npm - @critiq/rules - Versions diffs - 0.0.1 - Mend

@critiq/rules 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (121) hide show

package/rules/typescript/ts.security.import-using-user-input.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.import-using-user-input
+  title: Constrain module-loading trust boundaries
+  summary: "`require()` and dynamic `import()` should not resolve modules from untrusted input."
+  rationale: Untrusted module paths let attackers steer module-loading boundaries toward unintended files, packages, or plugins.
+  tags:
+    - security
+    - execution
+    - module-loading
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.import-using-user-input
+    bind: issue
+emit:
+  finding:
+    category: security.execution
+    severity: high
+    confidence: 0.92
+    tags:
+      - security
+      - execution
+      - module-loading
+  message:
+    title: Resolve `${captures.issue.text}` from a trusted module map
+    summary: "`${captures.issue.text}` crosses a module-loading trust boundary with untrusted input."
+  remediation:
+    summary: Resolve modules from a fixed allowlist or explicit dispatcher instead of untrusted request or event data.

package/rules/typescript/ts.security.information-leakage.rule.yaml ADDED Viewed

@@ -0,0 +1,38 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.information-leakage
+  title: Avoid leaking sensitive or diagnostic state
+  summary: Logs, stdout or stderr, and direct response sinks should not expose sensitive fields or internal diagnostic detail.
+  rationale: Stack traces, request metadata, auth or session objects, and environment state are often leaked through "temporary" debugging output that later reaches production paths.
+  tags:
+    - security
+    - privacy
+    - logging
+    - diagnostics
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.information-leakage
+    bind: issue
+emit:
+  finding:
+    category: security.privacy
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - privacy
+      - logging
+      - diagnostics
+  message:
+    title: Remove sensitive or diagnostic data from `${captures.issue.text}`
+    summary: "`${captures.issue.text}` exposes sensitive fields or internal diagnostic detail through a direct sink."
+  remediation:
+    summary: Replace the payload with a fixed summary, redact sensitive fields, and strip stack, env, request, or cookie data from production output.

package/rules/typescript/ts.security.insecure-allow-origin.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.insecure-allow-origin
+  title: Do not reflect request origin into CORS policy
+  summary: "`Access-Control-Allow-Origin` should not be set from request-controlled input."
+  rationale: Reflecting the request origin into a CORS allowlist turns origin validation into a no-op.
+  tags:
+    - security
+    - cors
+    - misconfiguration
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.insecure-allow-origin
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.92
+    tags:
+      - security
+      - cors
+      - misconfiguration
+  message:
+    title: Validate the origin before setting `${captures.issue.text}`
+    summary: "`${captures.issue.text}` reflects request input into `Access-Control-Allow-Origin`."
+  remediation:
+    summary: Set CORS origins from a fixed allowlist or explicit trusted origin check.

package/rules/typescript/ts.security.insecure-auth-cookie-flags.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.insecure-auth-cookie-flags
+  title: Harden auth-bearing cookies
+  summary: Auth and session cookies should set HttpOnly, Secure, and SameSite.
+  rationale: Cookie flags prevent browser scripts, mixed transport, and cross-site requests from exposing session-bearing values.
+  tags:
+    - security
+    - authentication
+    - cookies
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ts.security.insecure-auth-cookie-flags
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - authentication
+      - cookies
+  message:
+    title: Harden `${captures.issue.text}` for auth cookies
+    summary: "`${captures.issue.text}` sets an auth-bearing cookie without the expected protections."
+  remediation:
+    summary: Add `HttpOnly`, `Secure`, and an explicit `SameSite` policy before the cookie is used for session or auth state.

package/rules/typescript/ts.security.insecure-password-hash-configuration.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.insecure-password-hash-configuration
+  title: Avoid legacy Argon2 password hash modes
+  summary: Password hashing should not use `argon2i` or `argon2d` when safer modern modes are available.
+  rationale: Older Argon2 modes are weaker choices for password storage than the modern hybrid mode.
+  tags:
+    - security
+    - cryptography
+    - password-storage
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.insecure-password-hash-configuration
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - cryptography
+      - password-storage
+  message:
+    title: Upgrade the hash mode used by `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses an older Argon2 mode for password hashing."
+  remediation:
+    summary: Prefer `argon2id` and keep the password hash configuration aligned with current password-storage guidance.

package/rules/typescript/ts.security.insecure-websocket-transport.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.insecure-websocket-transport
+  title: Use secure WebSocket transport
+  summary: WebSocket clients should not connect over cleartext `ws://` when sensitive application data is involved.
+  rationale: Cleartext WebSocket transport exposes application traffic to interception and manipulation.
+  tags:
+    - security
+    - transport
+    - websocket
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.insecure-websocket-transport
+    bind: issue
+emit:
+  finding:
+    category: security.transport
+    severity: high
+    confidence: 0.95
+    tags:
+      - security
+      - transport
+      - websocket
+  message:
+    title: Replace `${captures.issue.text}` with a secure WebSocket URL
+    summary: "`${captures.issue.text}` uses cleartext WebSocket transport."
+  remediation:
+    summary: Switch the endpoint to `wss://` and keep certificate validation enabled.

package/rules/typescript/ts.security.insufficiently-random-values.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.insufficiently-random-values
+  title: Use enough entropy for secrets and tokens
+  summary: Secret-bearing tokens and secrets should use at least 16 bytes of cryptographic entropy.
+  rationale: Short random values are harder to brute-force than predictable values, but they can still be guessed faster than modern secret-bearing flows should allow.
+  tags:
+    - security
+    - cryptography
+    - randomness
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.insufficiently-random-values
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - cryptography
+      - randomness
+  message:
+    title: Increase the entropy used by `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses a cryptographically random source, but not enough entropy for a secret-bearing value."
+  remediation:
+    summary: Generate at least 16 bytes of entropy for reset tokens, invitation codes, session secrets, and similar secret-bearing values.

package/rules/typescript/ts.security.jwt-not-revoked.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.jwt-not-revoked
+  title: Add a JWT revocation hook
+  summary: Express JWT middleware should check revocation state when bearer tokens can be invalidated early.
+  rationale: Signature validation alone does not handle logout, compromise, or forced token invalidation.
+  tags:
+    - security
+    - authentication
+    - jwt
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.jwt-not-revoked
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - authentication
+      - jwt
+  message:
+    title: Add revocation handling to `${captures.issue.text}`
+    summary: "`${captures.issue.text}` configures Express JWT validation without an `isRevoked` check."
+  remediation:
+    summary: Add an `isRevoked` callback or equivalent revocation check for tokens that can be invalidated before expiry.

package/rules/typescript/ts.security.jwt-sensitive-claims.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.jwt-sensitive-claims
+  title: Remove sensitive claims from JWT payloads
+  summary: JWT payloads should avoid embedding PII or secrets unless absolutely required.
+  rationale: Client-visible tokens often outlive a single request and can leak more data than intended.
+  tags:
+    - security
+    - privacy
+    - jwt
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ts.security.jwt-sensitive-claims
+    bind: issue
+emit:
+  finding:
+    category: security.privacy
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - privacy
+      - jwt
+  message:
+    title: Remove sensitive claims from `${captures.issue.text}`
+    summary: "`${captures.issue.text}` includes claims that expose personal or secret data in a token payload."
+  remediation:
+    summary: Keep JWT claims minimal. Prefer stable identifiers, not direct PII or secret-bearing fields.

package/rules/typescript/ts.security.manual-html-sanitization.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.manual-html-sanitization
+  title: Avoid ad hoc HTML sanitization
+  summary: Hand-rolled HTML escaping and sanitization should be replaced with vetted sanitizers or safe rendering paths.
+  rationale: String replacement chains miss edge cases and are easy to bypass as rendering behavior evolves.
+  tags:
+    - security
+    - xss
+    - sanitization
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.manual-html-sanitization
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: medium
+    confidence: 0.88
+    tags:
+      - security
+      - xss
+      - sanitization
+  message:
+    title: Replace `${captures.issue.text}` with a vetted sanitizer
+    summary: "`${captures.issue.text}` performs manual HTML escaping instead of using a trusted sanitization or safe rendering path."
+  remediation:
+    summary: Use a vetted sanitizer or framework-native escaping model instead of string replacement chains.

package/rules/typescript/ts.security.missing-authorization-before-sensitive-action.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.missing-authorization-before-sensitive-action
+  title: Missing authorization before sensitive action
+  summary: Sensitive backend actions should be guarded by an authorization or permission check.
+  rationale: Calling destructive or privileged actions without an authorization guard increases the risk of broken access control.
+  tags:
+    - security
+    - authorization
+    - rules-catalog
+    - crq-sec-021
+  stability: stable
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.missing-authorization-before-sensitive-action
+    bind: issue
+emit:
+  finding:
+    category: security.authorization
+    severity: high
+    confidence: 0.75
+    tags:
+      - security
+      - authorization
+  message:
+    title: Add authorization before sensitive backend actions
+    summary: "`${captures.issue.text}` performs a sensitive action without a matching authorization guard."
+  remediation:
+    summary: Add an explicit authorization or permission check before the sensitive action executes.

package/rules/typescript/ts.security.missing-integrity-check.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.missing-integrity-check
+  title: Use authenticated encryption for secrets and tokens
+  summary: Session, cookie, and token encryption should provide integrity protection in the same helper.
+  rationale: Confidentiality-only encryption leaves secret-bearing values vulnerable to tampering unless the code also applies an integrity check or uses an authenticated mode.
+  tags:
+    - security
+    - cryptography
+    - integrity
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.missing-integrity-check
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - cryptography
+      - integrity
+  message:
+    title: Add integrity protection to `${captures.issue.text}`
+    summary: "`${captures.issue.text}` encrypts a secret-bearing value without authenticated encryption or a same-helper integrity check."
+  remediation:
+    summary: Prefer authenticated encryption such as AES-GCM, or pair non-AEAD encryption with an explicit integrity check in the same helper.

package/rules/typescript/ts.security.missing-message-origin-check.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.missing-message-origin-check
+  title: Verify `message` event origins
+  summary: "`message` handlers should validate `event.origin` before trusting cross-window data."
+  rationale: Without an origin check, hostile pages can post crafted messages into the handler.
+  tags:
+    - security
+    - browser
+    - messaging
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.missing-message-origin-check
+    bind: issue
+emit:
+  finding:
+    category: security.browser
+    severity: high
+    confidence: 0.92
+    tags:
+      - security
+      - browser
+      - messaging
+  message:
+    title: Check `event.origin` before processing `${captures.issue.text}`
+    summary: "`${captures.issue.text}` handles cross-window messages without validating the sender origin."
+  remediation:
+    summary: Gate the handler on a strict allowlist of expected origins before reading `event.data`.

package/rules/typescript/ts.security.missing-ownership-validation.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.missing-ownership-validation
+  title: Missing ownership validation
+  summary: Resource identifiers from request input should be checked against the caller before sensitive actions run.
+  rationale: Authorization alone is not enough when handlers act on caller-provided resource ids that may belong to someone else.
+  tags:
+    - security
+    - authorization
+    - rules-catalog
+    - crq-sec-022
+  stability: stable
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.missing-ownership-validation
+    bind: issue
+emit:
+  finding:
+    category: security.authorization
+    severity: high
+    confidence: 0.75
+    tags:
+      - security
+      - authorization
+  message:
+    title: Validate ownership before acting on caller-supplied resource ids
+    summary: "`${captures.issue.text}` is used in a sensitive path without a matching ownership check."
+  remediation:
+    summary: Compare the request-derived resource id to the authenticated caller or load the resource through an ownership-enforcing query.

package/rules/typescript/ts.security.missing-request-timeout-or-retry.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.missing-request-timeout-or-retry
+  title: Missing request timeout or retry protection
+  summary: External calls should define timeout, cancellation, or retry behavior before they enter security-sensitive flows.
+  rationale: Authentication and dependency calls that have neither timeout nor retry protection fail unpredictably under network stress.
+  tags:
+    - security
+    - resilience
+    - rules-catalog
+    - crq-sec-030
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.missing-request-timeout-or-retry
+    bind: issue
+emit:
+  finding:
+    category: security.resilience
+    severity: medium
+    confidence: 0.8
+    tags:
+      - security
+      - resilience
+  message:
+    title: Add timeout or retry protection to external calls
+    summary: "`${captures.issue.text}` performs an external call without timeout, cancellation, or retry handling."
+  remediation:
+    summary: Add explicit timeout or cancellation support, wrap the call in retry handling, or do both when the dependency is critical.

package/rules/typescript/ts.security.no-dynamic-execution.rule.yaml ADDED Viewed

@@ -0,0 +1,34 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-dynamic-execution
+  title: Eval or dynamic code execution
+  summary: Eval-like helpers, `vm` execution APIs, and string-evaluated timers should not execute dynamic code.
+  rationale: Dynamic execution turns data into code, widens the attack surface, and bypasses normal control flow.
+  tags:
+    - security
+    - execution
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.dynamic-execution
+    bind: issue
+emit:
+  finding:
+    category: security.execution
+    severity: high
+    confidence: 0.95
+    tags:
+      - security
+      - execution
+  message:
+    title: Avoid `${captures.issue.text}`
+    summary: "`${captures.issue.text}` executes dynamic code and should be replaced with a safer alternative."
+  remediation:
+    summary: Replace dynamic execution with explicit parsing, fixed dispatch tables, or normal function callbacks.

package/rules/typescript/ts.security.no-innerhtml-assignment.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-innerhtml-assignment
+  title: Avoid unsafe `innerHTML` assignment
+  summary: "`innerHTML` assignments should only use fixed or explicitly sanitized HTML."
+  rationale: Direct HTML injection can allow untrusted or weakly reviewed content to execute in the browser.
+  tags:
+    - security
+    - output-encoding
+    - xss
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.no-innerhtml-assignment
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: high
+    confidence: 0.92
+    tags:
+      - security
+      - xss
+      - output-encoding
+  message:
+    title: Avoid unsafe `innerHTML` assignment in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` inserts non-literal, non-sanitized HTML into `innerHTML`."
+  remediation:
+    summary: Prefer text-only rendering APIs or assign only fixed or explicitly sanitized HTML.

package/rules/typescript/ts.security.non-literal-fs-filename.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.non-literal-fs-filename
+  title: Avoid attacker-controlled filesystem read paths
+  summary: Direct filesystem read APIs should not consume request- or upload-controlled filenames.
+  rationale: Dynamic read paths can expose unintended local files or bypass expected file-selection constraints.
+  tags:
+    - security
+    - filesystem
+    - path-traversal
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.non-literal-fs-filename
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - filesystem
+      - path-traversal
+  message:
+    title: Constrain the filename used by `${captures.issue.text}`
+    summary: "`${captures.issue.text}` reads from a filename derived from external input."
+  remediation:
+    summary: Resolve reads from a trusted allowlist or a validated server-controlled mapping instead of external filenames.