npm - @critiq/rules - Versions diffs - 0.0.2 → 0.1.0 - Mend

@critiq/rules 0.0.2 → 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (203) hide show

package/rules/ruby/ruby.testing.skip-without-ticket-reference.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.testing.skip-without-ticket-reference
+  title: RSpec skip should cite a ticket
+  summary: skip(...) without a nearby tracker reference is hard to triage.
+  rationale: Skips without traceability tend to linger.
+  tags:
+    - testing
+    - ruby
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+match:
+  fact:
+    kind: ruby.testing.skip-without-ticket-reference
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.66
+    tags:
+      - testing
+      - ruby
+  message:
+    title: Add a ticket reference to `${captures.issue.text}`
+    summary: "`skip` is used without an adjacent issue key or accepted suppression comment."
+  remediation:
+    summary: Link the skip to a tracker id or document the temporary bypass with an owner.

package/rules/ruby/ruby.testing.sleep-in-unit-test.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.testing.sleep-in-unit-test
+  title: Avoid sleep in Ruby unit tests
+  summary: sleep in specs slows CI and hides synchronization bugs.
+  rationale: Prefer deterministic waits or travel_to style time helpers.
+  tags:
+    - testing
+    - ruby
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+match:
+  fact:
+    kind: ruby.testing.sleep-in-unit-test
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: low
+    confidence: 0.58
+    tags:
+      - testing
+      - ruby
+  message:
+    title: Replace `sleep` in specs
+    summary: "`${captures.issue.text}` blocks on real wall-clock time inside a spec-like path."
+  remediation:
+    summary: Use event-driven waits, shorten delays, or move timing coverage to integration suites.

package/rules/rust/rust.performance.no-regex-construction-in-loop.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.performance.no-regex-construction-in-loop
+  title: Avoid no regex construction in loop
+  summary: Performance hygiene signal for rust sources.
+  rationale: Performance hygiene signal for rust sources.
+  tags:
+    - performance
+    - rust
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+match:
+  fact:
+    kind: rust.performance.no-regex-construction-in-loop
+    bind: issue
+emit:
+  finding:
+    category: performance.allocation
+    severity: medium
+    confidence: 0.66
+    tags:
+      - performance
+      - rust
+  message:
+    title: Avoid no regex construction in loop in `rust` code
+    summary: "`${captures.issue.text}` matches rust.performance.no-regex-construction-in-loop."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.

package/rules/rust/rust.performance.no-sync-fs-in-request-path.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.performance.no-sync-fs-in-request-path
+  title: Avoid no sync fs in request path
+  summary: Performance hygiene signal for rust sources.
+  rationale: Performance hygiene signal for rust sources.
+  tags:
+    - performance
+    - rust
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+match:
+  fact:
+    kind: rust.performance.no-sync-fs-in-request-path
+    bind: issue
+emit:
+  finding:
+    category: performance.io
+    severity: high
+    confidence: 0.66
+    tags:
+      - performance
+      - rust
+  message:
+    title: Avoid no sync fs in request path in `rust` code
+    summary: "`${captures.issue.text}` matches rust.performance.no-sync-fs-in-request-path."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.

package/rules/rust/rust.performance.no-unbounded-concurrency.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.performance.no-unbounded-concurrency
+  title: Avoid no unbounded concurrency
+  summary: Performance hygiene signal for rust sources.
+  rationale: Performance hygiene signal for rust sources.
+  tags:
+    - performance
+    - rust
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+match:
+  fact:
+    kind: rust.performance.no-unbounded-concurrency
+    bind: issue
+emit:
+  finding:
+    category: performance.async
+    severity: medium
+    confidence: 0.66
+    tags:
+      - performance
+      - rust
+  message:
+    title: Avoid no unbounded concurrency in `rust` code
+    summary: "`${captures.issue.text}` matches rust.performance.no-unbounded-concurrency."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.

package/rules/rust/rust.security.actix-wildcard-cors-with-credentials.rule.yaml ADDED Viewed

@@ -0,0 +1,47 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.actix-wildcard-cors-with-credentials
+  title: Avoid Actix any-origin CORS with credentials enabled
+  summary: >-
+    `actix_cors` configurations must not combine `allow_any_origin` with `supports_credentials`.
+  rationale: >-
+    Wildcard origins with credentials violate browser CORS expectations and usually indicate a missing explicit origin allowlist.
+  tags:
+    - security
+    - rust
+    - actix
+    - cors
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.actix-wildcard-cors-with-credentials
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.84
+    tags:
+      - security
+      - rust
+      - actix
+      - cors
+  message:
+    title: Replace wildcard Actix CORS with explicit origins in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` enables credentials on an any-origin CORS policy."
+  remediation:
+    summary: >-
+      Use `allowed_origin` with explicit HTTPS origins, or disable credentials when anonymous public access is intended.

package/rules/rust/rust.security.axum-body-limit-disabled.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.axum-body-limit-disabled
+  title: Do not disable Axum default body limits for untrusted uploads
+  summary: >-
+    Axum apps should keep a finite `DefaultBodyLimit` (or equivalent) so request bodies cannot exhaust memory.
+  rationale: >-
+    `DefaultBodyLimit::disable()` removes the framework guardrail against huge bodies and is unsafe on routes that accept untrusted input.
+  tags:
+    - security
+    - rust
+    - axum
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.axum-body-limit-disabled
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.86
+    tags:
+      - security
+      - rust
+      - axum
+  message:
+    title: Restore a body size limit instead of `${captures.issue.text}`
+    summary: "`${captures.issue.text}` disables Axum body limits; prefer `DefaultBodyLimit::max(...)` or a reverse-proxy limit."
+  remediation:
+    summary: >-
+      Set an explicit max body size with `DefaultBodyLimit::max`, add `tower_http::limit::RequestBodyLimitLayer`, or enforce limits at your edge proxy before accepting large uploads.

package/rules/rust/rust.security.axum-insecure-cors-with-credentials.rule.yaml ADDED Viewed

@@ -0,0 +1,47 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.axum-insecure-cors-with-credentials
+  title: Avoid permissive tower-http CORS with credentials in Axum
+  summary: >-
+    Do not pair wildcard or `very_permissive` origin policies with credentialed CORS or private-network access in `tower-http`.
+  rationale: >-
+    Browsers treat credentialed CORS as trusted cross-origin behavior; permissive origin lists undermine that contract and often hide missing explicit allowlists.
+  tags:
+    - security
+    - rust
+    - axum
+    - cors
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.axum-insecure-cors-with-credentials
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.8
+    tags:
+      - security
+      - rust
+      - axum
+      - cors
+  message:
+    title: Tighten CORS configuration around `${captures.issue.text}`
+    summary: "`${captures.issue.text}` combines permissive origins with credentialed or private-network CORS behavior."
+  remediation:
+    summary: >-
+      Prefer explicit HTTPS `AllowOrigin` lists, avoid `CorsLayer::very_permissive` with `allow_credentials(true)`, and only enable `allow_private_network` with strict origin controls.

package/rules/rust/rust.security.rocket-panic-prone-request-handler.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.rocket-panic-prone-request-handler
+  title: Avoid panicking on request-derived data in Rocket handlers
+  summary: >-
+    Rocket route handlers should not `unwrap`, `expect`, or otherwise panic on values derived from the HTTP request.
+  rationale: >-
+    Panics become hard failures and can be abused for denial-of-service or to leak error detail; prefer `Result` and typed rejections.
+  tags:
+    - security
+    - rust
+    - rocket
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.rocket-panic-prone-request-handler
+    bind: issue
+emit:
+  finding:
+    category: security.error-handling
+    severity: medium
+    confidence: 0.74
+    tags:
+      - security
+      - rust
+      - rocket
+  message:
+    title: Replace infallible unwraps in Rocket handler near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` can panic on malformed or hostile input in a Rocket request handler."
+  remediation:
+    summary: >-
+      Return `Result`, `Option`, or `status::Custom`, map errors to HTTP responses, and reserve `unwrap` for tests or statically known invariants.

package/rules/rust/rust.security.rocket-unsafe-template-output.rule.yaml ADDED Viewed

@@ -0,0 +1,47 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.rocket-unsafe-template-output
+  title: Avoid raw HTML built from Rocket route parameters
+  summary: >-
+    Do not wrap request-sourced strings in `RawHtml` (or similar) without escaping in Rocket handlers.
+  rationale: >-
+    Raw HTML bypasses Rocket's escaping defaults and is a common XSS footgun when fed from path, query, or body inputs.
+  tags:
+    - security
+    - rust
+    - rocket
+    - xss
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.rocket-unsafe-template-output
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: high
+    confidence: 0.76
+    tags:
+      - security
+      - rust
+      - rocket
+      - xss
+  message:
+    title: Escape or sanitize before `${captures.issue.text}`
+    summary: "`${captures.issue.text}` emits raw HTML from handler parameters without an obvious sanitizer."
+  remediation:
+    summary: >-
+      Prefer typed templates with auto-escaping, sanitize with a vetted HTML policy crate, or return plain text/JSON instead of `RawHtml`.

package/rules/rust/rust.security.sqlx-diesel-raw-interpolated-query.rule.yaml ADDED Viewed

@@ -0,0 +1,47 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.sqlx-diesel-raw-interpolated-query
+  title: Avoid dynamic SQL built with format! for SQLx or Diesel
+  summary: >-
+    Do not pass `format!(...)` (or equivalent string concatenation) into `sqlx::query` or `diesel::sql_query` sinks.
+  rationale: >-
+    Interpolated SQL is the primary SQL injection pattern in Rust ORMs; compile-time macros and bind parameters keep queries safe.
+  tags:
+    - security
+    - rust
+    - sqlx
+    - diesel
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.sqlx-diesel-raw-interpolated-query
+    bind: issue
+emit:
+  finding:
+    category: security.sql-injection
+    severity: high
+    confidence: 0.88
+    tags:
+      - security
+      - rust
+      - sqlx
+      - diesel
+  message:
+    title: Replace interpolated SQL at `${captures.issue.text}`
+    summary: "`${captures.issue.text}` builds SQL with `format!` instead of bound parameters or compile-time checked macros."
+  remediation:
+    summary: >-
+      Prefer `sqlx::query!` / `query_as!`, use `.bind(...)` on typed query builders, or Diesel's query DSL with bound parameters instead of raw interpolated strings.

package/rules/rust/rust.security.template-unescaped-request-value.rule.yaml ADDED Viewed

@@ -0,0 +1,47 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.template-unescaped-request-value
+  title: Sanitize request data before unescaped template output in Rust
+  summary: >-
+    Tera, Maud, and similar engines should not insert request-sourced strings into contexts or `PreEscaped`/`raw` sinks without sanitization.
+  rationale: >-
+    Template `safe`/raw sinks disable escaping; feeding path, query, form, or JSON extractors there is a direct XSS vector.
+  tags:
+    - security
+    - rust
+    - templates
+    - xss
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.template-unescaped-request-value
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: high
+    confidence: 0.74
+    tags:
+      - security
+      - rust
+      - templates
+      - xss
+  message:
+    title: Escape or sanitize before `${captures.issue.text}`
+    summary: "`${captures.issue.text}` feeds request-derived data into an unescaped template context."
+  remediation:
+    summary: >-
+      HTML-escape with a vetted policy (for example `ammonia::clean`), keep auto-escaping on, and avoid `PreEscaped`/`Markup::raw` for untrusted strings.

package/rules/rust/rust.security.warp-blocking-or-panic-in-async-handler.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.warp-blocking-or-panic-in-async-handler
+  title: Avoid blocking I/O and infallible unwraps in async Warp handlers
+  summary: >-
+    Warp filters and handlers run on the async runtime; avoid `std::fs`, `thread::sleep`, and `unwrap` on request paths without `spawn_blocking` or proper errors.
+  rationale: >-
+    Blocking the runtime reduces availability and unwraps turn parse errors into panics; both are amplified under load and hostile traffic.
+  tags:
+    - security
+    - rust
+    - warp
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.warp-blocking-or-panic-in-async-handler
+    bind: issue
+emit:
+  finding:
+    category: security.availability
+    severity: medium
+    confidence: 0.72
+    tags:
+      - security
+      - rust
+      - warp
+  message:
+    title: Refactor async Warp handler around `${captures.issue.text}`
+    summary: "`${captures.issue.text}` blocks the async executor or can panic inside a Warp async handler."
+  remediation:
+    summary: >-
+      Use `tokio::fs`, offload blocking work with `spawn_blocking`, and propagate errors with `Rejection` instead of `unwrap`.

package/rules/rust/rust.testing.ignore-without-ticket-reference.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.testing.ignore-without-ticket-reference
+  title: "Rust #[ignore] tests should cite a ticket"
+  summary: Ignored tests without a nearby tracker comment are easy to lose.
+  rationale: Ignored tests should carry reviewable intent like skips in other ecosystems.
+  tags:
+    - testing
+    - rust
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+match:
+  fact:
+    kind: rust.testing.ignore-without-ticket-reference
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.62
+    tags:
+      - testing
+      - rust
+  message:
+    title: Add a ticket comment near `${captures.issue.text}`
+    summary: "`#[ignore]` is present without a nearby issue key or accepted suppression comment."
+  remediation:
+    summary: Document the ignore with a tracker id or remove the attribute when the test is ready.

package/rules/rust/rust.testing.real-network-in-unit-test.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.testing.real-network-in-unit-test
+  title: Avoid live reqwest clients in Rust unit tests
+  summary: reqwest usage in tests should target local servers or fakes.
+  rationale: Live HTTP couples CI to the network.
+  tags:
+    - testing
+    - rust
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+match:
+  fact:
+    kind: rust.testing.real-network-in-unit-test
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.64
+    tags:
+      - testing
+      - rust
+  message:
+    title: Stub outbound HTTP in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` references `reqwest` inside a test-like path."
+  remediation:
+    summary: Use wiremock, axum test servers, or injected clients with deterministic responses.

package/rules/rust/rust.testing.thread-sleep-in-unit-test.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.testing.thread-sleep-in-unit-test
+  title: Avoid thread::sleep in Rust unit tests
+  summary: Sleeping in tests slows CI and hides synchronization bugs.
+  rationale: Prefer deterministic synchronization or tokio time advances.
+  tags:
+    - testing
+    - rust
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+match:
+  fact:
+    kind: rust.testing.thread-sleep-in-unit-test
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: low
+    confidence: 0.6
+    tags:
+      - testing
+      - rust
+  message:
+    title: Replace sleep in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` blocks on real wall-clock time inside a test-like path."
+  remediation:
+    summary: Use `tokio::time::pause`, condvars, or scoped integration tests for real delays.

package/rules/shared/security.archive-path-traversal.rule.yaml ADDED Viewed

@@ -0,0 +1,41 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: security.archive-path-traversal
+  title: Sanitize archive entry paths before writing
+  summary: Archive extraction should not write entry names directly to the filesystem.
+  rationale: Archive entries can contain traversal paths that overwrite files outside the intended extraction directory.
+  tags:
+    - security
+    - filesystem
+    - archive
+    - path-traversal
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+    - java
+    - php
+    - python
+    - ruby
+    - rust
+match:
+  fact:
+    kind: security.archive-path-traversal
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: high
+    confidence: 0.82
+    tags:
+      - security
+      - filesystem
+      - archive
+  message:
+    title: Check archive containment for `${captures.issue.text}`
+    summary: "`${captures.issue.text}` may write an archive-controlled path without a containment check."
+  remediation:
+    summary: Normalize each entry path against a trusted extraction root and reject paths that escape it.