npm - @critiq/rules - Versions diffs - 0.0.2 → 0.1.0 - Mend

@critiq/rules 0.0.2 → 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (203) hide show

package/rules/java/java.testing.disabled-without-ticket-reference.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.testing.disabled-without-ticket-reference
+  title: JUnit @Disabled should cite a ticket
+  summary: Disabled tests without a reason string or nearby tracker note are hard to triage.
+  rationale: Disabled tests should carry reviewable intent.
+  tags:
+    - testing
+    - java
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+match:
+  fact:
+    kind: java.testing.disabled-without-ticket-reference
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.64
+    tags:
+      - testing
+      - java
+  message:
+    title: Add a reason or ticket to `${captures.issue.text}`
+    summary: "`@Disabled` is used without a documented reason containing a tracker reference."
+  remediation:
+    summary: Add `@Disabled("JIRA-123 ...")` or a nearby suppression comment with an issue id.

package/rules/java/java.testing.http-client-in-unit-test.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.testing.http-client-in-unit-test
+  title: Avoid live HTTP clients in Java unit tests
+  summary: HttpClient/URL/RestTemplate usage in unit tests should target fakes or embedded servers.
+  rationale: Live HTTP couples CI to the network.
+  tags:
+    - testing
+    - java
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+match:
+  fact:
+    kind: java.testing.http-client-in-unit-test
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.62
+    tags:
+      - testing
+      - java
+  message:
+    title: Stub outbound HTTP in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` references a live HTTP client inside a `*Test.java` file."
+  remediation:
+    summary: Use MockWebServer, WireMock, or injected clients with deterministic responses.

package/rules/java/java.testing.thread-sleep-in-unit-test.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.testing.thread-sleep-in-unit-test
+  title: Avoid Thread.sleep in Java unit tests
+  summary: Sleeping in tests slows CI and hides synchronization bugs.
+  rationale: Prefer Awaitility, latches, or deterministic test doubles.
+  tags:
+    - testing
+    - java
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+match:
+  fact:
+    kind: java.testing.thread-sleep-in-unit-test
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: low
+    confidence: 0.6
+    tags:
+      - testing
+      - java
+  message:
+    title: Replace `Thread.sleep` in unit tests
+    summary: "`${captures.issue.text}` blocks on real wall-clock time inside a `*Test.java` file."
+  remediation:
+    summary: Use synchronization primitives, timeouts with polling, or move timing coverage to integration tests.

package/rules/php/php.performance.no-regex-construction-in-loop.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.performance.no-regex-construction-in-loop
+  title: Avoid no regex construction in loop
+  summary: Performance hygiene signal for php sources.
+  rationale: Performance hygiene signal for php sources.
+  tags:
+    - performance
+    - php
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - php
+match:
+  fact:
+    kind: php.performance.no-regex-construction-in-loop
+    bind: issue
+emit:
+  finding:
+    category: performance.allocation
+    severity: medium
+    confidence: 0.66
+    tags:
+      - performance
+      - php
+  message:
+    title: Avoid no regex construction in loop in `php` code
+    summary: "`${captures.issue.text}` matches php.performance.no-regex-construction-in-loop."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.

package/rules/php/php.performance.no-sync-fs-in-request-path.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.performance.no-sync-fs-in-request-path
+  title: Avoid no sync fs in request path
+  summary: Performance hygiene signal for php sources.
+  rationale: Performance hygiene signal for php sources.
+  tags:
+    - performance
+    - php
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - php
+match:
+  fact:
+    kind: php.performance.no-sync-fs-in-request-path
+    bind: issue
+emit:
+  finding:
+    category: performance.io
+    severity: high
+    confidence: 0.66
+    tags:
+      - performance
+      - php
+  message:
+    title: Avoid no sync fs in request path in `php` code
+    summary: "`${captures.issue.text}` matches php.performance.no-sync-fs-in-request-path."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.

package/rules/php/php.performance.no-unbounded-concurrency.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.performance.no-unbounded-concurrency
+  title: Avoid no unbounded concurrency
+  summary: Performance hygiene signal for php sources.
+  rationale: Performance hygiene signal for php sources.
+  tags:
+    - performance
+    - php
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - php
+match:
+  fact:
+    kind: php.performance.no-unbounded-concurrency
+    bind: issue
+emit:
+  finding:
+    category: performance.async
+    severity: medium
+    confidence: 0.66
+    tags:
+      - performance
+      - php
+  message:
+    title: Avoid no unbounded concurrency in `php` code
+    summary: "`${captures.issue.text}` matches php.performance.no-unbounded-concurrency."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.

package/rules/php/php.security.insecure-cors-wildcard-with-credentials.rule.yaml ADDED Viewed

@@ -0,0 +1,41 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.insecure-cors-wildcard-with-credentials
+  title: Do not combine wildcard CORS origin with credentials
+  summary: >-
+    PHP CORS responses should not allow credentials when origin is set to `*`.
+  rationale: >-
+    Wildcard origins with credential support break origin isolation and can expose authenticated data cross-site.
+  tags:
+    - security
+    - php
+    - cors
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.insecure-cors-wildcard-with-credentials
+    bind: issue
+emit:
+  finding:
+    category: security.data-exposure
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - php
+      - cors
+  message:
+    title: Fix unsafe CORS configuration in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` allows wildcard origin and credentials together."
+  remediation:
+    summary: >-
+      Replace wildcard origins with explicit allowlists and keep credentials disabled unless strictly required.

package/rules/php/php.security.insecure-mail-or-file-transport.rule.yaml ADDED Viewed

@@ -0,0 +1,41 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.insecure-mail-or-file-transport
+  title: Avoid insecure PHP FTP/SMTP or plaintext transport patterns
+  summary: >-
+    Outbound mail/file transfer code should not rely on plaintext transport endpoints for sensitive traffic.
+  rationale: >-
+    Unencrypted transfer channels expose credentials and payloads to interception or tampering.
+  tags:
+    - security
+    - php
+    - transport
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.insecure-mail-or-file-transport
+    bind: issue
+emit:
+  finding:
+    category: security.network
+    severity: medium
+    confidence: 0.72
+    tags:
+      - security
+      - php
+      - transport
+  message:
+    title: Prefer encrypted transport in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses plaintext FTP/SMTP/HTTP transport for potentially sensitive operations."
+  remediation:
+    summary: >-
+      Use encrypted transport endpoints and modern client libraries with certificate validation enabled.

package/rules/php/php.security.insecure-session-or-cookie-config.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.insecure-session-or-cookie-config
+  title: Harden PHP session and cookie security flags
+  summary: >-
+    Session/cookie configuration should keep secure, httpOnly, and safe same-site posture for authenticated contexts.
+  rationale: >-
+    Weak cookie/session flags increase theft and replay risk across XSS, mixed transport, and cross-site request contexts.
+  tags:
+    - security
+    - php
+    - session
+    - cookies
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.insecure-session-or-cookie-config
+    bind: issue
+emit:
+  finding:
+    category: security.session-management
+    severity: medium
+    confidence: 0.76
+    tags:
+      - security
+      - php
+      - session
+  message:
+    title: Tighten cookie/session configuration in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` configures cookies or sessions with insecure defaults."
+  remediation:
+    summary: >-
+      Set `secure=true`, `httponly=true`, and a restrictive same-site policy for authentication cookies in production traffic.

package/rules/php/php.security.laravel-sensitive-csrf-exclusion.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.laravel-sensitive-csrf-exclusion
+  title: Avoid broad Laravel CSRF exclusions on sensitive routes
+  summary: >-
+    Wildcard CSRF exclusions should not cover account, billing, admin, password, or profile endpoints.
+  rationale: >-
+    Over-broad CSRF exemptions remove request integrity checks from high-impact authenticated actions.
+  tags:
+    - security
+    - php
+    - laravel
+    - csrf
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.laravel-sensitive-csrf-exclusion
+    bind: issue
+emit:
+  finding:
+    category: security.session-management
+    severity: high
+    confidence: 0.86
+    tags:
+      - security
+      - php
+      - laravel
+  message:
+    title: Narrow CSRF exclusions near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` exempts sensitive route patterns from CSRF verification."
+  remediation:
+    summary: >-
+      Limit CSRF exceptions to explicitly signed webhook endpoints and avoid wildcard exclusions on authenticated user flows.

package/rules/php/php.security.laravel-unsafe-blade-output.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.laravel-unsafe-blade-output
+  title: Avoid unescaped Laravel Blade output from request or model data
+  summary: >-
+    Raw Blade rendering (`{!! !!}`) should not directly render request, model, or translated user content.
+  rationale: >-
+    Unescaped template output can enable stored or reflected XSS when user-controlled values are rendered as HTML.
+  tags:
+    - security
+    - php
+    - laravel
+    - xss
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.laravel-unsafe-blade-output
+    bind: issue
+emit:
+  finding:
+    category: security.input-validation
+    severity: high
+    confidence: 0.84
+    tags:
+      - security
+      - php
+      - laravel
+  message:
+    title: Escape template output in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` emits raw HTML from potentially untrusted values."
+  remediation:
+    summary: >-
+      Prefer escaped Blade output (`{{ }}`) and sanitizer wrappers before rendering user-influenced HTML.

package/rules/php/php.security.laravel-unsafe-mass-assignment.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.laravel-unsafe-mass-assignment
+  title: Avoid mass-assigning full Laravel request payloads
+  summary: >-
+    Eloquent writes should not use `$request->all()` or fully unguarded models for sensitive records.
+  rationale: >-
+    Raw request mass assignment lets attackers set privileged fields like role or account ownership.
+  tags:
+    - security
+    - php
+    - laravel
+    - mass-assignment
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: php.security.laravel-unsafe-mass-assignment
+    bind: issue
+emit:
+  finding:
+    category: security.authorization
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - php
+      - laravel
+  message:
+    title: Restrict model assignment in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` writes unfiltered request attributes into a model."
+  remediation:
+    summary: >-
+      Use validated DTO/request objects and explicit allowlists (`only`) for model writes, and avoid `$guarded = []` on sensitive models.

package/rules/php/php.security.sensitive-data-egress.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.sensitive-data-egress
+  title: Avoid relaying request-derived sensitive data in outbound PHP HTTP calls
+  summary: >-
+    Outbound HTTP clients should not forward tainted request/session material without validation or redaction.
+  rationale: >-
+    Unchecked egress forwarding can leak tokens, credentials, or personal data to external systems.
+  tags:
+    - security
+    - php
+    - privacy
+    - egress
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: security.sensitive-data-egress
+    bind: issue
+emit:
+  finding:
+    category: security.privacy
+    severity: high
+    confidence: 0.78
+    tags:
+      - security
+      - php
+      - privacy
+  message:
+    title: Validate outbound payloads in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` forwards tainted or sensitive values to an external HTTP client."
+  remediation:
+    summary: >-
+      Scrub secrets, restrict outbound destinations, and centralize external integrations behind audited request builders.

package/rules/php/php.security.symfony-csrf-disabled.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.symfony-csrf-disabled
+  title: Keep Symfony CSRF enabled on state-changing form flows
+  summary: >-
+    Symfony forms and controllers handling state changes should not disable CSRF protection without a clear API token boundary.
+  rationale: >-
+    Disabling CSRF for authenticated browser flows enables cross-site request forgery on sensitive actions.
+  tags:
+    - security
+    - php
+    - symfony
+    - csrf
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.symfony-csrf-disabled
+    bind: issue
+emit:
+  finding:
+    category: security.session-management
+    severity: high
+    confidence: 0.84
+    tags:
+      - security
+      - php
+      - symfony
+  message:
+    title: Re-enable CSRF guard around `${captures.issue.text}`
+    summary: "`${captures.issue.text}` disables CSRF protection for a state-changing Symfony surface."
+  remediation:
+    summary: >-
+      Keep CSRF enabled for browser forms/controllers and only exempt endpoints that are explicitly authenticated by signed tokens.

package/rules/php/php.security.symfony-debug-exposure.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.symfony-debug-exposure
+  title: Disable Symfony debug and profiler in production-like configs
+  summary: >-
+    Production-like Symfony configuration should not enable debug mode or web profiler surfaces.
+  rationale: >-
+    Debug and profiler exposure can leak internals, stack traces, secrets, and request details.
+  tags:
+    - security
+    - php
+    - symfony
+    - debug
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+      - "**/.env"
+      - "**/.env.*"
+match:
+  fact:
+    kind: php.security.symfony-debug-exposure
+    bind: issue
+emit:
+  finding:
+    category: security.information-leakage
+    severity: high
+    confidence: 0.88
+    tags:
+      - security
+      - php
+      - symfony
+  message:
+    title: Disable debug exposure in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` enables Symfony debug or profiler behavior in a production-like surface."
+  remediation:
+    summary: >-
+      Keep `APP_DEBUG=0` in production and disable profiler bundles/toolbars outside local dev/test environments.

package/rules/php/php.security.unsafe-file-upload-handling.rule.yaml ADDED Viewed

@@ -0,0 +1,41 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.unsafe-file-upload-handling
+  title: Validate uploaded filenames and content before storing files
+  summary: >-
+    PHP upload handlers should not persist raw `$_FILES` names without validation and normalization.
+  rationale: >-
+    Unsafely handled uploads can enable path traversal, executable file placement, and malicious payload storage.
+  tags:
+    - security
+    - php
+    - file-upload
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.unsafe-file-upload-handling
+    bind: issue
+emit:
+  finding:
+    category: security.input-validation
+    severity: high
+    confidence: 0.86
+    tags:
+      - security
+      - php
+      - file-upload
+  message:
+    title: Harden upload handling in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` stores uploaded files without strong filename/content validation."
+  remediation:
+    summary: >-
+      Normalize filenames, enforce extension and MIME allowlists, and route uploads through dedicated validated storage helpers.

package/rules/php/php.security.wordpress-missing-nonce-or-capability.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.wordpress-missing-nonce-or-capability
+  title: Require nonce and capability checks in sensitive WordPress mutation callbacks
+  summary: >-
+    WordPress admin/AJAX mutation callbacks should verify nonce tokens and enforce capability checks.
+  rationale: >-
+    Missing nonce or authorization checks let attackers trigger privileged actions through forged or unauthorized requests.
+  tags:
+    - security
+    - php
+    - wordpress
+    - authorization
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.wordpress-missing-nonce-or-capability
+    bind: issue
+emit:
+  finding:
+    category: security.authorization
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - php
+      - wordpress
+  message:
+    title: Protect WordPress action `${captures.issue.text}`
+    summary: "`${captures.issue.text}` handles a mutation callback without complete nonce and capability enforcement."
+  remediation:
+    summary: >-
+      Add nonce verification (`check_ajax_referer`/`check_admin_referer`) and explicit capability checks (`current_user_can`) before performing mutations.