npm - @critiq/rules - Versions diffs - 0.0.2 → 0.2.0 - Mend

@critiq/rules 0.0.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (396) hide show

package/rules/php/php.security.symfony-debug-exposure.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.symfony-debug-exposure
+  title: Disable Symfony debug and profiler in production-like configs
+  summary: >-
+    Production-like Symfony configuration should not enable debug mode or web profiler surfaces.
+  rationale: >-
+    Debug and profiler exposure can leak internals, stack traces, secrets, and request details.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-209
+      title: Generation of Error Message Containing Sensitive Information
+    - kind: owasp
+      title: Error Handling Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
+    - kind: url
+      title: Symfony security
+      url: https://symfony.com/doc/current/security.html
+  tags:
+    - security
+    - php
+    - symfony
+    - debug
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+      - "**/.env"
+      - "**/.env.*"
+match:
+  fact:
+    kind: php.security.symfony-debug-exposure
+    bind: issue
+emit:
+  finding:
+    category: security.information-leakage
+    severity: high
+    confidence: 0.88
+    tags:
+      - security
+      - php
+      - symfony
+  message:
+    title: Disable debug exposure in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` enables Symfony debug or profiler behavior in a production-like surface."
+  remediation:
+    summary: >-
+      Keep `APP_DEBUG=0` in production and disable profiler bundles/toolbars outside local dev/test environments.

package/rules/php/php.security.unsafe-file-upload-handling.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.unsafe-file-upload-handling
+  title: Validate uploaded filenames and content before storing files
+  summary: >-
+    PHP upload handlers should not persist raw `$_FILES` names without validation and normalization.
+  rationale: >-
+    Unsafely handled uploads can enable path traversal, executable file placement, and malicious payload storage.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+  tags:
+    - security
+    - php
+    - file-upload
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.unsafe-file-upload-handling
+    bind: issue
+emit:
+  finding:
+    category: security.input-validation
+    severity: high
+    confidence: 0.86
+    tags:
+      - security
+      - php
+      - file-upload
+  message:
+    title: Harden upload handling in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` stores uploaded files without strong filename/content validation."
+  remediation:
+    summary: >-
+      Normalize filenames, enforce extension and MIME allowlists, and route uploads through dedicated validated storage helpers.

package/rules/php/php.security.unsafe-include-with-user-input.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.unsafe-include-with-user-input
+  title: Avoid include/require with user-controlled paths
+  summary: >-
+    Include and require statements must not load files from request-derived or tainted path values.
+  rationale: >-
+    User-controlled includes can load attacker-chosen PHP and lead to remote code execution.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
+  tags:
+    - security
+    - php
+    - inclusion
+    - injection
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.unsafe-include-with-user-input
+    bind: issue
+emit:
+  finding:
+    category: security.injection
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - php
+      - inclusion
+  message:
+    title: Harden include path in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` includes or requires a path influenced by untrusted input."
+  remediation:
+    summary: >-
+      Map user input to an allowlisted template name and include only fixed, reviewed file paths.

package/rules/php/php.security.weak-cipher.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.weak-cipher
+  title: Avoid weak PHP cipher algorithms
+  summary: >-
+    OpenSSL and mcrypt usage should not rely on DES, RC4, Blowfish, ECB mode, or legacy mcrypt APIs.
+  rationale: >-
+    Weak ciphers and modes are vulnerable to practical cryptanalysis and do not meet modern confidentiality standards.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - php
+    - crypto
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.weak-cipher
+    bind: issue
+emit:
+  finding:
+    category: security.weak-crypto
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - php
+      - crypto
+  message:
+    title: Replace weak cipher usage in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses a weak cipher algorithm or mode."
+  remediation:
+    summary: >-
+      Use modern authenticated encryption (for example AES-GCM) via sodium or OpenSSL with vetted algorithms and modes.

package/rules/php/php.security.wordpress-missing-nonce-or-capability.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.wordpress-missing-nonce-or-capability
+  title: Require nonce and capability checks in sensitive WordPress mutation callbacks
+  summary: >-
+    WordPress admin/AJAX mutation callbacks should verify nonce tokens and enforce capability checks.
+  rationale: >-
+    Missing nonce or authorization checks let attackers trigger privileged actions through forged or unauthorized requests.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-862
+      title: Missing Authorization
+    - kind: owasp
+      title: Authorization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
+    - kind: url
+      title: WordPress plugin security
+      url: https://developer.wordpress.org/apis/security/
+  tags:
+    - security
+    - php
+    - wordpress
+    - authorization
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.wordpress-missing-nonce-or-capability
+    bind: issue
+emit:
+  finding:
+    category: security.authorization
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - php
+      - wordpress
+  message:
+    title: Protect WordPress action `${captures.issue.text}`
+    summary: "`${captures.issue.text}` handles a mutation callback without complete nonce and capability enforcement."
+  remediation:
+    summary: >-
+      Add nonce verification (`check_ajax_referer`/`check_admin_referer`) and explicit capability checks (`current_user_can`) before performing mutations.

package/rules/php/php.security.wordpress-unprepared-sql.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.wordpress-unprepared-sql
+  title: Use `$wpdb->prepare` for dynamic WordPress SQL
+  summary: >-
+    WordPress SQL calls should not interpolate request values directly into query strings.
+  rationale: >-
+    Dynamic SQL without `$wpdb->prepare` enables injection and unauthorized data access/manipulation.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-89
+      title: SQL Injection
+    - kind: owasp
+      title: SQL Injection Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: WordPress plugin security
+      url: https://developer.wordpress.org/apis/security/
+  tags:
+    - security
+    - php
+    - wordpress
+    - sql-injection
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.wordpress-unprepared-sql
+    bind: issue
+emit:
+  finding:
+    category: security.input-validation
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - php
+      - wordpress
+  message:
+    title: Parameterize SQL near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` concatenates request data into a WordPress SQL call without `$wpdb->prepare`."
+  remediation:
+    summary: >-
+      Build SQL through `$wpdb->prepare` placeholders and sanitize scalar inputs before passing them to query execution calls.

package/rules/php/php.security.xml-external-entity.rule.yaml ADDED Viewed

@@ -0,0 +1,53 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.xml-external-entity
+  title: Harden PHP XML parsing against external entities
+  summary: >-
+    XML parsing should disable external entities and avoid LIBXML_NOENT or libxml_disable_entity_loader(false).
+  rationale: >-
+    Unsafe XML parser configuration enables XXE attacks that can leak files and reach internal services.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-611
+      title: Improper Restriction of XML External Entity Reference
+    - kind: owasp
+      title: XML External Entity (XXE) Processing
+      url: https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
+  tags:
+    - security
+    - php
+    - xml
+    - xxe
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.xml-external-entity
+    bind: issue
+emit:
+  finding:
+    category: security.injection
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - php
+      - xml
+      - xxe
+  message:
+    title: Harden XML parsing in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` parses XML without external-entity protections."
+  remediation:
+    summary: >-
+      Call libxml_disable_entity_loader(true) before parsing and pass LIBXML_NONET; never enable LIBXML_NOENT.

package/rules/php/php.testing.curl-in-unit-test.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.testing.curl-in-unit-test
+  title: Avoid raw curl calls in PHP unit tests
+  summary: curl_exec in tests should target doubles or local fixtures.
+  rationale: Live HTTP couples CI to the network.
+  tags:
+    - testing
+    - php
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - php
+match:
+  fact:
+    kind: php.testing.curl-in-unit-test
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.62
+    tags:
+      - testing
+      - php
+  message:
+    title: Stub outbound HTTP in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses curl primitives inside a test-like path."
+  remediation:
+    summary: Wrap HTTP behind an injectable client and replace curl usage with doubles in unit tests.

package/rules/php/php.testing.mark-test-skipped-without-ticket-reference.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.testing.mark-test-skipped-without-ticket-reference
+  title: markTestSkipped should cite a ticket
+  summary: Empty markTestSkipped() calls without a tracker note are hard to triage.
+  rationale: Skips should carry reviewable intent.
+  tags:
+    - testing
+    - php
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - php
+match:
+  fact:
+    kind: php.testing.mark-test-skipped-without-ticket-reference
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.64
+    tags:
+      - testing
+      - php
+  message:
+    title: Add a ticket reference to `${captures.issue.text}`
+    summary: "`markTestSkipped()` is used without arguments and without a nearby issue reference."
+  remediation:
+    summary: Pass a reason string with a tracker id or document the suppression inline.

package/rules/php/php.testing.sleep-in-unit-test.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.testing.sleep-in-unit-test
+  title: Avoid sleep in PHP unit tests
+  summary: sleep() in tests slows CI and hides synchronization bugs.
+  rationale: Prefer deterministic waits or clock injection.
+  tags:
+    - testing
+    - php
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - php
+match:
+  fact:
+    kind: php.testing.sleep-in-unit-test
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: low
+    confidence: 0.58
+    tags:
+      - testing
+      - php
+  message:
+    title: Replace `sleep` in unit tests
+    summary: "`${captures.issue.text}` blocks on real wall-clock time inside a test-like path."
+  remediation:
+    summary: Inject a clock, shorten waits, or move timing coverage to integration suites.

package/rules/python/py.correctness.assert-on-tuple.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.correctness.assert-on-tuple
+  title: Avoid tuple expression in assert
+  summary: Asserting a tuple literal-like expression is usually always truthy and can mask failing checks.
+  rationale: A non-empty tuple evaluates to true, so tuple assertions often pass even when the intended condition is false.
+  tags:
+    - correctness
+    - python
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+match:
+  fact:
+    kind: python.correctness.assert-on-tuple
+    bind: issue
+emit:
+  finding:
+    category: correctness.logic
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - python
+  message:
+    title: Fix tuple-style assert `${captures.issue.text}`
+    summary: "`${captures.issue.text}` asserts a tuple expression, which may always evaluate to truthy."
+  remediation:
+    summary: Assert a single boolean predicate or split checks into separate assert statements.

package/rules/python/py.correctness.bare-except.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.correctness.bare-except
+  title: Avoid bare except handlers
+  summary: Bare exception handlers catch all errors and hide root causes.
+  rationale: Catching every throwable without narrowing can swallow interruptions and make failures hard to diagnose.
+  tags:
+    - correctness
+    - python
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+match:
+  fact:
+    kind: python.correctness.bare-except
+    bind: issue
+emit:
+  finding:
+    category: correctness.control-flow
+    severity: high
+    confidence: 0.96
+    tags:
+      - correctness
+      - python
+  message:
+    title: Replace bare except `${captures.issue.text}`
+    summary: "`${captures.issue.text}` catches every exception type without restriction."
+  remediation:
+    summary: Catch specific expected exceptions and let unexpected failures propagate.

package/rules/python/py.correctness.broad-exception-handler.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.correctness.broad-exception-handler
+  title: Avoid overly broad exception handlers
+  summary: Catching `Exception` or `BaseException` makes error handling too broad.
+  rationale: Broad handlers hide programming errors and can interfere with expected process-level exceptions.
+  tags:
+    - correctness
+    - python
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+match:
+  fact:
+    kind: python.correctness.broad-exception-handler
+    bind: issue
+emit:
+  finding:
+    category: correctness.control-flow
+    severity: high
+    confidence: 0.95
+    tags:
+      - correctness
+      - python
+  message:
+    title: Narrow exception scope `${captures.issue.text}`
+    summary: "`${captures.issue.text}` catches a broad exception base type."
+  remediation:
+    summary: Catch only the concrete exception classes this block can recover from.

package/rules/python/py.correctness.dangerous-mutable-default.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.correctness.dangerous-mutable-default
+  title: Avoid mutable default function arguments
+  summary: Mutable defaults in function signatures retain state across calls.
+  rationale: Reusing the same list, dict, or set instance can leak data between calls and produce non-deterministic behavior.
+  tags:
+    - correctness
+    - python
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+match:
+  fact:
+    kind: python.correctness.dangerous-mutable-default
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: high
+    confidence: 0.96
+    tags:
+      - correctness
+      - python
+  message:
+    title: Replace mutable default `${captures.issue.text}`
+    summary: "`${captures.issue.text}` defines a mutable default argument that persists across invocations."
+  remediation:
+    summary: Use `None` as the default and construct a fresh mutable object inside the function.

package/rules/python/py.correctness.duplicate-dict-key.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.correctness.duplicate-dict-key
+  title: Avoid duplicate keys in dict literals
+  summary: Repeated keys in a dict literal overwrite earlier entries.
+  rationale: Silent key replacement hides bugs and can invalidate intended configuration values.
+  tags:
+    - correctness
+    - python
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+match:
+  fact:
+    kind: python.correctness.duplicate-dict-key
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - python
+  message:
+    title: Resolve duplicate dict key `${captures.issue.text}`
+    summary: "`${captures.issue.text}` appears multiple times in a single dict literal."
+  remediation:
+    summary: Keep each key unique and merge or rename entries so earlier values are not silently replaced.

package/rules/python/py.performance.no-regex-construction-in-loop.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.performance.no-regex-construction-in-loop
+  title: Avoid no regex construction in loop
+  summary: Performance hygiene signal for python sources.
+  rationale: Performance hygiene signal for python sources.
+  tags:
+    - performance
+    - python
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - python
+match:
+  fact:
+    kind: py.performance.no-regex-construction-in-loop
+    bind: issue
+emit:
+  finding:
+    category: performance.allocation
+    severity: medium
+    confidence: 0.66
+    tags:
+      - performance
+      - python
+  message:
+    title: Avoid no regex construction in loop in `python` code
+    summary: "`${captures.issue.text}` matches py.performance.no-regex-construction-in-loop."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.