://github.com/davedoesdev/python-jwt[python_jwt] module:`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,python]`
Nightly update 2021-01-26 04:07:35 +00:00			`----`
process the in-line code syntax separately 2021-01-28 15:53:33 +01:00			`jwt.process_jwt(token) # Compliant because followed by verify_jwt()`
			`jwt.verify_jwt(token, key, algo)`
Nightly update 2021-01-26 04:07:35 +00:00			`----`

			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== on 22 Feb 2021, 11:17:11 Pierre-Yves Nicolas wrote:`
			`The first code example of the current description of the RSPEC links to https://github.com/GehirnInc/python-jwt but this is another JWT implementation.`

			`There are multiple JWT implementations in Python with very similar names and they sometimes use the same namespace...`

			`* PyJWT: https://github.com/jpadilla/pyjwt`
			`https://pyjwt.readthedocs.io/en/latest/index.html[doc]`

			`This is the one which matches the first code example of the current description.`

			`https://pyjwt.readthedocs.io/en/latest/changelog.html#v2-0-0[Starting with version 2.0], the verify param of the decode function was dropped and replaced with`

			`----`
			`jwt.decode(encoded, key, options={"verify_signature": False}){code}`

			`* [https://github.com/davedoesdev/python-jwt]`
			`This is the one which has a process_jwt function.`
			`{quote}From version 2.0.1 the namespace has changed from jwt to python_jwt, in order to avoid conflict with PyJWT.`
			`{quote}`

			`* [https://github.com/GehirnInc/python-jwt]`
			`This implementation is wrongly linked in the current description of the ticket.`
			`It's actually not covered by the current description of the RSPEC.`
			`----`

			`=== on 22 Feb 2021, 14:06:26 Pierre-Yves Nicolas wrote:`
			`\[~hendrik.buchwald] Should we raise an issue on the following code?`

			`----`
			`try:`
			`jwt.decode(token, key, algo)`
			`except:`
			`raise Exception("Invalid token")`
			`----`
			`Real world cases:`

			`* \https://github.com/Bounties-Network/BountiesAPI/blob/7931957e56c9fcef574dd3a00ec5ab9a787a365c/bounties_api/user/middleware.py#L20`
			`* \https://github.com/DragonComputer/Dragonfire/blob/dd21f8e88d9b6390bd229ff73f89a8c3c137b89c/dragonfire/api.py#L47`
			`* \https://github.com/JeffVandrewJr/patron/blob/b2545066c8e57e398f4896eb9b25fb4e970e0f06/app/models.py#L125`

			`=== on 22 Feb 2021, 17:31:35 Pierre-Yves Nicolas wrote:`
			`\[~hendrik.buchwald] Shouldn't we drop the last part of the rule title ("with strong cipher algorithms") since we don't check the algorithm?`

			`=== on 24 Feb 2021, 10:42:09 Hendrik Buchwald wrote:`
			`\[~pierre-yves.nicolas] thanks, good catch! Luckily I only confused the links, the first one was supposed to be PyJWT (as that one is used much more often). I will change the name of the rule.`


			That are nice examples for the exceptions. While they are of course secure I think it might be fine to still raise this issue since there is no reason to not check for the right type of exception (e.g. ``++jwt.InvalidSignatureError++``). The intention of this specification is though to detect cases where the invalid signature exception is caught accidentally.

			`=== on 24 Feb 2021, 13:09:31 Hendrik Buchwald wrote:`
			`I have removed the exception case for now.`

			`include::../comments-and-links.adoc[]`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`