ajinabraham.njsscan.eval_drpc_deserialize.grpc_insecure_connection

Download count: 1,129
Found an insecure gRPC connection. The flagged call passes credentials.createInsecure(), either inline or through a variable bound to it, to a gRPC client or server, so the channel carries RPCs in cleartext with no server authentication. An attacker on the network path can read or tamper with the messages, and a tampered response can drive the receiving process into behaviour it was never meant to perform. The fix is to build channel credentials with credentials.createSsl(rootCerts, privateKey, certChain), the last two arguments only when mutual TLS is wanted, and to reserve createInsecure() for loopback test setups. Two caveats when reading results: the rule only fires after a require('grpc'), the legacy package, so the same call in code that uses @grpc/grpc-js is not reported; and the rule's metadata files the finding under insecure deserialization (CWE-502), whereas the weakness it actually detects is cleartext transmission of sensitive information (CWE-319).
Definition
rules:
  - id: grpc_insecure_connection
    patterns:
      - pattern-inside: |
          require('grpc')
          ...
      - pattern-either:
          - pattern: |
              $GRPC($ADDR, ..., $CREDENTIALS.createInsecure(), ...)
          - pattern: |
              $CREDS = <... $CREDENTIALS.createInsecure() ...>;
              ...
              $GRPC($ADDR, ..., $CREDS, ...)
    message: Found an insecure gRPC connection. This creates a connection without
      encryption to a gRPC client/server. A malicious attacker could tamper
      with the gRPC message, which could compromise the machine.
    metadata:
      owasp: "A8: Insecure Deserialization"
      cwe: "CWE-502: Deserialization of Untrusted Data"
    severity: ERROR
    languages:
      - javascript
Short Link: https://sg.run/Q5xd