npm - @critiq/rules - Versions diffs - 0.0.2 → 0.2.0 - Mend

@critiq/rules 0.0.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (396) hide show

package/rules/typescript/ts.security.no-arguments-callee.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-arguments-callee
+  title: Avoid `arguments.callee` and `arguments.caller`
+  summary: Do not read `arguments.callee` or `arguments.caller` in functions.
+  rationale: These legacy properties break optimizations, leak stack details, and are restricted in strict mode.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-94
+      title: Improper Control of Generation of Code
+    - kind: owasp
+      title: Code Injection
+      url: https://owasp.org/www-community/attacks/Code_Injection
+  tags:
+    - security
+    - language
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.arguments-callee-or-caller
+    bind: issue
+emit:
+  finding:
+    category: security.language
+    severity: medium
+    confidence: 0.95
+    tags:
+      - security
+      - language
+  message:
+    title: Avoid `${captures.issue.text}`
+    summary: "`${captures.issue.text}` relies on deprecated `arguments` metadata and should not be used."
+  remediation:
+    summary: Use named function expressions or arrow functions instead of `arguments.callee` or `arguments.caller`.

package/rules/typescript/ts.security.no-assign-mutable-export.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-assign-mutable-export
+  title: Avoid mutable module exports
+  summary: Shared module state should not be exported with `let`/`var` or reassigned after export.
+  rationale: Mutable exports make it easy for unrelated modules to change shared security or configuration state at runtime.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  tags:
+    - security
+    - express
+    - maintainability
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.mutable-module-export
+    bind: issue
+emit:
+  finding:
+    category: security.maintainability
+    severity: low
+    confidence: 0.84
+    tags:
+      - security
+      - module-boundary
+  message:
+    title: Keep exported module state immutable for `${captures.issue.text}`
+    summary: "`${captures.issue.text}` is exported with a mutable binding that can change at runtime."
+  remediation:
+    summary: Export read-only values, freeze shared objects, or expose accessors instead of mutable bindings.

package/rules/typescript/ts.security.no-dynamic-execution.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Eval or dynamic code execution
   summary: Eval-like helpers, `vm` execution APIs, and string-evaluated timers should not execute dynamic code.
   rationale: Dynamic execution turns data into code, widens the attack surface, and bypasses normal control flow.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-94
+      title: Improper Control of Generation of Code
+    - kind: owasp
+      title: Code Injection
+      url: https://owasp.org/www-community/attacks/Code_Injection
   tags:
     - security
     - execution
@@ -32,3 +41,4 @@ emit:
     summary: "`${captures.issue.text}` executes dynamic code and should be replaced with a safer alternative."
   remediation:
     summary: Replace dynamic execution with explicit parsing, fixed dispatch tables, or normal function callbacks.

package/rules/typescript/ts.security.no-fs-readfile-sync-in-handler.rule.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-fs-readfile-sync-in-handler
+  title: Avoid synchronous file reads in HTTP handlers
+  summary: Request handlers should not call `readFileSync` or equivalent blocking file APIs.
+  rationale: Blocking disk I/O inside request handlers stalls the Node.js event loop and hurts availability under load.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  tags:
+    - security
+    - express
+    - performance
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.readfile-sync-in-request-handler
+    bind: issue
+emit:
+  finding:
+    category: security.availability
+    severity: medium
+    confidence: 0.86
+    tags:
+      - security
+      - express
+      - filesystem
+  message:
+    title: Replace blocking file read `${captures.issue.text}` in this handler
+    summary: "`${captures.issue.text}` performs synchronous disk I/O on the request path."
+  remediation:
+    summary: Use `fs.promises.readFile`, streams, or preload static assets outside the hot request path.

package/rules/typescript/ts.security.no-global-native-reassignment.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-global-native-reassignment
+  title: Do not reassign global native bindings
+  summary: Do not assign to global native bindings such as `Object`, `Array`, or `undefined`.
+  rationale: Reassigning global natives breaks language invariants and can disable security checks that rely on them.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-94
+      title: Improper Control of Generation of Code
+    - kind: owasp
+      title: Code Injection
+      url: https://owasp.org/www-community/attacks/Code_Injection
+  tags:
+    - security
+    - language
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.global-native-reassignment
+    bind: issue
+emit:
+  finding:
+    category: security.language
+    severity: high
+    confidence: 0.97
+    tags:
+      - security
+      - language
+  message:
+    title: Do not reassign global native bindings
+    summary: "`${captures.issue.text}` reassigns a global native binding and can break runtime guarantees."
+  remediation:
+    summary: Use local variables with distinct names instead of overwriting global natives.

package/rules/typescript/ts.security.no-innerhtml-assignment.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid unsafe `innerHTML` assignment
   summary: "`innerHTML` assignments should only use fixed or explicitly sanitized HTML."
   rationale: Direct HTML injection can allow untrusted or weakly reviewed content to execute in the browser.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - output-encoding
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` inserts non-literal, non-sanitized HTML into `innerHTML`."
   remediation:
     summary: Prefer text-only rendering APIs or assign only fixed or explicitly sanitized HTML.

package/rules/typescript/ts.security.no-javascript-url.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-javascript-url
+  title: Avoid `javascript:` URLs
+  summary: Do not use `javascript:` URLs in string literals, template literals, or JSX link attributes.
+  rationale: "`javascript:` URLs execute attacker-controlled code when used as navigation targets."
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+  tags:
+    - security
+    - xss
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.javascript-url
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: high
+    confidence: 0.94
+    tags:
+      - security
+      - xss
+  message:
+    title: "Avoid `javascript:` URLs"
+    summary: "`${captures.issue.text}` uses a `javascript:` URL that can execute arbitrary script."
+  remediation:
+    summary: "Use safe HTTPS links, in-app handlers, or explicit event callbacks instead of `javascript:` URLs."

package/rules/typescript/ts.security.no-native-prototype-extension.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-native-prototype-extension
+  title: Do not extend native prototypes
+  summary: Do not assign properties on built-in prototype objects such as `Array.prototype`.
+  rationale: Mutating native prototypes affects every consumer of that type and can introduce subtle security bugs across the runtime.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-94
+      title: Improper Control of Generation of Code
+    - kind: owasp
+      title: Code Injection
+      url: https://owasp.org/www-community/attacks/Code_Injection
+  tags:
+    - security
+    - language
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.native-prototype-extension
+    bind: issue
+emit:
+  finding:
+    category: security.language
+    severity: high
+    confidence: 0.96
+    tags:
+      - security
+      - language
+  message:
+    title: Do not extend native prototypes
+    summary: "`${captures.issue.text}` mutates a built-in prototype and can change behavior globally."
+  remediation:
+    summary: Use utility functions or wrapper types instead of modifying native prototypes.

package/rules/typescript/ts.security.no-sync-child-process-exec.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-sync-child-process-exec
+  title: Avoid synchronous child process execution with dynamic commands
+  summary: execSync and spawnSync should not run commands built from variables or template strings.
+  rationale: Synchronous shell execution blocks the event loop and dynamic command strings are a common command-injection surface.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-78
+      title: OS Command Injection
+    - kind: owasp
+      title: OS Command Injection Defense Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
+  tags:
+    - security
+    - express
+    - child-process
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.sync-child-process-exec
+    bind: issue
+emit:
+  finding:
+    category: security.command-injection
+    severity: high
+    confidence: 0.88
+    tags:
+      - security
+      - child-process
+  message:
+    title: Avoid synchronous shell execution in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` runs a child process synchronously with a non-literal command string."
+  remediation:
+    summary: Prefer async APIs with fixed command allowlists, or validate and normalize inputs before invoking shell commands.

package/rules/typescript/ts.security.no-throw-literal.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-throw-literal
+  title: Throw `Error` objects instead of literals
+  summary: Only throw `Error` instances (or subclasses), not strings, numbers, or plain objects.
+  rationale: Throwing literals loses stack traces and makes error handling inconsistent across callers.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  tags:
+    - security
+    - reliability
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.throw-literal
+    bind: issue
+emit:
+  finding:
+    category: security.reliability
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - reliability
+  message:
+    title: Throw an `Error` instead of a literal
+    summary: "`${captures.issue.text}` throws a non-`Error` value that is harder to inspect and handle safely."
+  remediation:
+    summary: Throw `new Error(...)` or a typed error subclass with a clear message.

package/rules/typescript/ts.security.no-with-statement.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-with-statement
+  title: Avoid `with` statements
+  summary: "`with` statements make binding resolution unpredictable and are disallowed in strict mode."
+  rationale: The `with` statement introduces dynamic scope and makes static analysis, optimization, and security review unreliable.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-94
+      title: Improper Control of Generation of Code
+    - kind: owasp
+      title: Code Injection
+      url: https://owasp.org/www-community/attacks/Code_Injection
+  tags:
+    - security
+    - language
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.with-statement
+    bind: issue
+emit:
+  finding:
+    category: security.language
+    severity: high
+    confidence: 0.98
+    tags:
+      - security
+      - language
+  message:
+    title: Avoid `with` statements
+    summary: "`${captures.issue.text}` uses a `with` statement that makes binding resolution unpredictable."
+  remediation:
+    summary: Replace the `with` block with explicit property access on a named object.

package/rules/typescript/ts.security.non-literal-fs-filename.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid attacker-controlled filesystem read paths
   summary: Direct filesystem read APIs should not consume request- or upload-controlled filenames.
   rationale: Dynamic read paths can expose unintended local files or bypass expected file-selection constraints.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
   tags:
     - security
     - filesystem
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` reads from a filename derived from external input."
   remediation:
     summary: Resolve reads from a trusted allowlist or a validated server-controlled mapping instead of external filenames.

package/rules/typescript/ts.security.nuxt-public-runtime-secret.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.nuxt-public-runtime-secret
+  title: Keep secrets out of Nuxt public runtime config
+  summary: >-
+    Sensitive credentials must not be exposed through runtimeConfig.public, which is visible to client bundles.
+  rationale: >-
+    Nuxt exposes runtimeConfig.public to the browser; placing secret material there leaks API keys, database passwords, and signing material to every visitor.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-798
+      title: Use of Hard-coded Credentials
+    - kind: owasp
+      title: Secrets Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+  tags:
+    - security
+    - nuxt
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.nuxt-public-runtime-secret
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.86
+    tags:
+      - security
+      - nuxt
+  message:
+    title: Move ${captures.issue.text} out of runtimeConfig.public
+    summary: >-
+      runtimeConfig.public declares ${captures.issue.text}, which looks like a secret or private credential.
+  remediation:
+    summary: >-
+      Keep secrets in the private runtimeConfig tree (non-public) and expose only publishable identifiers to the client after reviewing Nuxt runtime config documentation.

package/rules/typescript/ts.security.observable-timing-discrepancy.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Use constant-time secret comparison
   summary: Secrets and tokens should not be compared with ordinary equality operators.
   rationale: Ordinary string comparison can leak timing differences that help attackers guess secret material.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
   tags:
     - security
     - cryptography
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Use a constant-time comparison helper such as `crypto.timingSafeEqual` for secrets, tokens, and password hashes.

package/rules/typescript/ts.security.open-redirect.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Open redirect via request-controlled target
   summary: Redirect and navigation sinks should not use request-controlled destinations without validation.
   rationale: Redirect targets that are derived from user input can send authenticated users to attacker-controlled destinations.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-601
+      title: URL Redirection to Untrusted Site
+    - kind: owasp
+      title: Unvalidated Redirects and Forwards Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
   tags:
     - security
     - input-validation
@@ -16,6 +25,8 @@ scope:
   languages:
     - typescript
     - javascript
+    - java
+    - go
 match:
   fact:
     kind: security.open-redirect
@@ -35,3 +46,4 @@ emit:
   remediation:
     summary: Normalize the target to an internal path or validate it against a trusted origin allowlist before redirecting.

package/rules/typescript/ts.security.permissive-allow-origin.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Do not allow every origin in CORS policy
   summary: CORS should not fall back to wildcard or implicit allow-all origin settings.
   rationale: Wildcard or implicit allow-all CORS policies expose authenticated browser responses across origins.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-942
+      title: Permissive Cross-domain Policy with Untrusted Domains
+    - kind: owasp
+      title: Cross-Origin Resource Sharing (CORS)
+      url: https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
   tags:
     - security
     - cors
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` allows any origin through wildcard or implicit CORS policy."
   remediation:
     summary: Configure an explicit allowlist or validated origin callback instead of allowing all origins.

package/rules/typescript/ts.security.permissive-file-permissions.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid permissive file modes
   summary: Files that can carry user or security data should not be created with world-accessible modes.
   rationale: Broad file permissions expose application data to local users or processes that should not read or modify it.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-732
+      title: Incorrect Permission Assignment for Critical Resource
+    - kind: owasp
+      title: File Permission
+      url: https://owasp.org/www-community/vulnerabilities/Improper_File_Permissions
   tags:
     - security
     - filesystem
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Use the minimum required file mode and remove world-readable or world-writable bits.

package/rules/typescript/ts.security.postmessage-wildcard-origin.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid wildcard `postMessage` targets
   summary: "`postMessage` calls should not use `*` as the target origin when they carry application data."
   rationale: Wildcard targets allow the browser to deliver the message to any origin that receives the window reference.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - browser
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` uses `*` as the `postMessage` target origin."
   remediation:
     summary: Set the target origin to a strict expected origin instead of `*`.

package/rules/typescript/ts.security.predictable-token-generation.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid predictable token generation
   summary: Tokens, reset links, and session secrets should be generated from cryptographically strong randomness.
   rationale: Predictable token material makes it easier to guess reset links, invite codes, and session secrets.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-287
+      title: Improper Authentication
+    - kind: owasp
+      title: JSON Web Token Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
   tags:
     - security
     - authentication
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` builds a token-like value from predictable inputs."
   remediation:
     summary: Generate the value with `crypto.randomBytes`, `crypto.randomUUID`, or an approved secure token source.

package/rules/typescript/ts.security.raw-html-using-user-input.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid raw HTML with request input
   summary: Request-derived values should not be interpolated into raw HTML strings.
   rationale: Raw HTML construction with request data is a common path to reflected and stored XSS.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - xss
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Use framework escaping, a trusted sanitizer, or safe DOM APIs instead of raw HTML interpolation.