/
grpc-server-insecure-connection.yaml
43 lines (42 loc) · 1.29 KB
/
grpc-server-insecure-connection.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
rules:
- id: grpc-server-insecure-connection
metadata:
cwe:
- 'CWE-300: Channel Accessible by Non-Endpoint'
references:
- https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption
category: security
technology:
- grpc
confidence: HIGH
owasp:
- A07:2021 - Identification and Authentication Failures
subcategory:
- audit
likelihood: LOW
impact: LOW
message: >-
Found an insecure gRPC server without 'grpc.Creds()' or options with credentials.
This allows for a connection without
encryption to this server.
A malicious attacker could tamper with the gRPC message, which could compromise
the machine. Include credentials derived
from an SSL certificate in order to create a secure gRPC connection. You can create
credentials using 'credentials.NewServerTLSFromFile("cert.pem",
"cert.key")'.
languages:
- go
severity: ERROR
mode: taint
pattern-sinks:
- requires: OPTIONS and not CREDS
pattern: grpc.NewServer($OPT, ...)
- requires: EMPTY_CONSTRUCTOR
pattern: grpc.NewServer()
pattern-sources:
- label: OPTIONS
pattern: grpc.ServerOption{ ... }
- label: CREDS
pattern: grpc.Creds(...)
- label: EMPTY_CONSTRUCTOR
pattern: grpc.NewServer()