npm - @critiq/rules - Versions diffs - 0.0.2 → 0.1.0 - Mend

@critiq/rules 0.0.2 → 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (203) hide show

package/rules/typescript/ts.security.apollo-server-csrf-disabled.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.apollo-server-csrf-disabled
+  title: Keep Apollo Server CSRF protections enabled
+  summary: Apollo Server should not explicitly disable CSRF prevention for browser-accessible endpoints.
+  rationale: GraphQL POST endpoints are vulnerable to cross-site writes when CSRF defenses are turned off.
+  tags:
+    - security
+    - graphql
+    - apollo
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.apollo-server-csrf-disabled
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.88
+    tags:
+      - security
+      - graphql
+  message:
+    title: Re-enable Apollo Server CSRF prevention
+    summary: Apollo Server sets `csrfPrevention` to false.
+  remediation:
+    summary: >-
+      Remove `csrfPrevention: false` or replace it with an equivalent POST-only plus preflight strategy documented by Apollo.

package/rules/typescript/ts.security.apollo-server-graphql-dev-tooling-exposure.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.apollo-server-graphql-dev-tooling-exposure
+  title: Avoid shipping GraphQL dev landing or playground plugins without a production guard
+  summary: Apollo Server dev landing pages, sandbox UIs, and GraphQL Playground-style plugins should not load unconditionally in production builds.
+  rationale: Interactive GraphQL explorers widen attack surface and often expose schema details beyond what production APIs should advertise by default.
+  tags:
+    - security
+    - graphql
+    - apollo
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.apollo-server-graphql-dev-tooling-exposure
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.78
+    tags:
+      - security
+      - graphql
+  message:
+    title: Gate GraphQL dev tooling away from production
+    summary: Apollo Server registers dev-oriented landing or playground plugins without an obvious environment guard in the same plugin expression.
+  remediation:
+    summary: >-
+      Load sandbox or local landing plugins only outside production, prefer `ApolloServerPluginLandingPageProductionDefault`, or disable interactive explorers behind authentication at the edge.

package/rules/typescript/ts.security.apollo-server-introspection-exposure.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.apollo-server-introspection-exposure
+  title: Avoid unconditional GraphQL introspection
+  summary: Apollo Server should not hard-enable introspection without environment guards.
+  rationale: Introspection aids attackers in mapping schemas on production deployments.
+  tags:
+    - security
+    - graphql
+    - apollo
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.apollo-server-introspection-exposure
+    bind: issue
+emit:
+  finding:
+    category: security.information-exposure
+    severity: medium
+    confidence: 0.84
+    tags:
+      - security
+      - graphql
+  message:
+    title: Gate GraphQL introspection away from production
+    summary: Apollo Server enables introspection with a literal `true` flag.
+  remediation:
+    summary: Bind introspection to non-production environments or protect the endpoint behind authenticated tooling.

package/rules/typescript/ts.security.apollo-server-missing-query-limits.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.apollo-server-missing-query-limits
+  title: Add GraphQL query depth or complexity controls
+  summary: Apollo Server bootstrap should declare validation rules or plugins that bound query cost.
+  rationale: Without depth, complexity, persisted operations, or gateway limits, GraphQL endpoints are easier to abuse with expensive queries.
+  tags:
+    - security
+    - graphql
+    - apollo
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.apollo-server-missing-query-limits
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.72
+    tags:
+      - security
+      - graphql
+  message:
+    title: Layer defenses against expensive GraphQL queries
+    summary: Apollo Server is constructed without recognizable validation rules or protective plugins.
+  remediation:
+    summary: Add depth limits, query complexity rules, persisted operations, rate limits, or terminate behind a gateway/WAF that enforces GraphQL policies.

package/rules/typescript/ts.security.astro-vite-public-secret-define.rule.yaml ADDED Viewed

@@ -0,0 +1,39 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.astro-vite-public-secret-define
+  title: Do not inline secrets into Astro PUBLIC import meta defines
+  summary: >-
+    Astro and Vite define entries for import.meta.env.PUBLIC_* must not map to high-risk process.env secrets.
+  rationale: >-
+    PUBLIC_* keys are intended for browser-visible configuration; wiring database passwords or API secrets through vite.define exposes them to client bundles.
+  tags:
+    - security
+    - astro
+    - vite
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.astro-vite-public-secret-define
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.83
+    tags:
+      - security
+      - astro
+  message:
+    title: Remove secret process.env wiring from ${captures.issue.text}
+    summary: >-
+      vite.define maps ${captures.issue.text} to a process.env value that looks like a secret.
+  remediation:
+    summary: >-
+      Keep secrets on the server, use private server-only env vars, and reserve PUBLIC_* keys for intentionally public identifiers such as analytics IDs.

package/rules/typescript/ts.security.debug-statement-in-source.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.debug-statement-in-source
+  title: "Remove leftover `console.trace` calls from production paths"
+  summary: "`console.trace()` calls should not ship in production code outside an explicit dev-only branch."
+  rationale: "`console.trace` dumps a stack trace to stdout/stderr and is almost always leftover developer instrumentation. Stack traces in shipped output disclose internal call structure and inflate logs."
+  tags:
+    - security
+    - logging
+    - diagnostics
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.debug-statement-in-source
+    bind: issue
+emit:
+  finding:
+    category: security.privacy
+    severity: low
+    confidence: 0.9
+    tags:
+      - security
+      - logging
+      - diagnostics
+  message:
+    title: Remove `${captures.issue.text}` before shipping
+    summary: "`${captures.issue.text}` is leftover developer instrumentation that ships a stack trace to stdout or stderr."
+  remediation:
+    summary: Remove the call or guard it behind an explicit dev-only check (`process.env.NODE_ENV !== 'production'`, `import.meta.env.DEV`, or `__DEV__`).

package/rules/typescript/ts.security.electron-dangerous-webpreferences.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.electron-dangerous-webpreferences
+  title: Harden Electron webPreferences
+  summary: Electron renderers should not run with unsafe webPreferences that weaken isolation or transport protection.
+  rationale: Options such as nodeIntegration, contextIsolation, and webSecurity directly control whether renderer compromise becomes host compromise.
+  tags:
+    - security
+    - electron
+    - desktop
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.electron-dangerous-webpreferences
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.94
+    tags:
+      - security
+      - electron
+  message:
+    title: "Harden Electron ${captures.issue.text}"
+    summary: "${captures.issue.text} weakens Electron renderer isolation or transport protection."
+  remediation:
+    summary: Keep contextIsolation and webSecurity enabled, disable nodeIntegration and enableRemoteModule, and prefer sandbox true.

package/rules/typescript/ts.security.electron-insecure-local-state.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.electron-insecure-local-state
+  title: Avoid storing secrets in Electron local stores without hardening
+  summary: electron-store writes that look like credentials should use OS-level secret storage instead.
+  rationale: Local JSON stores are readable by other processes and backups unless encrypted with platform APIs.
+  tags:
+    - security
+    - electron
+    - storage
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.electron-insecure-local-state
+    bind: issue
+emit:
+  finding:
+    category: security.data-exposure
+    severity: medium
+    confidence: 0.82
+    tags:
+      - security
+      - electron
+  message:
+    title: "Harden Electron store usage in ${captures.issue.text}"
+    summary: "${captures.issue.text} persists sensitive-looking data through electron-store."
+  remediation:
+    summary: Prefer OS keychains, encrypted vaults, or short-lived session material instead of long-lived plaintext secrets on disk.

package/rules/typescript/ts.security.electron-missing-ipc-origin-check.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.electron-missing-ipc-origin-check
+  title: Validate IPC sender origins in Electron
+  summary: Privileged ipcMain handlers should validate event.sender origins before acting.
+  rationale: Missing origin checks let any loaded renderer invoke privileged main-process behavior.
+  tags:
+    - security
+    - electron
+    - ipc
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.electron-missing-ipc-origin-check
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: high
+    confidence: 0.86
+    tags:
+      - security
+      - electron
+  message:
+    title: "Add origin checks to ${captures.issue.text}"
+    summary: "${captures.issue.text} handles privileged IPC without validating the sender frame origin."
+  remediation:
+    summary: Assert trusted origins or channels before running privileged logic and reject unexpected senders early.

package/rules/typescript/ts.security.electron-shell-open-external-unvalidated.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.electron-shell-open-external-unvalidated
+  title: Do not open external URLs from request data in Electron
+  summary: shell.openExternal should not receive request-controlled URLs without validation.
+  rationale: Open redirects and SSRF-style flows in the main process can pivot to arbitrary system browsers or handlers.
+  tags:
+    - security
+    - electron
+    - open-redirect
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.electron-shell-open-external-unvalidated
+    bind: issue
+emit:
+  finding:
+    category: security.open-redirect
+    severity: high
+    confidence: 0.83
+    tags:
+      - security
+      - electron
+  message:
+    title: "Validate target URL for ${captures.issue.text}"
+    summary: "${captures.issue.text} opens a URL derived from request-controlled input."
+  remediation:
+    summary: Allowlist URL schemes and hosts, normalize targets, and block private IP ranges before calling openExternal.

package/rules/typescript/ts.security.express-error-handler-information-disclosure.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.express-error-handler-information-disclosure
+  title: Avoid returning raw errors from Express error middleware
+  summary: Express error handlers should not send the err object directly to clients in production paths.
+  rationale: Returning raw errors leaks stack traces, internal identifiers, and implementation details to attackers.
+  tags:
+    - security
+    - express
+    - information-disclosure
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.express-error-handler-information-disclosure
+    bind: issue
+emit:
+  finding:
+    category: security.information-disclosure
+    severity: medium
+    confidence: 0.8
+    tags:
+      - security
+      - express
+  message:
+    title: "Sanitize error responses from ${captures.issue.text}"
+    summary: "${captures.issue.text} forwards the caught error directly to res.send or res.json."
+  remediation:
+    summary: Log detailed errors server-side and return stable, generic client responses with correlation identifiers.

package/rules/typescript/ts.security.express-static-dotfiles-allow.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.express-static-dotfiles-allow
+  title: Do not allow dotfiles in Express static middleware
+  summary: express.static should not serve dotfiles from disk unless explicitly required and reviewed.
+  rationale: Allowing dotfiles can expose hidden configuration and secrets through the static file middleware.
+  tags:
+    - security
+    - express
+    - filesystem
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.express-static-dotfiles-allow
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.84
+    tags:
+      - security
+      - express
+  message:
+    title: "Restrict dotfiles for ${captures.issue.text}"
+    summary: "${captures.issue.text} is configured with dotfiles allow, which can leak hidden files."
+  remediation:
+    summary: Use the default dotfiles ignore behavior or serve dotfiles from a tightly scoped directory with access controls.

package/rules/typescript/ts.security.express-unbounded-body-parser.rule.yaml ADDED Viewed

@@ -0,0 +1,34 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.express-unbounded-body-parser
+  title: Set explicit Express body parser and multer size limits
+  summary: Express and Body Parser middleware plus Multer should declare explicit payload limits.
+  rationale: Default limits drift across frameworks and deployments; explicit caps reduce oversized-request abuse.
+  tags:
+    - security
+    - express
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.express-unbounded-body-parser
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.78
+    tags:
+      - security
+      - express
+  message:
+    title: Declare explicit payload limits for body parsers and uploads
+    summary: "`${captures.issue.text}` runs without visible size limits."
+  remediation:
+    summary: Pass `limit` options to JSON/urlencoded/raw/text parsers and `limits.fileSize` (or equivalent) to Multer.

package/rules/typescript/ts.security.express-user-controlled-static-mount.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.express-user-controlled-static-mount
+  title: Avoid request-controlled Express static mount paths
+  summary: The path prefix for express.static should not be derived directly from request objects.
+  rationale: User-controlled mount paths can collapse routing assumptions and expose unintended directories.
+  tags:
+    - security
+    - express
+    - path
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.express-user-controlled-static-mount
+    bind: issue
+emit:
+  finding:
+    category: security.path-traversal
+    severity: high
+    confidence: 0.8
+    tags:
+      - security
+      - express
+  message:
+    title: "Fix static mount path in ${captures.issue.text}"
+    summary: "${captures.issue.text} mounts express.static under a request-derived URL prefix."
+  remediation:
+    summary: Use fixed, reviewed path prefixes and map external identifiers to internal paths through an allowlist.

package/rules/typescript/ts.security.fastify-excessive-body-limit.rule.yaml ADDED Viewed

@@ -0,0 +1,34 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.fastify-excessive-body-limit
+  title: Avoid excessive Fastify body limits
+  summary: Fastify applications should not disable body limits or configure unusually large defaults without compensating controls.
+  rationale: Oversized bodies amplify denial-of-service risk on services without upstream buffering limits.
+  tags:
+    - security
+    - fastify
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.fastify-excessive-body-limit
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.76
+    tags:
+      - security
+      - fastify
+  message:
+    title: Reduce Fastify bodyLimit or add upstream limiting
+    summary: Fastify is configured with an oversized or disabled bodyLimit.
+  remediation:
+    summary: Lower `bodyLimit`, enforce route-specific caps, or terminate traffic behind an API gateway or proxy that caps body size.

package/rules/typescript/ts.security.fastify-public-bind-without-trust-proxy.rule.yaml ADDED Viewed

@@ -0,0 +1,38 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.fastify-public-bind-without-trust-proxy
+  title: Enable trust proxy for publicly bound Fastify servers
+  summary: >-
+    Fastify instances listening on all interfaces should enable trustProxy or terminate behind a reverse proxy you register in code.
+  rationale: >-
+    Without trustProxy, client IP and protocol metadata from an edge proxy are easy to misread, and public binds amplify exposure when the process is not intentionally perimeter-hardened.
+  tags:
+    - security
+    - fastify
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.fastify-public-bind-without-trust-proxy
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.74
+    tags:
+      - security
+      - fastify
+  message:
+    title: Set trustProxy or proxy middleware before binding Fastify publicly
+    summary: >-
+      Fastify listens on a public host without trustProxy enabled and without @fastify/http-proxy or @fastify/proxy in this file.
+  remediation:
+    summary: >-
+      Set trustProxy when running behind a reverse proxy, prefer non-public bind addresses in development, or register an explicit Fastify proxy plugin so client metadata and TLS termination assumptions stay correct.

package/rules/typescript/ts.security.graphql-upload-without-csrf-guard.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.graphql-upload-without-csrf-guard
+  title: Pair GraphQL multipart uploads with CSRF-safe server posture
+  summary: Legacy GraphQL multipart upload helpers should not run alongside Apollo Server configurations that disable CSRF protections.
+  rationale: Multipart GraphQL requests complicate browser CSRF defenses; when Apollo CSRF prevention is explicitly disabled, upload middleware is a high-risk combination for cross-site writes.
+  tags:
+    - security
+    - graphql
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.graphql-upload-without-csrf-guard
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.8
+    tags:
+      - security
+      - graphql
+  message:
+    title: Re-enable Apollo CSRF defenses or remove GraphQL upload middleware from this bootstrap
+    summary: >-
+      GraphQL upload middleware is registered while Apollo Server disables csrfPrevention, or no Apollo bootstrap with safe CSRF defaults is present.
+  remediation:
+    summary: >-
+      Keep Apollo csrfPrevention enabled (default in supported releases), add an explicit preflight header policy, or move uploads behind authenticated, non-browser APIs.

package/rules/typescript/ts.security.iframe-missing-sandbox-attribute.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.iframe-missing-sandbox-attribute
+  title: Add a sandbox attribute to iframes
+  summary: Intrinsic iframe elements should declare a sandbox attribute to reduce blast radius.
+  rationale: Sandboxed iframes limit scripts, forms, and top-level navigation when embedded third-party content is compromised.
+  tags:
+    - security
+    - react
+    - xss
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.iframe-missing-sandbox-attribute
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: low
+    confidence: 0.75
+    tags:
+      - security
+      - react
+  message:
+    title: "Add sandbox to ${captures.issue.text}"
+    summary: "${captures.issue.text} is missing a sandbox attribute."
+  remediation:
+    summary: Add the most restrictive sandbox token set that still allows required behavior, and combine with a strict CSP.