go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection
Verified by r2c. Community Favorite.
Author: semgrep
Download count: 178,438
Found an insecure gRPC connection using 'grpc.WithInsecure()'. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the 'grpc.WithTransportCredentials()' function. You can create credentials using a 'tls.Config{}' struct with 'credentials.NewTLS()'. The final fix looks like this: 'grpc.WithTransportCredentials(credentials.NewTLS(<config>))'.
Definition
rules:
  - id: grpc-client-insecure-connection
    metadata:
      cwe:
        - "CWE-300: Channel Accessible by Non-Endpoint"
      references:
        - https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption
      category: security
      technology:
        - grpc
      confidence: HIGH
      owasp:
        - A07:2021 - Identification and Authentication Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Other
    message: "Found an insecure gRPC connection using 'grpc.WithInsecure()'. This
      creates a connection without encryption to a gRPC server. A malicious
      attacker could tamper with the gRPC message, which could compromise the
      machine. Instead, establish a secure connection with an SSL certificate
      using the 'grpc.WithTransportCredentials()' function. You can create
      credentials using a 'tls.Config{}' struct with
      'credentials.NewTLS()'. The final fix looks like this:
      'grpc.WithTransportCredentials(credentials.NewTLS(<config>))'."
    languages:
      - go
    severity: ERROR
    pattern: $GRPC.Dial($ADDR, ..., $GRPC.WithInsecure(...), ...)
    fix-regex:
      regex: (.*)WithInsecure\(.*?\)
      replacement: \1WithTransportCredentials(credentials.NewTLS(<your_tls_config_here>))
Examples
grpc-client-insecure-connection.go
package insecuregrpc

import (
	"log"

	"google.golang.org/grpc"
)

// Placeholder server address so the test file compiles; the rule matches on
// the dial options, not on this value.
const address = "localhost:50051"

// cf. https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption
func unsafe() {
	// ruleid:grpc-client-insecure-connection
	// Plaintext transport: nothing authenticates the server or protects the messages.
	conn, err := grpc.Dial(address, grpc.WithInsecure())
	if err != nil {
		log.Fatalf("did not connect: %v", err)
	}
	defer conn.Close()
}

func safe() {
	// ok:grpc-client-insecure-connection
	// Not flagged because WithInsecure() is absent. Note that grpc.Dial with no
	// transport credentials at all returns an error at runtime, so a real client
	// passes grpc.WithTransportCredentials(...) here.
	conn, err := grpc.Dial(address)
	if err != nil {
		log.Fatalf("did not connect: %v", err)
	}
	defer conn.Close()
}
Short Link: https://sg.run/J9yZ