npm - @critiq/rules - Versions diffs - 0.0.1 → 0.1.0 - Mend

@critiq/rules 0.0.1 → 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (204) hide show

package/rules/typescript/ts.security.insecure-content-security-policy-literal.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.insecure-content-security-policy-literal
+  title: Avoid unsafe Content-Security-Policy literals
+  summary: Static CSP header values should not rely on unsafe-inline, unsafe-eval, or unsafe-hashes without nonces.
+  rationale: Permissive CSP keywords weaken XSS defenses for every response that carries the header.
+  tags:
+    - security
+    - csp
+    - headers
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.insecure-content-security-policy-literal
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.8
+    tags:
+      - security
+      - csp
+  message:
+    title: "Tighten Content-Security-Policy in ${captures.issue.text}"
+    summary: "${captures.issue.text} sets a CSP that includes unsafe directives without a nonce-based escape hatch."
+  remediation:
+    summary: Prefer nonces or hashes, remove unsafe-inline and unsafe-eval, and scope directives to the smallest required surface.

package/rules/typescript/ts.security.insecure-helmet-hardening-options.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.insecure-helmet-hardening-options
+  title: Avoid disabling core Helmet protections
+  summary: Helmet should keep nosniff, HSTS, DNS prefetch control, Expect-CT, and referrer policy enabled unless another gateway enforces them.
+  rationale: Turning off individual Helmet middlewares removes baseline HTTP hardening that is a high-signal misconfiguration risk.
+  tags:
+    - security
+    - express
+    - headers
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.insecure-helmet-hardening-options
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.86
+    tags:
+      - security
+      - express
+      - headers
+  message:
+    title: "Review disabled Helmet option in ${captures.issue.text}"
+    summary: "${captures.issue.text} disables a Helmet protection that should usually remain enabled."
+  remediation:
+    summary: Remove false overrides for nosniff, HSTS, DNS prefetch control, Expect-CT, and referrer policy unless a documented compensating control applies.

package/rules/typescript/ts.security.jwt-insecure-signing-algorithm.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.jwt-insecure-signing-algorithm
+  title: Do not sign JWTs with the none algorithm
+  summary: JSON Web Token signing options must not enable the none algorithm.
+  rationale: The none algorithm allows tokens to be accepted without verification, defeating authentication.
+  tags:
+    - security
+    - jwt
+    - authentication
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ts.security.jwt-insecure-signing-algorithm
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: critical
+    confidence: 0.95
+    tags:
+      - security
+      - jwt
+  message:
+    title: "Remove insecure JWT algorithm from ${captures.issue.text}"
+    summary: "${captures.issue.text} is configured with the none algorithm or algorithm list."
+  remediation:
+    summary: Require asymmetric or HMAC algorithms explicitly and reject none at signing and verification layers.

package/rules/typescript/ts.security.legacy-buffer-constructor.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.legacy-buffer-constructor
+  title: Replace legacy Buffer constructors
+  summary: Use Buffer.from, Buffer.alloc, or Buffer.allocUnsafe instead of the deprecated Buffer constructor.
+  rationale: Legacy constructors behave differently across Node versions and are harder to audit for safe allocation.
+  tags:
+    - security
+    - node
+    - memory
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.legacy-buffer-constructor
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - node
+  message:
+    title: "Replace ${captures.issue.text}"
+    summary: "${captures.issue.text} uses the deprecated Buffer constructor API."
+  remediation:
+    summary: Prefer Buffer.from for encoded data and Buffer.alloc for zero-filled buffers sized by trusted logic.

package/rules/typescript/ts.security.log-injection.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.log-injection
+  title: Sanitize user-controlled values before they reach log messages
+  summary: Logger calls in pino, winston, bunyan, and consola should not interpolate or concatenate request input directly into the message text.
+  rationale: Unsanitized request data in log messages enables CRLF injection, control-character smuggling, and downstream log-parser confusion. Wrapping the value with a structured field, JSON encoder, or CRLF-stripping replace neutralizes the vector.
+  tags:
+    - security
+    - logging
+    - input-validation
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.log-injection
+    bind: issue
+emit:
+  finding:
+    category: security.input-validation
+    severity: medium
+    confidence: 0.85
+    tags:
+      - security
+      - logging
+      - input-validation
+  message:
+    title: Sanitize user-controlled values before reaching `${captures.issue.text}`
+    summary: "`${captures.issue.text}` interpolates request data into a log message without an obvious sanitizer."
+  remediation:
+    summary: Pass request data as a structured field, JSON-encode it, or strip CRLF and control characters before concatenating it into the log message.

package/rules/typescript/ts.security.nestjs-helmet-after-route-mount.rule.yaml ADDED Viewed

@@ -0,0 +1,34 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.nestjs-helmet-after-route-mount
+  title: Register Helmet before Nest route mounts
+  summary: Nest bootstrap files should apply Helmet before mounting path-bound routers.
+  rationale: Middleware order determines whether framed routes inherit Helmet protections; mounting routers too early widens exposure.
+  tags:
+    - security
+    - nestjs
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.nestjs-helmet-after-route-mount
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.8
+    tags:
+      - security
+      - nestjs
+  message:
+    title: Move Helmet ahead of routed middleware
+    summary: Helmet runs after a route-mounted `app.use` in this Nest bootstrap.
+  remediation:
+    summary: Call `helmet()` before registering routers bound to external paths unless another gateway applies equivalent protections.

package/rules/typescript/ts.security.nestjs-missing-global-validation-pipe.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.nestjs-missing-global-validation-pipe
+  title: Add a global Nest ValidationPipe
+  summary: Nest bootstrap entries should register `ValidationPipe` globally when controllers parse bodies or DTOs.
+  rationale: Without a validation pipe unexpected fields can reach controllers and weaken input hygiene.
+  tags:
+    - security
+    - nestjs
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.nestjs-missing-global-validation-pipe
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.68
+    tags:
+      - security
+      - nestjs
+  message:
+    title: Register `useGlobalPipes` with ValidationPipe
+    summary: Nest bootstrap completes without calling `useGlobalPipes`.
+  remediation:
+    summary: >-
+      Call app.useGlobalPipes with ValidationPipe using whitelist and forbidNonWhitelisted flags near bootstrap completion.

package/rules/typescript/ts.security.nestjs-skip-throttle-sensitive-route.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.nestjs-skip-throttle-sensitive-route
+  title: Do not skip throttling on credential routes
+  summary: Sensitive Nest routes should not disable `@nestjs/throttler` protections without a compensating throttle.
+  rationale: Authentication endpoints are brute-force magnets; removing throttling removes basic abuse resistance.
+  tags:
+    - security
+    - nestjs
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.nestjs-skip-throttle-sensitive-route
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: medium
+    confidence: 0.79
+    tags:
+      - security
+      - nestjs
+      - throttling
+  message:
+    title: Restore throttling for brute-force sensitive handlers
+    summary: "`${captures.issue.text}` disables throttling on an authentication-sensitive route."
+  remediation:
+    summary: Remove `@SkipThrottle()` or pair it with an explicit `@Throttle` policy tuned for the handler.

package/rules/typescript/ts.security.nestjs-validation-pipe-without-whitelist.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.nestjs-validation-pipe-without-whitelist
+  title: Harden Nest ValidationPipe with whitelist mode
+  summary: Global ValidationPipe instances should enable whitelist-style stripping for unexpected fields.
+  rationale: Allowing undeclared fields preserves attack surface for mass-assignment style bugs.
+  tags:
+    - security
+    - nestjs
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.nestjs-validation-pipe-without-whitelist
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.74
+    tags:
+      - security
+      - nestjs
+  message:
+    title: Enable ValidationPipe whitelist hardening
+    summary: >-
+      ValidationPipe is configured without literal whitelist true.
+  remediation:
+    summary: >-
+      Enable whitelist true and usually forbidNonWhitelisted true on the global ValidationPipe.

package/rules/typescript/ts.security.nuxt-public-runtime-secret.rule.yaml ADDED Viewed

@@ -0,0 +1,38 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.nuxt-public-runtime-secret
+  title: Keep secrets out of Nuxt public runtime config
+  summary: >-
+    Sensitive credentials must not be exposed through runtimeConfig.public, which is visible to client bundles.
+  rationale: >-
+    Nuxt exposes runtimeConfig.public to the browser; placing secret material there leaks API keys, database passwords, and signing material to every visitor.
+  tags:
+    - security
+    - nuxt
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.nuxt-public-runtime-secret
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.86
+    tags:
+      - security
+      - nuxt
+  message:
+    title: Move ${captures.issue.text} out of runtimeConfig.public
+    summary: >-
+      runtimeConfig.public declares ${captures.issue.text}, which looks like a secret or private credential.
+  remediation:
+    summary: >-
+      Keep secrets in the private runtimeConfig tree (non-public) and expose only publishable identifiers to the client after reviewing Nuxt runtime config documentation.

package/rules/typescript/ts.security.open-redirect.rule.yaml CHANGED Viewed

@@ -16,6 +16,8 @@ scope:
   languages:
     - typescript
     - javascript
+    - java
+    - go
 match:
   fact:
     kind: security.open-redirect

package/rules/typescript/ts.security.request-driven-array-index-access.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.request-driven-array-index-access
+  title: Avoid request-driven array indexing without bounds checks
+  summary: Arrays indexed with request-derived keys can read or write out-of-bounds entries.
+  rationale: Attacker-controlled indexes bypass assumptions about array length and element initialization.
+  tags:
+    - security
+    - correctness
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.request-driven-array-index-access
+    bind: issue
+emit:
+  finding:
+    category: security.input-validation
+    severity: medium
+    confidence: 0.72
+    tags:
+      - security
+  message:
+    title: "Validate index ${captures.issue.text} before use"
+    summary: "Array access uses a computed index derived from ${captures.issue.text}."
+  remediation:
+    summary: Parse and bound-check indexes, prefer maps keyed by stable identifiers, or avoid indexing arrays with request data.

package/rules/typescript/ts.security.sensitive-data-egress.rule.yaml CHANGED Viewed

@@ -16,6 +16,7 @@ scope:
   languages:
     - typescript
     - javascript
+    - java
 match:
   fact:
     kind: security.sensitive-data-egress

package/rules/typescript/ts.security.ssrf.rule.yaml CHANGED Viewed

@@ -14,6 +14,7 @@ scope:
   languages:
     - typescript
     - javascript
+    - go
 match:
   fact:
     kind: security.ssrf

package/rules/typescript/ts.security.unsafe-dompurify-version.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.unsafe-dompurify-version
+  title: Upgrade DOM sanitization dependency
+  summary: DOM sanitization libraries should stay on patched versions before they are trusted for untrusted HTML.
+  rationale: Older sanitizer versions can miss browser parsing edge cases and leave XSS protections incomplete.
+  tags:
+    - security
+    - dependency
+    - xss
+    - rules-catalog
+  stability: experimental
+  appliesTo: project
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.dependency.dompurify-unsafe-version
+    bind: issue
+emit:
+  finding:
+    category: security.dependency
+    severity: high
+    confidence: 0.82
+    tags:
+      - security
+      - dependency
+      - xss
+  message:
+    title: Upgrade `${captures.issue.text}`
+    summary: "`${captures.issue.text}` is below the minimum sanitizer version Critiq treats as safe for untrusted HTML."
+  remediation:
+    summary: Upgrade the package, then keep HTML sanitizer usage behind a small reviewed wrapper.

package/rules/typescript/ts.security.unsafe-marked-version.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.unsafe-marked-version
+  title: Upgrade Markdown rendering dependency
+  summary: Markdown renderers should stay on patched versions before rendering untrusted content.
+  rationale: Older Markdown renderer versions can expose unsafe HTML handling and parser edge cases.
+  tags:
+    - security
+    - dependency
+    - xss
+    - rules-catalog
+  stability: experimental
+  appliesTo: project
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.dependency.marked-unsafe-version
+    bind: issue
+emit:
+  finding:
+    category: security.dependency
+    severity: high
+    confidence: 0.82
+    tags:
+      - security
+      - dependency
+      - xss
+  message:
+    title: Upgrade `${captures.issue.text}`
+    summary: "`${captures.issue.text}` is below the minimum Markdown renderer version Critiq treats as safe for untrusted content."
+  remediation:
+    summary: Upgrade the package and keep untrusted Markdown rendering behind explicit sanitization.

package/rules/typescript/ts.security.xml-parse-string-with-untrusted-input.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.xml-parse-string-with-untrusted-input
+  title: Do not parse untrusted XML with permissive parsers
+  summary: parseString and similar XML helpers should not consume request-controlled payloads without hardening.
+  rationale: Untrusted XML can enable XXE-style parser abuse depending on the underlying implementation and parser flags.
+  tags:
+    - security
+    - xml
+    - deserialization
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.xml-parse-string-with-untrusted-input
+    bind: issue
+emit:
+  finding:
+    category: security.deserialization
+    severity: high
+    confidence: 0.78
+    tags:
+      - security
+      - xml
+  message:
+    title: "Validate XML parsing for ${captures.issue.text}"
+    summary: "${captures.issue.text} parses XML that appears request-driven."
+  remediation:
+    summary: Disable external entities, validate payloads against a strict schema, and parse with a hardened XML configuration.

package/rules/typescript/ts.testing.no-flaky-timer-test.rule.yaml ADDED Viewed

@@ -0,0 +1,38 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.testing.no-flaky-timer-test
+  title: Prefer fake timers in unit tests
+  summary: Real timers, sleeps, or wall-clock reads in unit tests are flaky unless fake timers are enabled for the file.
+  rationale: Wall-clock based tests race CI load and parallelization; fake timers keep behavior deterministic.
+  tags:
+    - testing
+    - quality
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+  paths:
+    exclude:
+      - "**/e2e/**"
+      - "**/*.integration.test.*"
+match:
+  fact:
+    kind: testing.flaky-timer-in-test
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: low
+    confidence: 0.68
+    tags:
+      - testing
+      - timers
+  message:
+    title: Stabilize timer usage in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses real timers or wall-clock reads without `jest.useFakeTimers` / `vi.useFakeTimers` in the same file."
+  remediation:
+    summary: Enable fake timers for the suite, inject a clock abstraction, or move timing assertions behind a test double.

package/rules/typescript/ts.testing.no-focused-test.rule.yaml ADDED Viewed

@@ -0,0 +1,34 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.testing.no-focused-test
+  title: Remove focused or exclusive tests before merge
+  summary: Focused tests such as it.only or describe.only should not ship because they silence the rest of the suite in CI.
+  rationale: Exclusive tests hide failures in sibling cases and are a common accidental merge footgun.
+  tags:
+    - testing
+    - quality
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: testing.focused-only-invocation
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.88
+    tags:
+      - testing
+      - ci
+  message:
+    title: Remove focused test `${captures.issue.text}`
+    summary: "`${captures.issue.text}` runs in exclusive mode so other tests in the file or suite are skipped."
+  remediation:
+    summary: Remove `.only` / `fit` / `fdescribe` style exclusivity and rely on the full suite in CI.

package/rules/typescript/ts.testing.no-missing-edge-case-tests.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.testing.no-missing-edge-case-tests
+  title: Update tests when branch-heavy service logic changes
+  summary: Diffs that touch many branches in critical service paths should update paired tests in the same change.
+  rationale: Branch-heavy edits without test updates often miss boundary and failure behavior reviewers expect.
+  tags:
+    - testing
+    - quality
+    - rules-catalog
+  stability: experimental
+  appliesTo: project
+scope:
+  languages:
+    - typescript
+    - javascript
+  changedLinesOnly: false
+match:
+  fact:
+    kind: testing.missing-edge-case-tests-for-changes
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.66
+    tags:
+      - testing
+      - diff
+  message:
+    title: Exercise new branches in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` changes branch-heavy logic on a critical path without a corresponding test file change."
+  remediation:
+    summary: Extend the paired unit test with cases for new branches, guards, and failure paths touched by the diff.

package/rules/typescript/ts.testing.no-network-call-in-unit-test.rule.yaml ADDED Viewed

@@ -0,0 +1,38 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.testing.no-network-call-in-unit-test
+  title: Avoid real network calls in unit tests
+  summary: Unit tests should not open real sockets; prefer doubles, recordings, or local fakes.
+  rationale: Real network calls make tests flaky, slow, and unsafe against live systems.
+  tags:
+    - testing
+    - quality
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+  paths:
+    exclude:
+      - "**/e2e/**"
+      - "**/*.integration.test.*"
+match:
+  fact:
+    kind: testing.real-network-in-unit-test
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.74
+    tags:
+      - testing
+      - network
+  message:
+    title: Replace live network call `${captures.issue.text}`
+    summary: "`${captures.issue.text}` performs an outbound HTTP style call inside a unit test path."
+  remediation:
+    summary: Mock HTTP clients, use an in-memory server, or relocate the scenario to an explicit integration suite.