npm - @critiq/rules - Versions diffs - 0.0.1 - Mend

@critiq/rules 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (121) hide show

package/rules/typescript/ts.security.observable-timing-discrepancy.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.observable-timing-discrepancy
+  title: Use constant-time secret comparison
+  summary: Secrets and tokens should not be compared with ordinary equality operators.
+  rationale: Ordinary string comparison can leak timing differences that help attackers guess secret material.
+  tags:
+    - security
+    - cryptography
+    - timing
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.observable-timing-discrepancy
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - cryptography
+      - timing
+  message:
+    title: Replace `${captures.issue.text}` with a constant-time comparison
+    summary: "`${captures.issue.text}` compares a likely secret value with ordinary equality."
+  remediation:
+    summary: Use a constant-time comparison helper such as `crypto.timingSafeEqual` for secrets, tokens, and password hashes.

package/rules/typescript/ts.security.open-redirect.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.open-redirect
+  title: Open redirect via request-controlled target
+  summary: Redirect and navigation sinks should not use request-controlled destinations without validation.
+  rationale: Redirect targets that are derived from user input can send authenticated users to attacker-controlled destinations.
+  tags:
+    - security
+    - input-validation
+    - redirect
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.open-redirect
+    bind: issue
+emit:
+  finding:
+    category: security.input-validation
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - redirect
+      - input-validation
+  message:
+    title: Validate redirect target before using `${captures.issue.text}`
+    summary: "`${captures.issue.text}` redirects to a request-controlled destination without a strict allowlist or internal-path check."
+  remediation:
+    summary: Normalize the target to an internal path or validate it against a trusted origin allowlist before redirecting.

package/rules/typescript/ts.security.permissive-allow-origin.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.permissive-allow-origin
+  title: Do not allow every origin in CORS policy
+  summary: CORS should not fall back to wildcard or implicit allow-all origin settings.
+  rationale: Wildcard or implicit allow-all CORS policies expose authenticated browser responses across origins.
+  tags:
+    - security
+    - cors
+    - misconfiguration
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.permissive-allow-origin
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.92
+    tags:
+      - security
+      - cors
+      - misconfiguration
+  message:
+    title: Restrict `${captures.issue.text}` to trusted origins
+    summary: "`${captures.issue.text}` allows any origin through wildcard or implicit CORS policy."
+  remediation:
+    summary: Configure an explicit allowlist or validated origin callback instead of allowing all origins.

package/rules/typescript/ts.security.permissive-file-permissions.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.permissive-file-permissions
+  title: Avoid permissive file modes
+  summary: Files that can carry user or security data should not be created with world-accessible modes.
+  rationale: Broad file permissions expose application data to local users or processes that should not read or modify it.
+  tags:
+    - security
+    - filesystem
+    - permissions
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.permissive-file-permissions
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: high
+    confidence: 0.95
+    tags:
+      - security
+      - filesystem
+      - permissions
+  message:
+    title: Tighten the mode used by `${captures.issue.text}`
+    summary: "`${captures.issue.text}` sets a file mode that grants world access."
+  remediation:
+    summary: Use the minimum required file mode and remove world-readable or world-writable bits.

package/rules/typescript/ts.security.postmessage-wildcard-origin.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.postmessage-wildcard-origin
+  title: Avoid wildcard `postMessage` targets
+  summary: "`postMessage` calls should not use `*` as the target origin when they carry application data."
+  rationale: Wildcard targets allow the browser to deliver the message to any origin that receives the window reference.
+  tags:
+    - security
+    - browser
+    - messaging
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.postmessage-wildcard-origin
+    bind: issue
+emit:
+  finding:
+    category: security.browser
+    severity: high
+    confidence: 0.95
+    tags:
+      - security
+      - browser
+      - messaging
+  message:
+    title: Replace the wildcard target in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses `*` as the `postMessage` target origin."
+  remediation:
+    summary: Set the target origin to a strict expected origin instead of `*`.

package/rules/typescript/ts.security.predictable-token-generation.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.predictable-token-generation
+  title: Avoid predictable token generation
+  summary: Tokens, reset links, and session secrets should be generated from cryptographically strong randomness.
+  rationale: Predictable token material makes it easier to guess reset links, invite codes, and session secrets.
+  tags:
+    - security
+    - authentication
+    - crypto
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.predictable-token-generation
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - authentication
+      - crypto
+  message:
+    title: Avoid predictable token generation
+    summary: "`${captures.issue.text}` builds a token-like value from predictable inputs."
+  remediation:
+    summary: Generate the value with `crypto.randomBytes`, `crypto.randomUUID`, or an approved secure token source.

package/rules/typescript/ts.security.raw-html-using-user-input.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.raw-html-using-user-input
+  title: Avoid raw HTML with request input
+  summary: Request-derived values should not be interpolated into raw HTML strings.
+  rationale: Raw HTML construction with request data is a common path to reflected and stored XSS.
+  tags:
+    - security
+    - xss
+    - output-encoding
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.raw-html-using-user-input
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: high
+    confidence: 0.92
+    tags:
+      - security
+      - xss
+      - output-encoding
+  message:
+    title: Remove request input from `${captures.issue.text}`
+    summary: "`${captures.issue.text}` interpolates request-derived content into raw HTML."
+  remediation:
+    summary: Use framework escaping, a trusted sanitizer, or safe DOM APIs instead of raw HTML interpolation.

package/rules/typescript/ts.security.sensitive-data-egress.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.sensitive-data-egress
+  title: Sensitive data egress to third-party processors
+  summary: Sensitive values should not be sent to external processors or outbound SDKs without minimization or redaction.
+  rationale: Sending regulated or secret data to third-party services increases privacy exposure and creates downstream processor risk.
+  tags:
+    - security
+    - privacy
+    - data-exposure
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.sensitive-data-egress
+    bind: issue
+emit:
+  finding:
+    category: security.privacy
+    severity: high
+    confidence: 0.82
+    tags:
+      - security
+      - privacy
+      - data-exposure
+  message:
+    title: Avoid sending sensitive data through `${captures.issue.text}`
+    summary: "`${captures.issue.text}` sends normalized sensitive datatypes to an outbound processor or external service."
+  remediation:
+    summary: Minimize the payload, redact the sensitive fields, or route the data only to approved processors.

package/rules/typescript/ts.security.sensitive-data-in-exception.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.sensitive-data-in-exception
+  title: Avoid sensitive data in thrown errors
+  summary: Exceptions and rejection payloads should not include raw secrets or personal data.
+  rationale: Exception payloads often reach logs, APM tools, and client responses with less review than normal business data.
+  tags:
+    - security
+    - privacy
+    - errors
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.sensitive-data-in-exception
+    bind: issue
+emit:
+  finding:
+    category: security.privacy
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - privacy
+      - errors
+  message:
+    title: Remove sensitive data from `${captures.issue.text}`
+    summary: "`${captures.issue.text}` includes sensitive values in an exception or rejection payload."
+  remediation:
+    summary: Replace raw secrets and personal data with opaque identifiers or redacted summaries before throwing or rejecting.

package/rules/typescript/ts.security.sensitive-data-written-to-file.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.sensitive-data-written-to-file
+  title: Avoid writing sensitive data to files
+  summary: Data exports and local file writes should not persist raw secrets or personal fields.
+  rationale: Static files, exports, and backups are easy to copy or retain beyond their intended lifetime.
+  tags:
+    - security
+    - privacy
+    - filesystem
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.sensitive-data-written-to-file
+    bind: issue
+emit:
+  finding:
+    category: security.privacy
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - privacy
+      - filesystem
+  message:
+    title: Remove sensitive fields before `${captures.issue.text}`
+    summary: "`${captures.issue.text}` writes sensitive data into a local file sink."
+  remediation:
+    summary: Redact, hash, or exclude the sensitive fields before writing the file.

package/rules/typescript/ts.security.ssrf.rule.yaml ADDED Viewed

@@ -0,0 +1,34 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.ssrf
+  title: Server-side request forgery
+  summary: Outbound requests should not use attacker-controlled targets or private hosts.
+  rationale: Request-controlled targets can force the server to call internal services, metadata endpoints, or attacker-controlled infrastructure.
+  tags:
+    - security
+    - network
+    - ssrf
+    - rules-catalog
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.ssrf
+    bind: ssrfCall
+emit:
+  finding:
+    category: security.transport
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - network
+      - ssrf
+  message:
+    title: Avoid SSRF in `${captures.ssrfCall.text}`
+    summary: "`${captures.ssrfCall.text}` sends an outbound request to a request-controlled or private target."
+  remediation:
+    summary: Resolve URLs against a trusted allowlist, reject private hosts, and proxy outbound requests through a vetted server-side helper.

package/rules/typescript/ts.security.token-or-session-not-validated.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.token-or-session-not-validated
+  title: Token or session not validated
+  summary: Session and token values from external input should be verified before authentication or identity use.
+  rationale: Parsing or loading session state without verification allows forged or stale credentials to influence authorization paths.
+  tags:
+    - security
+    - authentication
+    - rules-catalog
+    - crq-sec-023
+  stability: stable
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.token-or-session-not-validated
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - authentication
+  message:
+    title: Validate tokens and sessions before use
+    summary: "`${captures.issue.text}` uses token or session input without any preceding validation step."
+  remediation:
+    summary: Verify or authenticate the token or session value before decoding, loading, or deriving identity from it.

package/rules/typescript/ts.security.ui-redress.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.ui-redress
+  title: Do not derive anti-framing headers from request input
+  summary: Framing and CSP headers should not be set from request-controlled values.
+  rationale: Request-controlled anti-framing headers weaken protections against clickjacking and UI redress attacks.
+  tags:
+    - security
+    - clickjacking
+    - headers
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.ui-redress
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.88
+    tags:
+      - security
+      - clickjacking
+      - headers
+  message:
+    title: Set `${captures.issue.text}` from trusted policy only
+    summary: "`${captures.issue.text}` derives anti-framing or CSP header values from request input."
+  remediation:
+    summary: Set framing and CSP headers from fixed server policy instead of request data.

package/rules/typescript/ts.security.unsanitized-http-response.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.unsanitized-http-response
+  title: Avoid unsafe raw HTTP response output
+  summary: Raw response writers should not echo request data into HTML-capable responses without trusted escaping or sanitization.
+  rationale: Directly reflecting request data into HTML-capable response sinks creates reflected XSS and content injection risk.
+  tags:
+    - security
+    - xss
+    - express
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.unsanitized-http-response
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: high
+    confidence: 0.88
+    tags:
+      - security
+      - xss
+      - express
+  message:
+    title: Remove request data from `${captures.issue.text}` or escape it first
+    summary: "`${captures.issue.text}` writes request-controlled data into a raw HTTP response sink without a trusted HTML escaping model."
+  remediation:
+    summary: Escape or sanitize the data with a trusted helper, or switch to a response format that does not treat it as executable markup.

package/rules/typescript/ts.security.unvalidated-external-input.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.unvalidated-external-input
+  title: Validate untrusted input before parser construction
+  summary: Untrusted input should be validated before it is used to construct sensitive parsers or runtime objects.
+  rationale: Passing untrusted text across regex or URL construction boundaries increases the risk of parser abuse, denial of service, and downstream policy bypass.
+  tags:
+    - security
+    - input-validation
+    - rules-catalog
+    - crq-sec-027
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.unvalidated-external-input
+    bind: issue
+emit:
+  finding:
+    category: security.input-validation
+    severity: medium
+    confidence: 0.8
+    tags:
+      - security
+      - input-validation
+  message:
+    title: Validate the trust boundary before `${captures.issue.text}`
+    summary: "`${captures.issue.text}` constructs a sensitive parser or runtime object from untrusted input without a trust-boundary check."
+  remediation:
+    summary: Validate, sanitize, or normalize the untrusted value before passing it into URL, RegExp, or similarly sensitive constructors.

package/rules/typescript/ts.security.user-controlled-sendfile.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.user-controlled-sendfile
+  title: Constrain `res.sendFile` to a trusted root
+  summary: "`res.sendFile()` should not resolve filenames or options from request input without a trusted root."
+  rationale: Request-controlled file responses are a common path to path traversal and unintended local file disclosure.
+  tags:
+    - security
+    - filesystem
+    - express
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.user-controlled-sendfile
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: high
+    confidence: 0.92
+    tags:
+      - security
+      - filesystem
+      - express
+  message:
+    title: Validate the file path used by `${captures.issue.text}`
+    summary: "`${captures.issue.text}` serves a request-controlled file path or options object without a trusted root."
+  remediation:
+    summary: Resolve files from an allowlisted directory and validate request input before it reaches `res.sendFile()`.

package/rules/typescript/ts.security.user-controlled-view-render.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.user-controlled-view-render
+  title: Constrain `res.render()` trust boundaries
+  summary: Express view names should not cross into server-side rendering from untrusted input.
+  rationale: Untrusted template names can expose internal views, bypass intended route behavior, or widen a server-side template boundary.
+  tags:
+    - security
+    - express
+    - rendering
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.user-controlled-view-render
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - express
+      - rendering
+  message:
+    title: Resolve the view for `${captures.issue.text}` from a trusted route map
+    summary: "`${captures.issue.text}` selects a server-side template across a trust boundary using untrusted input."
+  remediation:
+    summary: Resolve the template from an allowlist or fixed route mapping before calling `res.render()`.

package/rules/typescript/ts.security.weak-cipher-or-mode.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.weak-cipher-or-mode
+  title: Avoid weak cipher algorithms and modes
+  summary: Cryptographic ciphers should use modern authenticated modes and approved algorithms.
+  rationale: Weak modes such as ECB and legacy ciphers such as DES or RC4 do not provide adequate confidentiality.
+  tags:
+    - security
+    - crypto
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.weak-cipher-or-mode
+    bind: issue
+emit:
+  finding:
+    category: security.secrets
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - crypto
+      - cipher
+  message:
+    title: Avoid weak cipher algorithms and modes
+    summary: "`${captures.issue.text}` uses a weak cipher algorithm or mode."
+  remediation:
+    summary: Use modern authenticated encryption such as AES-GCM with approved key sizes and IV handling.