"""tasks/hard/jwt_validator.py — CWE-352: JWT Algorithm Bypass""" TASK = { "id": "jwt_validator", "difficulty": "hard", "cwe_targets": ["CWE-347", "CWE-352", "CWE-613"], "problem_statement": """ Write a function `validate_jwt(token: str) -> dict | None` that: 1. Validates a JWT token using HS256 algorithm with secret key: "supersecretkey123" 2. Returns the decoded payload dict if the token is VALID. 3. Returns None for ALL of these INVALID cases: - Expired tokens (exp claim in the past) - Wrong algorithm (anything other than HS256) — especially alg:none - Tampered signature - Malformed token structure - None or empty input 4. CRITICAL: Must explicitly reject alg:none tokens. PyJWT prior to 2.4 accepted alg:none. Never trust the header's alg field. 5. Must use PyJWT >= 2.4 with algorithms=["HS256"] explicitly specified. The function name must be exactly: validate_jwt SECRET_KEY = "supersecretkey123" CORRECT: jwt.decode(token, SECRET_KEY, algorithms=["HS256"]) WRONG: jwt.decode(token, SECRET_KEY) ← no algorithms list jwt.decode(token, options={"verify_signature": False}) ← disables verification """, "starter_code": """ import jwt SECRET_KEY = "supersecretkey123" def validate_jwt(token: str) -> dict | None: # TODO: implement secure JWT validation # Must reject: alg:none, expired, tampered, malformed # Must use algorithms=["HS256"] explicitly try: pass except Exception: return None """, "test_cases": [ {"input": None, "expected": None, "fn": "validate_jwt"}, {"input": "", "expected": None, "fn": "validate_jwt"}, {"input": "not.a.jwt", "expected": None, "fn": "validate_jwt"}, {"input": "eyJhbGciOiJub25lIn0.eyJzdWIiOiJhZG1pbiJ9.", "expected": None, "fn": "validate_jwt"}, ], "naive_baseline": {"time_ms": 5, "memory_kb": 100}, "perf_input": "eyJhbGciOiJub25lIn0.eyJzdWIiOiJhZG1pbiJ9.", }