npm - @critiq/rules - Versions diffs - 0.0.2 → 0.2.0 - Mend

@critiq/rules 0.0.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (396) hide show

package/rules/python/py.security.dynamic-code-execution.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.dynamic-code-execution
+  title: Avoid dynamic code execution with eval or exec
+  summary: Python services should not execute runtime-generated code via `eval` or `exec`.
+  rationale: Dynamic code execution turns untrusted data into executable behavior and expands code-injection risk.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-94
+      title: Improper Control of Generation of Code
+    - kind: owasp
+      title: Code Injection
+      url: https://owasp.org/www-community/attacks/Code_Injection
+  tags:
+    - security
+    - python
+    - execution
+    - injection
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.dynamic-code-execution
+    bind: issue
+emit:
+  finding:
+    category: security.execution
+    severity: high
+    confidence: 0.95
+    tags:
+      - security
+      - python
+      - execution
+      - injection
+  message:
+    title: Avoid dynamic execution in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` executes code dynamically with `eval` or `exec`."
+  remediation:
+    summary: Replace dynamic execution with explicit parsing, allowlisted operations, or fixed function dispatch tables.

package/rules/python/py.security.fastapi-insecure-cors.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.fastapi-insecure-cors
+  title: Avoid permissive FastAPI CORS with credentials
+  summary: FastAPI `CORSMiddleware` should not combine wildcard origins, methods, or headers with `allow_credentials=True`.
+  rationale: Wildcard CORS policies plus credentials mirror insecure browser CORS combinations that attackers can abuse from malicious origins.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-942
+      title: Permissive Cross-domain Policy with Untrusted Domains
+    - kind: owasp
+      title: Cross-Origin Resource Sharing (CORS)
+      url: https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
+    - kind: url
+      title: FastAPI security
+      url: https://fastapi.tiangolo.com/tutorial/security/
+  tags:
+    - security
+    - python
+    - fastapi
+    - cors
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+match:
+  fact:
+    kind: python.security.fastapi-insecure-cors
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.87
+    tags:
+      - security
+      - fastapi
+      - cors
+  message:
+    title: Tighten FastAPI CORS `${captures.issue.text}`
+    summary: "`${captures.issue.text}` configures `CORSMiddleware` with wildcards while credentials are enabled."
+  remediation:
+    summary: Replace wildcard origins, methods, and headers with explicit allowlists when credentials are required.

package/rules/python/py.security.flask-debug-enabled.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.flask-debug-enabled
+  title: Disable Flask debug mode in runtime configuration
+  summary: Flask applications should not enable debug mode through `app.run`, config assignment, or `FLASK_DEBUG`.
+  rationale: Debug mode can expose interactive tracebacks and internal application state to external users.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-209
+      title: Generation of Error Message Containing Sensitive Information
+    - kind: owasp
+      title: Error Handling Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
+    - kind: url
+      title: Flask security considerations
+      url: https://flask.palletsprojects.com/en/stable/security/
+  tags:
+    - security
+    - python
+    - flask
+    - configuration
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+match:
+  fact:
+    kind: python.security.flask-debug-enabled
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - flask
+      - configuration
+  message:
+    title: Disable Flask debug setting `${captures.issue.text}`
+    summary: "`${captures.issue.text}` enables Flask debug behavior that should remain off outside local development."
+  remediation:
+    summary: Remove debug flags from runtime code and environment assignments, then gate development-only behavior behind safe configuration.

package/rules/python/py.security.flask-missing-upload-body-limit.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.flask-missing-upload-body-limit
+  title: Set Flask MAX_CONTENT_LENGTH for uploads
+  summary: Flask apps handling uploads should configure `MAX_CONTENT_LENGTH` to bound request bodies.
+  rationale: Missing upload limits enables trivial denial-of-service via oversized multipart payloads.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+    - kind: url
+      title: Flask security considerations
+      url: https://flask.palletsprojects.com/en/stable/security/
+  tags:
+    - security
+    - python
+    - flask
+    - upload
+    - dos
+    - rules-catalog
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+match:
+  fact:
+    kind: python.security.flask-missing-upload-body-limit
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: medium
+    confidence: 0.72
+    tags:
+      - security
+      - flask
+      - upload
+  message:
+    title: Add upload size limits near `${captures.issue.text}`
+    summary: "Upload handling references `${captures.issue.text}` but no `MAX_CONTENT_LENGTH` configuration was detected in this file."
+  remediation:
+    summary: Set `app.config["MAX_CONTENT_LENGTH"]` (or equivalent) to a bounded maximum aligned with product limits.

package/rules/python/py.security.flask-unsafe-html-output.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.flask-unsafe-html-output
+  title: Avoid Flask markup helpers fed by request data
+  summary: Flask responses should not bypass escaping when interpolating `request` input into HTML helpers or template strings.
+  rationale: >-
+    Markup helpers, render_template_string, and Jinja safe filters bypass escaping and commonly become XSS sinks.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Flask security considerations
+      url: https://flask.palletsprojects.com/en/stable/security/
+  tags:
+    - security
+    - python
+    - flask
+    - xss
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+match:
+  fact:
+    kind: python.security.flask-unsafe-html-output
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: high
+    confidence: 0.86
+    tags:
+      - security
+      - flask
+      - xss
+  message:
+    title: Remove unsafe HTML composition `${captures.issue.text}`
+    summary: "`${captures.issue.text}` mixes request-controlled values with markup helpers or unescaped template paths."
+  remediation:
+    summary: Use automatic escaping, `render_template` with trusted contexts, or a vetted sanitizer instead of raw markup shortcuts.

package/rules/python/py.security.flask-unsafe-upload-filename.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.flask-unsafe-upload-filename
+  title: Sanitize Flask upload filenames before saving
+  summary: Flask upload handlers should pass filenames through `secure_filename` (or equivalent) before persisting to disk.
+  rationale: Attacker-controlled filenames enable traversal sequences, extension spoofing, and collisions when saved verbatim.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+    - kind: url
+      title: Flask security considerations
+      url: https://flask.palletsprojects.com/en/stable/security/
+  tags:
+    - security
+    - python
+    - flask
+    - filesystem
+    - upload
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+match:
+  fact:
+    kind: python.security.flask-unsafe-upload-filename
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - flask
+      - upload
+  message:
+    title: Harden upload save `${captures.issue.text}`
+    summary: "`${captures.issue.text}` persists uploads using an unsanitized client-provided filename."
+  remediation:
+    summary: Generate trusted server-side names or wrap uploads with `werkzeug.utils.secure_filename` before calling `save`.

package/rules/python/py.security.insecure-temp-file.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.insecure-temp-file
+  title: Avoid insecure temporary file name helpers
+  summary: Python temporary files should not use `mktemp` or `tempnam` helpers that create race-prone filenames.
+  rationale: Predictable temporary filenames can enable symlink races and unauthorized file access before creation.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+  tags:
+    - security
+    - python
+    - filesystem
+    - tempfile
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.insecure-temp-file
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: medium
+    confidence: 0.92
+    tags:
+      - security
+      - python
+      - filesystem
+      - tempfile
+  message:
+    title: Replace insecure temp helper `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses an insecure temporary filename API."
+  remediation:
+    summary: Use `tempfile.NamedTemporaryFile` or `tempfile.mkstemp` to create secure files atomically.

package/rules/python/py.security.insecure-yaml-load.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.insecure-yaml-load
+  title: Use SafeLoader with yaml.load
+  summary: Python YAML parsing should use `SafeLoader` when calling `yaml.load`.
+  rationale: Unsafe YAML deserialization can instantiate arbitrary Python objects and lead to unexpected code paths.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-502
+      title: Deserialization of Untrusted Data
+    - kind: owasp
+      title: Deserialization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
+  tags:
+    - security
+    - python
+    - yaml
+    - deserialization
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.insecure-yaml-load
+    bind: issue
+emit:
+  finding:
+    category: security.input-validation
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - python
+      - yaml
+      - deserialization
+  message:
+    title: Use a safe YAML loader in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` calls `yaml.load` without a safe loader."
+  remediation:
+    summary: Prefer `yaml.safe_load` or pass `Loader=yaml.SafeLoader` explicitly for trusted-safe parsing behavior.

package/rules/python/py.security.jinja-autoescape-disabled.rule.yaml ADDED Viewed

@@ -0,0 +1,58 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.jinja-autoescape-disabled
+  title: Avoid disabling Jinja autoescape
+  summary: Jinja2 environments should keep autoescaping enabled for HTML rendering contexts.
+  rationale: Disabling autoescape can allow untrusted template data to render as executable markup in browser clients.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Flask security considerations
+      url: https://flask.palletsprojects.com/en/stable/security/
+  tags:
+    - security
+    - python
+    - jinja
+    - xss
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.jinja-autoescape-disabled
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - python
+      - jinja
+      - xss
+  message:
+    title: Enable Jinja autoescape in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` configures a Jinja environment with `autoescape=False`."
+  remediation:
+    summary: Keep `autoescape` enabled for HTML templates and isolate trusted non-HTML rendering pipelines explicitly.

package/rules/python/py.security.subprocess-shell-enabled.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.subprocess-shell-enabled
+  title: Avoid enabling shell mode in subprocess calls
+  summary: Python process execution should avoid `shell=True` unless shell interpretation is explicitly required and tightly controlled.
+  rationale: Shell-enabled process execution introduces command parsing behavior that increases injection and execution risk.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-78
+      title: OS Command Injection
+    - kind: owasp
+      title: OS Command Injection Defense Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
+  tags:
+    - security
+    - python
+    - subprocess
+    - execution
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.subprocess-shell-enabled
+    bind: issue
+emit:
+  finding:
+    category: security.execution
+    severity: high
+    confidence: 0.93
+    tags:
+      - security
+      - python
+      - subprocess
+      - execution
+  message:
+    title: Review shell-enabled process call `${captures.issue.text}`
+    summary: "`${captures.issue.text}` enables shell interpretation via `shell=True`."
+  remediation:
+    summary: Use argument-list execution with `shell=False` by default, and only allow fixed commands when shell mode is unavoidable.

package/rules/python/py.testing.pytest-skip-without-ticket-reference.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.testing.pytest-skip-without-ticket-reference
+  title: pytest.mark.skip should include a reason or ticket
+  summary: Skips without `reason=` or a nearby tracker reference are hard to triage.
+  rationale: Silent pytest skips accumulate unless they carry reviewable intent.
+  tags:
+    - testing
+    - python
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - python
+match:
+  fact:
+    kind: py.testing.pytest-skip-without-ticket-reference
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.68
+    tags:
+      - testing
+      - python
+  message:
+    title: Document `@pytest.mark.skip` with reason or ticket
+    summary: "`${captures.issue.text}` marks a skip without `reason=` and without a nearby issue reference."
+  remediation:
+    summary: Add `reason=` with a tracker id or move the skip behind a feature flag with expiry notes.

package/rules/python/py.testing.real-network-in-unit-test.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.testing.real-network-in-unit-test
+  title: Avoid live HTTP clients in Python unit tests
+  summary: requests/httpx/urllib calls in unit tests should be doubled or recorded.
+  rationale: Live HTTP couples CI to the network and slows feedback.
+  tags:
+    - testing
+    - python
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - python
+match:
+  fact:
+    kind: py.testing.real-network-in-unit-test
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.66
+    tags:
+      - testing
+      - python
+  message:
+    title: Mock outbound HTTP in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` performs a live HTTP style call inside a test module."
+  remediation:
+    summary: Use responses/httpretty/pytest-httpserver or dependency-injected clients with fakes.

package/rules/python/py.testing.time-sleep-in-unit-test.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.testing.time-sleep-in-unit-test
+  title: Avoid time.sleep in Python unit tests
+  summary: Sleeping in tests slows suites and hides synchronization bugs.
+  rationale: Prefer deterministic waits, polling helpers, or clock fakes.
+  tags:
+    - testing
+    - python
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - python
+match:
+  fact:
+    kind: py.testing.time-sleep-in-unit-test
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: low
+    confidence: 0.6
+    tags:
+      - testing
+      - python
+  message:
+    title: Replace `time.sleep` in unit tests
+    summary: "`${captures.issue.text}` blocks on real wall-clock time inside a test module."
+  remediation:
+    summary: Inject a clock, shorten waits, or move timing-sensitive coverage to integration tests.