mirror of
https://github.com/pushbits/server.git
synced 2025-04-29 10:16:50 +02:00
41 lines
1.4 KiB
YAML
41 lines
1.4 KiB
YAML
rules:
|
|
- id: grpc-server-insecure-connection
|
|
metadata:
|
|
cwe: "CWE-300: Channel Accessible by Non-Endpoint"
|
|
references:
|
|
- https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption
|
|
category: security
|
|
technology:
|
|
- grpc
|
|
confidence: HIGH
|
|
message: >-
|
|
Found an insecure gRPC server without 'grpc.Creds()' or options with credentials.
|
|
This allows for a connection without
|
|
encryption to this server.
|
|
A malicious attacker could tamper with the gRPC message, which could compromise
|
|
the machine. Include credentials derived
|
|
from an SSL certificate in order to create a secure gRPC connection. You can create
|
|
credentials using 'credentials.NewServerTLSFromFile("cert.pem",
|
|
"cert.key")'.
|
|
languages:
|
|
- go
|
|
severity: ERROR
|
|
patterns:
|
|
- pattern-not: grpc.NewServer(..., grpc.Creds(...), ...)
|
|
- pattern-not-inside: |
|
|
$OPTS := []grpc.ServerOption{
|
|
...,
|
|
grpc.Creds(credentials.NewClientTLSFromCert(...)),
|
|
...,
|
|
}
|
|
grpc.NewServer($OPTS...)
|
|
- pattern-not-inside: |
|
|
$CREDS := credentials.NewClientTLSFromCert(...)
|
|
...
|
|
$OPTS := []grpc.ServerOption{
|
|
...,
|
|
$CREDS,
|
|
...,
|
|
}
|
|
grpc.NewServer($OPTS...)
|
|
- pattern: grpc.NewServer(...)
|