ajinabraham.njsscan.eval_drpc_deserialize.grpc_insecure_connection

ajinabraham

Author

1,129

Download Count*

License

Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: grpc_insecure_connection
    patterns:
      - pattern-inside: |
          require('grpc')
          ...
      - pattern-either:
          - pattern: |
              $GRPC($ADDR, ..., $CREDENTIALS.createInsecure(), ...)
          - pattern: |
              $CREDS = <... $CREDENTIALS.createInsecure() ...>;
              ...
              $GRPC($ADDR, ..., $CREDS, ...)
    message: Found an insecure gRPC connection. This creates a connection without
      encryption to a gRPC client/server. A malicious attacker could  tamper
      with the gRPC message, which could compromise the machine.
    metadata:
      owasp: "A8: Insecure Deserialization"
      cwe: "CWE-502: Deserialization of Untrusted Data"
    severity: ERROR
    languages:
      - javascript

Short Link: https://sg.run/Q5xd