Spaces:
Sleeping
Sleeping
| """tasks/hard/jwt_validator.py β CWE-352: JWT Algorithm Bypass""" | |
| TASK = { | |
| "id": "jwt_validator", | |
| "difficulty": "hard", | |
| "cwe_targets": ["CWE-347", "CWE-352", "CWE-613"], | |
| "problem_statement": """ | |
| Write a function `validate_jwt(token: str) -> dict | None` that: | |
| 1. Validates a JWT token using HS256 algorithm with secret key: "supersecretkey123" | |
| 2. Returns the decoded payload dict if the token is VALID. | |
| 3. Returns None for ALL of these INVALID cases: | |
| - Expired tokens (exp claim in the past) | |
| - Wrong algorithm (anything other than HS256) β especially alg:none | |
| - Tampered signature | |
| - Malformed token structure | |
| - None or empty input | |
| 4. CRITICAL: Must explicitly reject alg:none tokens. | |
| PyJWT prior to 2.4 accepted alg:none. Never trust the header's alg field. | |
| 5. Must use PyJWT >= 2.4 with algorithms=["HS256"] explicitly specified. | |
| The function name must be exactly: validate_jwt | |
| SECRET_KEY = "supersecretkey123" | |
| CORRECT: | |
| jwt.decode(token, SECRET_KEY, algorithms=["HS256"]) | |
| WRONG: | |
| jwt.decode(token, SECRET_KEY) β no algorithms list | |
| jwt.decode(token, options={"verify_signature": False}) β disables verification | |
| """, | |
| "starter_code": """ | |
| import jwt | |
| SECRET_KEY = "supersecretkey123" | |
| def validate_jwt(token: str) -> dict | None: | |
| # TODO: implement secure JWT validation | |
| # Must reject: alg:none, expired, tampered, malformed | |
| # Must use algorithms=["HS256"] explicitly | |
| try: | |
| pass | |
| except Exception: | |
| return None | |
| """, | |
| "test_cases": [ | |
| {"input": None, "expected": None, "fn": "validate_jwt"}, | |
| {"input": "", "expected": None, "fn": "validate_jwt"}, | |
| {"input": "not.a.jwt", "expected": None, "fn": "validate_jwt"}, | |
| {"input": "eyJhbGciOiJub25lIn0.eyJzdWIiOiJhZG1pbiJ9.", "expected": None, "fn": "validate_jwt"}, | |
| ], | |
| "naive_baseline": {"time_ms": 5, "memory_kb": 100}, | |
| "perf_input": "eyJhbGciOiJub25lIn0.eyJzdWIiOiJhZG1pbiJ9.", | |
| } | |