npm - @critiq/rules - Versions diffs - 0.0.2 → 0.1.0 - Mend

@critiq/rules 0.0.2 → 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (203) hide show

package/rules/python/py.testing.real-network-in-unit-test.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.testing.real-network-in-unit-test
+  title: Avoid live HTTP clients in Python unit tests
+  summary: requests/httpx/urllib calls in unit tests should be doubled or recorded.
+  rationale: Live HTTP couples CI to the network and slows feedback.
+  tags:
+    - testing
+    - python
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - python
+match:
+  fact:
+    kind: py.testing.real-network-in-unit-test
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.66
+    tags:
+      - testing
+      - python
+  message:
+    title: Mock outbound HTTP in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` performs a live HTTP style call inside a test module."
+  remediation:
+    summary: Use responses/httpretty/pytest-httpserver or dependency-injected clients with fakes.

package/rules/python/py.testing.time-sleep-in-unit-test.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.testing.time-sleep-in-unit-test
+  title: Avoid time.sleep in Python unit tests
+  summary: Sleeping in tests slows suites and hides synchronization bugs.
+  rationale: Prefer deterministic waits, polling helpers, or clock fakes.
+  tags:
+    - testing
+    - python
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - python
+match:
+  fact:
+    kind: py.testing.time-sleep-in-unit-test
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: low
+    confidence: 0.6
+    tags:
+      - testing
+      - python
+  message:
+    title: Replace `time.sleep` in unit tests
+    summary: "`${captures.issue.text}` blocks on real wall-clock time inside a test module."
+  remediation:
+    summary: Inject a clock, shorten waits, or move timing-sensitive coverage to integration tests.

package/rules/ruby/ruby.performance.no-regex-construction-in-loop.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.performance.no-regex-construction-in-loop
+  title: Avoid no regex construction in loop
+  summary: Performance hygiene signal for ruby sources.
+  rationale: Performance hygiene signal for ruby sources.
+  tags:
+    - performance
+    - ruby
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+match:
+  fact:
+    kind: ruby.performance.no-regex-construction-in-loop
+    bind: issue
+emit:
+  finding:
+    category: performance.allocation
+    severity: medium
+    confidence: 0.66
+    tags:
+      - performance
+      - ruby
+  message:
+    title: Avoid no regex construction in loop in `ruby` code
+    summary: "`${captures.issue.text}` matches ruby.performance.no-regex-construction-in-loop."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.

package/rules/ruby/ruby.performance.no-sync-fs-in-request-path.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.performance.no-sync-fs-in-request-path
+  title: Avoid no sync fs in request path
+  summary: Performance hygiene signal for ruby sources.
+  rationale: Performance hygiene signal for ruby sources.
+  tags:
+    - performance
+    - ruby
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+match:
+  fact:
+    kind: ruby.performance.no-sync-fs-in-request-path
+    bind: issue
+emit:
+  finding:
+    category: performance.io
+    severity: high
+    confidence: 0.66
+    tags:
+      - performance
+      - ruby
+  message:
+    title: Avoid no sync fs in request path in `ruby` code
+    summary: "`${captures.issue.text}` matches ruby.performance.no-sync-fs-in-request-path."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.

package/rules/ruby/ruby.performance.no-unbounded-concurrency.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.performance.no-unbounded-concurrency
+  title: Avoid no unbounded concurrency
+  summary: Performance hygiene signal for ruby sources.
+  rationale: Performance hygiene signal for ruby sources.
+  tags:
+    - performance
+    - ruby
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+match:
+  fact:
+    kind: ruby.performance.no-unbounded-concurrency
+    bind: issue
+emit:
+  finding:
+    category: performance.async
+    severity: medium
+    confidence: 0.66
+    tags:
+      - performance
+      - ruby
+  message:
+    title: Avoid no unbounded concurrency in `ruby` code
+    summary: "`${captures.issue.text}` matches ruby.performance.no-unbounded-concurrency."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.

package/rules/ruby/ruby.security.rails-csrf-disabled.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.security.rails-csrf-disabled
+  title: Do not disable Rails CSRF protection on browser controllers
+  summary: >-
+    Browser-facing Rails controllers should keep forgery protection enabled with a safe strategy.
+  rationale: >-
+    Skipping CSRF verification or downgrading to `null_session` lets attackers replay cross-site requests against authenticated sessions.
+  tags:
+    - security
+    - ruby
+    - rails
+    - csrf
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.security.rails-csrf-disabled
+    bind: issue
+emit:
+  finding:
+    category: security.session-management
+    severity: high
+    confidence: 0.82
+    tags:
+      - security
+      - ruby
+      - rails
+  message:
+    title: Re-enable CSRF protections around `${captures.issue.text}`
+    summary: "`${captures.issue.text}` weakens or skips Rails CSRF defenses outside an API-only controller surface."
+  remediation:
+    summary: >-
+      Remove broad `skip_forgery_protection` usage, prefer `protect_from_forgery with: :exception`, and keep `verify_authenticity_token` enabled for state-changing browser actions.

package/rules/ruby/ruby.security.rails-detailed-exceptions-enabled.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.security.rails-detailed-exceptions-enabled
+  title: Keep production Rails exception disclosure minimal
+  summary: >-
+    Production environments should not enable local-style exception pages or verbose Action Dispatch exception rendering.
+  rationale: >-
+    Detailed exceptions leak stack traces, secrets, and implementation details that attackers can use to refine exploits.
+  tags:
+    - security
+    - ruby
+    - rails
+    - misconfiguration
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/config/environments/production.rb"
+    exclude:
+      - "**/vendor/**"
+match:
+  fact:
+    kind: ruby.security.rails-detailed-exceptions-enabled
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - ruby
+      - rails
+  message:
+    title: Disable verbose exceptions for `${captures.issue.text}`
+    summary: "`${captures.issue.text}` enables detailed exceptions or local request handling in the production environment file."
+  remediation:
+    summary: >-
+      Set `consider_all_requests_local` and `show_detailed_exceptions` to safe defaults, route errors through monitored handlers, and keep `config.action_dispatch.show_exceptions` off verbose modes in production.

package/rules/ruby/ruby.security.rails-open-redirect.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.security.rails-open-redirect
+  title: Avoid open redirects from request-controlled targets
+  summary: >-
+    Redirect helpers must not send users to hosts or paths derived directly from request input without validation.
+  rationale: >-
+    `redirect_to` and `redirect_back` calls that honor `params`, `request` URLs, or `allow_other_host: true` with tainted data are a common phishing and OAuth bypass vector.
+  tags:
+    - security
+    - ruby
+    - rails
+    - open-redirect
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.security.rails-open-redirect
+    bind: issue
+emit:
+  finding:
+    category: security.url-redirection
+    severity: medium
+    confidence: 0.84
+    tags:
+      - security
+      - ruby
+      - rails
+  message:
+    title: Validate redirect targets in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` forwards users using request-derived data or cross-host redirects without a safe allowlist."
+  remediation:
+    summary: >-
+      Use an allowlisted path helper, reject off-host targets, and avoid pairing `allow_other_host: true` with user-controlled URLs.

package/rules/ruby/ruby.security.rails-unsafe-html-output.rule.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.security.rails-unsafe-html-output
+  title: Avoid unescaped HTML built from request or tainted data
+  summary: >-
+    Do not mark request-driven strings as HTML safe or bypass sanitization in views or helpers.
+  rationale: >-
+    `raw`, `html_safe`, `sanitize: false`, and ERB double-equals disable escaping and commonly become reflected XSS sinks.
+  tags:
+    - security
+    - ruby
+    - rails
+    - xss
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+      - "**/*.erb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.security.rails-unsafe-html-output
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: high
+    confidence: 0.86
+    tags:
+      - security
+      - ruby
+      - rails
+  message:
+    title: Encode or sanitize HTML instead of `${captures.issue.text}`
+    summary: "`${captures.issue.text}` mixes tainted or request data with helpers that disable Rails HTML escaping."
+  remediation:
+    summary: >-
+      Prefer default escaping, pass sanitized fragments, or centralize HTML generation through a vetted sanitizer instead of `raw`/`html_safe`.

package/rules/ruby/ruby.security.rails-unsafe-render.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.security.rails-unsafe-render
+  title: Avoid rendering raw HTML or bodies from request input
+  summary: >-
+    `render` options such as `html:`, `plain:`, or `inline:` must not consume unvalidated request data.
+  rationale: >-
+    These render modes bypass templates and can reflect attacker-controlled markup or scripts when fed tainted strings.
+  tags:
+    - security
+    - ruby
+    - rails
+    - xss
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.security.rails-unsafe-render
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: high
+    confidence: 0.83
+    tags:
+      - security
+      - ruby
+      - rails
+  message:
+    title: Sanitize render payloads in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` renders dynamic HTML or text modes using tainted or request-derived values."
+  remediation:
+    summary: >-
+      Prefer templates with escaping, sanitize any rich text, or map request identifiers to trusted server-side content instead of rendering raw params.

package/rules/ruby/ruby.security.rails-unsafe-session-or-cookie-store.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.security.rails-unsafe-session-or-cookie-store
+  title: Do not store raw request params in session or cookies
+  summary: >-
+    Session and signed cookie stores should not persist raw `params` blobs that attackers can influence.
+  rationale: >-
+    Writing `params` directly into `session` or `cookies` enables tampering, fixation, and oversized payload attacks unless additional integrity controls exist.
+  tags:
+    - security
+    - ruby
+    - rails
+    - session
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.security.rails-unsafe-session-or-cookie-store
+    bind: issue
+emit:
+  finding:
+    category: security.session-management
+    severity: medium
+    confidence: 0.85
+    tags:
+      - security
+      - ruby
+      - rails
+  message:
+    title: Avoid persisting raw params in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` assigns request `params` directly into session or cookie storage."
+  remediation:
+    summary: >-
+      Store opaque identifiers, use signed or encrypted cookie jars appropriately, and validate any user-derived values before persistence.

package/rules/ruby/ruby.security.rails-unsafe-strong-parameters.rule.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.security.rails-unsafe-strong-parameters
+  title: Avoid unsafe Rails strong parameters and mass assignment
+  summary: >-
+    Strong parameters and mass assignment sinks should not accept unfiltered request hashes or privileged attributes.
+  rationale: >-
+    Permissive `permit!`, privileged `permit` fields, and direct `params` mass assignment enable attackers to escalate privileges or overwrite protected columns.
+  tags:
+    - security
+    - ruby
+    - rails
+    - mass-assignment
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+      - "**/*.erb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.security.rails-unsafe-strong-parameters
+    bind: issue
+emit:
+  finding:
+    category: security.authorization
+    severity: high
+    confidence: 0.88
+    tags:
+      - security
+      - ruby
+      - rails
+  message:
+    title: Fix unsafe parameter filtering in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` permits privileged fields, uses `permit!`, or assigns raw `params` into a model."
+  remediation:
+    summary: >-
+      Replace `permit!` with an explicit attribute list, drop privileged symbols from `permit`, and route updates through vetted strong-parameter helpers instead of raw `params`.

package/rules/ruby/ruby.security.sensitive-data-egress.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.security.sensitive-data-egress
+  title: Avoid relaying request-controlled data through outbound Ruby HTTP clients
+  summary: >-
+    Outbound HTTP helpers should not receive URLs or bodies directly from `params` or other tainted sources without validation.
+  rationale: >-
+    User-controlled egress enables SSRF, data exfiltration, and token theft when combined with open HTTP clients.
+  tags:
+    - security
+    - ruby
+    - privacy
+    - egress
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: security.sensitive-data-egress
+    bind: issue
+emit:
+  finding:
+    category: security.privacy
+    severity: high
+    confidence: 0.8
+    tags:
+      - security
+      - ruby
+      - privacy
+  message:
+    title: Validate outbound HTTP data in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` forwards tainted values into an outbound HTTP client."
+  remediation:
+    summary: >-
+      Allowlist hosts, strip secrets from outbound payloads, and route external calls through audited integration points.

package/rules/ruby/ruby.security.sidekiq-web-unauthenticated-mount.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.security.sidekiq-web-unauthenticated-mount
+  title: Protect Sidekiq::Web mounts with authentication
+  summary: >-
+    Sidekiq Web must not be exposed on public routes without an authentication or network guard.
+  rationale: >-
+    Unauthenticated Sidekiq Web consoles expose queues and often lead to remote code execution via job replay or configuration changes.
+  tags:
+    - security
+    - ruby
+    - rails
+    - sidekiq
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.security.sidekiq-web-unauthenticated-mount
+    bind: issue
+emit:
+  finding:
+    category: security.authorization
+    severity: high
+    confidence: 0.8
+    tags:
+      - security
+      - ruby
+      - sidekiq
+  message:
+    title: Authenticate Sidekiq Web before `${captures.issue.text}`
+    summary: "`${captures.issue.text}` mounts the Sidekiq console without a visible authentication or constraint guard."
+  remediation:
+    summary: >-
+      Wrap mounts in `authenticate`, add route constraints, use basic auth or VPN-only routing, and keep consoles off public networks.

package/rules/ruby/ruby.testing.focused-example.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.testing.focused-example
+  title: Remove focused RSpec examples before merge
+  summary: fit and fdescribe skip the rest of the suite and should not ship.
+  rationale: Focused examples hide failures in sibling specs.
+  tags:
+    - testing
+    - ruby
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+match:
+  fact:
+    kind: ruby.testing.focused-example
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.85
+    tags:
+      - testing
+      - ruby
+  message:
+    title: Remove focused RSpec call `${captures.issue.text}`
+    summary: "`${captures.issue.text}` runs only the focused block and skips other examples."
+  remediation:
+    summary: Delete `fit` / `fdescribe` usage and rely on the full spec suite in CI.

package/rules/ruby/ruby.testing.pending-without-ticket-reference.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.testing.pending-without-ticket-reference
+  title: pending examples should cite a ticket
+  summary: pending without a tracker reference is easy to forget.
+  rationale: Pending specs should carry reviewable intent like skips elsewhere.
+  tags:
+    - testing
+    - ruby
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+match:
+  fact:
+    kind: ruby.testing.pending-without-ticket-reference
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: low
+    confidence: 0.6
+    tags:
+      - testing
+      - ruby
+  message:
+    title: Add a ticket reference to `${captures.issue.text}`
+    summary: "`pending` is used without an adjacent issue key or accepted suppression comment."
+  remediation:
+    summary: Link pending work to a tracker id or convert to a skip with reason.

package/rules/ruby/ruby.testing.real-network-in-unit-test.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.testing.real-network-in-unit-test
+  title: Avoid live HTTP clients in Ruby unit tests
+  summary: Net::HTTP, Faraday, or HTTParty usage in specs should be doubled or recorded.
+  rationale: Live HTTP couples CI to the network.
+  tags:
+    - testing
+    - ruby
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+match:
+  fact:
+    kind: ruby.testing.real-network-in-unit-test
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.64
+    tags:
+      - testing
+      - ruby
+  message:
+    title: Stub outbound HTTP in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` references a live HTTP client inside a spec-like path."
+  remediation:
+    summary: Use WebMock/VCR or dependency-injected doubles instead of live calls.