npm - @critiq/rules - Versions diffs - 0.0.2 → 0.2.0 - Mend

@critiq/rules 0.0.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (396) hide show

package/rules/typescript/ts.react.no-set-state-in-component-did-update.rule.yaml ADDED Viewed

@@ -0,0 +1,34 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.react.no-set-state-in-component-did-update
+  title: Guard setState in componentDidUpdate
+  summary: Unconditional setState in componentDidUpdate can recurse through renders when props or state change on every pass.
+  rationale: Updates should compare against prevProps or prevState so the component only re-renders when inputs actually changed.
+  tags:
+    - react
+    - ui
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ui.react.set-state-in-component-did-update
+    bind: issue
+emit:
+  finding:
+    category: correctness.ui
+    severity: medium
+    confidence: 0.8
+    tags:
+      - react
+      - ui
+  message:
+    title: Compare previous inputs before updating state
+    summary: "`${captures.issue.text}` calls setState inside componentDidUpdate without a prevProps or prevState guard."
+  remediation:
+    summary: Wrap the update in a conditional that compares prevProps or prevState, or move synchronization into getDerivedStateFromProps.

package/rules/typescript/ts.react.no-static-element-with-synthetic-handlers.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.react.no-static-element-with-synthetic-handlers
+  title: Avoid dangling pointer or key handlers on static elements
+  summary: "Non-interactive elements that listen for pointer or key events without a widget role usually hide custom interaction that needs explicit semantics."
+  rationale: Drag handles, menus, and listboxes should expose roles and focus models; otherwise assistive technologies treat the region as inert content.
+  tags:
+    - react
+    - accessibility
+    - ui
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ui.react.non-interactive-with-pointer-or-key-handler-without-role
+    bind: issue
+emit:
+  finding:
+    category: correctness.ui
+    severity: medium
+    confidence: 0.76
+    tags:
+      - react
+      - accessibility
+      - ui
+  message:
+    title: Model custom interaction explicitly
+    summary: "`${captures.issue.text}` listens for pointer or keyboard events without declaring a widget role."
+  remediation:
+    summary: Promote the element to a named widget with `role`, keyboard parity, and focus order, or attach handlers to a native interactive element instead.

package/rules/typescript/ts.react.no-string-ref.rule.yaml ADDED Viewed

@@ -0,0 +1,34 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.react.no-string-ref
+  title: Avoid legacy React string refs
+  summary: String refs rely on older React behavior that is harder to analyze and less reliable than callback or object refs.
+  rationale: Legacy refs obscure ownership, do not compose cleanly, and complicate future migrations away from class-heavy React patterns.
+  tags:
+    - react
+    - ui
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ui.react.string-ref
+    bind: issue
+emit:
+  finding:
+    category: correctness.ui
+    severity: medium
+    confidence: 0.79
+    tags:
+      - react
+      - ui
+  message:
+    title: Replace string refs with modern refs
+    summary: "`${captures.issue.text}` uses a legacy React string ref."
+  remediation:
+    summary: "Use `createRef`, `useRef`, or a callback ref so the reference stays explicit and type-safe."

package/rules/typescript/ts.react.no-target-blank-without-rel.rule.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.react.no-target-blank-without-rel
+  title: Add rel=noopener to target=_blank links
+  summary: Opening links in a new tab without rel=noopener lets the destination page access window.opener.
+  rationale: Untrusted destinations can navigate or phish the opener tab unless noopener severs that relationship.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+  tags:
+    - react
+    - security
+    - ui
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ui.react.target-blank-without-rel
+    bind: issue
+emit:
+  finding:
+    category: security.ui
+    severity: high
+    confidence: 0.9
+    tags:
+      - react
+      - security
+      - ui
+  message:
+    title: Harden external links opened in a new tab
+    summary: "`${captures.issue.text}` uses target=_blank without rel containing noopener."
+  remediation:
+    summary: Add rel=noopener or rel="noopener noreferrer" whenever target="_blank" is present.

package/rules/typescript/ts.react.no-this-in-function-component.rule.yaml ADDED Viewed

@@ -0,0 +1,34 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.react.no-this-in-function-component
+  title: Do not use this in function components
+  summary: Function components have no instance, so `this` references are almost always mistakes copied from class components.
+  rationale: Hooks, props, and closures replace instance fields; leaving `this` in place breaks at runtime or hides missing refactors.
+  tags:
+    - react
+    - ui
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ui.react.this-in-function-component
+    bind: issue
+emit:
+  finding:
+    category: correctness.ui
+    severity: high
+    confidence: 0.76
+    tags:
+      - react
+      - ui
+  message:
+    title: Remove this from function components
+    summary: "`${captures.issue.text}` uses this inside a function component."
+  remediation:
+    summary: Use props, hooks, module-level helpers, or refs instead of instance fields accessed through this.

package/rules/typescript/ts.react.no-uncontrolled-to-controlled-input.rule.yaml ADDED Viewed

@@ -0,0 +1,34 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.react.no-uncontrolled-to-controlled-input
+  title: Avoid mixing controlled and uncontrolled input props
+  summary: Combining value with defaultValue leads to ambiguous ownership between React and the DOM.
+  rationale: Inputs should be either controlled via value or bootstrapped once via defaultValue, not both at once.
+  tags:
+    - react
+    - ui
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ui.react.uncontrolled-controlled-input
+    bind: issue
+emit:
+  finding:
+    category: correctness.ui
+    severity: medium
+    confidence: 0.88
+    tags:
+      - react
+      - ui
+  message:
+    title: Pick either controlled or uncontrolled inputs
+    summary: "`${captures.issue.text}` sets both value and defaultValue."
+  remediation:
+    summary: Remove defaultValue when binding value, or drop value to stay fully uncontrolled.

package/rules/typescript/ts.react.no-widget-role-without-tabindex.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.react.no-widget-role-without-tabindex
+  title: Pair interactive roles with focus behavior
+  summary: "Custom elements that declare widget roles need to enter the tab order unless they wrap a native focusable control."
+  rationale: ARIA widget roles without `tabIndex` are inert to keyboard users because the browser never sends them focus events.
+  tags:
+    - react
+    - accessibility
+    - ui
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ui.react.widget-role-without-tabindex
+    bind: issue
+emit:
+  finding:
+    category: correctness.ui
+    severity: high
+    confidence: 0.83
+    tags:
+      - react
+      - accessibility
+      - ui
+  message:
+    title: Make custom widgets focusable
+    summary: "`${captures.issue.text}` exposes a widget role without a non-negative `tabIndex`."
+  remediation:
+    summary: Add `tabIndex={0}` for simple widgets, or prefer native elements like `button` and `a` with real `href` values.

package/rules/typescript/ts.runtime.no-process-exit.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.runtime.no-process-exit
+  title: Avoid `process.exit` in application code
+  summary: Do not call `process.exit` from application logic; reserve termination for CLI entrypoints.
+  rationale: Forced process termination bypasses graceful shutdown, in-flight request draining, and cleanup hooks.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  tags:
+    - runtime
+    - node
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: runtime.process-exit
+    bind: issue
+emit:
+  finding:
+    category: security.reliability
+    severity: medium
+    confidence: 0.9
+    tags:
+      - runtime
+      - node
+  message:
+    title: Avoid `process.exit` in application code
+    summary: "`${captures.issue.text}` terminates the process abruptly and should be limited to CLI entrypoints."
+  remediation:
+    summary: Propagate errors to the caller or use graceful shutdown hooks instead of calling `process.exit`.

package/rules/typescript/ts.security.ajv-insecure-configuration.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.ajv-insecure-configuration
+  title: Harden AJV compile options
+  summary: AJV should not compile schemas with allErrors true unless strict mode is enabled.
+  rationale: Missing strict-mode options historically enabled schema compilation DoS and unexpected coercion behavior.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  tags:
+    - security
+    - validation
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.ajv-insecure-configuration
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.82
+    tags:
+      - security
+      - validation
+  message:
+    title: "Tighten AJV options in ${captures.issue.text}"
+    summary: "${captures.issue.text} enables allErrors without strict, strictTypes, or strictSchema."
+  remediation:
+    summary: Enable AJV strict options appropriate to your major version and avoid compiling untrusted schemas with permissive settings.

package/rules/typescript/ts.security.angular-dom-sanitizer-bypass-untrusted-input.rule.yaml ADDED Viewed

@@ -0,0 +1,48 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.angular-dom-sanitizer-bypass-untrusted-input
+  title: Avoid trusting unsanitized Angular bypass sinks
+  summary: DomSanitizer bypass helpers should not receive route, storage, or request-derived values without validation.
+  rationale: Bypass helpers disable Angular templating protections and turn downstream sinks into XSS execution points.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Angular security guide
+      url: https://angular.dev/best-practices/security
+  tags:
+    - security
+    - angular
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.angular-dom-sanitizer-bypass-untrusted-input
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: high
+    confidence: 0.81
+    tags:
+      - security
+      - angular
+  message:
+    title: Replace Angular sanitizer bypass with validated HTML or structured bindings
+    summary: "`${captures.issue.text}` trusts externally influenced markup."
+  remediation:
+    summary: >-
+      Keep sensitive markup on Angular-safe bindings or sanitize with a reviewed helper before calling bypassSecurityTrust helpers.

package/rules/typescript/ts.security.apollo-server-csrf-disabled.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.apollo-server-csrf-disabled
+  title: Keep Apollo Server CSRF protections enabled
+  summary: Apollo Server should not explicitly disable CSRF prevention for browser-accessible endpoints.
+  rationale: GraphQL POST endpoints are vulnerable to cross-site writes when CSRF defenses are turned off.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-352
+      title: Cross-Site Request Forgery (CSRF)
+    - kind: owasp
+      title: Cross-Site Request Forgery Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Apollo Server security
+      url: https://www.apollographql.com/docs/apollo-server/security/security
+  tags:
+    - security
+    - graphql
+    - apollo
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.apollo-server-csrf-disabled
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.88
+    tags:
+      - security
+      - graphql
+  message:
+    title: Re-enable Apollo Server CSRF prevention
+    summary: Apollo Server sets `csrfPrevention` to false.
+  remediation:
+    summary: >-
+      Remove `csrfPrevention: false` or replace it with an equivalent POST-only plus preflight strategy documented by Apollo.

package/rules/typescript/ts.security.apollo-server-graphql-dev-tooling-exposure.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.apollo-server-graphql-dev-tooling-exposure
+  title: Avoid shipping GraphQL dev landing or playground plugins without a production guard
+  summary: Apollo Server dev landing pages, sandbox UIs, and GraphQL Playground-style plugins should not load unconditionally in production builds.
+  rationale: Interactive GraphQL explorers widen attack surface and often expose schema details beyond what production APIs should advertise by default.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-400
+      title: Uncontrolled Resource Consumption
+    - kind: owasp
+      title: GraphQL Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Apollo Server security
+      url: https://www.apollographql.com/docs/apollo-server/security/security
+  tags:
+    - security
+    - graphql
+    - apollo
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.apollo-server-graphql-dev-tooling-exposure
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.78
+    tags:
+      - security
+      - graphql
+  message:
+    title: Gate GraphQL dev tooling away from production
+    summary: Apollo Server registers dev-oriented landing or playground plugins without an obvious environment guard in the same plugin expression.
+  remediation:
+    summary: >-
+      Load sandbox or local landing plugins only outside production, prefer `ApolloServerPluginLandingPageProductionDefault`, or disable interactive explorers behind authentication at the edge.

package/rules/typescript/ts.security.apollo-server-introspection-exposure.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.apollo-server-introspection-exposure
+  title: Avoid unconditional GraphQL introspection
+  summary: Apollo Server should not hard-enable introspection without environment guards.
+  rationale: Introspection aids attackers in mapping schemas on production deployments.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-400
+      title: Uncontrolled Resource Consumption
+    - kind: owasp
+      title: GraphQL Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Apollo Server security
+      url: https://www.apollographql.com/docs/apollo-server/security/security
+  tags:
+    - security
+    - graphql
+    - apollo
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.apollo-server-introspection-exposure
+    bind: issue
+emit:
+  finding:
+    category: security.information-exposure
+    severity: medium
+    confidence: 0.84
+    tags:
+      - security
+      - graphql
+  message:
+    title: Gate GraphQL introspection away from production
+    summary: Apollo Server enables introspection with a literal `true` flag.
+  remediation:
+    summary: Bind introspection to non-production environments or protect the endpoint behind authenticated tooling.

package/rules/typescript/ts.security.apollo-server-missing-query-limits.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.apollo-server-missing-query-limits
+  title: Add GraphQL query depth or complexity controls
+  summary: Apollo Server bootstrap should declare validation rules or plugins that bound query cost.
+  rationale: Without depth, complexity, persisted operations, or gateway limits, GraphQL endpoints are easier to abuse with expensive queries.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-400
+      title: Uncontrolled Resource Consumption
+    - kind: owasp
+      title: GraphQL Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Apollo Server security
+      url: https://www.apollographql.com/docs/apollo-server/security/security
+  tags:
+    - security
+    - graphql
+    - apollo
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.apollo-server-missing-query-limits
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.72
+    tags:
+      - security
+      - graphql
+  message:
+    title: Layer defenses against expensive GraphQL queries
+    summary: Apollo Server is constructed without recognizable validation rules or protective plugins.
+  remediation:
+    summary: Add depth limits, query complexity rules, persisted operations, rate limits, or terminate behind a gateway/WAF that enforces GraphQL policies.

package/rules/typescript/ts.security.astro-vite-public-secret-define.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.astro-vite-public-secret-define
+  title: Do not inline secrets into Astro PUBLIC import meta defines
+  summary: >-
+    Astro and Vite define entries for import.meta.env.PUBLIC_* must not map to high-risk process.env secrets.
+  rationale: >-
+    PUBLIC_* keys are intended for browser-visible configuration; wiring database passwords or API secrets through vite.define exposes them to client bundles.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-798
+      title: Use of Hard-coded Credentials
+    - kind: owasp
+      title: Secrets Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+  tags:
+    - security
+    - astro
+    - vite
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.astro-vite-public-secret-define
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.83
+    tags:
+      - security
+      - astro
+  message:
+    title: Remove secret process.env wiring from ${captures.issue.text}
+    summary: >-
+      vite.define maps ${captures.issue.text} to a process.env value that looks like a secret.
+  remediation:
+    summary: >-
+      Keep secrets on the server, use private server-only env vars, and reserve PUBLIC_* keys for intentionally public identifiers such as analytics IDs.

package/rules/typescript/ts.security.bind-to-all-interfaces.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid binding to all interfaces
   summary: Network-facing services should not explicitly bind to every interface unless public exposure is intentional and protected.
   rationale: Binding to `0.0.0.0` or `::` can expose a service beyond the expected trust boundary and widen the reachable attack surface.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-668
+      title: Exposure of Resource to Wrong Sphere
+    - kind: url
+      title: CWE-668 Exposure of Resource to Wrong Sphere
+      url: https://cwe.mitre.org/data/definitions/668.html
   tags:
     - security
     - network
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` explicitly binds a network-facing service to every interface."
   remediation:
     summary: Bind to loopback or a specific interface unless public exposure is an intentional deployment requirement with compensating controls.