r2c-CSE · nnayar-r2c · May 21, 2023
diff --git a/vuln-24.java b/vuln-24.java
@@ -0,0 +1,59 @@
+package jwt_test.jwt_test_1;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.exceptions.JWTCreationException;
+
+public class App
+{
+
+    static String secret = "secret";
+
+    private static void bad1() {
+        try {
+            // ruleid: java-jwt-hardcoded-secret
+            Algorithm algorithm = Algorithm.HMAC256("secret");
+            String token = JWT.create()
+                .withIssuer("auth0")
+                .sign(algorithm);
+        } catch (JWTCreationException exception){
+            //Invalid Signing configuration / Couldn't convert Claims.
+        }
+    }
+
+    private static void ok1(String secretKey) {
+        try {
+            // ok: java-jwt-hardcoded-secret
+            Algorithm algorithm = Algorithm.HMAC256(secretKey);
+            String token = JWT.create()
+                .withIssuer("auth0")
+                .sign(algorithm);
+        } catch (JWTCreationException exception){
+            //Invalid Signing configuration / Couldn't convert Claims.
+        }
+    }
+
+    public static void main( String[] args )
+    {
+        bad1();
+        ok1(args[0]);
+    }
+}
+
+abstract class App2
+{
+// ruleid: java-jwt-hardcoded-secret
+    static String secret = "secret";
+
+    public void bad2() {
+        try {
+            Algorithm algorithm = Algorithm.HMAC256(secret);
+            String token = JWT.create()
+                .withIssuer("auth0")
+                .sign(algorithm);
+        } catch (JWTCreationException exception){
+            //Invalid Signing configuration / Couldn't convert Claims.
+        }
+    }
+
+}