Cryptography

PyJose

python-jose implements JWT / JWS / JWE. jwt.decode() is the canonical validation entry point. A finding is raised when algorithms=['none'] is passed (unsigned tokens are accepted) or when the verify_signature option is set to False.

Taint flow: 2 sources, 1 sanitizer → 0 sinks

Sources (untrusted input):
  .get_unverified_header()
  .get_unverified_claims()

Sanitizers (block taint):
  .decode()

Sources

.get_unverified_header() (Source)

Signature: jose.jwt.get_unverified_header(token) -> dict

Reads the JWT header without verifying the signature. A finding is raised when the return value drives an authentication decision.

tracks: return
.get_unverified_claims() (Source)

Signature: jose.jwt.get_unverified_claims(token) -> dict

Reads the claims without verifying the signature. A finding is raised when the return value is used in authorization code.

tracks: return

Sanitizers

.decode() (Sanitizer)

Signature: jose.jwt.decode(token, key, algorithms=None, options=None, ...) -> dict

Verifies the signature and decodes the JWT. A finding is raised when algorithms contains 'none' or when options disables signature verification.

tracks: return
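The two checks this rule describes, written out as an added example (it is not part of the page or of the codepathfinder project): a stdlib-only AST scan over a constructed snippet of application code that flags jwt.decode() calls with 'none' in algorithms or verify_signature disabled through options, and if-branches whose test reads claims obtained from the unverified sources. The sample source, the function names and the two call forms handled (jwt.X and jose.jwt.X) are the example's own assumptions, not the rule's implementation.

```python
import ast
from typing import List, Tuple

Finding = Tuple[int, str]  # (line number, reason)

# Names of the python-jose functions this page lists as taint sources.
UNVERIFIED_SOURCES = {"get_unverified_header", "get_unverified_claims"}

# Constructed sample of application code (not from the page); handler_c is the safe one.
SAMPLE_SOURCE = '''\
from jose import jwt

def handler_a(token, key):
    # unsigned tokens accepted
    return jwt.decode(token, key, algorithms=["none"])

def handler_b(token, key):
    # verification disabled through options
    return jwt.decode(token, key, algorithms=["HS256"], options={"verify_signature": False})

def handler_c(token, key):
    # correct use: pinned algorithm, verification on
    return jwt.decode(token, key, algorithms=["HS256"])

def handler_d(token):
    claims = jwt.get_unverified_claims(token)
    if claims.get("role") == "admin":
        return True
    return False
'''


def _attr_chain(node: ast.AST) -> str:
    """Render a dotted callee such as jose.jwt.decode from an Attribute/Name chain."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def _is_jwt_func(node: ast.AST, name: str) -> bool:
    # Assumption: the module is referenced as jwt.X or jose.jwt.X.
    return _attr_chain(node) in (f"jwt.{name}", f"jose.jwt.{name}")


def _contains_none_alg(node: ast.AST) -> bool:
    """True if a literal algorithms list/tuple/set contains the string 'none'."""
    if isinstance(node, (ast.List, ast.Tuple, ast.Set)):
        return any(isinstance(e, ast.Constant) and isinstance(e.value, str)
                   and e.value.lower() == "none" for e in node.elts)
    return False


def _disables_verification(node: ast.AST) -> bool:
    """True if a literal options dict sets verify_signature to False."""
    if isinstance(node, ast.Dict):
        for k, v in zip(node.keys, node.values):
            if (isinstance(k, ast.Constant) and k.value == "verify_signature"
                    and isinstance(v, ast.Constant) and v.value is False):
                return True
    return False


def find_unsafe_decode(source: str) -> List[Finding]:
    """Flag jwt.decode() calls whose arguments neutralise the sanitizer."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_jwt_func(node.func, "decode")):
            continue
        # algorithms is the third positional parameter of jose.jwt.decode.
        if len(node.args) >= 3 and _contains_none_alg(node.args[2]):
            findings.append((node.lineno, "algorithms contains 'none'"))
        for kw in node.keywords:
            if kw.arg == "algorithms" and _contains_none_alg(kw.value):
                findings.append((node.lineno, "algorithms contains 'none'"))
            if kw.arg == "options" and _disables_verification(kw.value):
                findings.append((node.lineno, "options disable verify_signature"))
    return findings


def find_unverified_auth_decisions(source: str) -> List[Finding]:
    """Flag if-tests that read a name bound to an unverified source (or call one directly)."""
    tree = ast.parse(source)
    tainted = set()
    # Pass 1: names assigned directly from get_unverified_header/claims.
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Call):
            if any(_is_jwt_func(node.value.func, s) for s in UNVERIFIED_SOURCES):
                tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
    # Pass 2: a branch condition that depends on those names is an auth decision on untrusted data.
    findings: List[Finding] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.If):
            continue
        for sub in ast.walk(node.test):
            if isinstance(sub, ast.Name) and sub.id in tainted:
                findings.append((node.lineno, f"branch on unverified claims via '{sub.id}'"))
                break
            if isinstance(sub, ast.Call) and any(_is_jwt_func(sub.func, s) for s in UNVERIFIED_SOURCES):
                findings.append((node.lineno, "branch directly on unverified source"))
                break
    return findings


if __name__ == "__main__":
    for line, reason in sorted(find_unsafe_decode(SAMPLE_SOURCE) + find_unverified_auth_decisions(SAMPLE_SOURCE)):
        print(f"line {line}: {reason}")
```

handler_c produces no finding because its algorithms list is pinned to HS256 and verification stays on; the scan only recognises literal lists and dicts, so a value built at runtime would need real dataflow tracking of the kind the rule itself performs.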

Other Methods

.encode() (Neutral)

Signature: jose.jwt.encode(claims, key, algorithm='HS256', ...) -> str

Signs and encodes a JWT. Safe with a proper signing algorithm.

Fully-Qualified Names

FQN        Field
jose       fqns[0]
jose.jwt   fqns[1]

A wrong FQN yields 0 findings. To verify the FQNs are what makes the rule match, replace fqns with garbage values: the rule must then produce 0 results.

Import

rule.py:
from codepathfinder.go_rule import PyJose