@critiq/rules 0.0.2 → 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (203) hide show
  1. package/README.md +52 -4
  2. package/catalog.yaml +985 -19
  3. package/package.json +6 -1
  4. package/rules/go/go.performance.no-regex-construction-in-loop.rule.yaml +33 -0
  5. package/rules/go/go.performance.no-sync-fs-in-request-path.rule.yaml +33 -0
  6. package/rules/go/go.performance.no-unbounded-concurrency.rule.yaml +33 -0
  7. package/rules/go/go.security.echo-sensitive-binding-without-validation.rule.yaml +46 -0
  8. package/rules/go/go.security.echo-unsafe-multipart-upload.rule.yaml +45 -0
  9. package/rules/go/go.security.fiber-sensitive-binding-without-validation.rule.yaml +45 -0
  10. package/rules/go/go.security.fiber-unsafe-multipart-upload.rule.yaml +45 -0
  11. package/rules/go/go.security.gin-sensitive-binding-without-validation.rule.yaml +45 -0
  12. package/rules/go/go.security.gin-trust-all-proxies.rule.yaml +45 -0
  13. package/rules/go/go.security.gin-wildcard-cors-with-credentials.rule.yaml +47 -0
  14. package/rules/go/go.security.net-http-missing-timeouts.rule.yaml +45 -0
  15. package/rules/go/go.security.sensitive-data-egress.rule.yaml +46 -0
  16. package/rules/go/go.security.tar-path-traversal.rule.yaml +45 -0
  17. package/rules/go/go.security.template-unescaped-request-value.rule.yaml +45 -0
  18. package/rules/go/go.testing.real-network-in-unit-test.rule.yaml +33 -0
  19. package/rules/go/go.testing.t-skip-without-ticket-reference.rule.yaml +33 -0
  20. package/rules/go/go.testing.time-sleep-in-unit-test.rule.yaml +33 -0
  21. package/rules/java/java.performance.no-regex-construction-in-loop.rule.yaml +33 -0
  22. package/rules/java/java.performance.no-sync-fs-in-request-path.rule.yaml +33 -0
  23. package/rules/java/java.performance.no-unbounded-concurrency.rule.yaml +33 -0
  24. package/rules/java/java.security.android-screenshot-exposure.rule.yaml +35 -0
  25. package/rules/java/java.security.android-world-readable-mode.rule.yaml +35 -0
  26. package/rules/java/java.security.jpa-concatenated-query.rule.yaml +47 -0
  27. package/rules/java/java.security.reflected-output-from-request.rule.yaml +35 -0
  28. package/rules/java/java.security.servlet-insecure-cookie.rule.yaml +35 -0
  29. package/rules/java/java.security.spring-actuator-health-details-always.rule.yaml +40 -0
  30. package/rules/java/java.security.spring-actuator-sensitive-exposure.rule.yaml +40 -0
  31. package/rules/java/java.security.spring-csrf-globally-disabled.rule.yaml +49 -0
  32. package/rules/java/java.security.spring-debug-exposure.rule.yaml +35 -0
  33. package/rules/java/java.security.spring-permit-all-default.rule.yaml +47 -0
  34. package/rules/java/java.security.spring-webmvc-unrestricted-data-binding.rule.yaml +47 -0
  35. package/rules/java/java.security.template-unescaped-user-output.rule.yaml +49 -0
  36. package/rules/java/java.testing.disabled-without-ticket-reference.rule.yaml +33 -0
  37. package/rules/java/java.testing.http-client-in-unit-test.rule.yaml +33 -0
  38. package/rules/java/java.testing.thread-sleep-in-unit-test.rule.yaml +33 -0
  39. package/rules/php/php.performance.no-regex-construction-in-loop.rule.yaml +33 -0
  40. package/rules/php/php.performance.no-sync-fs-in-request-path.rule.yaml +33 -0
  41. package/rules/php/php.performance.no-unbounded-concurrency.rule.yaml +33 -0
  42. package/rules/php/php.security.insecure-cors-wildcard-with-credentials.rule.yaml +41 -0
  43. package/rules/php/php.security.insecure-mail-or-file-transport.rule.yaml +41 -0
  44. package/rules/php/php.security.insecure-session-or-cookie-config.rule.yaml +42 -0
  45. package/rules/php/php.security.laravel-sensitive-csrf-exclusion.rule.yaml +42 -0
  46. package/rules/php/php.security.laravel-unsafe-blade-output.rule.yaml +42 -0
  47. package/rules/php/php.security.laravel-unsafe-mass-assignment.rule.yaml +45 -0
  48. package/rules/php/php.security.sensitive-data-egress.rule.yaml +42 -0
  49. package/rules/php/php.security.symfony-csrf-disabled.rule.yaml +42 -0
  50. package/rules/php/php.security.symfony-debug-exposure.rule.yaml +44 -0
  51. package/rules/php/php.security.unsafe-file-upload-handling.rule.yaml +41 -0
  52. package/rules/php/php.security.wordpress-missing-nonce-or-capability.rule.yaml +42 -0
  53. package/rules/php/php.security.wordpress-unprepared-sql.rule.yaml +42 -0
  54. package/rules/php/php.testing.curl-in-unit-test.rule.yaml +33 -0
  55. package/rules/php/php.testing.mark-test-skipped-without-ticket-reference.rule.yaml +33 -0
  56. package/rules/php/php.testing.sleep-in-unit-test.rule.yaml +33 -0
  57. package/rules/python/py.performance.no-regex-construction-in-loop.rule.yaml +33 -0
  58. package/rules/python/py.performance.no-sync-fs-in-request-path.rule.yaml +33 -0
  59. package/rules/python/py.performance.no-unbounded-concurrency.rule.yaml +33 -0
  60. package/rules/python/py.security.django-csrf-exempt-state-changing.rule.yaml +46 -0
  61. package/rules/python/py.security.django-missing-csrf-middleware.rule.yaml +47 -0
  62. package/rules/python/py.security.django-unsafe-production-settings.rule.yaml +47 -0
  63. package/rules/python/py.security.drf-allow-any-default.rule.yaml +46 -0
  64. package/rules/python/py.security.drf-allow-any-unsafe-method.rule.yaml +46 -0
  65. package/rules/python/py.security.fastapi-insecure-cors.rule.yaml +43 -0
  66. package/rules/python/py.security.flask-missing-upload-body-limit.rule.yaml +44 -0
  67. package/rules/python/py.security.flask-unsafe-html-output.rule.yaml +44 -0
  68. package/rules/python/py.security.flask-unsafe-upload-filename.rule.yaml +44 -0
  69. package/rules/python/py.testing.pytest-skip-without-ticket-reference.rule.yaml +33 -0
  70. package/rules/python/py.testing.real-network-in-unit-test.rule.yaml +33 -0
  71. package/rules/python/py.testing.time-sleep-in-unit-test.rule.yaml +33 -0
  72. package/rules/ruby/ruby.performance.no-regex-construction-in-loop.rule.yaml +33 -0
  73. package/rules/ruby/ruby.performance.no-sync-fs-in-request-path.rule.yaml +33 -0
  74. package/rules/ruby/ruby.performance.no-unbounded-concurrency.rule.yaml +33 -0
  75. package/rules/ruby/ruby.security.rails-csrf-disabled.rule.yaml +45 -0
  76. package/rules/ruby/ruby.security.rails-detailed-exceptions-enabled.rule.yaml +44 -0
  77. package/rules/ruby/ruby.security.rails-open-redirect.rule.yaml +45 -0
  78. package/rules/ruby/ruby.security.rails-unsafe-html-output.rule.yaml +46 -0
  79. package/rules/ruby/ruby.security.rails-unsafe-render.rule.yaml +45 -0
  80. package/rules/ruby/ruby.security.rails-unsafe-session-or-cookie-store.rule.yaml +45 -0
  81. package/rules/ruby/ruby.security.rails-unsafe-strong-parameters.rule.yaml +46 -0
  82. package/rules/ruby/ruby.security.sensitive-data-egress.rule.yaml +45 -0
  83. package/rules/ruby/ruby.security.sidekiq-web-unauthenticated-mount.rule.yaml +45 -0
  84. package/rules/ruby/ruby.testing.focused-example.rule.yaml +33 -0
  85. package/rules/ruby/ruby.testing.pending-without-ticket-reference.rule.yaml +33 -0
  86. package/rules/ruby/ruby.testing.real-network-in-unit-test.rule.yaml +33 -0
  87. package/rules/ruby/ruby.testing.skip-without-ticket-reference.rule.yaml +33 -0
  88. package/rules/ruby/ruby.testing.sleep-in-unit-test.rule.yaml +33 -0
  89. package/rules/rust/rust.performance.no-regex-construction-in-loop.rule.yaml +33 -0
  90. package/rules/rust/rust.performance.no-sync-fs-in-request-path.rule.yaml +33 -0
  91. package/rules/rust/rust.performance.no-unbounded-concurrency.rule.yaml +33 -0
  92. package/rules/rust/rust.security.actix-wildcard-cors-with-credentials.rule.yaml +47 -0
  93. package/rules/rust/rust.security.axum-body-limit-disabled.rule.yaml +45 -0
  94. package/rules/rust/rust.security.axum-insecure-cors-with-credentials.rule.yaml +47 -0
  95. package/rules/rust/rust.security.rocket-panic-prone-request-handler.rule.yaml +45 -0
  96. package/rules/rust/rust.security.rocket-unsafe-template-output.rule.yaml +47 -0
  97. package/rules/rust/rust.security.sqlx-diesel-raw-interpolated-query.rule.yaml +47 -0
  98. package/rules/rust/rust.security.template-unescaped-request-value.rule.yaml +47 -0
  99. package/rules/rust/rust.security.warp-blocking-or-panic-in-async-handler.rule.yaml +45 -0
  100. package/rules/rust/rust.testing.ignore-without-ticket-reference.rule.yaml +33 -0
  101. package/rules/rust/rust.testing.real-network-in-unit-test.rule.yaml +33 -0
  102. package/rules/rust/rust.testing.thread-sleep-in-unit-test.rule.yaml +33 -0
  103. package/rules/shared/security.archive-path-traversal.rule.yaml +41 -0
  104. package/rules/shared/security.external-file-upload.rule.yaml +40 -0
  105. package/rules/shared/security.permissive-file-permissions.rule.yaml +40 -0
  106. package/rules/shared/security.sensitive-data-egress.rule.yaml +36 -0
  107. package/rules/typescript/ts.correctness.assignment-in-condition.rule.yaml +36 -0
  108. package/rules/typescript/ts.correctness.assignment-to-import-binding.rule.yaml +36 -0
  109. package/rules/typescript/ts.correctness.async-promise-executor.rule.yaml +36 -0
  110. package/rules/typescript/ts.correctness.duplicate-function-parameter.rule.yaml +36 -0
  111. package/rules/typescript/ts.correctness.duplicate-import-source.rule.yaml +36 -0
  112. package/rules/typescript/ts.correctness.duplicate-object-key.rule.yaml +36 -0
  113. package/rules/typescript/ts.correctness.duplicate-switch-case.rule.yaml +36 -0
  114. package/rules/typescript/ts.correctness.empty-block-statement.rule.yaml +35 -0
  115. package/rules/typescript/ts.correctness.identical-comparison-operands.rule.yaml +36 -0
  116. package/rules/typescript/ts.correctness.reassign-catch-binding.rule.yaml +35 -0
  117. package/rules/typescript/ts.correctness.regexp-pattern-unusual-control-character.rule.yaml +35 -0
  118. package/rules/typescript/ts.correctness.self-assignment.rule.yaml +36 -0
  119. package/rules/typescript/ts.next.server-action-missing-local-auth.rule.yaml +35 -0
  120. package/rules/typescript/ts.performance.no-array-spread-in-hot-loop.rule.yaml +32 -0
  121. package/rules/typescript/ts.performance.no-cache-miss-from-unstable-key.rule.yaml +32 -0
  122. package/rules/typescript/ts.performance.no-expensive-sort-in-render-path.rule.yaml +32 -0
  123. package/rules/typescript/ts.performance.no-json-parse-stringify-clone.rule.yaml +32 -0
  124. package/rules/typescript/ts.performance.no-large-object-spread-in-loop.rule.yaml +32 -0
  125. package/rules/typescript/ts.performance.no-n-plus-one-await-in-map.rule.yaml +32 -0
  126. package/rules/typescript/ts.performance.no-redundant-network-fetch.rule.yaml +32 -0
  127. package/rules/typescript/ts.performance.no-regex-construction-in-loop.rule.yaml +32 -0
  128. package/rules/typescript/ts.performance.no-sync-fs-in-request-path.rule.yaml +32 -0
  129. package/rules/typescript/ts.performance.no-unbounded-concurrency.rule.yaml +32 -0
  130. package/rules/typescript/ts.quality.no-ambiguous-abbreviations.rule.yaml +27 -0
  131. package/rules/typescript/ts.quality.no-barrel-file-cycle.rule.yaml +27 -0
  132. package/rules/typescript/ts.quality.no-boolean-parameter-trap.rule.yaml +27 -0
  133. package/rules/typescript/ts.quality.no-dead-export.rule.yaml +27 -0
  134. package/rules/typescript/ts.quality.no-hidden-side-effect-import.rule.yaml +27 -0
  135. package/rules/typescript/ts.quality.no-inconsistent-error-shape.rule.yaml +27 -0
  136. package/rules/typescript/ts.quality.no-mixed-abstraction-level.rule.yaml +27 -0
  137. package/rules/typescript/ts.quality.no-primitive-obsession-in-domain-model.rule.yaml +27 -0
  138. package/rules/typescript/ts.quality.no-temporal-coupling.rule.yaml +27 -0
  139. package/rules/typescript/ts.quality.no-wide-public-surface.rule.yaml +27 -0
  140. package/rules/typescript/ts.react.no-accessibility-label-missing.rule.yaml +36 -0
  141. package/rules/typescript/ts.react.no-activedescendant-on-non-focusable-host.rule.yaml +36 -0
  142. package/rules/typescript/ts.react.no-click-without-keyboard-handler.rule.yaml +36 -0
  143. package/rules/typescript/ts.react.no-deprecated-create-factory.rule.yaml +34 -0
  144. package/rules/typescript/ts.react.no-deprecated-react-dom-root-api.rule.yaml +34 -0
  145. package/rules/typescript/ts.react.no-derived-state-from-props.rule.yaml +34 -0
  146. package/rules/typescript/ts.react.no-effect-fetch-without-cancellation.rule.yaml +35 -0
  147. package/rules/typescript/ts.react.no-find-dom-node.rule.yaml +34 -0
  148. package/rules/typescript/ts.react.no-img-missing-alt-text.rule.yaml +36 -0
  149. package/rules/typescript/ts.react.no-index-as-key-in-dynamic-list.rule.yaml +34 -0
  150. package/rules/typescript/ts.react.no-interactive-role-on-static-semantics.rule.yaml +36 -0
  151. package/rules/typescript/ts.react.no-invalid-anchor-href.rule.yaml +36 -0
  152. package/rules/typescript/ts.react.no-keyboard-interaction-without-widget-role.rule.yaml +36 -0
  153. package/rules/typescript/ts.react.no-legacy-lifecycle.rule.yaml +34 -0
  154. package/rules/typescript/ts.react.no-missing-error-boundary.rule.yaml +36 -0
  155. package/rules/typescript/ts.react.no-positive-tabindex.rule.yaml +36 -0
  156. package/rules/typescript/ts.react.no-static-element-with-synthetic-handlers.rule.yaml +36 -0
  157. package/rules/typescript/ts.react.no-string-ref.rule.yaml +34 -0
  158. package/rules/typescript/ts.react.no-uncontrolled-to-controlled-input.rule.yaml +34 -0
  159. package/rules/typescript/ts.react.no-widget-role-without-tabindex.rule.yaml +36 -0
  160. package/rules/typescript/ts.security.ajv-insecure-configuration.rule.yaml +34 -0
  161. package/rules/typescript/ts.security.angular-dom-sanitizer-bypass-untrusted-input.rule.yaml +35 -0
  162. package/rules/typescript/ts.security.apollo-server-csrf-disabled.rule.yaml +36 -0
  163. package/rules/typescript/ts.security.apollo-server-graphql-dev-tooling-exposure.rule.yaml +36 -0
  164. package/rules/typescript/ts.security.apollo-server-introspection-exposure.rule.yaml +35 -0
  165. package/rules/typescript/ts.security.apollo-server-missing-query-limits.rule.yaml +35 -0
  166. package/rules/typescript/ts.security.astro-vite-public-secret-define.rule.yaml +39 -0
  167. package/rules/typescript/ts.security.debug-statement-in-source.rule.yaml +36 -0
  168. package/rules/typescript/ts.security.electron-dangerous-webpreferences.rule.yaml +35 -0
  169. package/rules/typescript/ts.security.electron-insecure-local-state.rule.yaml +35 -0
  170. package/rules/typescript/ts.security.electron-missing-ipc-origin-check.rule.yaml +35 -0
  171. package/rules/typescript/ts.security.electron-shell-open-external-unvalidated.rule.yaml +35 -0
  172. package/rules/typescript/ts.security.express-error-handler-information-disclosure.rule.yaml +35 -0
  173. package/rules/typescript/ts.security.express-static-dotfiles-allow.rule.yaml +35 -0
  174. package/rules/typescript/ts.security.express-unbounded-body-parser.rule.yaml +34 -0
  175. package/rules/typescript/ts.security.express-user-controlled-static-mount.rule.yaml +35 -0
  176. package/rules/typescript/ts.security.fastify-excessive-body-limit.rule.yaml +34 -0
  177. package/rules/typescript/ts.security.fastify-public-bind-without-trust-proxy.rule.yaml +38 -0
  178. package/rules/typescript/ts.security.graphql-upload-without-csrf-guard.rule.yaml +36 -0
  179. package/rules/typescript/ts.security.iframe-missing-sandbox-attribute.rule.yaml +35 -0
  180. package/rules/typescript/ts.security.insecure-content-security-policy-literal.rule.yaml +35 -0
  181. package/rules/typescript/ts.security.insecure-helmet-hardening-options.rule.yaml +36 -0
  182. package/rules/typescript/ts.security.jwt-insecure-signing-algorithm.rule.yaml +35 -0
  183. package/rules/typescript/ts.security.legacy-buffer-constructor.rule.yaml +35 -0
  184. package/rules/typescript/ts.security.log-injection.rule.yaml +36 -0
  185. package/rules/typescript/ts.security.nestjs-helmet-after-route-mount.rule.yaml +34 -0
  186. package/rules/typescript/ts.security.nestjs-missing-global-validation-pipe.rule.yaml +35 -0
  187. package/rules/typescript/ts.security.nestjs-skip-throttle-sensitive-route.rule.yaml +35 -0
  188. package/rules/typescript/ts.security.nestjs-validation-pipe-without-whitelist.rule.yaml +36 -0
  189. package/rules/typescript/ts.security.nuxt-public-runtime-secret.rule.yaml +38 -0
  190. package/rules/typescript/ts.security.open-redirect.rule.yaml +2 -0
  191. package/rules/typescript/ts.security.request-driven-array-index-access.rule.yaml +33 -0
  192. package/rules/typescript/ts.security.sensitive-data-egress.rule.yaml +1 -0
  193. package/rules/typescript/ts.security.ssrf.rule.yaml +1 -0
  194. package/rules/typescript/ts.security.unsafe-dompurify-version.rule.yaml +36 -0
  195. package/rules/typescript/ts.security.unsafe-marked-version.rule.yaml +36 -0
  196. package/rules/typescript/ts.security.xml-parse-string-with-untrusted-input.rule.yaml +35 -0
  197. package/rules/typescript/ts.testing.no-flaky-timer-test.rule.yaml +38 -0
  198. package/rules/typescript/ts.testing.no-focused-test.rule.yaml +34 -0
  199. package/rules/typescript/ts.testing.no-missing-edge-case-tests.rule.yaml +35 -0
  200. package/rules/typescript/ts.testing.no-network-call-in-unit-test.rule.yaml +38 -0
  201. package/rules/typescript/ts.testing.no-skipped-test-without-ticket.rule.yaml +34 -0
  202. package/rules/typescript/ts.testing.no-snapshot-without-intent.rule.yaml +34 -0
  203. package/rules/typescript/ts.testing.no-test-only-code-in-production.rule.yaml +38 -0
package/rules/typescript/ts.testing.no-skipped-test-without-ticket.rule.yaml ADDED
@@ -0,0 +1,34 @@
1
+ apiVersion: critiq.dev/v1alpha1
2
+ kind: Rule
3
+ metadata:
4
+ id: ts.testing.no-skipped-test-without-ticket
5
+ title: Skipped tests should cite a ticket or timed suppression
6
+ summary: Skipped or disabled tests should reference a tracked issue, expiry, or accepted suppression comment.
7
+ rationale: Silent skips decay into permanent holes in coverage unless they carry reviewable intent.
8
+ tags:
9
+ - testing
10
+ - quality
11
+ - rules-catalog
12
+ stability: experimental
13
+ appliesTo: block
14
+ scope:
15
+ languages:
16
+ - typescript
17
+ - javascript
18
+ match:
19
+ fact:
20
+ kind: testing.skipped-without-ticket-reference
21
+ bind: issue
22
+ emit:
23
+ finding:
24
+ category: quality.testing
25
+ severity: medium
26
+ confidence: 0.72
27
+ tags:
28
+ - testing
29
+ - coverage
30
+ message:
31
+ title: Add a ticket or suppression note for `${captures.issue.text}`
32
+ summary: "`${captures.issue.text}` skips a test without an adjacent issue key, GitHub issue URL, or TODO(expires) style note."
33
+ remediation:
34
+ summary: Link the skip to a tracker id, add a short expiry note, or replace the skip with a focused assertion.
package/rules/typescript/ts.testing.no-snapshot-without-intent.rule.yaml ADDED
@@ -0,0 +1,34 @@
1
+ apiVersion: critiq.dev/v1alpha1
2
+ kind: Rule
3
+ metadata:
4
+ id: ts.testing.no-snapshot-without-intent
5
+ title: Snapshot assertions should name intent
6
+ summary: Snapshot matchers without a snapshot name or preceding intent comment are hard to review in diffs.
7
+ rationale: Anonymous snapshots churn without communicating what behavior reviewers should protect.
8
+ tags:
9
+ - testing
10
+ - quality
11
+ - rules-catalog
12
+ stability: experimental
13
+ appliesTo: block
14
+ scope:
15
+ languages:
16
+ - typescript
17
+ - javascript
18
+ match:
19
+ fact:
20
+ kind: testing.snapshot-without-review-intent
21
+ bind: issue
22
+ emit:
23
+ finding:
24
+ category: quality.testing
25
+ severity: low
26
+ confidence: 0.65
27
+ tags:
28
+ - testing
29
+ - snapshots
30
+ message:
31
+ title: Clarify snapshot intent for `${captures.issue.text}`
32
+ summary: "`${captures.issue.text}` uses a snapshot matcher without a string name and without a `// snapshot:` review comment on the previous line."
33
+ remediation:
34
+ summary: Add a named snapshot, or place `// snapshot:` on the preceding line describing what the snapshot protects.
package/rules/typescript/ts.testing.no-test-only-code-in-production.rule.yaml ADDED
@@ -0,0 +1,38 @@
1
+ apiVersion: critiq.dev/v1alpha1
2
+ kind: Rule
3
+ metadata:
4
+ id: ts.testing.no-test-only-code-in-production
5
+ title: Keep test-only modules and guards out of production paths
6
+ summary: Production modules should not import test doubles or gate behavior on test-only environment flags.
7
+ rationale: Test-only imports and NODE_ENV test branches can ship dead paths or accidental coupling to test harnesses.
8
+ tags:
9
+ - testing
10
+ - quality
11
+ - rules-catalog
12
+ stability: experimental
13
+ appliesTo: project
14
+ scope:
15
+ languages:
16
+ - typescript
17
+ - javascript
18
+ match:
19
+ any:
20
+ - fact:
21
+ kind: testing.production-imports-test-code
22
+ bind: issue
23
+ - fact:
24
+ kind: testing.test-only-env-branch-in-production
25
+ bind: issue
26
+ emit:
27
+ finding:
28
+ category: quality.testing
29
+ severity: high
30
+ confidence: 0.8
31
+ tags:
32
+ - testing
33
+ - boundaries
34
+ message:
35
+ title: Remove test-only coupling in `${captures.issue.text}`
36
+ summary: "`${captures.issue.text}` imports a test-only module or compares runtime mode against `test` outside test paths."
37
+ remediation:
38
+ summary: Move helpers into shared neutral modules, guard test utilities behind dev-only entrypoints, and keep production code free of `NODE_ENV === 'test'` branches.