PPL: Fixing a JWT Vulnerability [Sprint 2, Week 1]

Mon, 23 Mar 2026 00:00:00 +0700

What I Worked On

This week I addressed a critical security vulnerability flagged by SonarQube and hardened the CI pipeline so security issues block merges instead of being silently reported.

The JWT Vulnerability (SonarQube S5659)

SonarQube flagged dependencies.py:34 as a CRITICAL vulnerability: jwt.get_unverified_header() reads the JWT header without verifying the signature. This enables the alg:none attack, where an attacker crafts a token with "alg": "none" in the header, causing the library to skip signature verification entirely.

PPL: Security [Sprint 1, Week 3]

Fri, 13 Mar 2026 00:00:00 +0700

What I Worked On

This week addressed four security areas: JWT algorithm validation hardening (reviewed MR !63), encryption key management in CI (MR !68), client PII encryption in the database seeder (reviewed MR !80), and ongoing SAST scanning via the CI pipeline.

JWT Algorithm Validation: Preventing alg:none Attacks

MR !63 (by adipppp, which I reviewed) hardened the JWT decoding logic against the alg:none attack, one of the most well-known JWT vulnerabilities (OWASP A07:2021, Identification and Authentication Failures).

Jwt on Daffa Abhipraya

PPL: Fixing a JWT Vulnerability [Sprint 2, Week 1]

# What I Worked On

# The JWT Vulnerability (SonarQube S5659)

PPL: Security [Sprint 1, Week 3]

# What I Worked On

# JWT Algorithm Validation: Preventing alg:none Attacks

What I Worked On

The JWT Vulnerability (SonarQube S5659)

What I Worked On

JWT Algorithm Validation: Preventing alg:none Attacks