npm - @critiq/rules - Versions diffs - 0.0.2 → 0.2.0 - Mend

@critiq/rules 0.0.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (396) hide show

package/rules/rust/rust.security.template-unescaped-request-value.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.template-unescaped-request-value
+  title: Sanitize request data before unescaped template output in Rust
+  summary: >-
+    Tera, Maud, and similar engines should not insert request-sourced strings into contexts or `PreEscaped`/`raw` sinks without sanitization.
+  rationale: >-
+    Template `safe`/raw sinks disable escaping; feeding path, query, form, or JSON extractors there is a direct XSS vector.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - templates
+    - xss
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.template-unescaped-request-value
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: high
+    confidence: 0.74
+    tags:
+      - security
+      - rust
+      - templates
+      - xss
+  message:
+    title: Escape or sanitize before `${captures.issue.text}`
+    summary: "`${captures.issue.text}` feeds request-derived data into an unescaped template context."
+  remediation:
+    summary: >-
+      HTML-escape with a vetted policy (for example `ammonia::clean`), keep auto-escaping on, and avoid `PreEscaped`/`Markup::raw` for untrusted strings.

package/rules/rust/rust.security.tls-missing-min-version.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.tls-missing-min-version
+  title: Set a minimum TLS protocol version in Rust TLS configs
+  summary: >-
+    Rust TLS client and server configuration should set an explicit minimum protocol version (TLS 1.2 or newer).
+  rationale: >-
+    Without a minimum version, legacy SSL/TLS protocols may be negotiated, weakening transport security.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - tls
+    - cryptography
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.tls-missing-min-version
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - tls
+      - cryptography
+  message:
+    title: Set minimum TLS version near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` configures TLS without an explicit minimum protocol version."
+  remediation:
+    summary: >-
+      Set `min_protocol_version` (rustls) or `min_tls_version` (reqwest) to TLS 1.2 or newer.

package/rules/rust/rust.security.warp-blocking-or-panic-in-async-handler.rule.yaml ADDED Viewed

@@ -0,0 +1,58 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.warp-blocking-or-panic-in-async-handler
+  title: Avoid blocking I/O and infallible unwraps in async Warp handlers
+  summary: >-
+    Warp filters and handlers run on the async runtime; avoid `std::fs`, `thread::sleep`, and `unwrap` on request paths without `spawn_blocking` or proper errors.
+  rationale: >-
+    Blocking the runtime reduces availability and unwraps turn parse errors into panics; both are amplified under load and hostile traffic.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: ANSSI Rust secure development guidelines
+      url: https://anssi-fr.github.io/rust-guide/01-general-principles.html
+  tags:
+    - security
+    - rust
+    - warp
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.warp-blocking-or-panic-in-async-handler
+    bind: issue
+emit:
+  finding:
+    category: security.availability
+    severity: medium
+    confidence: 0.72
+    tags:
+      - security
+      - rust
+      - warp
+  message:
+    title: Refactor async Warp handler around `${captures.issue.text}`
+    summary: "`${captures.issue.text}` blocks the async executor or can panic inside a Warp async handler."
+  remediation:
+    summary: >-
+      Use `tokio::fs`, offload blocking work with `spawn_blocking`, and propagate errors with `Rejection` instead of `unwrap`.

package/rules/rust/rust.security.weak-crypto-import.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.weak-crypto-import
+  title: Avoid importing broken or deprecated crypto crates
+  summary: >-
+    Production Rust code should not import `md5`, `sha1`, `des`, or `rc4` for security-sensitive purposes.
+  rationale: >-
+    MD5 and SHA-1 are broken hash functions, DES has an obsolete key size, and RC4 has known biases.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - cryptography
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.weak-crypto-import
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: medium
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - cryptography
+  message:
+    title: Replace weak crypto import at `${captures.issue.text}`
+    summary: "`${captures.issue.text}` imports a broken or deprecated crypto crate."
+  remediation:
+    summary: >-
+      Use `sha2`, `blake3`, or `aes-gcm` for modern cryptographic primitives.

package/rules/rust/rust.security.weak-rsa-key-size.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.weak-rsa-key-size
+  title: Use RSA keys of at least 2048 bits
+  summary: >-
+    RSA key generation must use at least 2048 bits.
+  rationale: >-
+    RSA keys shorter than 2048 bits are vulnerable to factorization attacks with modern compute.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - cryptography
+    - rsa
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.weak-rsa-key-size
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - cryptography
+      - rsa
+  message:
+    title: Increase RSA key size near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` generates an RSA key smaller than 2048 bits."
+  remediation:
+    summary: >-
+      Generate RSA keys with at least 2048 bits, or prefer Ed25519/ECDSA for new designs.

package/rules/rust/rust.security.weak-tls-cipher.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.weak-tls-cipher
+  title: Avoid weak TLS cipher suites
+  summary: >-
+    Rust TLS configuration must not include cipher suites using RC4, 3DES, NULL, or EXPORT algorithms.
+  rationale: >-
+    Weak cipher suites are vulnerable to practical attacks and should not be negotiated.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - tls
+    - cryptography
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.weak-tls-cipher
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - tls
+      - cryptography
+  message:
+    title: Replace weak TLS cipher near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` references a weak TLS cipher suite."
+  remediation:
+    summary: >-
+      Use modern AEAD cipher suites such as TLS_AES_128_GCM_SHA256 or TLS_CHACHA20_POLY1305_SHA256.

package/rules/rust/rust.testing.ignore-without-ticket-reference.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.testing.ignore-without-ticket-reference
+  title: "Rust #[ignore] tests should cite a ticket"
+  summary: Ignored tests without a nearby tracker comment are easy to lose.
+  rationale: Ignored tests should carry reviewable intent like skips in other ecosystems.
+  tags:
+    - testing
+    - rust
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+match:
+  fact:
+    kind: rust.testing.ignore-without-ticket-reference
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.62
+    tags:
+      - testing
+      - rust
+  message:
+    title: Add a ticket comment near `${captures.issue.text}`
+    summary: "`#[ignore]` is present without a nearby issue key or accepted suppression comment."
+  remediation:
+    summary: Document the ignore with a tracker id or remove the attribute when the test is ready.

package/rules/rust/rust.testing.real-network-in-unit-test.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.testing.real-network-in-unit-test
+  title: Avoid live reqwest clients in Rust unit tests
+  summary: reqwest usage in tests should target local servers or fakes.
+  rationale: Live HTTP couples CI to the network.
+  tags:
+    - testing
+    - rust
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+match:
+  fact:
+    kind: rust.testing.real-network-in-unit-test
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.64
+    tags:
+      - testing
+      - rust
+  message:
+    title: Stub outbound HTTP in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` references `reqwest` inside a test-like path."
+  remediation:
+    summary: Use wiremock, axum test servers, or injected clients with deterministic responses.

package/rules/rust/rust.testing.thread-sleep-in-unit-test.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.testing.thread-sleep-in-unit-test
+  title: Avoid thread::sleep in Rust unit tests
+  summary: Sleeping in tests slows CI and hides synchronization bugs.
+  rationale: Prefer deterministic synchronization or tokio time advances.
+  tags:
+    - testing
+    - rust
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+match:
+  fact:
+    kind: rust.testing.thread-sleep-in-unit-test
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: low
+    confidence: 0.6
+    tags:
+      - testing
+      - rust
+  message:
+    title: Replace sleep in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` blocks on real wall-clock time inside a test-like path."
+  remediation:
+    summary: Use `tokio::time::pause`, condvars, or scoped integration tests for real delays.

package/rules/shared/security.archive-path-traversal.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: security.archive-path-traversal
+  title: Sanitize archive entry paths before writing
+  summary: Archive extraction should not write entry names directly to the filesystem.
+  rationale: Archive entries can contain traversal paths that overwrite files outside the intended extraction directory.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-22
+      title: Path Traversal
+    - kind: owasp
+      title: Path Traversal
+      url: https://owasp.org/www-community/attacks/Path_Traversal
+  tags:
+    - security
+    - filesystem
+    - archive
+    - path-traversal
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+    - java
+    - php
+    - python
+    - ruby
+    - rust
+match:
+  fact:
+    kind: security.archive-path-traversal
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: high
+    confidence: 0.82
+    tags:
+      - security
+      - filesystem
+      - archive
+  message:
+    title: Check archive containment for `${captures.issue.text}`
+    summary: "`${captures.issue.text}` may write an archive-controlled path without a containment check."
+  remediation:
+    summary: Normalize each entry path against a trusted extraction root and reject paths that escape it.

package/rules/shared/security.external-file-upload.rule.yaml ADDED Viewed

@@ -0,0 +1,50 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: security.external-file-upload
+  title: Do not persist upload filenames directly
+  summary: Upload handlers should not store attacker-controlled filenames without generating or validating a safe local name.
+  rationale: Upload filenames can carry traversal payloads, collisions, or misleading extensions that break local containment.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+  tags:
+    - security
+    - filesystem
+    - upload
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+    - java
+    - php
+    - python
+    - ruby
+    - rust
+match:
+  fact:
+    kind: security.external-file-upload
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: high
+    confidence: 0.82
+    tags:
+      - security
+      - filesystem
+      - upload
+  message:
+    title: Generate a trusted local filename for `${captures.issue.text}`
+    summary: "`${captures.issue.text}` persists an upload filename derived from attacker-controlled input."
+  remediation:
+    summary: Generate a server-side filename or apply a strict allowlist before storing uploaded content.

package/rules/shared/security.insecure-http-transport.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Insecure HTTP transport
   summary: Outbound transport should not use plain HTTP for sensitive requests.
   rationale: Plain HTTP exposes traffic to interception and tampering.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
   tags:
     - security
     - transport
@@ -40,3 +49,4 @@ emit:
     summary: "`${captures.issue.text}` sends an outbound request over plain HTTP."
   remediation:
     summary: Use HTTPS or a trusted local-development exception for non-production endpoints.

package/rules/shared/security.no-command-execution-with-request-input.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Command execution using untrusted input
   summary: Process execution helpers must not receive request-controlled executables or shell-interpreted arguments.
   rationale: Request-controlled process execution can become remote code execution when attackers choose the binary or influence shell parsing.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-78
+      title: OS Command Injection
+    - kind: owasp
+      title: OS Command Injection Defense Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
   tags:
     - security
     - injection
@@ -40,3 +49,4 @@ emit:
     summary: "`${captures.execCall.text}` executes a process using request-controlled command data."
   remediation:
     summary: Dispatch only allowlisted binaries, keep shell mode disabled, and validate or constrain subcommands before execution.

package/rules/shared/security.no-hardcoded-credentials.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Hardcoded API keys or credentials
   summary: Source files should not embed credential-like string literals.
   rationale: Hardcoded credentials are difficult to rotate and are easily leaked through source control.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-798
+      title: Use of Hard-coded Credentials
+    - kind: owasp
+      title: Secrets Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
   tags:
     - security
     - secrets
@@ -40,3 +49,4 @@ emit:
     summary: "`${captures.credential.text}` appears to embed a credential-like literal in source code."
   remediation:
     summary: Move the secret to a secure runtime secret store or environment-backed config path.

package/rules/shared/security.no-request-path-file-read.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Path traversal via user input
   summary: File access calls must not use request-controlled paths directly.
   rationale: User-controlled paths can escape the intended directory and expose sensitive files.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
   tags:
     - security
     - filesystem
@@ -40,3 +49,4 @@ emit:
     summary: "`${captures.fileRead.text}` reads from a path derived from request data without an allowlist or boundary check."
   remediation:
     summary: Resolve the path against a trusted base directory and reject values that escape it.

package/rules/shared/security.no-sensitive-data-in-logs-and-telemetry.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid sensitive data in logs and telemetry
   summary: Sensitive fields should not be sent to logging, tracing, or analytics sinks.
   rationale: Observability payloads often leave the service boundary and can expose secrets, account identifiers, or personal data if they carry raw request or user fields.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-532
+      title: Insertion of Sensitive Information into Log File
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
   tags:
     - security
     - privacy
@@ -42,3 +51,4 @@ emit:
     summary: "`${captures.issue.text}` reaches a logging or telemetry sink with sensitive data."
   remediation:
     summary: Redact, hash, or drop the sensitive field before it reaches the sink.

package/rules/shared/security.no-sql-interpolation.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid raw or interpolated SQL
   summary: Database query sinks must not receive request-driven or dynamically interpolated SQL text.
   rationale: Raw or interpolated SQL can let attackers control query structure when values are not passed separately.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-89
+      title: SQL Injection
+    - kind: owasp
+      title: SQL Injection Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
   tags:
     - security
     - sql
@@ -40,3 +49,4 @@ emit:
     summary: "`${captures.queryCall.text}` builds or forwards SQL text directly into a raw query sink."
   remediation:
     summary: Use prepared statements, placeholder parameters, or a typed query builder instead of executing raw SQL text.