ajinabraham.njsscan.eval.eval_grpc_deserialize.grpc_insecure_connection

ajinabraham

Author

unknown

Download Count*

License

Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: grpc_insecure_connection
    patterns:
      - pattern-inside: |
          require('grpc')
          ...
      - pattern: $CREDENTIALS.createInsecure()
    message: Found an insecure gRPC connection. This creates a connection without
      encryption to a gRPC client/server. A malicious attacker could  tamper
      with the gRPC message, which could compromise the machine.
    metadata:
      owasp-web: a8
      cwe: cwe-502
      license: LGPL-3.0-or-later
      vulnerability_class:
        - Other
    severity: ERROR
    languages:
      - javascript

Short Link: https://sg.run/wzQP