Insufficiently protected credentials Medium

An object attribute built from user-provided input should be treated as unsafe to pass to a method, since it can carry sensitive information.

Detector ID
javascript/insufficiently-protected-credentials@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

const express = require('express');
const loginController = express.Router();
const jwt = require("jsonwebtoken");

/**
 * Registers a POST / handler that mints a JWT from the submitted email.
 *
 * Noncompliant: the token is produced with `algorithm: 'none'`, which is the
 * "unsecured JWS" form — no signature is attached at all. Anyone can mint or
 * alter such a token, so it proves nothing about who issued it. Note also that
 * the handler returns the token rather than writing it to `res`; Express
 * ignores a handler's return value, so nothing is sent to the client here.
 */
function insufficientlyProtectedCredentialsNoncompliant() {
    const issueToken = async (req, res, next) => {
        const email = req.body.email;
        // Noncompliant: 'none' is not a signing algorithm — the token is unsigned.
        const token = jwt.sign(email, process.env.JWT_SECRET, { algorithm: 'none' });
        return token;
    };
    loginController.post('/', issueToken);
}

Compliant example

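const express = require('express');
const loginController = express.Router();
const jwt = require("jsonwebtoken");

/**
 * Registers a POST / handler that issues a signed JWT for the submitted email.
 *
 * Compliant: the token is signed with RS256, so its integrity and origin can be
 * verified. For RS256 the key passed to jwt.sign must be the RSA private key
 * (PEM); a shared HMAC-style secret will not produce a valid RS256 signature.
 * If JWT_SECRET actually holds a shared secret, sign with HS256 instead and
 * keep that secret long and random.
 *
 * The handler writes the token to the response (the original returned it,
 * which Express ignores) and forwards signing errors to `next` so the
 * framework's error handler answers instead of the request hanging.
 */
function insufficientlyProtectedCredentialsCompliant() {
    loginController.post('/', async (req, res, next) => {
        const body = req.body || {};
        const email = body.email;
        // Reject missing or non-string input before it reaches the signer.
        if (typeof email !== 'string' || email.length === 0) {
            res.status(400).json({ error: 'email is required' });
            return;
        }
        try {
            // Compliant: RS256 is a strong asymmetric signing algorithm.
            // The payload is an object so that `expiresIn` applies; a token
            // without an expiry stays valid indefinitely if it leaks.
            const token = jwt.sign({ email }, process.env.JWT_SECRET, {
                algorithm: 'RS256',
                expiresIn: '1h',
            });
            res.json({ token });
        } catch (err) {
            next(err);
        }
    });
}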