contrib.nodejsscan.eval_drpc_deserialize.grpc_insecure_connection

Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.
Definition
rules:
  - id: grpc_insecure_connection
    patterns:
      - pattern-inside: |
          require('grpc');
          ...
      - pattern-either:
          - pattern: |
              $GRPC($ADDR, ..., $CREDENTIALS.createInsecure(), ...);
          - pattern: |
              $CREDS = <... $CREDENTIALS.createInsecure() ...>;
              ...
              $GRPC($ADDR, ..., $CREDS, ...);
    message: Found an insecure gRPC connection. This creates a connection without
      encryption to a gRPC client/server. A malicious attacker could tamper
      with the gRPC message, which could compromise the machine.
    metadata:
      owasp: A08:2017 - Insecure Deserialization
      cwe: "CWE-502: Deserialization of Untrusted Data"
      category: security
      technology:
        - node.js
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    severity: ERROR
    languages:
      - javascript
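The rule above fires on the two call shapes in its patterns: channel credentials from `createInsecure()` passed straight into a gRPC constructor or bind call, or first stored in a variable and passed later. What it flags is a channel with neither encryption nor server authentication. The following is an added example, not code from the rule or from the nodejsscan project, showing a small client-side policy that fails closed: plaintext credentials are built only when the caller opts in and the target is a loopback address, and everything else gets `grpc.credentials.createSsl()` with a caller-supplied CA bundle. The function names, the `allowInsecureLoopback` and `rootCerts` options, and the loopback check are assumptions of this example; `grpc` is passed into the policy function as a parameter so it can be exercised without the package installed, and only `connect()` loads it.

```javascript
// Added example (not the rule's or the nodejsscan project's code).
// Policy for gRPC client channel credentials that fails closed:
// plaintext only with an explicit opt-in AND a loopback target,
// TLS with a supplied CA bundle for everything else.

// Strip the port and classify the host; "[::1]" keeps its brackets.
function credentialMode({ target, allowInsecureLoopback = false }) {
  if (typeof target !== 'string' || target.length === 0) {
    throw new TypeError('target must be a non-empty "host:port" string');
  }
  const host = target.replace(/:\d+$/, '');
  const loopback = host === 'localhost' || host === '127.0.0.1' || host === '[::1]';
  return allowInsecureLoopback && loopback ? 'insecure' : 'tls';
}

// Build channel credentials for the decided mode.
// opts.rootCerts (assumed option): PEM CA bundle, Buffer or string,
// that signed the server certificate. `grpc` is injected so this
// function can be tested with a stand-in module object.
function buildClientCredentials(opts, grpc) {
  if (credentialMode(opts) === 'insecure') {
    // The call the Semgrep rule matches ($CREDENTIALS.createInsecure()).
    return grpc.credentials.createInsecure();
  }
  if (!opts.rootCerts) {
    // Refuse rather than silently downgrade to plaintext.
    throw new Error(`refusing plaintext gRPC to ${opts.target}: rootCerts required for TLS`);
  }
  const rootCerts = Buffer.isBuffer(opts.rootCerts)
    ? opts.rootCerts
    : Buffer.from(opts.rootCerts);
  return grpc.credentials.createSsl(rootCerts);
}

// Before (the shape the rule reports):
//   const client = new grpc.Client(target, grpc.credentials.createInsecure());
// After: credentials come from the policy above.
function connect(opts) {
  const grpc = require('grpc'); // '@grpc/grpc-js' exposes the same credentials API
  return new grpc.Client(opts.target, buildClientCredentials(opts, grpc));
}

module.exports = { credentialMode, buildClientCredentials, connect };
```

Note that the opt-in alone never yields plaintext: `credentialMode({ target: 'api.example.com:443', allowInsecureLoopback: true })` still returns `'tls'`, and a TLS target without `rootCerts` throws instead of falling back to `createInsecure()`.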
Short Link: https://sg.run/3xOo