npm - @critiq/rules - Versions diffs - 0.0.2 → 0.2.0 - Mend

@critiq/rules 0.0.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (396) hide show

package/rules/shared/security.permissive-file-permissions.rule.yaml ADDED Viewed

@@ -0,0 +1,50 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: security.permissive-file-permissions
+  title: Avoid world-readable or world-writable file permissions
+  summary: File creation and permission changes should not grant broad local access.
+  rationale: Broad permissions expose application data to local users or processes that should not read or modify it.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-732
+      title: Incorrect Permission Assignment for Critical Resource
+    - kind: owasp
+      title: File Permission
+      url: https://owasp.org/www-community/vulnerabilities/Improper_File_Permissions
+  tags:
+    - security
+    - filesystem
+    - permissions
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+    - java
+    - php
+    - python
+    - ruby
+    - rust
+match:
+  fact:
+    kind: security.permissive-file-permissions
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: medium
+    confidence: 0.8
+    tags:
+      - security
+      - filesystem
+      - permissions
+  message:
+    title: Tighten file permissions for `${captures.issue.text}`
+    summary: "`${captures.issue.text}` grants world-readable or world-writable filesystem access."
+  remediation:
+    summary: Use least-privilege file modes and avoid world-readable or world-writable permissions.

package/rules/shared/security.sensitive-data-egress.rule.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: security.sensitive-data-egress
+  title: Sensitive data egress to third-party processors
+  summary: Sensitive values should not be sent to external processors or outbound SDKs without minimization or redaction.
+  rationale: Sending regulated or secret data to third-party services increases privacy exposure and creates downstream processor risk.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-200
+      title: Exposure of Sensitive Information to an Unauthorized Actor
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
+  tags:
+    - security
+    - privacy
+    - data-exposure
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - python
+    - rust
+match:
+  fact:
+    kind: security.sensitive-data-egress
+    bind: issue
+emit:
+  finding:
+    category: security.privacy
+    severity: high
+    confidence: 0.8
+    tags:
+      - security
+      - privacy
+      - data-exposure
+  message:
+    title: Avoid sending sensitive data through `${captures.issue.text}`
+    summary: "`${captures.issue.text}` sends request or identity data to an outbound processor."
+  remediation:
+    summary: Minimize the payload, redact sensitive fields, or route the data only to approved processors.

package/rules/shared/security.tls-verification-disabled.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: TLS verification disabled
   summary: Transport clients should not disable certificate verification.
   rationale: Trust-all TLS settings accept any certificate and undermine transport security.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
   tags:
     - security
     - transport
@@ -40,3 +49,4 @@ emit:
     summary: "`${captures.issue.text}` disables certificate verification or trust validation."
   remediation:
     summary: Use trusted certificate validation and remove trust-all overrides outside local development.

package/rules/shared/security.unsafe-deserialization.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Protect deserialization trust boundaries
   summary: Deserializers should not consume untrusted payloads directly across a trust boundary.
   rationale: Deserializing untrusted payloads can let attacker-controlled data reshape parser state, object graphs, or downstream runtime behavior.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-502
+      title: Deserialization of Untrusted Data
+    - kind: owasp
+      title: Deserialization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
   tags:
     - security
     - deserialization
@@ -39,3 +48,4 @@ emit:
     summary: "`${captures.issue.text}` deserializes an untrusted payload across a trust boundary."
   remediation:
     summary: Deserialize only from trusted producers, or validate and constrain the payload shape before crossing the deserialization boundary.

package/rules/shared/security.weak-hash-algorithm.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid weak hash algorithms
   summary: Cryptographic hashing should use modern, collision-resistant algorithms.
   rationale: Weak digests such as MD5 and SHA-1 are vulnerable to collisions and should not be used for security-sensitive hashing.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
   tags:
     - security
     - crypto
@@ -39,3 +48,4 @@ emit:
     summary: "`${captures.issue.text}` uses a weak hash algorithm."
   remediation:
     summary: Use SHA-256, SHA-384, SHA-512, or a stronger approved hashing primitive instead.

package/rules/typescript/ts.correctness.array-callback-missing-return.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.array-callback-missing-return
+  title: Array callback missing return
+  summary: Array iteration callbacks with block bodies should return a value when required.
+  rationale: map, filter, reduce, every, and some expect callback return values; missing returns yield undefined elements or incorrect predicates.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-032
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.array-callback-missing-return
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.88
+    tags:
+      - correctness
+      - language
+  message:
+    title: Add a return to the array callback
+    summary: "`${captures.issue.text}` is a block-bodied array callback without a return statement."
+  remediation:
+    summary: Return the computed value from the callback, or switch to forEach when side effects are intended.

package/rules/typescript/ts.correctness.array-sort-without-compare.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.array-sort-without-compare
+  title: Array.sort without compare function
+  summary: Provide a compare function when sorting non-string arrays.
+  rationale: Default sort coerces elements to strings, which misorders numbers and many objects.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-036
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.array-sort-without-compare
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.88
+    tags:
+      - correctness
+      - language
+  message:
+    title: Pass a compare function to sort
+    summary: "`${captures.issue.text}` calls sort() without a comparator."
+  remediation:
+    summary: Pass an explicit compare function, for example `(a, b) => a - b` for numbers.

package/rules/typescript/ts.correctness.assignment-in-condition.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.assignment-in-condition
+  title: Assignment used as a conditional test
+  summary: Control-flow conditions should compare values, not perform assignments.
+  rationale: Using `=` where `===` was intended is a common defect; assignments in conditions also obscure data flow.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-016
+    - public-directory-parity
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.assignment-in-condition
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - language
+  message:
+    title: Replace assignment in condition
+    summary: "`${captures.issue.text}` performs assignment where a boolean predicate is expected."
+  remediation:
+    summary: Use a comparison operator or move the assignment before the condition. Note that the parser may not preserve extra grouping parentheses around the assignment.

package/rules/typescript/ts.correctness.assignment-to-import-binding.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.assignment-to-import-binding
+  title: Assignment to an imported binding
+  summary: Code assigns to or updates a symbol declared by an import.
+  rationale: ES module imports are read-only bindings; reassignment fails at runtime and signals a mistaken refactor.
+  tags:
+    - correctness
+    - modules
+    - rules-catalog
+    - crq-cor-021
+    - public-directory-parity
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.assignment-to-import-binding
+    bind: issue
+emit:
+  finding:
+    category: correctness.modules
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - modules
+  message:
+    title: Do not assign to imported bindings
+    summary: "`${captures.issue.text}` mutates a symbol declared by an import."
+  remediation:
+    summary: Use a local variable, change the exporting module, or refactor so imports remain immutable.

package/rules/typescript/ts.correctness.async-promise-executor.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.async-promise-executor
+  title: Async Promise executor function
+  summary: The executor passed to `new Promise` is declared `async`.
+  rationale: Async executors defer errors and can swallow rejections; prefer a synchronous executor that calls `resolve`/`reject`.
+  tags:
+    - correctness
+    - async
+    - rules-catalog
+    - crq-cor-020
+    - public-directory-parity
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.async-promise-executor
+    bind: issue
+emit:
+  finding:
+    category: correctness.async
+    severity: medium
+    confidence: 0.92
+    tags:
+      - correctness
+      - async
+  message:
+    title: Avoid async Promise executors
+    summary: "`${captures.issue.text}` is an async Promise executor, which can hide thrown errors."
+  remediation:
+    summary: Remove `async` from the executor and use `resolve`/`reject`, or wrap the async work without making the executor itself async.

package/rules/typescript/ts.correctness.control-flow-in-finally.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.control-flow-in-finally
+  title: Control flow in finally block
+  summary: Avoid return, throw, break, or continue inside finally blocks.
+  rationale: Control-flow statements in finally override try/catch completion and can hide errors or skip cleanup intent.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-028
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.control-flow-in-finally
+    bind: issue
+emit:
+  finding:
+    category: correctness.control-flow
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - language
+  message:
+    title: Remove control flow from finally
+    summary: "`${captures.issue.text}` changes completion inside a finally block."
+  remediation:
+    summary: Move return, throw, break, or continue out of the finally block, or restructure the try/finally logic.

package/rules/typescript/ts.correctness.duplicate-function-parameter.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.duplicate-function-parameter
+  title: Duplicate function parameter names
+  summary: A function declares the same parameter name more than once.
+  rationale: Duplicate parameters are confusing and usually indicate a copy-paste or merge mistake.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-017
+    - public-directory-parity
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.duplicate-function-parameter
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - language
+  message:
+    title: Remove duplicate parameter
+    summary: "Duplicate parameter name `${captures.issue.text}` in the same parameter list."
+  remediation:
+    summary: Rename or remove the duplicate parameter so each binding is unique.

package/rules/typescript/ts.correctness.duplicate-if-else-condition.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.duplicate-if-else-condition
+  title: Duplicate if-else-if condition
+  summary: Do not repeat the same test in an if-else-if chain.
+  rationale: Duplicate conditions create unreachable branches and usually indicate a copy-paste defect.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-031
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.duplicate-if-else-condition
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - language
+  message:
+    title: Remove duplicate if condition
+    summary: "`${captures.issue.text}` repeats a prior if-else-if test."
+  remediation:
+    summary: Remove the duplicate branch or change the condition to the intended distinct test.

package/rules/typescript/ts.correctness.duplicate-import-source.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.duplicate-import-source
+  title: Duplicate imports from the same module
+  summary: The file imports from the same module path more than once.
+  rationale: Multiple import declarations for one module increase bundle noise and can diverge over time.
+  tags:
+    - correctness
+    - modules
+    - rules-catalog
+    - crq-cor-024
+    - public-directory-parity
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.duplicate-import-source
+    bind: issue
+emit:
+  finding:
+    category: correctness.modules
+    severity: low
+    confidence: 0.9
+    tags:
+      - correctness
+      - modules
+  message:
+    title: Consolidate duplicate imports
+    summary: "`${captures.issue.text}` imports from a module path already imported above."
+  remediation:
+    summary: Merge named imports into a single `import` declaration from that module.

package/rules/typescript/ts.correctness.duplicate-object-key.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.duplicate-object-key
+  title: Duplicate keys in object literal
+  summary: An object literal repeats the same static property name.
+  rationale: Later entries silently override earlier ones, hiding bugs during refactors.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-018
+    - public-directory-parity
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.duplicate-object-key
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - language
+  message:
+    title: Resolve duplicate object key
+    summary: "This object literal repeats a static property key; later entries override earlier ones."
+  remediation:
+    summary: Merge the values or delete the redundant property so each key is declared once.

package/rules/typescript/ts.correctness.duplicate-switch-case.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.duplicate-switch-case
+  title: Duplicate switch case labels
+  summary: A switch repeats the same case discriminant.
+  rationale: Unreachable duplicate cases usually mean a merge error or incomplete refactor.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-019
+    - public-directory-parity
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.duplicate-switch-case
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - language
+  message:
+    title: Remove duplicate switch case
+    summary: "This switch repeats an earlier case discriminant, so the branch is unreachable."
+  remediation:
+    summary: Delete the unreachable duplicate case or change the discriminant so each branch is distinct.

package/rules/typescript/ts.correctness.empty-block-statement.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.empty-block-statement
+  title: Empty block statement
+  summary: A control-flow or try/catch branch uses an empty `{}` block.
+  rationale: Empty blocks hide missing logic, swallowed errors, or incomplete refactors and often mask bugs.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-025
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.empty-block-statement
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: low
+    confidence: 0.85
+    tags:
+      - correctness
+      - language
+  message:
+    title: Replace or remove empty block
+    summary: "This block has no statements; add behavior, a comment explaining intent, or delete the branch."
+  remediation:
+    summary: Add the intended statements, throw or log in error paths, or remove the branch if it is dead code.

package/rules/typescript/ts.correctness.for-in-on-array.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.for-in-on-array
+  title: for-in over array-like value
+  summary: Prefer for-of or index loops instead of for-in on arrays.
+  rationale: for-in enumerates keys (often as strings) and may include inherited properties; for-of iterates values safely.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-037
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.for-in-on-array
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.85
+    tags:
+      - correctness
+      - language
+  message:
+    title: Avoid for-in on arrays
+    summary: "`${captures.issue.text}` uses for-in on a value that looks like an array."
+  remediation:
+    summary: Use `for (const item of array)` or indexed iteration instead of for-in.

package/rules/typescript/ts.correctness.identical-comparison-operands.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.identical-comparison-operands
+  title: Identical comparison operands
+  summary: Both sides of a comparison use the same source text.
+  rationale: Comparing an expression to itself is either always true or always false and usually indicates a copy-paste defect.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-023
+    - public-directory-parity
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.identical-comparison-operands
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: low
+    confidence: 0.85
+    tags:
+      - correctness
+      - language
+  message:
+    title: Fix identical comparison operands
+    summary: "`${captures.issue.text}` compares an expression to itself."
+  remediation:
+    summary: Replace one operand with the value you meant to compare against.