{"title":"JWT Verification Bypass via Disabled Signature Verification","language":"Python","severity":"Critical","cwe":"CWE-347","source_lines":[9],"flow_lines":[9,11],"sink_lines":[11],"vulnerable_code":"import jwt\nfrom flask import request, jsonify\n\ndef validate_iot_device_token():\n    device_token = request.headers.get('X-Device-Auth')\n    if not device_token:\n        return jsonify({'error': 'Missing token'}), 401\n    try:\n        decoded = jwt.decode(device_token, options={'verify_signature': False})\n        device_id = decoded.get('device_id')\n        if device_id:\n            return jsonify({'status': 'authenticated', 'device': device_id, 'admin': decoded.get('is_admin', False)})\n    except jwt.InvalidTokenError:\n        return jsonify({'error': 'Invalid token'}), 403\n    return jsonify({'error': 'Authentication failed'}), 401","explanation":"The code accepts JWT tokens from untrusted IoT devices and decodes them with signature verification explicitly disabled (`verify_signature': False`). This allows attackers to forge arbitrary JWT tokens with elevated privileges (e.g., `is_admin': True`) without needing the secret key, completely bypassing authentication.","remediation":"The fix enables proper JWT signature verification by providing a secret key loaded from an environment variable and explicitly restricting allowed algorithms to HS256, preventing both the 'none' algorithm bypass and signature skipping. A server configuration check is added to fail safely if no secret key is available.","secure_code":"import jwt\nimport os\nfrom flask import request, jsonify\n\nDEVICE_SECRET_KEY = os.environ.get('DEVICE_JWT_SECRET_KEY')\nALLOWED_ALGORITHMS = ['HS256']\n\ndef validate_iot_device_token():\n    device_token = request.headers.get('X-Device-Auth')\n    if not device_token:\n        return jsonify({'error': 'Missing token'}), 401\n    if not DEVICE_SECRET_KEY:\n        return jsonify({'error': 'Server configuration error'}), 500\n    try:\n        decoded = jwt.decode(\n            device_token,\n            DEVICE_SECRET_KEY,\n            algorithms=ALLOWED_ALGORITHMS,\n            options={'verify_signature': True}\n        )\n        device_id = decoded.get('device_id')\n        if device_id:\n            return jsonify({'status': 'authenticated', 'device': device_id, 'admin': decoded.get('is_admin', False)})\n    except jwt.InvalidTokenError:\n        return jsonify({'error': 'Invalid token'}), 403\n    return jsonify({'error': 'Authentication failed'}), 401"}