npm - @critiq/rules - Versions diffs - 0.0.2 → 0.2.0 - Mend

@critiq/rules 0.0.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (396) hide show

package/rules/python/py.performance.no-sync-fs-in-request-path.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.performance.no-sync-fs-in-request-path
+  title: Avoid no sync fs in request path
+  summary: Performance hygiene signal for python sources.
+  rationale: Performance hygiene signal for python sources.
+  tags:
+    - performance
+    - python
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - python
+match:
+  fact:
+    kind: py.performance.no-sync-fs-in-request-path
+    bind: issue
+emit:
+  finding:
+    category: performance.io
+    severity: high
+    confidence: 0.66
+    tags:
+      - performance
+      - python
+  message:
+    title: Avoid no sync fs in request path in `python` code
+    summary: "`${captures.issue.text}` matches py.performance.no-sync-fs-in-request-path."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.

package/rules/python/py.performance.no-unbounded-concurrency.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.performance.no-unbounded-concurrency
+  title: Avoid no unbounded concurrency
+  summary: Performance hygiene signal for python sources.
+  rationale: Performance hygiene signal for python sources.
+  tags:
+    - performance
+    - python
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - python
+match:
+  fact:
+    kind: py.performance.no-unbounded-concurrency
+    bind: issue
+emit:
+  finding:
+    category: performance.async
+    severity: medium
+    confidence: 0.66
+    tags:
+      - performance
+      - python
+  message:
+    title: Avoid no unbounded concurrency in `python` code
+    summary: "`${captures.issue.text}` matches py.performance.no-unbounded-concurrency."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.

package/rules/python/py.security.bind-all-interfaces.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.bind-all-interfaces
+  title: Avoid binding Python services to all interfaces
+  summary: Python network services should avoid explicit binds to `0.0.0.0` or `::` unless public exposure is intentional and controlled.
+  rationale: Binding every interface can unintentionally expose internal services beyond expected trust boundaries.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-668
+      title: Exposure of Resource to Wrong Sphere
+    - kind: url
+      title: CWE-668 Exposure of Resource to Wrong Sphere
+      url: https://cwe.mitre.org/data/definitions/668.html
+  tags:
+    - security
+    - python
+    - network
+    - exposure
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.bind-all-interfaces
+    bind: issue
+emit:
+  finding:
+    category: security.network
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - python
+      - network
+      - exposure
+  message:
+    title: Restrict interface bind in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` binds a service to all network interfaces."
+  remediation:
+    summary: Prefer loopback or an explicit interface bind unless broad exposure is required and defended by network controls.

package/rules/python/py.security.debugger-import.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.debugger-import
+  title: Remove debugger imports from production code
+  summary: Production Python modules should not ship with interactive debugger imports.
+  rationale: Debugger modules can expose introspection hooks and halt execution paths in deployed environments.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-209
+      title: Generation of Error Message Containing Sensitive Information
+    - kind: owasp
+      title: Error Handling Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
+  tags:
+    - security
+    - python
+    - debugging
+    - hardening
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.debugger-import
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.86
+    tags:
+      - security
+      - python
+      - debugging
+      - hardening
+  message:
+    title: Remove debugger import `${captures.issue.text}`
+    summary: "`${captures.issue.text}` imports a debugger module in runtime code."
+  remediation:
+    summary: Remove debugger imports from committed runtime modules and gate debugging tools to local-only workflows.

package/rules/python/py.security.django-csrf-exempt-state-changing.rule.yaml ADDED Viewed

@@ -0,0 +1,59 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.django-csrf-exempt-state-changing
+  title: Avoid CSRF exemptions on state-changing Django views
+  summary: Browser-facing Django views that change state should remain CSRF-protected unless they are explicitly token-authenticated APIs.
+  rationale: >-
+    Using django.decorators.csrf.csrf_exempt removes CSRF defenses for session-backed browsers,
+    enabling cross-site request forgery against unsafe methods.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-352
+      title: Cross-Site Request Forgery (CSRF)
+    - kind: owasp
+      title: Cross-Site Request Forgery Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Django deployment checklist
+      url: https://docs.djangoproject.com/en/stable/howto/deployment/checklist/
+  tags:
+    - security
+    - python
+    - django
+    - csrf
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.django-csrf-exempt-state-changing
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: high
+    confidence: 0.82
+    tags:
+      - security
+      - django
+      - csrf
+  message:
+    title: Review CSRF exemption `${captures.issue.text}`
+    summary: "`${captures.issue.text}` is applied near code that handles POST/PUT/PATCH/DELETE or `request.POST`, which is risky for browser sessions."
+  remediation:
+    summary: Remove `@csrf_exempt`, enforce CSRF tokens for browser views, or constrain the endpoint to non-session authentication with explicit CSRF policy.

package/rules/python/py.security.django-format-html-unsafe.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.django-format-html-unsafe
+  title: Review dynamic interpolation in Django format_html
+  summary: Django `format_html` calls with placeholder templates and dynamic arguments should be reviewed for unsafe output composition.
+  rationale: Unsafe interpolation patterns can still produce dangerous HTML when trusted and untrusted fragments are mixed incorrectly.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Django deployment checklist
+      url: https://docs.djangoproject.com/en/stable/howto/deployment/checklist/
+  tags:
+    - security
+    - python
+    - django
+    - xss
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+match:
+  fact:
+    kind: python.security.django-format-html-unsafe
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: high
+    confidence: 0.8
+    tags:
+      - security
+      - django
+      - xss
+  message:
+    title: Audit Django HTML interpolation `${captures.issue.text}`
+    summary: "`${captures.issue.text}` interpolates dynamic values into `format_html`; confirm values are safe for the rendered context."
+  remediation:
+    summary: Keep templates static, ensure interpolated values are trusted for the target context, and avoid assembling HTML from user-controlled fragments.

package/rules/python/py.security.django-mark-safe.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.django-mark-safe
+  title: Avoid Django mark_safe for dynamic content
+  summary: "Django responses should avoid `mark_safe` when content can include untrusted input."
+  rationale: "`mark_safe` bypasses Django escaping and can introduce cross-site scripting when values are not strictly trusted."
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Django deployment checklist
+      url: https://docs.djangoproject.com/en/stable/howto/deployment/checklist/
+  tags:
+    - security
+    - python
+    - django
+    - xss
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+match:
+  fact:
+    kind: python.security.django-mark-safe
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: high
+    confidence: 0.88
+    tags:
+      - security
+      - django
+      - xss
+  message:
+    title: Remove unsafe HTML trust `${captures.issue.text}`
+    summary: "`${captures.issue.text}` bypasses escaping and can expose XSS when rendered with variable data."
+  remediation:
+    summary: "Prefer Django auto-escaping or sanitize untrusted values before rendering instead of forcing trust with `mark_safe`."

package/rules/python/py.security.django-missing-csrf-middleware.rule.yaml ADDED Viewed

@@ -0,0 +1,60 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.django-missing-csrf-middleware
+  title: Enable Django CSRF middleware for browser apps
+  summary: Django projects using cookie-backed sessions should include `CsrfViewMiddleware` in `MIDDLEWARE`.
+  rationale: Without CSRF middleware, Django cannot enforce CSRF tokens on unsafe HTTP methods for browser clients.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-352
+      title: Cross-Site Request Forgery (CSRF)
+    - kind: owasp
+      title: Cross-Site Request Forgery Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Django deployment checklist
+      url: https://docs.djangoproject.com/en/stable/howto/deployment/checklist/
+  tags:
+    - security
+    - python
+    - django
+    - csrf
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/settings/**/*.py"
+      - "**/*settings*.py"
+    exclude:
+      - "**/settings/local.py"
+      - "**/settings/dev.py"
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.django-missing-csrf-middleware
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.78
+    tags:
+      - security
+      - django
+      - csrf
+  message:
+    title: Add CSRF middleware to Django `${captures.issue.text}`
+    summary: "`MIDDLEWARE` is declared without `django.middleware.csrf.CsrfViewMiddleware`, which disables framework CSRF checks."
+  remediation:
+    summary: Insert `django.middleware.csrf.CsrfViewMiddleware` into `MIDDLEWARE` according to the Django deployment checklist ordering guidance.

package/rules/python/py.security.django-security-middleware-missing.rule.yaml ADDED Viewed

@@ -0,0 +1,60 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.django-security-middleware-missing
+  title: Include Django SecurityMiddleware in middleware stack
+  summary: Django settings should include `django.middleware.security.SecurityMiddleware` in `MIDDLEWARE`.
+  rationale: Missing SecurityMiddleware can disable key hardening controls such as transport, header, and redirect protections.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: Django deployment checklist
+      url: https://docs.djangoproject.com/en/stable/howto/deployment/checklist/
+  tags:
+    - security
+    - python
+    - django
+    - configuration
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/settings/**/*.py"
+      - "**/*settings*.py"
+    exclude:
+      - "**/settings/local.py"
+      - "**/settings/dev.py"
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.django-security-middleware-missing
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - django
+      - configuration
+  message:
+    title: Add Django SecurityMiddleware near `${captures.issue.text}`
+    summary: "`MIDDLEWARE` is declared without `django.middleware.security.SecurityMiddleware`."
+  remediation:
+    summary: Add `django.middleware.security.SecurityMiddleware` to `MIDDLEWARE` following Django ordering guidance.

package/rules/python/py.security.django-unsafe-production-settings.rule.yaml ADDED Viewed

@@ -0,0 +1,60 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.django-unsafe-production-settings
+  title: Avoid unsafe Django production settings
+  summary: Production Django settings should disable debug mode, restrict hosts, protect secrets, and enable HTTPS-aligned cookie flags.
+  rationale: Misconfigured Django defaults expose debug traces, enable host header attacks, leak secrets, and weaken cookie transport protections.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: Django deployment checklist
+      url: https://docs.djangoproject.com/en/stable/howto/deployment/checklist/
+  tags:
+    - security
+    - python
+    - django
+    - configuration
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/settings/**/*.py"
+      - "**/*settings*.py"
+    exclude:
+      - "**/settings/local.py"
+      - "**/settings/dev.py"
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.django-unsafe-production-settings
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.88
+    tags:
+      - security
+      - django
+      - configuration
+  message:
+    title: Fix risky Django setting `${captures.issue.text}`
+    summary: "`${captures.issue.text}` weakens production security posture for Django deployment."
+  remediation:
+    summary: Align settings with your deployment checklist—disable DEBUG, pin ALLOWED_HOSTS, load secrets from the environment, and enable secure cookie and HTTPS flags.

package/rules/python/py.security.drf-allow-any-default.rule.yaml ADDED Viewed

@@ -0,0 +1,59 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.drf-allow-any-default
+  title: Avoid AllowAny as DRF default permission
+  summary: Django REST Framework APIs should default to authenticated permission classes instead of `AllowAny`.
+  rationale: Default `AllowAny` exposes mutation-heavy APIs unless every view overrides permissions explicitly.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-862
+      title: Missing Authorization
+    - kind: owasp
+      title: Authorization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
+    - kind: url
+      title: Django deployment checklist
+      url: https://docs.djangoproject.com/en/stable/howto/deployment/checklist/
+  tags:
+    - security
+    - python
+    - django
+    - drf
+    - authorization
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.drf-allow-any-default
+    bind: issue
+emit:
+  finding:
+    category: security.authorization
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - django
+      - drf
+      - authorization
+  message:
+    title: Replace permissive DRF defaults `${captures.issue.text}`
+    summary: "`REST_FRAMEWORK` enables `AllowAny` via `DEFAULT_PERMISSION_CLASSES`, which is unsafe for default API posture."
+  remediation:
+    summary: Prefer `IsAuthenticated` or another restrictive default, then opt-in public access only where documented.

package/rules/python/py.security.drf-allow-any-unsafe-method.rule.yaml ADDED Viewed

@@ -0,0 +1,59 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.drf-allow-any-unsafe-method
+  title: Avoid AllowAny on unsafe DRF methods
+  summary: DRF views that accept POST, PUT, PATCH, or DELETE should not declare `AllowAny` unless the endpoint is intentionally public.
+  rationale: Open unsafe methods allow unauthenticated clients to mutate data and violate least-privilege API access.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-862
+      title: Missing Authorization
+    - kind: owasp
+      title: Authorization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
+    - kind: url
+      title: Django deployment checklist
+      url: https://docs.djangoproject.com/en/stable/howto/deployment/checklist/
+  tags:
+    - security
+    - python
+    - django
+    - drf
+    - authorization
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.drf-allow-any-unsafe-method
+    bind: issue
+emit:
+  finding:
+    category: security.authorization
+    severity: high
+    confidence: 0.8
+    tags:
+      - security
+      - django
+      - drf
+      - authorization
+  message:
+    title: Tighten permissions around `${captures.issue.text}`
+    summary: "`${captures.issue.text}` combines `AllowAny` with an unsafe HTTP method declaration."
+  remediation:
+    summary: Require authentication or scoped permissions for unsafe verbs unless the handler is explicitly public and documented.