npm - @critiq/rules - Versions diffs - 0.0.1 → 0.1.0 - Mend

@critiq/rules 0.0.1 → 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (204) hide show

package/package.json CHANGED Viewed

@@ -1,8 +1,14 @@
 {
   "name": "@critiq/rules",
-  "version": "0.0.1",
+  "version": "0.1.0",
   "private": false,
   "description": "Public OSS Critiq rule catalog with catalog metadata, shipped rule YAML files, and preset membership.",
+  "license": "Apache-2.0",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/critiq-dev/critiq-rules.git"
+  },
+  "homepage": "https://github.com/critiq-dev/critiq-rules#readme",
   "type": "commonjs",
   "main": "./src/index.js",
   "types": "./src/index.d.ts",

package/rules/go/go.performance.no-regex-construction-in-loop.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.performance.no-regex-construction-in-loop
+  title: Avoid no regex construction in loop
+  summary: Performance hygiene signal for go sources.
+  rationale: Performance hygiene signal for go sources.
+  tags:
+    - performance
+    - go
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+match:
+  fact:
+    kind: go.performance.no-regex-construction-in-loop
+    bind: issue
+emit:
+  finding:
+    category: performance.allocation
+    severity: medium
+    confidence: 0.66
+    tags:
+      - performance
+      - go
+  message:
+    title: Avoid no regex construction in loop in `go` code
+    summary: "`${captures.issue.text}` matches go.performance.no-regex-construction-in-loop."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.

package/rules/go/go.performance.no-sync-fs-in-request-path.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.performance.no-sync-fs-in-request-path
+  title: Avoid no sync fs in request path
+  summary: Performance hygiene signal for go sources.
+  rationale: Performance hygiene signal for go sources.
+  tags:
+    - performance
+    - go
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+match:
+  fact:
+    kind: go.performance.no-sync-fs-in-request-path
+    bind: issue
+emit:
+  finding:
+    category: performance.io
+    severity: high
+    confidence: 0.66
+    tags:
+      - performance
+      - go
+  message:
+    title: Avoid no sync fs in request path in `go` code
+    summary: "`${captures.issue.text}` matches go.performance.no-sync-fs-in-request-path."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.

package/rules/go/go.performance.no-unbounded-concurrency.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.performance.no-unbounded-concurrency
+  title: Avoid no unbounded concurrency
+  summary: Performance hygiene signal for go sources.
+  rationale: Performance hygiene signal for go sources.
+  tags:
+    - performance
+    - go
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+match:
+  fact:
+    kind: go.performance.no-unbounded-concurrency
+    bind: issue
+emit:
+  finding:
+    category: performance.async
+    severity: medium
+    confidence: 0.66
+    tags:
+      - performance
+      - go
+  message:
+    title: Avoid no unbounded concurrency in `go` code
+    summary: "`${captures.issue.text}` matches go.performance.no-unbounded-concurrency."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.

package/rules/go/go.security.echo-sensitive-binding-without-validation.rule.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.echo-sensitive-binding-without-validation
+  title: Echo handlers should validate sensitive request bodies
+  summary: >-
+    Sensitive Echo binds should use struct tags or validators so mutations cannot accept empty or malformed credentials and roles.
+  rationale: >-
+    Regex-based heuristics flag Echo `Bind` usage when the file defines structs with sensitive fields that omit `validate` or `binding` style tags.
+    This is intentionally conservative and may miss cross-file structs or middleware-protected routes.
+  tags:
+    - security
+    - go
+    - echo
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.echo-sensitive-binding-without-validation
+    bind: issue
+emit:
+  finding:
+    category: security.input-validation
+    severity: medium
+    confidence: 0.72
+    tags:
+      - security
+      - go
+      - echo
+  message:
+    title: Add validation tags for sensitive Echo binds in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` binds request data without validation tags on sensitive struct fields."
+  remediation:
+    summary: >-
+      Add `validate` tags, use Echo's binding helpers with explicit validation, or route through a hardened DTO layer.

package/rules/go/go.security.echo-unsafe-multipart-upload.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.echo-unsafe-multipart-upload
+  title: Harden Echo multipart uploads
+  summary: >-
+    Multipart handlers should cap body size, sanitize filenames with `filepath.Base`, and avoid concatenating user filenames into destination paths.
+  rationale: >-
+    Unbounded multipart reads and raw `FormFile().Filename` usage enable DoS and path traversal when combined with predictable upload directories.
+  tags:
+    - security
+    - go
+    - echo
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.echo-unsafe-multipart-upload
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: high
+    confidence: 0.78
+    tags:
+      - security
+      - go
+      - echo
+  message:
+    title: Harden Echo upload handling in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` writes multipart uploads without `MaxBytesReader`, basename hardening, or equivalent guards."
+  remediation:
+    summary: >-
+      Wrap the request body with `http.MaxBytesReader`, normalize filenames with `filepath.Base`, enforce extension allowlists, and prefer storage APIs that never trust client paths.

package/rules/go/go.security.fiber-sensitive-binding-without-validation.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.fiber-sensitive-binding-without-validation
+  title: Fiber handlers should validate sensitive request bodies
+  summary: >-
+    Sensitive Fiber parsers should pair structs with validator tags or explicit validation so roles and secrets cannot be silently omitted.
+  rationale: >-
+    Regex heuristics flag `BodyParser`/`JSON` usage when structs in the same file define sensitive fields without `validate` or `binding` style tags.
+  tags:
+    - security
+    - go
+    - fiber
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.fiber-sensitive-binding-without-validation
+    bind: issue
+emit:
+  finding:
+    category: security.input-validation
+    severity: medium
+    confidence: 0.72
+    tags:
+      - security
+      - go
+      - fiber
+  message:
+    title: Add validation tags for sensitive Fiber binds in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` parses request bodies without validation tags on sensitive struct fields."
+  remediation:
+    summary: >-
+      Add `validate` struct tags, use Fiber validator middleware, or centralize DTO validation before business logic.

package/rules/go/go.security.fiber-unsafe-multipart-upload.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.fiber-unsafe-multipart-upload
+  title: Harden Fiber multipart uploads
+  summary: >-
+    Fiber upload helpers should enforce size limits and never persist client-controlled filenames without normalization.
+  rationale: >-
+    `FormFile`/`SaveFile` flows that concatenate `Filename` into paths or skip `filepath.Base` are a common path traversal and storage abuse vector.
+  tags:
+    - security
+    - go
+    - fiber
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.fiber-unsafe-multipart-upload
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: high
+    confidence: 0.76
+    tags:
+      - security
+      - go
+      - fiber
+  message:
+    title: Harden Fiber upload handling in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` handles multipart uploads without basename hardening or byte limits in the local handler window."
+  remediation:
+    summary: >-
+      Apply `filepath.Base`, cap reader sizes, allowlist extensions, and store uploads using server-generated object keys.

package/rules/go/go.security.gin-sensitive-binding-without-validation.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.gin-sensitive-binding-without-validation
+  title: Gin handlers should validate sensitive request bodies
+  summary: >-
+    Sensitive Gin binds should use `binding` or validator tags so authentication and mutation payloads cannot be silently empty.
+  rationale: >-
+    Regex heuristics flag `ShouldBindJSON`/`BindJSON` usage when structs in the same file omit `binding`/`validate` tags on sensitive fields such as passwords or roles.
+  tags:
+    - security
+    - go
+    - gin
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.gin-sensitive-binding-without-validation
+    bind: issue
+emit:
+  finding:
+    category: security.input-validation
+    severity: medium
+    confidence: 0.74
+    tags:
+      - security
+      - go
+      - gin
+  message:
+    title: Add validation tags for sensitive Gin binds in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` binds JSON without validation tags on sensitive struct fields."
+  remediation:
+    summary: >-
+      Add `binding`/`validate` tags, register validators, or reject requests before they reach persistence layers.

package/rules/go/go.security.gin-trust-all-proxies.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.gin-trust-all-proxies
+  title: Avoid trust-all Gin reverse proxy settings
+  summary: >-
+    `SetTrustedProxies` should list real upstreams instead of `nil` or `0.0.0.0/0` style catch-alls that spoof `X-Forwarded-For`.
+  rationale: >-
+    Trusting every proxy allows clients to forge client IP headers and bypass IP-based controls or auditing.
+  tags:
+    - security
+    - go
+    - gin
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.gin-trust-all-proxies
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.86
+    tags:
+      - security
+      - go
+      - gin
+  message:
+    title: Restrict Gin trusted proxies in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` trusts all proxies or nil, which enables forwarded header spoofing."
+  remediation:
+    summary: >-
+      Replace catch-all trusted proxy lists with explicit CIDRs for your ingress tier and document the expected hop count.

package/rules/go/go.security.gin-wildcard-cors-with-credentials.rule.yaml ADDED Viewed

@@ -0,0 +1,47 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.gin-wildcard-cors-with-credentials
+  title: Avoid wildcard CORS origins with credentials in Gin
+  summary: >-
+    `gin-contrib/cors` configurations must not combine wildcard origins with `AllowCredentials: true`.
+  rationale: >-
+    Wildcard origins with credentials violate browser CORS safety expectations and often mask missing origin allowlists in APIs that should be locked down.
+  tags:
+    - security
+    - go
+    - gin
+    - cors
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.gin-wildcard-cors-with-credentials
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.82
+    tags:
+      - security
+      - go
+      - gin
+      - cors
+  message:
+    title: Fix permissive CORS with credentials in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` pairs wildcard origins with `AllowCredentials`, which is unsafe for browser clients."
+  remediation:
+    summary: >-
+      Replace wildcard origins with explicit HTTPS origins, disable credentials when public anonymous access is intended, or move token APIs to header-only auth without credentialed CORS.

package/rules/go/go.security.net-http-missing-timeouts.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.net-http-missing-timeouts
+  title: Configure HTTP server timeouts for public listeners
+  summary: >-
+    Public Go HTTP servers should use `http.Server` with read, write, idle, and header timeouts instead of convenience `ListenAndServe` helpers or incomplete literals.
+  rationale: >-
+    Missing timeouts enable slowloris-style resource exhaustion and hung connections on internet-facing services.
+  tags:
+    - security
+    - go
+    - net/http
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.net-http-missing-timeouts
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.7
+    tags:
+      - security
+      - go
+      - net/http
+  message:
+    title: Add HTTP timeouts around `${captures.issue.text}`
+    summary: "`${captures.issue.text}` exposes a listener without full `http.Server` timeout coverage suitable for public networks."
+  remediation:
+    summary: >-
+      Construct `http.Server` with `ReadHeaderTimeout`, `ReadTimeout`, `WriteTimeout`, and `IdleTimeout`, and prefer `ListenAndServe` on that configured instance.

package/rules/go/go.security.sensitive-data-egress.rule.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.sensitive-data-egress
+  title: Avoid relaying request-controlled data through outbound Go HTTP clients
+  summary: >-
+    Outbound `http.Post` bodies should not be built directly from request values without validation or redaction.
+  rationale: >-
+    Tainted POST bodies can exfiltrate secrets, replay cookies, or forward attacker payloads to internal integrations.
+  tags:
+    - security
+    - go
+    - privacy
+    - egress
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: security.sensitive-data-egress
+    bind: issue
+emit:
+  finding:
+    category: security.privacy
+    severity: high
+    confidence: 0.78
+    tags:
+      - security
+      - go
+      - privacy
+  message:
+    title: Validate outbound HTTP payloads in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` forwards tainted values into an outbound HTTP client body."
+  remediation:
+    summary: >-
+      Allowlist outbound hosts, strip secrets from relayed payloads, and route integrations through audited helpers.

package/rules/go/go.security.tar-path-traversal.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.tar-path-traversal
+  title: Sanitize archive entry paths before writing to disk
+  summary: >-
+    Tar extraction must normalize `header.Name` with `filepath.Base` or `filepath.Clean` before opening destination files.
+  rationale: >-
+    Writing `hdr.Name` directly enables `../` traversal that escapes intended extraction directories.
+  tags:
+    - security
+    - go
+    - archive
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.tar-path-traversal
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: high
+    confidence: 0.8
+    tags:
+      - security
+      - go
+      - archive
+  message:
+    title: Normalize tar entry paths in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` opens a filesystem path using raw tar header names without `filepath.Base`/`filepath.Clean`."
+  remediation:
+    summary: >-
+      Join destinations using a fixed root with `filepath.Join`, reject absolute paths, and always apply `filepath.Base` before `os.Create`.

package/rules/go/go.security.template-unescaped-request-value.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.template-unescaped-request-value
+  title: Avoid feeding request data into trusted template types
+  summary: >-
+    `template.HTML`, `template.JS`, and `template.CSS` should not wrap request-derived strings unless they were sanitized first.
+  rationale: >-
+    Trusted template types disable escaping and turn reflected input into cross-site scripting when executed in browsers.
+  tags:
+    - security
+    - go
+    - templates
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.template-unescaped-request-value
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: high
+    confidence: 0.8
+    tags:
+      - security
+      - go
+      - templates
+  message:
+    title: Sanitize before using trusted template types in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` wraps request-controlled data in `template.HTML`/`JS`/`CSS` without an obvious sanitizer."
+  remediation:
+    summary: >-
+      Run untrusted strings through an HTML sanitizer such as bluemonday, prefer typed templates, or keep data in plain escaped fields.

package/rules/go/go.testing.real-network-in-unit-test.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.testing.real-network-in-unit-test
+  title: Avoid live network clients in Go unit tests
+  summary: Unit tests should not dial the real network; prefer fakes or httptest servers.
+  rationale: Live network calls make tests flaky and couple CI to external availability.
+  tags:
+    - testing
+    - go
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+match:
+  fact:
+    kind: go.testing.real-network-in-unit-test
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.68
+    tags:
+      - testing
+      - go
+  message:
+    title: Stub outbound network in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses a real HTTP or dial client inside a `_test.go` file."
+  remediation:
+    summary: Use `httptest`, interface fakes, or recorded fixtures instead of live hosts.