npm - @critiq/rules - Versions diffs - 0.0.2 → 0.1.0 - Mend

@critiq/rules 0.0.2 → 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (203) hide show

package/rules/php/php.security.wordpress-unprepared-sql.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.wordpress-unprepared-sql
+  title: Use `$wpdb->prepare` for dynamic WordPress SQL
+  summary: >-
+    WordPress SQL calls should not interpolate request values directly into query strings.
+  rationale: >-
+    Dynamic SQL without `$wpdb->prepare` enables injection and unauthorized data access/manipulation.
+  tags:
+    - security
+    - php
+    - wordpress
+    - sql-injection
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.wordpress-unprepared-sql
+    bind: issue
+emit:
+  finding:
+    category: security.input-validation
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - php
+      - wordpress
+  message:
+    title: Parameterize SQL near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` concatenates request data into a WordPress SQL call without `$wpdb->prepare`."
+  remediation:
+    summary: >-
+      Build SQL through `$wpdb->prepare` placeholders and sanitize scalar inputs before passing them to query execution calls.

package/rules/php/php.testing.curl-in-unit-test.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.testing.curl-in-unit-test
+  title: Avoid raw curl calls in PHP unit tests
+  summary: curl_exec in tests should target doubles or local fixtures.
+  rationale: Live HTTP couples CI to the network.
+  tags:
+    - testing
+    - php
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - php
+match:
+  fact:
+    kind: php.testing.curl-in-unit-test
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.62
+    tags:
+      - testing
+      - php
+  message:
+    title: Stub outbound HTTP in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses curl primitives inside a test-like path."
+  remediation:
+    summary: Wrap HTTP behind an injectable client and replace curl usage with doubles in unit tests.

package/rules/php/php.testing.mark-test-skipped-without-ticket-reference.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.testing.mark-test-skipped-without-ticket-reference
+  title: markTestSkipped should cite a ticket
+  summary: Empty markTestSkipped() calls without a tracker note are hard to triage.
+  rationale: Skips should carry reviewable intent.
+  tags:
+    - testing
+    - php
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - php
+match:
+  fact:
+    kind: php.testing.mark-test-skipped-without-ticket-reference
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.64
+    tags:
+      - testing
+      - php
+  message:
+    title: Add a ticket reference to `${captures.issue.text}`
+    summary: "`markTestSkipped()` is used without arguments and without a nearby issue reference."
+  remediation:
+    summary: Pass a reason string with a tracker id or document the suppression inline.

package/rules/php/php.testing.sleep-in-unit-test.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.testing.sleep-in-unit-test
+  title: Avoid sleep in PHP unit tests
+  summary: sleep() in tests slows CI and hides synchronization bugs.
+  rationale: Prefer deterministic waits or clock injection.
+  tags:
+    - testing
+    - php
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - php
+match:
+  fact:
+    kind: php.testing.sleep-in-unit-test
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: low
+    confidence: 0.58
+    tags:
+      - testing
+      - php
+  message:
+    title: Replace `sleep` in unit tests
+    summary: "`${captures.issue.text}` blocks on real wall-clock time inside a test-like path."
+  remediation:
+    summary: Inject a clock, shorten waits, or move timing coverage to integration suites.

package/rules/python/py.performance.no-regex-construction-in-loop.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.performance.no-regex-construction-in-loop
+  title: Avoid no regex construction in loop
+  summary: Performance hygiene signal for python sources.
+  rationale: Performance hygiene signal for python sources.
+  tags:
+    - performance
+    - python
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - python
+match:
+  fact:
+    kind: py.performance.no-regex-construction-in-loop
+    bind: issue
+emit:
+  finding:
+    category: performance.allocation
+    severity: medium
+    confidence: 0.66
+    tags:
+      - performance
+      - python
+  message:
+    title: Avoid no regex construction in loop in `python` code
+    summary: "`${captures.issue.text}` matches py.performance.no-regex-construction-in-loop."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.

package/rules/python/py.performance.no-sync-fs-in-request-path.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.performance.no-sync-fs-in-request-path
+  title: Avoid no sync fs in request path
+  summary: Performance hygiene signal for python sources.
+  rationale: Performance hygiene signal for python sources.
+  tags:
+    - performance
+    - python
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - python
+match:
+  fact:
+    kind: py.performance.no-sync-fs-in-request-path
+    bind: issue
+emit:
+  finding:
+    category: performance.io
+    severity: high
+    confidence: 0.66
+    tags:
+      - performance
+      - python
+  message:
+    title: Avoid no sync fs in request path in `python` code
+    summary: "`${captures.issue.text}` matches py.performance.no-sync-fs-in-request-path."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.

package/rules/python/py.performance.no-unbounded-concurrency.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.performance.no-unbounded-concurrency
+  title: Avoid no unbounded concurrency
+  summary: Performance hygiene signal for python sources.
+  rationale: Performance hygiene signal for python sources.
+  tags:
+    - performance
+    - python
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - python
+match:
+  fact:
+    kind: py.performance.no-unbounded-concurrency
+    bind: issue
+emit:
+  finding:
+    category: performance.async
+    severity: medium
+    confidence: 0.66
+    tags:
+      - performance
+      - python
+  message:
+    title: Avoid no unbounded concurrency in `python` code
+    summary: "`${captures.issue.text}` matches py.performance.no-unbounded-concurrency."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.

package/rules/python/py.security.django-csrf-exempt-state-changing.rule.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.django-csrf-exempt-state-changing
+  title: Avoid CSRF exemptions on state-changing Django views
+  summary: Browser-facing Django views that change state should remain CSRF-protected unless they are explicitly token-authenticated APIs.
+  rationale: >-
+    Using django.decorators.csrf.csrf_exempt removes CSRF defenses for session-backed browsers,
+    enabling cross-site request forgery against unsafe methods.
+  tags:
+    - security
+    - python
+    - django
+    - csrf
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.django-csrf-exempt-state-changing
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: high
+    confidence: 0.82
+    tags:
+      - security
+      - django
+      - csrf
+  message:
+    title: Review CSRF exemption `${captures.issue.text}`
+    summary: "`${captures.issue.text}` is applied near code that handles POST/PUT/PATCH/DELETE or `request.POST`, which is risky for browser sessions."
+  remediation:
+    summary: Remove `@csrf_exempt`, enforce CSRF tokens for browser views, or constrain the endpoint to non-session authentication with explicit CSRF policy.

package/rules/python/py.security.django-missing-csrf-middleware.rule.yaml ADDED Viewed

@@ -0,0 +1,47 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.django-missing-csrf-middleware
+  title: Enable Django CSRF middleware for browser apps
+  summary: Django projects using cookie-backed sessions should include `CsrfViewMiddleware` in `MIDDLEWARE`.
+  rationale: Without CSRF middleware, Django cannot enforce CSRF tokens on unsafe HTTP methods for browser clients.
+  tags:
+    - security
+    - python
+    - django
+    - csrf
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/settings/**/*.py"
+      - "**/*settings*.py"
+    exclude:
+      - "**/settings/local.py"
+      - "**/settings/dev.py"
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.django-missing-csrf-middleware
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.78
+    tags:
+      - security
+      - django
+      - csrf
+  message:
+    title: Add CSRF middleware to Django `${captures.issue.text}`
+    summary: "`MIDDLEWARE` is declared without `django.middleware.csrf.CsrfViewMiddleware`, which disables framework CSRF checks."
+  remediation:
+    summary: Insert `django.middleware.csrf.CsrfViewMiddleware` into `MIDDLEWARE` according to the Django deployment checklist ordering guidance.

package/rules/python/py.security.django-unsafe-production-settings.rule.yaml ADDED Viewed

@@ -0,0 +1,47 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.django-unsafe-production-settings
+  title: Avoid unsafe Django production settings
+  summary: Production Django settings should disable debug mode, restrict hosts, protect secrets, and enable HTTPS-aligned cookie flags.
+  rationale: Misconfigured Django defaults expose debug traces, enable host header attacks, leak secrets, and weaken cookie transport protections.
+  tags:
+    - security
+    - python
+    - django
+    - configuration
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/settings/**/*.py"
+      - "**/*settings*.py"
+    exclude:
+      - "**/settings/local.py"
+      - "**/settings/dev.py"
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.django-unsafe-production-settings
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.88
+    tags:
+      - security
+      - django
+      - configuration
+  message:
+    title: Fix risky Django setting `${captures.issue.text}`
+    summary: "`${captures.issue.text}` weakens production security posture for Django deployment."
+  remediation:
+    summary: Align settings with your deployment checklist—disable DEBUG, pin ALLOWED_HOSTS, load secrets from the environment, and enable secure cookie and HTTPS flags.

package/rules/python/py.security.drf-allow-any-default.rule.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.drf-allow-any-default
+  title: Avoid AllowAny as DRF default permission
+  summary: Django REST Framework APIs should default to authenticated permission classes instead of `AllowAny`.
+  rationale: Default `AllowAny` exposes mutation-heavy APIs unless every view overrides permissions explicitly.
+  tags:
+    - security
+    - python
+    - django
+    - drf
+    - authorization
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.drf-allow-any-default
+    bind: issue
+emit:
+  finding:
+    category: security.authorization
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - django
+      - drf
+      - authorization
+  message:
+    title: Replace permissive DRF defaults `${captures.issue.text}`
+    summary: "`REST_FRAMEWORK` enables `AllowAny` via `DEFAULT_PERMISSION_CLASSES`, which is unsafe for default API posture."
+  remediation:
+    summary: Prefer `IsAuthenticated` or another restrictive default, then opt-in public access only where documented.

package/rules/python/py.security.drf-allow-any-unsafe-method.rule.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.drf-allow-any-unsafe-method
+  title: Avoid AllowAny on unsafe DRF methods
+  summary: DRF views that accept POST, PUT, PATCH, or DELETE should not declare `AllowAny` unless the endpoint is intentionally public.
+  rationale: Open unsafe methods allow unauthenticated clients to mutate data and violate least-privilege API access.
+  tags:
+    - security
+    - python
+    - django
+    - drf
+    - authorization
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.drf-allow-any-unsafe-method
+    bind: issue
+emit:
+  finding:
+    category: security.authorization
+    severity: high
+    confidence: 0.8
+    tags:
+      - security
+      - django
+      - drf
+      - authorization
+  message:
+    title: Tighten permissions around `${captures.issue.text}`
+    summary: "`${captures.issue.text}` combines `AllowAny` with an unsafe HTTP method declaration."
+  remediation:
+    summary: Require authentication or scoped permissions for unsafe verbs unless the handler is explicitly public and documented.

package/rules/python/py.security.fastapi-insecure-cors.rule.yaml ADDED Viewed

@@ -0,0 +1,43 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.fastapi-insecure-cors
+  title: Avoid permissive FastAPI CORS with credentials
+  summary: FastAPI `CORSMiddleware` should not combine wildcard origins, methods, or headers with `allow_credentials=True`.
+  rationale: Wildcard CORS policies plus credentials mirror insecure browser CORS combinations that attackers can abuse from malicious origins.
+  tags:
+    - security
+    - python
+    - fastapi
+    - cors
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+match:
+  fact:
+    kind: python.security.fastapi-insecure-cors
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.87
+    tags:
+      - security
+      - fastapi
+      - cors
+  message:
+    title: Tighten FastAPI CORS `${captures.issue.text}`
+    summary: "`${captures.issue.text}` configures `CORSMiddleware` with wildcards while credentials are enabled."
+  remediation:
+    summary: Replace wildcard origins, methods, and headers with explicit allowlists when credentials are required.

package/rules/python/py.security.flask-missing-upload-body-limit.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.flask-missing-upload-body-limit
+  title: Set Flask MAX_CONTENT_LENGTH for uploads
+  summary: Flask apps handling uploads should configure `MAX_CONTENT_LENGTH` to bound request bodies.
+  rationale: Missing upload limits enables trivial denial-of-service via oversized multipart payloads.
+  tags:
+    - security
+    - python
+    - flask
+    - upload
+    - dos
+    - rules-catalog
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+match:
+  fact:
+    kind: python.security.flask-missing-upload-body-limit
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: medium
+    confidence: 0.72
+    tags:
+      - security
+      - flask
+      - upload
+  message:
+    title: Add upload size limits near `${captures.issue.text}`
+    summary: "Upload handling references `${captures.issue.text}` but no `MAX_CONTENT_LENGTH` configuration was detected in this file."
+  remediation:
+    summary: Set `app.config["MAX_CONTENT_LENGTH"]` (or equivalent) to a bounded maximum aligned with product limits.

package/rules/python/py.security.flask-unsafe-html-output.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.flask-unsafe-html-output
+  title: Avoid Flask markup helpers fed by request data
+  summary: Flask responses should not bypass escaping when interpolating `request` input into HTML helpers or template strings.
+  rationale: >-
+    Markup helpers, render_template_string, and Jinja safe filters bypass escaping and commonly become XSS sinks.
+  tags:
+    - security
+    - python
+    - flask
+    - xss
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+match:
+  fact:
+    kind: python.security.flask-unsafe-html-output
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: high
+    confidence: 0.86
+    tags:
+      - security
+      - flask
+      - xss
+  message:
+    title: Remove unsafe HTML composition `${captures.issue.text}`
+    summary: "`${captures.issue.text}` mixes request-controlled values with markup helpers or unescaped template paths."
+  remediation:
+    summary: Use automatic escaping, `render_template` with trusted contexts, or a vetted sanitizer instead of raw markup shortcuts.

package/rules/python/py.security.flask-unsafe-upload-filename.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.flask-unsafe-upload-filename
+  title: Sanitize Flask upload filenames before saving
+  summary: Flask upload handlers should pass filenames through `secure_filename` (or equivalent) before persisting to disk.
+  rationale: Attacker-controlled filenames enable traversal sequences, extension spoofing, and collisions when saved verbatim.
+  tags:
+    - security
+    - python
+    - flask
+    - filesystem
+    - upload
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+match:
+  fact:
+    kind: python.security.flask-unsafe-upload-filename
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - flask
+      - upload
+  message:
+    title: Harden upload save `${captures.issue.text}`
+    summary: "`${captures.issue.text}` persists uploads using an unsanitized client-provided filename."
+  remediation:
+    summary: Generate trusted server-side names or wrap uploads with `werkzeug.utils.secure_filename` before calling `save`.

package/rules/python/py.testing.pytest-skip-without-ticket-reference.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.testing.pytest-skip-without-ticket-reference
+  title: pytest.mark.skip should include a reason or ticket
+  summary: Skips without `reason=` or a nearby tracker reference are hard to triage.
+  rationale: Silent pytest skips accumulate unless they carry reviewable intent.
+  tags:
+    - testing
+    - python
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - python
+match:
+  fact:
+    kind: py.testing.pytest-skip-without-ticket-reference
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.68
+    tags:
+      - testing
+      - python
+  message:
+    title: Document `@pytest.mark.skip` with reason or ticket
+    summary: "`${captures.issue.text}` marks a skip without `reason=` and without a nearby issue reference."
+  remediation:
+    summary: Add `reason=` with a tracker id or move the skip behind a feature flag with expiry notes.