# JWT `kid` parameter allows SQL injection when used to fetch the public key from a database

- **ID:** `security/jwt-kid-parameter-sql-injection`
- **Domain:** security
- **Category:** data_error
- **Verification level:** ai_generated
- **Fix rate:** 90%

## Root cause

The `kid` (key ID) parameter from the JWT header is concatenated directly into the SQL query that fetches the verification key. Because the header is read before the signature is verified, `kid` is attacker-controlled, and a maliciously constructed value becomes SQL injection.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| jsonwebtoken 9.0.0 | active | — | — |
| PyJWT 2.8.0 | active | — | — |
| jjwt 0.12.3 | active | — | — |
| Spring Security 6.2.0 | active | — | — |

## Solutions

1. Fetch the public key with a parameterized query (prepared statement). Example in Python with psycopg2: `cursor.execute('SELECT key FROM keys WHERE kid = %s', (jwt_header['kid'],))`
2. Before using `kid`, validate it against an allowlist of permitted key IDs.
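The two solution steps combined, as an added example that is not part of the original entry: the `kid` is extracted from the unverified header, checked against an allowlist, and only then used in a parameterized query. The vulnerable concatenating lookup is kept beside it for contrast. The in-memory `sqlite3` store, the key IDs and the PEM-looking key strings are all constructed stand-ins for the real database; `sqlite3` uses `?` placeholders where psycopg2 uses `%s`, but the principle is identical.

```python
import base64
import json
import re
import sqlite3
from typing import Optional

# Constructed in-memory key store standing in for the real key table.
def build_key_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE keys (kid TEXT PRIMARY KEY, key TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO keys (kid, key) VALUES (?, ?)",
        [
            ("key-2024-01", "-----BEGIN PUBLIC KEY-----\n<constructed-key-1>\n-----END PUBLIC KEY-----"),
            ("key-2024-02", "-----BEGIN PUBLIC KEY-----\n<constructed-key-2>\n-----END PUBLIC KEY-----"),
        ],
    )
    return conn

# Allowlist of key IDs the service actually issued (constructed values).
ALLOWED_KIDS = frozenset({"key-2024-01", "key-2024-02"})
# Shape check on top of the allowlist; on its own this is NOT a defence.
KID_PATTERN = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def kid_from_token(token: str) -> Optional[str]:
    """Read `kid` from the JWT header. The signature is not verified yet,
    so everything returned here is attacker-controlled."""
    header_b64 = token.split(".")[0]
    header_b64 += "=" * (-len(header_b64) % 4)  # restore base64url padding
    header = json.loads(base64.urlsafe_b64decode(header_b64))
    kid = header.get("kid")
    return kid if isinstance(kid, str) else None


def lookup_key_vulnerable(conn: sqlite3.Connection, kid: str) -> Optional[str]:
    """The root-cause pattern: kid is spliced into the SQL text."""
    row = conn.execute(f"SELECT key FROM keys WHERE kid = '{kid}'").fetchone()
    return row[0] if row else None


def lookup_key_safe(conn: sqlite3.Connection, kid: Optional[str]) -> Optional[str]:
    """Solution steps 1 and 2: allowlist first, then a parameterized query."""
    if not isinstance(kid, str) or not KID_PATTERN.fullmatch(kid):
        return None
    if kid not in ALLOWED_KIDS:
        return None
    # The driver binds the value; it is never parsed as SQL.
    row = conn.execute("SELECT key FROM keys WHERE kid = ?", (kid,)).fetchone()
    return row[0] if row else None


def make_token_with_kid(kid: str) -> str:
    """Build a structurally valid but unsigned JWT for the demo (constructed)."""
    def b64url(data: bytes) -> str:
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
    header = b64url(json.dumps({"alg": "RS256", "kid": kid}).encode())
    payload = b64url(json.dumps({"sub": "demo"}).encode())
    return f"{header}.{payload}.{b64url(b'not-a-real-signature')}"


if __name__ == "__main__":
    store = build_key_store()
    token = make_token_with_kid("key-2024-01")
    print(lookup_key_safe(store, kid_from_token(token)))
```

Usage note: in a real service the key returned by `lookup_key_safe` is the only thing passed to the JWT library's `decode`/`verify` call; a `None` result should fail verification outright rather than fall back to a default key.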

## Ineffective attempts

- **Validating the `kid` format with a regex but still using string concatenation in SQL** — Regex validation can be bypassed (e.g., with encoded characters); the fundamental issue is that parameterized queries are not used. (70% failure rate)
- **Escaping the `kid` value manually with backslashes or quotes** — Escaping is error-prone and database-specific; a crafted input can still break out of the string context. (90% failure rate)
