security
data_error
ai_generated
true
JWT kid parameter allows SQL injection when used to fetch public key from database
ID: security/jwt-kid-parameter-sql-injection
Fix rate: 90%
Confidence: 88%
Evidence items: 1
First seen: 2024-06-20
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| jsonwebtoken 9.0.0 | active | — | — | — |
| PyJWT 2.8.0 | active | — | — | — |
| jjwt 0.12.3 | active | — | — | — |
| Spring Security 6.2.0 | active | — | — | — |
Root cause analysis
The JWT header's kid (key ID) parameter is directly concatenated into a SQL query to fetch the verification key, enabling SQL injection if the kid value is maliciously crafted.
Official documentation
https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
Solution
- Use parameterized queries (prepared statements) to fetch the public key. Example in Python with psycopg2: `cursor.execute('SELECT key FROM keys WHERE kid = %s', (jwt_header['kid'],))`
- Before using kid, validate it against an allowlist of permitted key IDs.
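An added example, not code from this entry or from any of the listed libraries, showing the two fixes together: the kid is bound as a query parameter and optionally checked against an allowlist before the lookup. It uses an in-memory SQLite table with constructed placeholder keys in place of psycopg2 and a real key database; the helper names are assumptions.

```python
import base64
import json
import sqlite3

# Constructed sample key table (kid -> key material); the key values are placeholders.
SAMPLE_KEYS = {
    "key-2024-01": "PLACEHOLDER-PUBLIC-KEY-1",
    "key-2024-02": "PLACEHOLDER-PUBLIC-KEY-2",
}


def make_key_store():
    """Build an in-memory SQLite table standing in for the real key database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE keys (kid TEXT PRIMARY KEY, key TEXT NOT NULL)")
    conn.executemany("INSERT INTO keys (kid, key) VALUES (?, ?)", SAMPLE_KEYS.items())
    conn.commit()
    return conn


def encode_header(kid):
    """Constructed helper: base64url-encode a JWT header carrying the given kid."""
    raw = json.dumps({"alg": "RS256", "kid": kid}).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def header_kid(token):
    """Read kid from the unverified JWT header. It is trusted only far enough to
    select a candidate key; the signature must still be verified with that key."""
    segment = token.split(".")[0]
    padded = segment + "=" * (-len(segment) % 4)
    try:
        header = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return None
    kid = header.get("kid") if isinstance(header, dict) else None
    return kid if isinstance(kid, str) else None


def fetch_verification_key(conn, kid, allowed_kids=None):
    """Safe lookup: kid is bound as a query parameter, never spliced into the SQL
    text, so quotes or SQL keywords inside it are matched literally. An optional
    allowlist of known key IDs rejects unexpected values before the query runs."""
    if not kid or (allowed_kids is not None and kid not in allowed_kids):
        return None
    row = conn.execute("SELECT key FROM keys WHERE kid = ?", (kid,)).fetchone()
    return row[0] if row else None
```

A kid such as `key-2024-01'` is looked up as that literal string and simply finds no row; with the allowlist set, it is rejected before the database is queried at all.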
Ineffective attempts
Common but ineffective approaches:
- Validating kid format with regex but still using string concatenation in SQL (70% failure rate): Regex validation can be bypassed (e.g., with encoded characters); the fundamental issue is that parameterized queries are not used.
- Escaping the kid value manually with backslashes or quotes (90% failure rate): Escaping is error-prone and database-specific; a crafted input can still break out of the string context.