Avoid insecure GRPC server
ID: go-security/grpc-server-insecure
Language: Go
Severity: Info
Category: Security
CWE: 300
Description
The code creates a gRPC server without any transport-security option. grpc.NewServer() called without grpc.Creds accepts plaintext connections: every request and response crosses the network unencrypted and unauthenticated, so anyone on the path can read or modify the traffic and any host can impersonate the server (CWE-300, channel accessible by non-endpoint).
To fix this, give the server TLS (Transport Layer Security) transport credentials. Here is an example of the updated code (credentials is google.golang.org/grpc/credentials):
// Load the server's certificate chain and private key; this fails if either
// file is missing, unreadable or not valid PEM.
tlsCredentials, err := credentials.NewServerTLSFromFile("cert.pem", "key.pem")
if err != nil {
	log.Fatalf("loading TLS credentials: %v", err)
}
// Every connection the server accepts must now complete a TLS handshake.
s := grpc.NewServer(grpc.Creds(tlsCredentials))
In the updated code, credentials.NewServerTLSFromFile loads the server's certificate chain from "cert.pem" and its private key from "key.pem" (both PEM-encoded). Passing the result to grpc.Creds() installs TLS as the server's transport, so every accepted connection must complete a TLS handshake before any RPC is served; a client that speaks plaintext is rejected at the handshake.
Use certificates issued by a CA that your clients trust; self-signed certificates are acceptable only for development and testing, and clients must then be given that certificate explicitly rather than having verification disabled. Keep the private key file readable only by the account the server runs as, never commit it to source control, and rotate it if exposure is suspected. When the server must also authenticate its callers, require client certificates (mutual TLS): build the credentials with credentials.NewTLS and a tls.Config whose ClientAuth is tls.RequireAndVerifyClientCert and whose ClientCAs holds the CA that issues client certificates.
Enabling transport security with TLS protects the data exchanged between clients and the server: it is encrypted in transit and the client verifies the server's identity, so an attacker on the network path can neither read nor tamper with the traffic nor impersonate the server.
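As an added example that is not code from this rule page or from grpc-go, the following program builds the server-side tls.Config that credentials.NewTLS wraps, then checks it with a loopback TLS handshake so the effect of the credentials is visible. It assumes a throwaway CA and a server certificate for "localhost" generated in memory (standing in for cert.pem and key.pem) and uses only the Go standard library so it runs without grpc-go; the grpc.Creds call it would feed appears in a comment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// signCert issues a certificate for tmpl, self-signed when parent is nil. Keys and
// certificates are generated in memory so the example runs offline; production ones come from your CA.
func signCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// devPKI builds a throwaway CA plus a server certificate it issued for host; the returned pool holds only the CA.
func devPKI(host string) (tls.Certificate, *x509.CertPool, error) {
	now := time.Now()
	ca, caKey, err := signCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example dev CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, leafKey, err := signCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // clients match ServerName against the SAN, not the CN
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return tls.Certificate{Certificate: [][]byte{leaf.Raw, ca.Raw}, PrivateKey: leafKey}, roots, nil
}

// serverTLSConfig is what the gRPC server should receive: grpc.NewServer(grpc.Creds(credentials.NewTLS(cfg))).
// MinVersion is pinned so the floor does not depend on the Go release's default.
func serverTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
}

// handshake runs one TLS handshake over loopback TCP (server uses srvCfg; the client
// trusts only roots and expects serverName) and returns the client's error, else the server's.
func handshake(srvCfg *tls.Config, roots *x509.CertPool, serverName string) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			err = tls.Server(conn, srvCfg).Handshake()
		}
		srvErr <- err
	}()
	clientCfg := &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12}
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	return <-srvErr
}

func main() {
	cert, roots, err := devPKI("localhost")
	if err != nil {
		panic(err)
	}
	fmt.Println("client trusting the CA:", handshake(serverTLSConfig(cert), roots, "localhost"))
}
```

Running it prints <nil> for the client that trusts the CA. A client with an empty trust store is refused with an unknown-authority error, a client expecting another ServerName fails hostname verification, and a server config with no certificate at all (which is what the client-side constructor credentials.NewClientTLSFromCert produces) fails every handshake, so such a misconfiguration surfaces at the first connection rather than silently degrading to plaintext. Hand the config to the server as grpc.Creds(credentials.NewTLS(cfg)); credentials.NewServerTLSFromFile is the same config built from the PEM files.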
Non-Compliant Code Examples
func main() {
	// No grpc.Creds option: the server accepts plaintext connections.
	s := grpc.NewServer()
	_ = s
}
Compliant Code Examples
func main() {
	// Server-side credentials; credentials.NewClientTLSFromCert is the client-side constructor.
	tlsCredentials, err := credentials.NewServerTLSFromFile("cert.pem", "key.pem")
	if err != nil {
		log.Fatalf("loading TLS credentials: %v", err)
	}
	options := []grpc.ServerOption{
		grpc.Creds(tlsCredentials),
	}
	server := grpc.NewServer(options...)
	_ = server
}
// filename is not_compliant_test.go
// Listed under the compliant examples: the rule does not report servers created in _test.go files.
func main() {
	s := grpc.NewServer()
	_ = s
}