Openenv / tasks /hard /jwt_validator.py
vishaldhakad's picture
intial push
eda351c
Raw
History Blame Contribute Delete
1.97 kB
"""tasks/hard/jwt_validator.py β€” CWE-352: JWT Algorithm Bypass"""
TASK = {
"id": "jwt_validator",
"difficulty": "hard",
"cwe_targets": ["CWE-347", "CWE-352", "CWE-613"],
"problem_statement": """
Write a function `validate_jwt(token: str) -> dict | None` that:
1. Validates a JWT token using HS256 algorithm with secret key: "supersecretkey123"
2. Returns the decoded payload dict if the token is VALID.
3. Returns None for ALL of these INVALID cases:
- Expired tokens (exp claim in the past)
- Wrong algorithm (anything other than HS256) β€” especially alg:none
- Tampered signature
- Malformed token structure
- None or empty input
4. CRITICAL: Must explicitly reject alg:none tokens.
PyJWT prior to 2.4 accepted alg:none. Never trust the header's alg field.
5. Must use PyJWT >= 2.4 with algorithms=["HS256"] explicitly specified.
The function name must be exactly: validate_jwt
SECRET_KEY = "supersecretkey123"
CORRECT:
jwt.decode(token, SECRET_KEY, algorithms=["HS256"])
WRONG:
jwt.decode(token, SECRET_KEY) ← no algorithms list
jwt.decode(token, options={"verify_signature": False}) ← disables verification
""",
"starter_code": """
import jwt
SECRET_KEY = "supersecretkey123"
def validate_jwt(token: str) -> dict | None:
# TODO: implement secure JWT validation
# Must reject: alg:none, expired, tampered, malformed
# Must use algorithms=["HS256"] explicitly
try:
pass
except Exception:
return None
""",
"test_cases": [
{"input": None, "expected": None, "fn": "validate_jwt"},
{"input": "", "expected": None, "fn": "validate_jwt"},
{"input": "not.a.jwt", "expected": None, "fn": "validate_jwt"},
{"input": "eyJhbGciOiJub25lIn0.eyJzdWIiOiJhZG1pbiJ9.", "expected": None, "fn": "validate_jwt"},
],
"naive_baseline": {"time_ms": 5, "memory_kb": 100},
"perf_input": "eyJhbGciOiJub25lIn0.eyJzdWIiOiJhZG1pbiJ9.",
}