go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection

Verified by r2c
Community Favorite
Author: semgrep
Download count: 178,438

Found an insecure gRPC connection using 'grpc.WithInsecure()'. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the 'grpc.WithTransportCredentials()' function. You can create credentials using a 'tls.Config{}' struct with 'credentials.NewTLS()'. The final fix looks like this: 'grpc.WithTransportCredentials(credentials.NewTLS(<config>))'.

Definition

rules:
  - id: grpc-client-insecure-connection
    metadata:
      cwe:
        - "CWE-300: Channel Accessible by Non-Endpoint"
      references:
        - https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption
      category: security
      technology:
        - grpc
      confidence: HIGH
      owasp:
        - A07:2021 - Identification and Authentication Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Other
    message: "Found an insecure gRPC connection using 'grpc.WithInsecure()'. This
      creates a connection without encryption to a gRPC server. A malicious
      attacker could tamper with the gRPC message, which could compromise the
      machine. Instead, establish a secure connection with an SSL certificate
      using the 'grpc.WithTransportCredentials()' function. You can create
      credentials using a 'tls.Config{}' struct with
      'credentials.NewTLS()'. The final fix looks like this:
      'grpc.WithTransportCredentials(credentials.NewTLS(<config>))'."
    languages:
      - go
    severity: ERROR
    pattern: $GRPC.Dial($ADDR, ..., $GRPC.WithInsecure(...), ...)
    fix-regex:
      regex: (.*)WithInsecure\(.*?\)
      replacement: \1WithTransportCredentials(credentials.NewTLS(<your_tls_config_here>))

Examples

grpc-client-insecure-connection.go

package insecuregrpc

import (
    "log"

    "google.golang.org/grpc"
)

// Target address shared by both examples. Placeholder value added so the
// fixture compiles; it is not part of the original test file.
const address = "localhost:50051"

// cf. https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption
func unsafe() {
    // ruleid:grpc-client-insecure-connection
    // grpc.WithInsecure() disables transport security, so every RPC on this
    // channel travels in plaintext and can be read or modified in transit.
    conn, err := grpc.Dial(address, grpc.WithInsecure())
    if err != nil {
        log.Fatalf("did not connect: %v", err)
    }
    defer conn.Close()
}

func safe() {
    // ok:grpc-client-insecure-connection
    // No WithInsecure() here, so the rule does not match. Note that grpc.Dial
    // with no transport credentials at all returns an error at runtime; a
    // working client passes grpc.WithTransportCredentials(credentials.NewTLS(cfg)).
    conn, err := grpc.Dial(address)
    if err != nil {
        log.Fatalf("did not connect: %v", err)
    }
    defer conn.Close()
}