npm - @critiq/rules - Versions diffs - 0.0.2 → 0.2.0 - Mend

@critiq/rules 0.0.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (396) hide show

package/rules/rust/rust.security.axum-insecure-cors-with-credentials.rule.yaml ADDED Viewed

@@ -0,0 +1,60 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.axum-insecure-cors-with-credentials
+  title: Avoid permissive tower-http CORS with credentials in Axum
+  summary: >-
+    Do not pair wildcard or `very_permissive` origin policies with credentialed CORS or private-network access in `tower-http`.
+  rationale: >-
+    Browsers treat credentialed CORS as trusted cross-origin behavior; permissive origin lists undermine that contract and often hide missing explicit allowlists.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-942
+      title: Permissive Cross-domain Policy with Untrusted Domains
+    - kind: owasp
+      title: Cross-Origin Resource Sharing (CORS)
+      url: https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
+    - kind: url
+      title: ANSSI Rust secure development guidelines
+      url: https://anssi-fr.github.io/rust-guide/01-general-principles.html
+  tags:
+    - security
+    - rust
+    - axum
+    - cors
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.axum-insecure-cors-with-credentials
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.8
+    tags:
+      - security
+      - rust
+      - axum
+      - cors
+  message:
+    title: Tighten CORS configuration around `${captures.issue.text}`
+    summary: "`${captures.issue.text}` combines permissive origins with credentialed or private-network CORS behavior."
+  remediation:
+    summary: >-
+      Prefer explicit HTTPS `AllowOrigin` lists, avoid `CorsLayer::very_permissive` with `allow_credentials(true)`, and only enable `allow_private_network` with strict origin controls.

package/rules/rust/rust.security.bind-all-interfaces.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.bind-all-interfaces
+  title: Avoid binding Rust services to all interfaces
+  summary: >-
+    Rust network services should avoid explicit binds to `0.0.0.0`, `::`, or `[::]` unless public exposure is intentional and controlled.
+  rationale: >-
+    Binding every interface can unintentionally expose internal services beyond expected trust boundaries.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-668
+      title: Exposure of Resource to Wrong Sphere
+    - kind: url
+      title: CWE-668 Exposure of Resource to Wrong Sphere
+      url: https://cwe.mitre.org/data/definitions/668.html
+  tags:
+    - security
+    - rust
+    - network
+    - exposure
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.bind-all-interfaces
+    bind: issue
+emit:
+  finding:
+    category: security.network
+    severity: medium
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - network
+      - exposure
+  message:
+    title: Restrict interface bind in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` binds a service to all network interfaces."
+  remediation:
+    summary: >-
+      Prefer loopback or an explicit interface bind unless broad exposure is required and defended by network controls.

package/rules/rust/rust.security.insecure-ssh-host-key.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.insecure-ssh-host-key
+  title: Verify SSH host keys before connecting
+  summary: >-
+    SSH clients must not disable host key verification.
+  rationale: >-
+    Skipping host key checks enables person-in-the-middle attacks against SSH sessions.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-668
+      title: Exposure of Resource to Wrong Sphere
+    - kind: url
+      title: CWE-668 Exposure of Resource to Wrong Sphere
+      url: https://cwe.mitre.org/data/definitions/668.html
+  tags:
+    - security
+    - rust
+    - ssh
+    - network
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.insecure-ssh-host-key
+    bind: issue
+emit:
+  finding:
+    category: security.network
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - ssh
+      - network
+  message:
+    title: Enable SSH host key verification near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` disables SSH host key verification."
+  remediation:
+    summary: >-
+      Keep host key checking enabled and pin known host keys or use a trusted known_hosts store.

package/rules/rust/rust.security.insecure-ssl-protocol.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.insecure-ssl-protocol
+  title: Reject deprecated SSL/TLS protocol versions
+  summary: >-
+    Rust code must not enable SSLv3, TLS 1.0, or TLS 1.1 in TLS configuration.
+  rationale: >-
+    These protocol versions have known weaknesses and are deprecated for secure transport.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - tls
+    - cryptography
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.insecure-ssl-protocol
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - tls
+      - cryptography
+  message:
+    title: Remove insecure TLS protocol near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` references a deprecated SSL/TLS protocol version."
+  remediation:
+    summary: >-
+      Require TLS 1.2 or TLS 1.3 and remove SSLv3, TLS 1.0, and TLS 1.1 from allowed protocol lists.

package/rules/rust/rust.security.insecure-temp-file.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.insecure-temp-file
+  title: Avoid predictable or permissionless temporary files
+  summary: >-
+    Temporary file creation should use secure helpers with random suffixes and restrictive permissions.
+  rationale: >-
+    Predictable temp paths and default-permission temp files enable symlink races and information disclosure.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - filesystem
+    - tempfile
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.insecure-temp-file
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: medium
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - filesystem
+      - tempfile
+  message:
+    title: Use secure temp file creation near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` creates a temporary file with an insecure pattern."
+  remediation:
+    summary: >-
+      Use `tempfile::Builder` with explicit permissions and patterns containing `*`, or `std::env::temp_dir` with random names.

package/rules/rust/rust.security.insecure-yaml-load.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.insecure-yaml-load
+  title: Avoid untyped YAML deserialization
+  summary: >-
+    Untyped `serde_yaml` deserialization can instantiate arbitrary types from untrusted input.
+  rationale: >-
+    YAML loaders without strict typing enable unsafe object graphs and unexpected type coercion.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-502
+      title: Deserialization of Untrusted Data
+    - kind: owasp
+      title: Deserialization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - yaml
+    - deserialization
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.insecure-yaml-load
+    bind: issue
+emit:
+  finding:
+    category: security.deserialization
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - yaml
+      - deserialization
+  message:
+    title: Use typed YAML parsing near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` deserializes YAML without a constrained target type."
+  remediation:
+    summary: >-
+      Deserialize into explicit structs or enums and validate input before use.

package/rules/rust/rust.security.jwt-without-verification.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.jwt-without-verification
+  title: Verify JWT signatures before trusting claims
+  summary: >-
+    JWT parsing must use a verification key and must not disable signature validation.
+  rationale: >-
+    Trusting unverified JWTs allows attackers to forge tokens with arbitrary claims.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-287
+      title: Improper Authentication
+    - kind: owasp
+      title: JSON Web Token Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - jwt
+    - authentication
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.jwt-without-verification
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - jwt
+      - authentication
+  message:
+    title: Verify JWT signature near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` parses a JWT without verifying its signature."
+  remediation:
+    summary: >-
+      Pass a `DecodingKey` to `decode` and validate claims with a strict `Validation` configuration.

package/rules/rust/rust.security.panic-in-async-handler.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.panic-in-async-handler
+  title: Avoid panic and unwrap in async handlers
+  summary: >-
+    Async request handlers should propagate errors instead of panicking or unwrapping Results.
+  rationale: >-
+    Panics in async handlers can abort tasks and leak error details under load.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - async
+    - reliability
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.panic-in-async-handler
+    bind: issue
+emit:
+  finding:
+    category: security.reliability
+    severity: medium
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - async
+      - reliability
+  message:
+    title: Handle errors in async handler near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` panics or unwraps inside an async function."
+  remediation:
+    summary: >-
+      Return `Result` from async handlers and map errors to appropriate HTTP responses.

package/rules/rust/rust.security.rocket-panic-prone-request-handler.rule.yaml ADDED Viewed

@@ -0,0 +1,58 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.rocket-panic-prone-request-handler
+  title: Avoid panicking on request-derived data in Rocket handlers
+  summary: >-
+    Rocket route handlers should not `unwrap`, `expect`, or otherwise panic on values derived from the HTTP request.
+  rationale: >-
+    Panics become hard failures and can be abused for denial-of-service or to leak error detail; prefer `Result` and typed rejections.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-209
+      title: Generation of Error Message Containing Sensitive Information
+    - kind: owasp
+      title: Error Handling Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
+    - kind: url
+      title: ANSSI Rust secure development guidelines
+      url: https://anssi-fr.github.io/rust-guide/01-general-principles.html
+  tags:
+    - security
+    - rust
+    - rocket
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.rocket-panic-prone-request-handler
+    bind: issue
+emit:
+  finding:
+    category: security.error-handling
+    severity: medium
+    confidence: 0.74
+    tags:
+      - security
+      - rust
+      - rocket
+  message:
+    title: Replace infallible unwraps in Rocket handler near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` can panic on malformed or hostile input in a Rocket request handler."
+  remediation:
+    summary: >-
+      Return `Result`, `Option`, or `status::Custom`, map errors to HTTP responses, and reserve `unwrap` for tests or statically known invariants.

package/rules/rust/rust.security.rocket-unsafe-template-output.rule.yaml ADDED Viewed

@@ -0,0 +1,60 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.rocket-unsafe-template-output
+  title: Avoid raw HTML built from Rocket route parameters
+  summary: >-
+    Do not wrap request-sourced strings in `RawHtml` (or similar) without escaping in Rocket handlers.
+  rationale: >-
+    Raw HTML bypasses Rocket's escaping defaults and is a common XSS footgun when fed from path, query, or body inputs.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: ANSSI Rust secure development guidelines
+      url: https://anssi-fr.github.io/rust-guide/01-general-principles.html
+  tags:
+    - security
+    - rust
+    - rocket
+    - xss
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.rocket-unsafe-template-output
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: high
+    confidence: 0.76
+    tags:
+      - security
+      - rust
+      - rocket
+      - xss
+  message:
+    title: Escape or sanitize before `${captures.issue.text}`
+    summary: "`${captures.issue.text}` emits raw HTML from handler parameters without an obvious sanitizer."
+  remediation:
+    summary: >-
+      Prefer typed templates with auto-escaping, sanitize with a vetted HTML policy crate, or return plain text/JSON instead of `RawHtml`.

package/rules/rust/rust.security.shell-command-spawn.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.shell-command-spawn
+  title: Avoid shell invocation via Command
+  summary: >-
+    Spawning `/bin/sh` or `bash` with `-c` enables shell metacharacter injection.
+  rationale: >-
+    Shell interpretation expands attacker-controlled input into arbitrary command execution.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-78
+      title: OS Command Injection
+    - kind: owasp
+      title: OS Command Injection Defense Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - command-injection
+    - shell
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.shell-command-spawn
+    bind: issue
+emit:
+  finding:
+    category: security.command-injection
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - command-injection
+      - shell
+  message:
+    title: Avoid shell spawn near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` spawns a shell with `-c`, enabling command injection."
+  remediation:
+    summary: >-
+      Invoke binaries directly with explicit arguments instead of routing through a shell.

package/rules/rust/rust.security.sqlx-diesel-raw-interpolated-query.rule.yaml ADDED Viewed

@@ -0,0 +1,60 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.sqlx-diesel-raw-interpolated-query
+  title: Avoid dynamic SQL built with format! for SQLx or Diesel
+  summary: >-
+    Do not pass `format!(...)` (or equivalent string concatenation) into `sqlx::query` or `diesel::sql_query` sinks.
+  rationale: >-
+    Interpolated SQL is the primary SQL injection pattern in Rust ORMs; compile-time macros and bind parameters keep queries safe.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-89
+      title: SQL Injection
+    - kind: owasp
+      title: SQL Injection Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: ANSSI Rust secure development guidelines
+      url: https://anssi-fr.github.io/rust-guide/01-general-principles.html
+  tags:
+    - security
+    - rust
+    - sqlx
+    - diesel
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.sqlx-diesel-raw-interpolated-query
+    bind: issue
+emit:
+  finding:
+    category: security.sql-injection
+    severity: high
+    confidence: 0.88
+    tags:
+      - security
+      - rust
+      - sqlx
+      - diesel
+  message:
+    title: Replace interpolated SQL at `${captures.issue.text}`
+    summary: "`${captures.issue.text}` builds SQL with `format!` instead of bound parameters or compile-time checked macros."
+  remediation:
+    summary: >-
+      Prefer `sqlx::query!` / `query_as!`, use `.bind(...)` on typed query builders, or Diesel's query DSL with bound parameters instead of raw interpolated strings.