@critiq/rules 0.0.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (396) hide show
  1. package/README.md +52 -4
  2. package/catalog.yaml +1775 -192
  3. package/package.json +6 -1
  4. package/rules/go/go.correctness.defer-close-before-check.rule.yaml +44 -0
  5. package/rules/go/go.correctness.defer-in-loop.rule.yaml +47 -0
  6. package/rules/go/go.correctness.nil-context-passed.rule.yaml +43 -0
  7. package/rules/go/go.correctness.nil-map-assignment.rule.yaml +42 -0
  8. package/rules/go/go.correctness.time-tick-leak.rule.yaml +44 -0
  9. package/rules/go/go.correctness.unused-append-result.rule.yaml +43 -0
  10. package/rules/go/go.correctness.waitgroup-add-in-goroutine.rule.yaml +45 -0
  11. package/rules/go/go.performance.no-regex-construction-in-loop.rule.yaml +33 -0
  12. package/rules/go/go.performance.no-sync-fs-in-request-path.rule.yaml +33 -0
  13. package/rules/go/go.performance.no-unbounded-concurrency.rule.yaml +33 -0
  14. package/rules/go/go.security.bind-all-interfaces.rule.yaml +57 -0
  15. package/rules/go/go.security.echo-sensitive-binding-without-validation.rule.yaml +56 -0
  16. package/rules/go/go.security.echo-unsafe-multipart-upload.rule.yaml +55 -0
  17. package/rules/go/go.security.fiber-sensitive-binding-without-validation.rule.yaml +55 -0
  18. package/rules/go/go.security.fiber-unsafe-multipart-upload.rule.yaml +55 -0
  19. package/rules/go/go.security.gin-sensitive-binding-without-validation.rule.yaml +55 -0
  20. package/rules/go/go.security.gin-trust-all-proxies.rule.yaml +55 -0
  21. package/rules/go/go.security.gin-wildcard-cors-with-credentials.rule.yaml +57 -0
  22. package/rules/go/go.security.insecure-rand-seed.rule.yaml +55 -0
  23. package/rules/go/go.security.insecure-ssh-host-key.rule.yaml +57 -0
  24. package/rules/go/go.security.insecure-ssl-protocol.rule.yaml +56 -0
  25. package/rules/go/go.security.insecure-temp-file.rule.yaml +57 -0
  26. package/rules/go/go.security.jwt-without-verification.rule.yaml +56 -0
  27. package/rules/go/go.security.net-http-missing-timeouts.rule.yaml +55 -0
  28. package/rules/go/go.security.pprof-exposed.rule.yaml +56 -0
  29. package/rules/go/go.security.sensitive-data-egress.rule.yaml +56 -0
  30. package/rules/go/go.security.tar-path-traversal.rule.yaml +55 -0
  31. package/rules/go/go.security.template-unescaped-request-value.rule.yaml +55 -0
  32. package/rules/go/go.security.tls-missing-min-version.rule.yaml +55 -0
  33. package/rules/go/go.security.unsafe-package-import.rule.yaml +55 -0
  34. package/rules/go/go.security.weak-bcrypt-cost.rule.yaml +56 -0
  35. package/rules/go/go.security.weak-crypto-import.rule.yaml +57 -0
  36. package/rules/go/go.security.weak-rsa-key-size.rule.yaml +57 -0
  37. package/rules/go/go.security.weak-tls-cipher.rule.yaml +56 -0
  38. package/rules/go/go.testing.real-network-in-unit-test.rule.yaml +33 -0
  39. package/rules/go/go.testing.t-skip-without-ticket-reference.rule.yaml +33 -0
  40. package/rules/go/go.testing.time-sleep-in-unit-test.rule.yaml +33 -0
  41. package/rules/java/java.correctness.catch-null-pointer.rule.yaml +40 -0
  42. package/rules/java/java.correctness.empty-catch.rule.yaml +40 -0
  43. package/rules/java/java.correctness.equals-on-array.rule.yaml +40 -0
  44. package/rules/java/java.correctness.return-in-finally.rule.yaml +40 -0
  45. package/rules/java/java.correctness.sync-on-string-literal.rule.yaml +40 -0
  46. package/rules/java/java.correctness.unsafe-optional-get.rule.yaml +40 -0
  47. package/rules/java/java.performance.no-regex-construction-in-loop.rule.yaml +33 -0
  48. package/rules/java/java.performance.no-sync-fs-in-request-path.rule.yaml +33 -0
  49. package/rules/java/java.performance.no-unbounded-concurrency.rule.yaml +33 -0
  50. package/rules/java/java.security.android-screenshot-exposure.rule.yaml +48 -0
  51. package/rules/java/java.security.android-world-readable-mode.rule.yaml +48 -0
  52. package/rules/java/java.security.hibernate-sql-concatenation.rule.yaml +62 -0
  53. package/rules/java/java.security.insecure-cipher-mode.rule.yaml +52 -0
  54. package/rules/java/java.security.insecure-network-protocol.rule.yaml +52 -0
  55. package/rules/java/java.security.insecure-ssl-context.rule.yaml +52 -0
  56. package/rules/java/java.security.jpa-concatenated-query.rule.yaml +60 -0
  57. package/rules/java/java.security.jwt-without-verification.rule.yaml +53 -0
  58. package/rules/java/java.security.null-cipher.rule.yaml +52 -0
  59. package/rules/java/java.security.permissive-cors.rule.yaml +53 -0
  60. package/rules/java/java.security.predictable-securerandom.rule.yaml +59 -0
  61. package/rules/java/java.security.reflected-output-from-request.rule.yaml +45 -0
  62. package/rules/java/java.security.servlet-insecure-cookie.rule.yaml +48 -0
  63. package/rules/java/java.security.shell-runtime-exec.rule.yaml +58 -0
  64. package/rules/java/java.security.spring-actuator-health-details-always.rule.yaml +53 -0
  65. package/rules/java/java.security.spring-actuator-sensitive-exposure.rule.yaml +53 -0
  66. package/rules/java/java.security.spring-csrf-globally-disabled.rule.yaml +62 -0
  67. package/rules/java/java.security.spring-debug-exposure.rule.yaml +48 -0
  68. package/rules/java/java.security.spring-permit-all-default.rule.yaml +60 -0
  69. package/rules/java/java.security.spring-webmvc-unrestricted-data-binding.rule.yaml +60 -0
  70. package/rules/java/java.security.template-unescaped-user-output.rule.yaml +59 -0
  71. package/rules/java/java.security.trust-all-certificates.rule.yaml +52 -0
  72. package/rules/java/java.security.unsafe-jackson-deserialization.rule.yaml +59 -0
  73. package/rules/java/java.security.weak-rsa-key-size.rule.yaml +54 -0
  74. package/rules/java/java.security.xxe-document-builder.rule.yaml +59 -0
  75. package/rules/java/java.security.xxe-xml-input-factory.rule.yaml +59 -0
  76. package/rules/java/java.testing.disabled-without-ticket-reference.rule.yaml +33 -0
  77. package/rules/java/java.testing.http-client-in-unit-test.rule.yaml +33 -0
  78. package/rules/java/java.testing.thread-sleep-in-unit-test.rule.yaml +33 -0
  79. package/rules/php/php.correctness.duplicate-array-key.rule.yaml +36 -0
  80. package/rules/php/php.correctness.error-suppression-operator.rule.yaml +36 -0
  81. package/rules/php/php.correctness.nullsafe-returned-by-reference.rule.yaml +36 -0
  82. package/rules/php/php.correctness.switch-multiple-default.rule.yaml +36 -0
  83. package/rules/php/php.correctness.unreachable-after-return.rule.yaml +36 -0
  84. package/rules/php/php.performance.no-regex-construction-in-loop.rule.yaml +33 -0
  85. package/rules/php/php.performance.no-sync-fs-in-request-path.rule.yaml +33 -0
  86. package/rules/php/php.performance.no-unbounded-concurrency.rule.yaml +33 -0
  87. package/rules/php/php.security.debug-function-exposure.rule.yaml +55 -0
  88. package/rules/php/php.security.insecure-cors-wildcard-with-credentials.rule.yaml +51 -0
  89. package/rules/php/php.security.insecure-mail-or-file-transport.rule.yaml +51 -0
  90. package/rules/php/php.security.insecure-session-id-generation.rule.yaml +51 -0
  91. package/rules/php/php.security.insecure-session-or-cookie-config.rule.yaml +52 -0
  92. package/rules/php/php.security.laravel-sensitive-csrf-exclusion.rule.yaml +55 -0
  93. package/rules/php/php.security.laravel-unsafe-blade-output.rule.yaml +55 -0
  94. package/rules/php/php.security.laravel-unsafe-mass-assignment.rule.yaml +58 -0
  95. package/rules/php/php.security.no-dynamic-eval.rule.yaml +52 -0
  96. package/rules/php/php.security.sensitive-data-egress.rule.yaml +52 -0
  97. package/rules/php/php.security.symfony-csrf-disabled.rule.yaml +55 -0
  98. package/rules/php/php.security.symfony-debug-exposure.rule.yaml +57 -0
  99. package/rules/php/php.security.unsafe-file-upload-handling.rule.yaml +51 -0
  100. package/rules/php/php.security.unsafe-include-with-user-input.rule.yaml +52 -0
  101. package/rules/php/php.security.weak-cipher.rule.yaml +51 -0
  102. package/rules/php/php.security.wordpress-missing-nonce-or-capability.rule.yaml +55 -0
  103. package/rules/php/php.security.wordpress-unprepared-sql.rule.yaml +55 -0
  104. package/rules/php/php.security.xml-external-entity.rule.yaml +53 -0
  105. package/rules/php/php.testing.curl-in-unit-test.rule.yaml +33 -0
  106. package/rules/php/php.testing.mark-test-skipped-without-ticket-reference.rule.yaml +33 -0
  107. package/rules/php/php.testing.sleep-in-unit-test.rule.yaml +33 -0
  108. package/rules/python/py.correctness.assert-on-tuple.rule.yaml +33 -0
  109. package/rules/python/py.correctness.bare-except.rule.yaml +33 -0
  110. package/rules/python/py.correctness.broad-exception-handler.rule.yaml +33 -0
  111. package/rules/python/py.correctness.dangerous-mutable-default.rule.yaml +33 -0
  112. package/rules/python/py.correctness.duplicate-dict-key.rule.yaml +33 -0
  113. package/rules/python/py.performance.no-regex-construction-in-loop.rule.yaml +33 -0
  114. package/rules/python/py.performance.no-sync-fs-in-request-path.rule.yaml +33 -0
  115. package/rules/python/py.performance.no-unbounded-concurrency.rule.yaml +33 -0
  116. package/rules/python/py.security.bind-all-interfaces.rule.yaml +55 -0
  117. package/rules/python/py.security.debugger-import.rule.yaml +55 -0
  118. package/rules/python/py.security.django-csrf-exempt-state-changing.rule.yaml +59 -0
  119. package/rules/python/py.security.django-format-html-unsafe.rule.yaml +56 -0
  120. package/rules/python/py.security.django-mark-safe.rule.yaml +56 -0
  121. package/rules/python/py.security.django-missing-csrf-middleware.rule.yaml +60 -0
  122. package/rules/python/py.security.django-security-middleware-missing.rule.yaml +60 -0
  123. package/rules/python/py.security.django-unsafe-production-settings.rule.yaml +60 -0
  124. package/rules/python/py.security.drf-allow-any-default.rule.yaml +59 -0
  125. package/rules/python/py.security.drf-allow-any-unsafe-method.rule.yaml +59 -0
  126. package/rules/python/py.security.dynamic-code-execution.rule.yaml +55 -0
  127. package/rules/python/py.security.fastapi-insecure-cors.rule.yaml +56 -0
  128. package/rules/python/py.security.flask-debug-enabled.rule.yaml +56 -0
  129. package/rules/python/py.security.flask-missing-upload-body-limit.rule.yaml +57 -0
  130. package/rules/python/py.security.flask-unsafe-html-output.rule.yaml +57 -0
  131. package/rules/python/py.security.flask-unsafe-upload-filename.rule.yaml +57 -0
  132. package/rules/python/py.security.insecure-temp-file.rule.yaml +55 -0
  133. package/rules/python/py.security.insecure-yaml-load.rule.yaml +55 -0
  134. package/rules/python/py.security.jinja-autoescape-disabled.rule.yaml +58 -0
  135. package/rules/python/py.security.subprocess-shell-enabled.rule.yaml +55 -0
  136. package/rules/python/py.testing.pytest-skip-without-ticket-reference.rule.yaml +33 -0
  137. package/rules/python/py.testing.real-network-in-unit-test.rule.yaml +33 -0
  138. package/rules/python/py.testing.time-sleep-in-unit-test.rule.yaml +33 -0
  139. package/rules/ruby/ruby.performance.no-regex-construction-in-loop.rule.yaml +33 -0
  140. package/rules/ruby/ruby.performance.no-sync-fs-in-request-path.rule.yaml +33 -0
  141. package/rules/ruby/ruby.performance.no-unbounded-concurrency.rule.yaml +33 -0
  142. package/rules/ruby/ruby.security.rails-csrf-disabled.rule.yaml +58 -0
  143. package/rules/ruby/ruby.security.rails-detailed-exceptions-enabled.rule.yaml +57 -0
  144. package/rules/ruby/ruby.security.rails-open-redirect.rule.yaml +58 -0
  145. package/rules/ruby/ruby.security.rails-unsafe-html-output.rule.yaml +59 -0
  146. package/rules/ruby/ruby.security.rails-unsafe-render.rule.yaml +58 -0
  147. package/rules/ruby/ruby.security.rails-unsafe-session-or-cookie-store.rule.yaml +58 -0
  148. package/rules/ruby/ruby.security.rails-unsafe-strong-parameters.rule.yaml +59 -0
  149. package/rules/ruby/ruby.security.sensitive-data-egress.rule.yaml +55 -0
  150. package/rules/ruby/ruby.security.sidekiq-web-unauthenticated-mount.rule.yaml +55 -0
  151. package/rules/ruby/ruby.testing.focused-example.rule.yaml +33 -0
  152. package/rules/ruby/ruby.testing.pending-without-ticket-reference.rule.yaml +33 -0
  153. package/rules/ruby/ruby.testing.real-network-in-unit-test.rule.yaml +33 -0
  154. package/rules/ruby/ruby.testing.skip-without-ticket-reference.rule.yaml +33 -0
  155. package/rules/ruby/ruby.testing.sleep-in-unit-test.rule.yaml +33 -0
  156. package/rules/rust/rust.correctness.block-on-in-async.rule.yaml +48 -0
  157. package/rules/rust/rust.correctness.forget-join-handle.rule.yaml +48 -0
  158. package/rules/rust/rust.correctness.mutex-held-across-await.rule.yaml +48 -0
  159. package/rules/rust/rust.correctness.std-mutex-in-async-fn.rule.yaml +48 -0
  160. package/rules/rust/rust.correctness.thread-sleep-in-async.rule.yaml +48 -0
  161. package/rules/rust/rust.correctness.unbounded-channel.rule.yaml +49 -0
  162. package/rules/rust/rust.correctness.unchecked-index.rule.yaml +46 -0
  163. package/rules/rust/rust.performance.no-regex-construction-in-loop.rule.yaml +33 -0
  164. package/rules/rust/rust.performance.no-sync-fs-in-request-path.rule.yaml +33 -0
  165. package/rules/rust/rust.performance.no-unbounded-concurrency.rule.yaml +33 -0
  166. package/rules/rust/rust.security.actix-wildcard-cors-with-credentials.rule.yaml +60 -0
  167. package/rules/rust/rust.security.axum-body-limit-disabled.rule.yaml +58 -0
  168. package/rules/rust/rust.security.axum-insecure-cors-with-credentials.rule.yaml +60 -0
  169. package/rules/rust/rust.security.bind-all-interfaces.rule.yaml +57 -0
  170. package/rules/rust/rust.security.insecure-ssh-host-key.rule.yaml +57 -0
  171. package/rules/rust/rust.security.insecure-ssl-protocol.rule.yaml +57 -0
  172. package/rules/rust/rust.security.insecure-temp-file.rule.yaml +57 -0
  173. package/rules/rust/rust.security.insecure-yaml-load.rule.yaml +57 -0
  174. package/rules/rust/rust.security.jwt-without-verification.rule.yaml +57 -0
  175. package/rules/rust/rust.security.panic-in-async-handler.rule.yaml +57 -0
  176. package/rules/rust/rust.security.rocket-panic-prone-request-handler.rule.yaml +58 -0
  177. package/rules/rust/rust.security.rocket-unsafe-template-output.rule.yaml +60 -0
  178. package/rules/rust/rust.security.shell-command-spawn.rule.yaml +57 -0
  179. package/rules/rust/rust.security.sqlx-diesel-raw-interpolated-query.rule.yaml +60 -0
  180. package/rules/rust/rust.security.template-unescaped-request-value.rule.yaml +57 -0
  181. package/rules/rust/rust.security.tls-missing-min-version.rule.yaml +57 -0
  182. package/rules/rust/rust.security.warp-blocking-or-panic-in-async-handler.rule.yaml +58 -0
  183. package/rules/rust/rust.security.weak-crypto-import.rule.yaml +55 -0
  184. package/rules/rust/rust.security.weak-rsa-key-size.rule.yaml +57 -0
  185. package/rules/rust/rust.security.weak-tls-cipher.rule.yaml +57 -0
  186. package/rules/rust/rust.testing.ignore-without-ticket-reference.rule.yaml +33 -0
  187. package/rules/rust/rust.testing.real-network-in-unit-test.rule.yaml +33 -0
  188. package/rules/rust/rust.testing.thread-sleep-in-unit-test.rule.yaml +33 -0
  189. package/rules/shared/security.archive-path-traversal.rule.yaml +51 -0
  190. package/rules/shared/security.external-file-upload.rule.yaml +50 -0
  191. package/rules/shared/security.insecure-http-transport.rule.yaml +10 -0
  192. package/rules/shared/security.no-command-execution-with-request-input.rule.yaml +10 -0
  193. package/rules/shared/security.no-hardcoded-credentials.rule.yaml +10 -0
  194. package/rules/shared/security.no-request-path-file-read.rule.yaml +10 -0
  195. package/rules/shared/security.no-sensitive-data-in-logs-and-telemetry.rule.yaml +10 -0
  196. package/rules/shared/security.no-sql-interpolation.rule.yaml +10 -0
  197. package/rules/shared/security.permissive-file-permissions.rule.yaml +50 -0
  198. package/rules/shared/security.sensitive-data-egress.rule.yaml +46 -0
  199. package/rules/shared/security.tls-verification-disabled.rule.yaml +10 -0
  200. package/rules/shared/security.unsafe-deserialization.rule.yaml +10 -0
  201. package/rules/shared/security.weak-hash-algorithm.rule.yaml +10 -0
  202. package/rules/typescript/ts.correctness.array-callback-missing-return.rule.yaml +35 -0
  203. package/rules/typescript/ts.correctness.array-sort-without-compare.rule.yaml +35 -0
  204. package/rules/typescript/ts.correctness.assignment-in-condition.rule.yaml +36 -0
  205. package/rules/typescript/ts.correctness.assignment-to-import-binding.rule.yaml +36 -0
  206. package/rules/typescript/ts.correctness.async-promise-executor.rule.yaml +36 -0
  207. package/rules/typescript/ts.correctness.control-flow-in-finally.rule.yaml +35 -0
  208. package/rules/typescript/ts.correctness.duplicate-function-parameter.rule.yaml +36 -0
  209. package/rules/typescript/ts.correctness.duplicate-if-else-condition.rule.yaml +35 -0
  210. package/rules/typescript/ts.correctness.duplicate-import-source.rule.yaml +36 -0
  211. package/rules/typescript/ts.correctness.duplicate-object-key.rule.yaml +36 -0
  212. package/rules/typescript/ts.correctness.duplicate-switch-case.rule.yaml +36 -0
  213. package/rules/typescript/ts.correctness.empty-block-statement.rule.yaml +35 -0
  214. package/rules/typescript/ts.correctness.for-in-on-array.rule.yaml +35 -0
  215. package/rules/typescript/ts.correctness.identical-comparison-operands.rule.yaml +36 -0
  216. package/rules/typescript/ts.correctness.infinite-loop.rule.yaml +32 -0
  217. package/rules/typescript/ts.correctness.invalid-await-expression.rule.yaml +32 -0
  218. package/rules/typescript/ts.correctness.invalid-typeof-comparison.rule.yaml +35 -0
  219. package/rules/typescript/ts.correctness.missing-async-on-promise-method.rule.yaml +32 -0
  220. package/rules/typescript/ts.correctness.missing-super-call.rule.yaml +35 -0
  221. package/rules/typescript/ts.correctness.no-floating-promise-in-function.rule.yaml +32 -0
  222. package/rules/typescript/ts.correctness.no-misused-promises.rule.yaml +32 -0
  223. package/rules/typescript/ts.correctness.promise-reject-non-error.rule.yaml +35 -0
  224. package/rules/typescript/ts.correctness.reassign-catch-binding.rule.yaml +35 -0
  225. package/rules/typescript/ts.correctness.regexp-pattern-unusual-control-character.rule.yaml +35 -0
  226. package/rules/typescript/ts.correctness.self-assignment.rule.yaml +36 -0
  227. package/rules/typescript/ts.correctness.this-before-super.rule.yaml +35 -0
  228. package/rules/typescript/ts.correctness.unnecessary-return-await.rule.yaml +32 -0
  229. package/rules/typescript/ts.correctness.use-number-is-nan.rule.yaml +35 -0
  230. package/rules/typescript/ts.next.server-action-missing-local-auth.rule.yaml +48 -0
  231. package/rules/typescript/ts.performance.no-array-spread-in-hot-loop.rule.yaml +32 -0
  232. package/rules/typescript/ts.performance.no-await-in-loop.rule.yaml +32 -0
  233. package/rules/typescript/ts.performance.no-cache-miss-from-unstable-key.rule.yaml +32 -0
  234. package/rules/typescript/ts.performance.no-expensive-sort-in-render-path.rule.yaml +32 -0
  235. package/rules/typescript/ts.performance.no-json-parse-stringify-clone.rule.yaml +32 -0
  236. package/rules/typescript/ts.performance.no-large-object-spread-in-loop.rule.yaml +32 -0
  237. package/rules/typescript/ts.performance.no-n-plus-one-await-in-map.rule.yaml +32 -0
  238. package/rules/typescript/ts.performance.no-redundant-network-fetch.rule.yaml +32 -0
  239. package/rules/typescript/ts.performance.no-regex-construction-in-loop.rule.yaml +32 -0
  240. package/rules/typescript/ts.performance.no-sync-fs-in-request-path.rule.yaml +32 -0
  241. package/rules/typescript/ts.performance.no-unbounded-concurrency.rule.yaml +32 -0
  242. package/rules/typescript/ts.quality.no-ambiguous-abbreviations.rule.yaml +27 -0
  243. package/rules/typescript/ts.quality.no-barrel-file-cycle.rule.yaml +27 -0
  244. package/rules/typescript/ts.quality.no-boolean-parameter-trap.rule.yaml +27 -0
  245. package/rules/typescript/ts.quality.no-dead-export.rule.yaml +27 -0
  246. package/rules/typescript/ts.quality.no-empty-function.rule.yaml +32 -0
  247. package/rules/typescript/ts.quality.no-hidden-side-effect-import.rule.yaml +27 -0
  248. package/rules/typescript/ts.quality.no-inconsistent-error-shape.rule.yaml +27 -0
  249. package/rules/typescript/ts.quality.no-mixed-abstraction-level.rule.yaml +27 -0
  250. package/rules/typescript/ts.quality.no-primitive-obsession-in-domain-model.rule.yaml +27 -0
  251. package/rules/typescript/ts.quality.no-temporal-coupling.rule.yaml +27 -0
  252. package/rules/typescript/ts.quality.no-wide-public-surface.rule.yaml +27 -0
  253. package/rules/typescript/ts.react.no-accessibility-label-missing.rule.yaml +36 -0
  254. package/rules/typescript/ts.react.no-activedescendant-on-non-focusable-host.rule.yaml +36 -0
  255. package/rules/typescript/ts.react.no-bind-in-jsx-props.rule.yaml +36 -0
  256. package/rules/typescript/ts.react.no-children-prop.rule.yaml +34 -0
  257. package/rules/typescript/ts.react.no-click-without-keyboard-handler.rule.yaml +36 -0
  258. package/rules/typescript/ts.react.no-deprecated-create-factory.rule.yaml +34 -0
  259. package/rules/typescript/ts.react.no-deprecated-react-dom-root-api.rule.yaml +34 -0
  260. package/rules/typescript/ts.react.no-derived-state-from-props.rule.yaml +34 -0
  261. package/rules/typescript/ts.react.no-direct-state-mutation.rule.yaml +34 -0
  262. package/rules/typescript/ts.react.no-duplicate-jsx-attributes.rule.yaml +34 -0
  263. package/rules/typescript/ts.react.no-effect-fetch-without-cancellation.rule.yaml +35 -0
  264. package/rules/typescript/ts.react.no-find-dom-node.rule.yaml +34 -0
  265. package/rules/typescript/ts.react.no-img-missing-alt-text.rule.yaml +36 -0
  266. package/rules/typescript/ts.react.no-index-as-key-in-dynamic-list.rule.yaml +34 -0
  267. package/rules/typescript/ts.react.no-interactive-role-on-static-semantics.rule.yaml +36 -0
  268. package/rules/typescript/ts.react.no-invalid-anchor-href.rule.yaml +36 -0
  269. package/rules/typescript/ts.react.no-jsx-props-spread.rule.yaml +35 -0
  270. package/rules/typescript/ts.react.no-keyboard-interaction-without-widget-role.rule.yaml +36 -0
  271. package/rules/typescript/ts.react.no-legacy-lifecycle.rule.yaml +34 -0
  272. package/rules/typescript/ts.react.no-missing-error-boundary.rule.yaml +36 -0
  273. package/rules/typescript/ts.react.no-positive-tabindex.rule.yaml +36 -0
  274. package/rules/typescript/ts.react.no-set-state-in-component-did-mount.rule.yaml +34 -0
  275. package/rules/typescript/ts.react.no-set-state-in-component-did-update.rule.yaml +34 -0
  276. package/rules/typescript/ts.react.no-static-element-with-synthetic-handlers.rule.yaml +36 -0
  277. package/rules/typescript/ts.react.no-string-ref.rule.yaml +34 -0
  278. package/rules/typescript/ts.react.no-target-blank-without-rel.rule.yaml +46 -0
  279. package/rules/typescript/ts.react.no-this-in-function-component.rule.yaml +34 -0
  280. package/rules/typescript/ts.react.no-uncontrolled-to-controlled-input.rule.yaml +34 -0
  281. package/rules/typescript/ts.react.no-widget-role-without-tabindex.rule.yaml +36 -0
  282. package/rules/typescript/ts.runtime.no-process-exit.rule.yaml +44 -0
  283. package/rules/typescript/ts.security.ajv-insecure-configuration.rule.yaml +44 -0
  284. package/rules/typescript/ts.security.angular-dom-sanitizer-bypass-untrusted-input.rule.yaml +48 -0
  285. package/rules/typescript/ts.security.apollo-server-csrf-disabled.rule.yaml +52 -0
  286. package/rules/typescript/ts.security.apollo-server-graphql-dev-tooling-exposure.rule.yaml +52 -0
  287. package/rules/typescript/ts.security.apollo-server-introspection-exposure.rule.yaml +51 -0
  288. package/rules/typescript/ts.security.apollo-server-missing-query-limits.rule.yaml +51 -0
  289. package/rules/typescript/ts.security.astro-vite-public-secret-define.rule.yaml +52 -0
  290. package/rules/typescript/ts.security.bind-to-all-interfaces.rule.yaml +10 -0
  291. package/rules/typescript/ts.security.browser-token-storage.rule.yaml +10 -0
  292. package/rules/typescript/ts.security.dangerous-insert-html.rule.yaml +10 -0
  293. package/rules/typescript/ts.security.dangerously-set-inner-html.rule.yaml +10 -0
  294. package/rules/typescript/ts.security.datadog-browser-track-user-interactions.rule.yaml +10 -0
  295. package/rules/typescript/ts.security.debug-mode-enabled.rule.yaml +10 -0
  296. package/rules/typescript/ts.security.debug-statement-in-source.rule.yaml +46 -0
  297. package/rules/typescript/ts.security.dynamodb-query-injection.rule.yaml +10 -0
  298. package/rules/typescript/ts.security.electron-dangerous-webpreferences.rule.yaml +45 -0
  299. package/rules/typescript/ts.security.electron-insecure-local-state.rule.yaml +45 -0
  300. package/rules/typescript/ts.security.electron-missing-ipc-origin-check.rule.yaml +45 -0
  301. package/rules/typescript/ts.security.electron-shell-open-external-unvalidated.rule.yaml +48 -0
  302. package/rules/typescript/ts.security.exposed-directory-listing.rule.yaml +10 -0
  303. package/rules/typescript/ts.security.express-cookie-missing-http-only.rule.yaml +16 -0
  304. package/rules/typescript/ts.security.express-default-cookie-config.rule.yaml +16 -0
  305. package/rules/typescript/ts.security.express-default-session-config.rule.yaml +16 -0
  306. package/rules/typescript/ts.security.express-error-handler-information-disclosure.rule.yaml +51 -0
  307. package/rules/typescript/ts.security.express-insecure-cookie.rule.yaml +16 -0
  308. package/rules/typescript/ts.security.express-missing-helmet.rule.yaml +16 -0
  309. package/rules/typescript/ts.security.express-nosql-injection.rule.yaml +16 -0
  310. package/rules/typescript/ts.security.express-permissive-cookie-config.rule.yaml +16 -0
  311. package/rules/typescript/ts.security.express-permissive-cors.rule.yaml +52 -0
  312. package/rules/typescript/ts.security.express-reduce-fingerprint.rule.yaml +16 -0
  313. package/rules/typescript/ts.security.express-static-assets-after-session.rule.yaml +16 -0
  314. package/rules/typescript/ts.security.express-static-dotfiles-allow.rule.yaml +51 -0
  315. package/rules/typescript/ts.security.express-unbounded-body-parser.rule.yaml +50 -0
  316. package/rules/typescript/ts.security.express-user-controlled-static-mount.rule.yaml +51 -0
  317. package/rules/typescript/ts.security.external-file-upload.rule.yaml +10 -0
  318. package/rules/typescript/ts.security.fastify-excessive-body-limit.rule.yaml +50 -0
  319. package/rules/typescript/ts.security.fastify-public-bind-without-trust-proxy.rule.yaml +54 -0
  320. package/rules/typescript/ts.security.file-generation.rule.yaml +10 -0
  321. package/rules/typescript/ts.security.format-string-using-user-input.rule.yaml +10 -0
  322. package/rules/typescript/ts.security.frontend-only-authorization.rule.yaml +10 -0
  323. package/rules/typescript/ts.security.graphql-upload-without-csrf-guard.rule.yaml +52 -0
  324. package/rules/typescript/ts.security.handlebars-no-escape.rule.yaml +10 -0
  325. package/rules/typescript/ts.security.hardcoded-auth-secret.rule.yaml +10 -0
  326. package/rules/typescript/ts.security.iframe-missing-sandbox-attribute.rule.yaml +45 -0
  327. package/rules/typescript/ts.security.import-using-user-input.rule.yaml +10 -0
  328. package/rules/typescript/ts.security.information-leakage.rule.yaml +10 -0
  329. package/rules/typescript/ts.security.insecure-allow-origin.rule.yaml +10 -0
  330. package/rules/typescript/ts.security.insecure-auth-cookie-flags.rule.yaml +10 -0
  331. package/rules/typescript/ts.security.insecure-content-security-policy-literal.rule.yaml +45 -0
  332. package/rules/typescript/ts.security.insecure-helmet-hardening-options.rule.yaml +46 -0
  333. package/rules/typescript/ts.security.insecure-password-hash-configuration.rule.yaml +10 -0
  334. package/rules/typescript/ts.security.insecure-websocket-transport.rule.yaml +10 -0
  335. package/rules/typescript/ts.security.insufficiently-random-values.rule.yaml +10 -0
  336. package/rules/typescript/ts.security.jwt-insecure-signing-algorithm.rule.yaml +45 -0
  337. package/rules/typescript/ts.security.jwt-not-revoked.rule.yaml +10 -0
  338. package/rules/typescript/ts.security.jwt-sensitive-claims.rule.yaml +10 -0
  339. package/rules/typescript/ts.security.legacy-buffer-constructor.rule.yaml +45 -0
  340. package/rules/typescript/ts.security.log-injection.rule.yaml +46 -0
  341. package/rules/typescript/ts.security.manual-html-sanitization.rule.yaml +10 -0
  342. package/rules/typescript/ts.security.missing-authorization-before-sensitive-action.rule.yaml +10 -0
  343. package/rules/typescript/ts.security.missing-integrity-check.rule.yaml +10 -0
  344. package/rules/typescript/ts.security.missing-message-origin-check.rule.yaml +10 -0
  345. package/rules/typescript/ts.security.missing-ownership-validation.rule.yaml +10 -0
  346. package/rules/typescript/ts.security.missing-request-timeout-or-retry.rule.yaml +10 -0
  347. package/rules/typescript/ts.security.nestjs-helmet-after-route-mount.rule.yaml +50 -0
  348. package/rules/typescript/ts.security.nestjs-missing-global-validation-pipe.rule.yaml +51 -0
  349. package/rules/typescript/ts.security.nestjs-skip-throttle-sensitive-route.rule.yaml +51 -0
  350. package/rules/typescript/ts.security.nestjs-validation-pipe-without-whitelist.rule.yaml +52 -0
  351. package/rules/typescript/ts.security.no-alert-confirm-prompt.rule.yaml +44 -0
  352. package/rules/typescript/ts.security.no-arguments-callee.rule.yaml +44 -0
  353. package/rules/typescript/ts.security.no-assign-mutable-export.rule.yaml +45 -0
  354. package/rules/typescript/ts.security.no-dynamic-execution.rule.yaml +10 -0
  355. package/rules/typescript/ts.security.no-fs-readfile-sync-in-handler.rule.yaml +46 -0
  356. package/rules/typescript/ts.security.no-global-native-reassignment.rule.yaml +44 -0
  357. package/rules/typescript/ts.security.no-innerhtml-assignment.rule.yaml +10 -0
  358. package/rules/typescript/ts.security.no-javascript-url.rule.yaml +44 -0
  359. package/rules/typescript/ts.security.no-native-prototype-extension.rule.yaml +44 -0
  360. package/rules/typescript/ts.security.no-sync-child-process-exec.rule.yaml +45 -0
  361. package/rules/typescript/ts.security.no-throw-literal.rule.yaml +44 -0
  362. package/rules/typescript/ts.security.no-with-statement.rule.yaml +44 -0
  363. package/rules/typescript/ts.security.non-literal-fs-filename.rule.yaml +10 -0
  364. package/rules/typescript/ts.security.nuxt-public-runtime-secret.rule.yaml +51 -0
  365. package/rules/typescript/ts.security.observable-timing-discrepancy.rule.yaml +10 -0
  366. package/rules/typescript/ts.security.open-redirect.rule.yaml +12 -0
  367. package/rules/typescript/ts.security.permissive-allow-origin.rule.yaml +10 -0
  368. package/rules/typescript/ts.security.permissive-file-permissions.rule.yaml +10 -0
  369. package/rules/typescript/ts.security.postmessage-wildcard-origin.rule.yaml +10 -0
  370. package/rules/typescript/ts.security.predictable-token-generation.rule.yaml +10 -0
  371. package/rules/typescript/ts.security.raw-html-using-user-input.rule.yaml +10 -0
  372. package/rules/typescript/ts.security.request-driven-array-index-access.rule.yaml +43 -0
  373. package/rules/typescript/ts.security.sensitive-data-egress.rule.yaml +11 -0
  374. package/rules/typescript/ts.security.sensitive-data-in-exception.rule.yaml +10 -0
  375. package/rules/typescript/ts.security.sensitive-data-written-to-file.rule.yaml +10 -0
  376. package/rules/typescript/ts.security.ssrf.rule.yaml +11 -0
  377. package/rules/typescript/ts.security.token-or-session-not-validated.rule.yaml +10 -0
  378. package/rules/typescript/ts.security.ui-redress.rule.yaml +10 -0
  379. package/rules/typescript/ts.security.unsafe-dirname-path-concat.rule.yaml +44 -0
  380. package/rules/typescript/ts.security.unsafe-dompurify-version.rule.yaml +46 -0
  381. package/rules/typescript/ts.security.unsafe-marked-version.rule.yaml +46 -0
  382. package/rules/typescript/ts.security.unsanitized-http-response.rule.yaml +10 -0
  383. package/rules/typescript/ts.security.unvalidated-external-input.rule.yaml +10 -0
  384. package/rules/typescript/ts.security.user-controlled-sendfile.rule.yaml +10 -0
  385. package/rules/typescript/ts.security.user-controlled-view-render.rule.yaml +10 -0
  386. package/rules/typescript/ts.security.weak-cipher-or-mode.rule.yaml +10 -0
  387. package/rules/typescript/ts.security.weak-key-strength.rule.yaml +10 -0
  388. package/rules/typescript/ts.security.weak-tls-version.rule.yaml +10 -0
  389. package/rules/typescript/ts.security.xml-parse-string-with-untrusted-input.rule.yaml +45 -0
  390. package/rules/typescript/ts.testing.no-flaky-timer-test.rule.yaml +38 -0
  391. package/rules/typescript/ts.testing.no-focused-test.rule.yaml +34 -0
  392. package/rules/typescript/ts.testing.no-missing-edge-case-tests.rule.yaml +35 -0
  393. package/rules/typescript/ts.testing.no-network-call-in-unit-test.rule.yaml +38 -0
  394. package/rules/typescript/ts.testing.no-skipped-test-without-ticket.rule.yaml +34 -0
  395. package/rules/typescript/ts.testing.no-snapshot-without-intent.rule.yaml +34 -0
  396. package/rules/typescript/ts.testing.no-test-only-code-in-production.rule.yaml +38 -0
package/rules/typescript/ts.testing.no-skipped-test-without-ticket.rule.yaml ADDED
@@ -0,0 +1,34 @@
1
+ apiVersion: critiq.dev/v1alpha1
2
+ kind: Rule
3
+ metadata:
4
+ id: ts.testing.no-skipped-test-without-ticket
5
+ title: Skipped tests should cite a ticket or timed suppression
6
+ summary: Skipped or disabled tests should reference a tracked issue, expiry, or accepted suppression comment.
7
+ rationale: Silent skips decay into permanent holes in coverage unless they carry reviewable intent.
8
+ tags:
9
+ - testing
10
+ - quality
11
+ - rules-catalog
12
+ stability: experimental
13
+ appliesTo: block
14
+ scope:
15
+ languages:
16
+ - typescript
17
+ - javascript
18
+ match:
19
+ fact:
20
+ kind: testing.skipped-without-ticket-reference
21
+ bind: issue
22
+ emit:
23
+ finding:
24
+ category: quality.testing
25
+ severity: medium
26
+ confidence: 0.72
27
+ tags:
28
+ - testing
29
+ - coverage
30
+ message:
31
+ title: Add a ticket or suppression note for `${captures.issue.text}`
32
+ summary: "`${captures.issue.text}` skips a test without an adjacent issue key, GitHub issue URL, or TODO(expires) style note."
33
+ remediation:
34
+ summary: Link the skip to a tracker id, add a short expiry note, or replace the skip with a focused assertion.
package/rules/typescript/ts.testing.no-snapshot-without-intent.rule.yaml ADDED
@@ -0,0 +1,34 @@
1
+ apiVersion: critiq.dev/v1alpha1
2
+ kind: Rule
3
+ metadata:
4
+ id: ts.testing.no-snapshot-without-intent
5
+ title: Snapshot assertions should name intent
6
+ summary: Snapshot matchers without a snapshot name or preceding intent comment are hard to review in diffs.
7
+ rationale: Anonymous snapshots churn without communicating what behavior reviewers should protect.
8
+ tags:
9
+ - testing
10
+ - quality
11
+ - rules-catalog
12
+ stability: experimental
13
+ appliesTo: block
14
+ scope:
15
+ languages:
16
+ - typescript
17
+ - javascript
18
+ match:
19
+ fact:
20
+ kind: testing.snapshot-without-review-intent
21
+ bind: issue
22
+ emit:
23
+ finding:
24
+ category: quality.testing
25
+ severity: low
26
+ confidence: 0.65
27
+ tags:
28
+ - testing
29
+ - snapshots
30
+ message:
31
+ title: Clarify snapshot intent for `${captures.issue.text}`
32
+ summary: "`${captures.issue.text}` uses a snapshot matcher without a string name and without a `// snapshot:` review comment on the previous line."
33
+ remediation:
34
+ summary: Add a named snapshot, or place `// snapshot:` on the preceding line describing what the snapshot protects.
package/rules/typescript/ts.testing.no-test-only-code-in-production.rule.yaml ADDED
@@ -0,0 +1,38 @@
1
+ apiVersion: critiq.dev/v1alpha1
2
+ kind: Rule
3
+ metadata:
4
+ id: ts.testing.no-test-only-code-in-production
5
+ title: Keep test-only modules and guards out of production paths
6
+ summary: Production modules should not import test doubles or gate behavior on test-only environment flags.
7
+ rationale: Test-only imports and NODE_ENV test branches can ship dead paths or accidental coupling to test harnesses.
8
+ tags:
9
+ - testing
10
+ - quality
11
+ - rules-catalog
12
+ stability: experimental
13
+ appliesTo: project
14
+ scope:
15
+ languages:
16
+ - typescript
17
+ - javascript
18
+ match:
19
+ any:
20
+ - fact:
21
+ kind: testing.production-imports-test-code
22
+ bind: issue
23
+ - fact:
24
+ kind: testing.test-only-env-branch-in-production
25
+ bind: issue
26
+ emit:
27
+ finding:
28
+ category: quality.testing
29
+ severity: high
30
+ confidence: 0.8
31
+ tags:
32
+ - testing
33
+ - boundaries
34
+ message:
35
+ title: Remove test-only coupling in `${captures.issue.text}`
36
+ summary: "`${captures.issue.text}` imports a test-only module or compares runtime mode against `test` outside test paths."
37
+ remediation:
38
+ summary: Move helpers into shared neutral modules, guard test utilities behind dev-only entrypoints, and keep production code free of `NODE_ENV === 'test'` branches.