javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection


Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.


Definition

# Semgrep rule: flags gRPC clients and servers in Node.js that are built with
# createInsecure() credentials, i.e. a channel with no transport encryption.
rules:
  - id: grpc-nodejs-insecure-connection
    message: Found an insecure gRPC connection. This creates a connection without
      encryption to a gRPC client/server. A malicious attacker could tamper with
      the gRPC message, which could compromise the machine.
    metadata:
      # NOTE(review): the patterns below detect a missing encrypted transport,
      # not deserialization of untrusted data, so the OWASP/CWE tags read as a
      # mismatch (a cleartext-transmission category such as CWE-319 would
      # describe the finding). Confirm with the rule owners before changing.
      owasp:
        - A08:2017 - Insecure Deserialization
        - A08:2021 - Software and Data Integrity Failures
      cwe:
        - "CWE-502: Deserialization of Untrusted Data"
      category: security
      technology:
        - grpc
      references:
        - https://blog.gopheracademy.com/advent-2017/go-grpc-beyond-basics/#:~:text=disables%20transport%20security
      cwe2022-top25: true
      cwe2021-top25: true
      # "audit" together with confidence LOW: findings are flagged for human
      # review rather than asserted as confirmed vulnerabilities.
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        # NOTE(review): the quoted value carries a trailing space; it is kept
        # byte-identical here but should be trimmed in the rule source.
        - "Insecure Deserialization "
    languages:
      - javascript
      - typescript
    severity: ERROR
    # Every pattern is anchored on `require('grpc');`, the legacy package.
    # Code that loads `@grpc/grpc-js`, or uses ES `import` syntax, does not
    # appear to be matched; nor does createInsecure() that reaches the call
    # through anything other than a direct argument or a single assignment.
    pattern-either:
      # createInsecure() passed directly to a plain call, e.g.
      # server.bind(addr, ServerCredentials.createInsecure()).
      - pattern: |
          require('grpc');
          ...
          $GRPC($ADDR,...,$CREDENTIALS.createInsecure(),...);
      # Same, for constructor calls: new Client(addr, credentials.createInsecure()).
      - pattern: |
          require('grpc');
          ...
          new $GRPC($ADDR,...,$CREDENTIALS.createInsecure(),...);
      # createInsecure() nested anywhere inside an assigned expression
      # (`<... ...>` is a deep-expression match), with the variable then
      # passed to a plain call.
      - pattern: |-
          require('grpc');
          ...
          $CREDS = <... $CREDENTIALS.createInsecure() ...>;
          ...
          $GRPC($ADDR,...,$CREDS,...);
      # Same, with the variable passed to a constructor call.
      - pattern: |-
          require('grpc');
          ...
          $CREDS = <... $CREDENTIALS.createInsecure() ...>;
          ...
          new $GRPC($ADDR,...,$CREDS,...);

Examples

grpc-nodejs-insecure-connection.js

/**
 * Fixture the rule must flag: a client channel to 127.0.0.1:50051 built with
 * grpc.credentials.createInsecure(), i.e. no transport encryption. Matches the
 * `new $GRPC($ADDR, ..., $CREDENTIALS.createInsecure(), ...)` pattern that
 * follows `require('grpc')`.
 */
function test1() {
    // ruleid: grpc-nodejs-insecure-connection
    var grpc = require('grpc');

    var booksProto = grpc.load('books.proto');

    // The insecure channel credentials are passed straight into the service
    // constructor; that argument is what the rule keys on.
    var client = new booksProto.books.BookService('127.0.0.1:50051', grpc.credentials.createInsecure());

    client.list({}, function(error, books) {
        if (error)
            console.log('Error: ', error);
        else
            console.log(books);
    });
}

/**
 * Fixture the rule must flag even though createInsecure() is only a fallback:
 * `someFunc() || credentials.createInsecure()` is caught by the deep-expression
 * pattern `$CREDS = <... $CREDENTIALS.createInsecure() ...>`, and `creds` is
 * then followed into `new Client(...)`. `someFunc` is not defined in this
 * fixture; the code only needs to parse.
 */
function test2() {
    // ruleid: grpc-nodejs-insecure-connection
    var {credentials, load, Client} = require('grpc');

    // Plaintext credentials as the fallback branch of a `||` — still insecure
    // whenever someFunc() yields a falsy value.
    var creds = someFunc() || credentials.createInsecure();

    var client = new Client('127.0.0.1:50051', creds);

    client.list({}, function(error, books) {
        if (error)
            console.log('Error: ', error);
        else
            console.log(books);
    });
}

/**
 * Server-side fixture the rule must flag: `server.bind(...)` receives
 * grpc.ServerCredentials.createInsecure(), so the listener on 0.0.0.0:50051
 * accepts plaintext connections on every interface. Matches the plain-call
 * pattern `$GRPC($ADDR, ..., $CREDENTIALS.createInsecure(), ...)`, with
 * `$GRPC` bound to `server.bind`.
 */
function test3() {
    // ruleid: grpc-nodejs-insecure-connection
    var grpc = require('grpc');

    var booksProto = grpc.load('books.proto');

    var server = new grpc.Server();

    server.addProtoService(booksProto.books.BookService.service, {});

    // Wildcard address plus insecure server credentials: the exposed service
    // has no transport encryption.
    server.bind('0.0.0.0:50051', grpc.ServerCredentials.createInsecure());
    server.start();
}

/**
 * Negative fixture: the channel uses credentials.createSsl(root_certs), so the
 * rule must stay silent (no createInsecure() call anywhere). `root_certs` and
 * `address` are not defined in this fixture; the code only needs to parse.
 * Only a root certificate bundle is passed here — presumably this verifies
 * the server but presents no client certificate; confirm against the grpc
 * API version in use.
 */
function testOk1() {
    // ok: grpc-nodejs-insecure-connection
    var {credentials, Client} = require('grpc');
    // TLS channel credentials: this is the secure counterpart of the flagged
    // createInsecure() calls in the fixtures above.
    var channel_creds = credentials.createSsl(root_certs);
    var client = new Client(address, channel_creds);

    client.list({}, function(error, books) {
        if (error)
            console.log('Error: ', error);
        else
            console.log(books);
    });
}