npm - @critiq/rules - Versions diffs - 0.0.1 - Mend

@critiq/rules 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (121) hide show

package/rules/typescript/ts.security.debug-mode-enabled.rule.yaml ADDED Viewed

@@ -0,0 +1,38 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.debug-mode-enabled
+  title: Do not expose debug routes or middleware in production
+  summary: Debug handlers, stack-showing middleware, and diagnostic endpoints should stay behind explicit development-only guards.
+  rationale: Debug endpoints and stack-showing middleware can disclose internal topology, environment details, and request data with very little attacker effort.
+  tags:
+    - security
+    - express
+    - diagnostics
+    - misconfiguration
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.debug-mode-enabled
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.92
+    tags:
+      - security
+      - express
+      - diagnostics
+      - misconfiguration
+  message:
+    title: Guard `${captures.issue.text}` behind an explicit development-only check
+    summary: "`${captures.issue.text}` enables debug or diagnostic exposure without a visible same-file development guard."
+  remediation:
+    summary: Wrap the registration in an explicit development-only guard or remove the endpoint or middleware from production builds.

package/rules/typescript/ts.security.dynamodb-query-injection.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.dynamodb-query-injection
+  title: Avoid request-driven DynamoDB queries
+  summary: DynamoDB query and scan inputs should not be built directly from request input.
+  rationale: Raw request data in DynamoDB helpers can widen query scope or let attackers control expressions, filters, and key conditions.
+  tags:
+    - security
+    - injection
+    - dynamodb
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.dynamodb-query-injection
+    bind: issue
+emit:
+  finding:
+    category: security.input-validation
+    severity: critical
+    confidence: 0.9
+    tags:
+      - security
+      - injection
+      - dynamodb
+  message:
+    title: Constrain `${captures.issue.text}` to a fixed DynamoDB query shape
+    summary: "`${captures.issue.text}` receives request-controlled DynamoDB input without narrowing it to trusted expressions or key maps."
+  remediation:
+    summary: Build DynamoDB requests from fixed expressions and allowlisted fields instead of forwarding request-shaped input.

package/rules/typescript/ts.security.exposed-directory-listing.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.exposed-directory-listing
+  title: Avoid exposed directory listings
+  summary: Directory listing middleware should not be enabled on public paths without a deliberate review.
+  rationale: Directory listings expose internal file names and make unintended resources easier to discover and fetch.
+  tags:
+    - security
+    - express
+    - filesystem
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.exposed-directory-listing
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.95
+    tags:
+      - security
+      - express
+      - filesystem
+  message:
+    title: Review `${captures.issue.text}` before exposing directory listings
+    summary: "`${captures.issue.text}` enables public directory listing behavior."
+  remediation:
+    summary: Remove directory listing middleware or protect it behind strict authorization and path scoping.

package/rules/typescript/ts.security.express-cookie-missing-http-only.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.express-cookie-missing-http-only
+  title: Set `HttpOnly` on Express session cookies
+  summary: Express session and cookie-session configs should not disable the `HttpOnly` flag.
+  rationale: Script-readable session cookies are easier to steal after an XSS bug.
+  tags:
+    - security
+    - authentication
+    - cookies
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.express-cookie-missing-http-only
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - authentication
+      - cookies
+  message:
+    title: Turn `HttpOnly` back on for `${captures.issue.text}`
+    summary: "`${captures.issue.text}` disables the `HttpOnly` cookie flag in Express session configuration."
+  remediation:
+    summary: "Set `httpOnly: true` so browser scripts cannot read the session cookie."

package/rules/typescript/ts.security.express-default-cookie-config.rule.yaml ADDED Viewed

@@ -0,0 +1,39 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.express-default-cookie-config
+  title: Override Express cookie defaults
+  summary: Express session cookie settings should not omit explicit lifetime, scope, and transport attributes.
+  rationale: Implicit cookie defaults vary by middleware and make auth state harder to audit consistently.
+  tags:
+    - security
+    - authentication
+    - express
+    - cookies
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.express-default-cookie-config
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: medium
+    confidence: 0.88
+    tags:
+      - security
+      - authentication
+      - express
+      - cookies
+  message:
+    title: Make the cookie policy explicit in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` leaves key Express cookie settings at implicit defaults."
+  remediation:
+    summary: Set explicit cookie lifetime, scope, and transport attributes instead of relying on middleware defaults.

package/rules/typescript/ts.security.express-default-session-config.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.express-default-session-config
+  title: Override Express session defaults
+  summary: Express session middleware should not rely on default session naming and configuration.
+  rationale: Default session settings make applications easier to fingerprint and often skip explicit hardening choices.
+  tags:
+    - security
+    - authentication
+    - express
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.express-default-session-config
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: medium
+    confidence: 0.88
+    tags:
+      - security
+      - authentication
+      - express
+  message:
+    title: Replace the defaults in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` relies on default Express session configuration."
+  remediation:
+    summary: Set an explicit session name and hardening options instead of relying on middleware defaults.

package/rules/typescript/ts.security.express-insecure-cookie.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.express-insecure-cookie
+  title: Set `Secure` on Express session cookies
+  summary: Express session and cookie-session configs should not disable the `Secure` flag.
+  rationale: Cookies sent over non-HTTPS transport are easier to intercept or replay.
+  tags:
+    - security
+    - authentication
+    - cookies
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.express-insecure-cookie
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - authentication
+      - cookies
+  message:
+    title: Turn `Secure` back on for `${captures.issue.text}`
+    summary: "`${captures.issue.text}` disables the `Secure` cookie flag in Express session configuration."
+  remediation:
+    summary: "Set `secure: true` and serve the cookie only over HTTPS."

package/rules/typescript/ts.security.express-missing-helmet.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.express-missing-helmet
+  title: Apply Helmet to Express apps
+  summary: Express apps should use Helmet or equivalent header hardening middleware.
+  rationale: Helmet packages several response-header protections that are easy to miss or drift when managed ad hoc.
+  tags:
+    - security
+    - express
+    - headers
+    - rules-catalog
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.express-missing-helmet
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.82
+    tags:
+      - security
+      - express
+      - headers
+  message:
+    title: Add Helmet or equivalent header hardening to this Express app
+    summary: This Express app is initialized without visible Helmet-style header hardening.
+  remediation:
+    summary: Apply `helmet()` or an equivalent set of header protections near application startup.

package/rules/typescript/ts.security.express-nosql-injection.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.express-nosql-injection
+  title: Avoid request-driven model queries
+  summary: Express handlers should not pass raw request objects into NoSQL filters, query helpers, or aggregation pipelines.
+  rationale: Request-shaped filters, operators, or pipelines can expand query scope and inject unintended behavior.
+  tags:
+    - security
+    - injection
+    - nosql
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.express-nosql-injection
+    bind: issue
+emit:
+  finding:
+    category: security.input-validation
+    severity: critical
+    confidence: 0.92
+    tags:
+      - security
+      - injection
+      - nosql
+  message:
+    title: Narrow the query passed to `${captures.issue.text}`
+    summary: "`${captures.issue.text}` receives request-controlled query input without an allowlisted query or pipeline shape."
+  remediation:
+    summary: Build the NoSQL query or aggregation pipeline from fixed fields or validated filter builders instead of passing request data directly.

package/rules/typescript/ts.security.express-permissive-cookie-config.rule.yaml ADDED Viewed

@@ -0,0 +1,38 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.express-permissive-cookie-config
+  title: Avoid permissive Express session cookie scope
+  summary: Express session cookies should not explicitly opt into cross-site or wildcard-style scope.
+  rationale: Broad cookie scope increases where session cookies are sent and makes cross-site misuse harder to contain.
+  tags:
+    - security
+    - authentication
+    - express
+    - cookies
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.express-permissive-cookie-config
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: medium
+    confidence: 0.89
+    tags:
+      - security
+      - authentication
+      - express
+      - cookies
+  message:
+    title: Tighten cookie scope in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` explicitly widens session cookie scope with cross-site or wildcard-style settings."
+  remediation:
+    summary: Prefer exact cookie domains and `SameSite=Lax` or `Strict` unless a reviewed cross-site requirement exists.

package/rules/typescript/ts.security.express-reduce-fingerprint.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.express-reduce-fingerprint
+  title: Reduce Express fingerprinting
+  summary: Express apps should disable `x-powered-by` or equivalent fingerprinting headers.
+  rationale: Framework fingerprinting gives attackers unnecessary detail about the stack they are targeting.
+  tags:
+    - security
+    - express
+    - headers
+    - rules-catalog
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.express-reduce-fingerprint
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.84
+    tags:
+      - security
+      - express
+      - headers
+  message:
+    title: Disable default Express fingerprinting headers
+    summary: This Express app does not visibly disable `x-powered-by` or equivalent fingerprinting behavior.
+  remediation:
+    summary: Disable `x-powered-by` or use equivalent middleware to reduce framework fingerprinting.

package/rules/typescript/ts.security.express-static-assets-after-session.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.express-static-assets-after-session
+  title: Serve static assets before session middleware
+  summary: Static assets should be mounted before session middleware when they do not need session state.
+  rationale: Serving public assets after session middleware broadens the session surface and adds unnecessary auth-state handling to static traffic.
+  tags:
+    - security
+    - express
+    - middleware-order
+    - rules-catalog
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.express-static-assets-after-session
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.85
+    tags:
+      - security
+      - express
+      - middleware-order
+  message:
+    title: Move static asset middleware ahead of session handling
+    summary: Static asset middleware is mounted after session middleware in this file.
+  remediation:
+    summary: Mount `express.static()` before session middleware unless the static path genuinely requires session state.

package/rules/typescript/ts.security.external-file-upload.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.external-file-upload
+  title: Do not persist upload filenames directly
+  summary: Upload handlers should not store attacker-controlled filenames without generating or validating a safe local name.
+  rationale: Upload filenames can carry traversal payloads, collisions, or misleading extensions that break local containment.
+  tags:
+    - security
+    - filesystem
+    - upload
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.external-file-upload
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: high
+    confidence: 0.93
+    tags:
+      - security
+      - filesystem
+      - upload
+  message:
+    title: Generate a trusted local filename for `${captures.issue.text}`
+    summary: "`${captures.issue.text}` persists an upload filename derived from attacker-controlled input."
+  remediation:
+    summary: Generate a server-side filename or apply a strict allowlist before storing uploaded content.

package/rules/typescript/ts.security.file-generation.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.file-generation
+  title: Constrain local file generation paths
+  summary: Local file writes should not derive their destination path from request or upload input.
+  rationale: Attacker-controlled write paths can overwrite local state, escape intended directories, or create files in sensitive locations.
+  tags:
+    - security
+    - filesystem
+    - file-write
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.file-generation
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: high
+    confidence: 0.92
+    tags:
+      - security
+      - filesystem
+      - file-write
+  message:
+    title: Validate the local write path used by `${captures.issue.text}`
+    summary: "`${captures.issue.text}` writes to a path derived from external input without a trusted local filename."
+  remediation:
+    summary: Generate the destination name on the server or constrain writes to an allowlisted directory and filename set.

package/rules/typescript/ts.security.format-string-using-user-input.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.format-string-using-user-input
+  title: Avoid request-controlled format strings
+  summary: Logging and formatting helpers should not take request input as the format string itself.
+  rationale: Request-controlled format strings can corrupt logs, leak structure, or produce unexpected formatting behavior.
+  tags:
+    - security
+    - logging
+    - input-validation
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.format-string-using-user-input
+    bind: issue
+emit:
+  finding:
+    category: security.input-validation
+    severity: high
+    confidence: 0.88
+    tags:
+      - security
+      - logging
+      - input-validation
+  message:
+    title: Treat `${captures.issue.text}` as data, not a format string
+    summary: "`${captures.issue.text}` uses request-controlled input as the formatting template."
+  remediation:
+    summary: Keep the format string fixed and pass request data as ordinary arguments or structured fields.

package/rules/typescript/ts.security.frontend-only-authorization.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.frontend-only-authorization
+  title: Authorization enforced only on frontend
+  summary: Backend routes should enforce authorization directly instead of relying on frontend gating alone.
+  rationale: Frontend checks are easy to bypass, so sensitive routes need server-side authorization on the backend path itself.
+  tags:
+    - security
+    - authorization
+    - rules-catalog
+    - crq-sec-024
+  stability: experimental
+  appliesTo: project
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.frontend-only-authorization
+    bind: issue
+emit:
+  finding:
+    category: security.authorization
+    severity: high
+    confidence: 0.65
+    tags:
+      - security
+      - authorization
+  message:
+    title: Backend authorization must not live only in the frontend
+    summary: "Route `${captures.issue.text}` appears gated in frontend code but not on the backend handler."
+  remediation:
+    summary: Add a backend authorization or permission check on the matching route handler.

package/rules/typescript/ts.security.handlebars-no-escape.rule.yaml ADDED Viewed

@@ -0,0 +1,38 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.handlebars-no-escape
+  title: Keep Handlebars escaping enabled at template trust boundaries
+  summary: "Server-side Handlebars compilation should not disable HTML escaping with `noEscape: true`."
+  rationale: Disabling Handlebars escaping weakens the template trust boundary and can turn server-rendered output into attacker-controlled HTML.
+  tags:
+    - security
+    - xss
+    - templating
+    - output-encoding
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.handlebars-no-escape
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: high
+    confidence: 0.95
+    tags:
+      - security
+      - xss
+      - templating
+      - output-encoding
+  message:
+    title: Keep escaping enabled in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` disables Handlebars escaping at a server-template trust boundary."
+  remediation:
+    summary: Leave Handlebars escaping enabled, or treat raw HTML rendering as an explicit, narrowly reviewed trust boundary.

package/rules/typescript/ts.security.hardcoded-auth-secret.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.hardcoded-auth-secret
+  title: Avoid hardcoded auth secrets
+  summary: JWT, session, and strategy secrets should not be embedded directly in source code.
+  rationale: Hardcoded auth secrets are hard to rotate and are exposed whenever the codebase or build artifacts leak.
+  tags:
+    - security
+    - authentication
+    - secrets
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.hardcoded-auth-secret
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: critical
+    confidence: 0.95
+    tags:
+      - security
+      - authentication
+      - secrets
+  message:
+    title: Move the secret used by `${captures.issue.text}` out of source
+    summary: "`${captures.issue.text}` uses an inline authentication secret instead of loading it from configuration or a secret manager."
+  remediation:
+    summary: Load the secret from environment-backed configuration or a secret manager and rotate the exposed value.