npm - @critiq/rules - Versions diffs - 0.0.2 → 0.2.0 - Mend

@critiq/rules 0.0.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (396) hide show

package/package.json CHANGED Viewed

@@ -1,9 +1,14 @@
 {
   "name": "@critiq/rules",
-  "version": "0.0.2",
+  "version": "0.2.0",
   "private": false,
   "description": "Public OSS Critiq rule catalog with catalog metadata, shipped rule YAML files, and preset membership.",
   "license": "Apache-2.0",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/critiq-dev/critiq-rules.git"
+  },
+  "homepage": "https://github.com/critiq-dev/critiq-rules#readme",
   "type": "commonjs",
   "main": "./src/index.js",
   "types": "./src/index.d.ts",

package/rules/go/go.correctness.defer-close-before-check.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.defer-close-before-check
+  title: Check error before deferring Close
+  summary: A deferred Close runs even when the open call failed and returned a nil handle.
+  rationale: >-
+    When `defer file.Close()` runs before the matching `if err != nil` check, a failed
+    open dereferences a nil resource and panics during cleanup.
+  tags:
+    - correctness
+    - go
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.defer-close-before-check
+    bind: issue
+emit:
+  finding:
+    category: correctness.exceptions
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+      - go
+  message:
+    title: Move `defer ... Close()` after the err check in `${captures.issue.text}`
+    summary: "A `defer ...Close()` runs before the matching `if err != nil` check on the open call."
+  remediation:
+    summary: >-
+      Return early when the open call sets a non-nil error, then defer the matching
+      `Close()` only once the resource is known to be valid.

package/rules/go/go.correctness.defer-in-loop.rule.yaml ADDED Viewed

@@ -0,0 +1,47 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.defer-in-loop
+  title: Avoid defer inside loops
+  summary: defer inside a loop holds resources until the surrounding function returns.
+  rationale: >-
+    `defer` runs when the enclosing function returns, not when the iteration ends.
+    Deferring inside a `for` or `for ... range` block accumulates open handles for
+    the lifetime of the function and can exhaust file descriptors or memory.
+  tags:
+    - correctness
+    - go
+    - resource-leak
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.defer-in-loop
+    bind: issue
+emit:
+  finding:
+    category: correctness.resource-leak
+    severity: medium
+    confidence: 0.85
+    tags:
+      - correctness
+      - go
+      - resource-leak
+  message:
+    title: Remove `${captures.issue.text}` from the loop body
+    summary: "A `defer` statement runs inside a `for` loop and accumulates cleanups until the function returns."
+  remediation:
+    summary: >-
+      Wrap the per-iteration work in a helper or closure so the deferred call runs
+      when the iteration ends, not at function return.

package/rules/go/go.correctness.nil-context-passed.rule.yaml ADDED Viewed

@@ -0,0 +1,43 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.nil-context-passed
+  title: Pass a real context.Context
+  summary: Context-accepting calls should not receive a literal `nil` as their first argument.
+  rationale: >-
+    Standard library functions that take `context.Context` panic or skip cancellation
+    semantics when called with `nil`. Use `context.Background()`, `context.TODO()`, or
+    a propagated context instead.
+  tags:
+    - correctness
+    - go
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.nil-context-passed
+    bind: issue
+emit:
+  finding:
+    category: correctness.api-usage
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - go
+  message:
+    title: Pass a real context to `${captures.issue.text}`
+    summary: "A context-accepting call receives a literal `nil` as its first argument."
+  remediation:
+    summary: Use `context.Background()`, `context.TODO()`, or a propagated context value instead of `nil`.

package/rules/go/go.correctness.nil-map-assignment.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.nil-map-assignment
+  title: Initialize maps before assignment
+  summary: Writing to a nil map panics at runtime.
+  rationale: >-
+    A `var m map[K]V` declaration leaves `m` nil. Any `m[key] = value` write before
+    `make(map[K]V)` or a map literal initialization causes a runtime panic.
+  tags:
+    - correctness
+    - go
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.nil-map-assignment
+    bind: issue
+emit:
+  finding:
+    category: correctness.runtime
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+      - go
+  message:
+    title: Initialize map before writing to `${captures.issue.text}`
+    summary: "A `var m map[...]...` declaration is written to before `make(...)` or a literal initialization."
+  remediation:
+    summary: Initialize the map with `make(map[K]V)` or a map literal before writing to it.

package/rules/go/go.correctness.time-tick-leak.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.time-tick-leak
+  title: Avoid time.Tick for stoppable timers
+  summary: time.Tick leaks the underlying ticker because it cannot be stopped.
+  rationale: >-
+    `time.Tick` is documented as appropriate only for cases that run forever. Use
+    `time.NewTicker` so the ticker can be `Stop`ped when the consumer is done with it.
+  tags:
+    - correctness
+    - go
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.time-tick-leak
+    bind: issue
+emit:
+  finding:
+    category: correctness.resource-leak
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - go
+  message:
+    title: Use `time.NewTicker` instead of `${captures.issue.text}`
+    summary: "`time.Tick` cannot be stopped and leaks the ticker goroutine."
+  remediation:
+    summary: >-
+      Replace `time.Tick(d)` with `time.NewTicker(d)` and defer `ticker.Stop()` once
+      the consumer no longer needs the channel.

package/rules/go/go.correctness.unused-append-result.rule.yaml ADDED Viewed

@@ -0,0 +1,43 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.unused-append-result
+  title: Assign the result of append
+  summary: append returns a new slice; dropping the result loses the appended element.
+  rationale: >-
+    `append` may allocate a new backing array, so it always returns the resulting
+    slice. Calling `append(s, x)` as a standalone statement silently throws the
+    update away.
+  tags:
+    - correctness
+    - go
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.unused-append-result
+    bind: issue
+emit:
+  finding:
+    category: correctness.api-usage
+    severity: high
+    confidence: 0.9
+    tags:
+      - correctness
+      - go
+  message:
+    title: Capture the result of `${captures.issue.text}`
+    summary: "An `append(...)` call appears as a standalone statement without assigning its result."
+  remediation:
+    summary: Assign the result back to the slice variable, e.g. `s = append(s, x)`.

package/rules/go/go.correctness.waitgroup-add-in-goroutine.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.waitgroup-add-in-goroutine
+  title: Call WaitGroup.Add before launching the goroutine
+  summary: WaitGroup.Add called inside the goroutine races with Wait.
+  rationale: >-
+    `sync.WaitGroup.Add` must happen before the launching goroutine returns to the
+    caller. If `Add` runs inside the goroutine, `Wait` may observe a zero counter and
+    return before the work begins.
+  tags:
+    - correctness
+    - go
+    - concurrency
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.waitgroup-add-in-goroutine
+    bind: issue
+emit:
+  finding:
+    category: correctness.concurrency
+    severity: high
+    confidence: 0.88
+    tags:
+      - correctness
+      - go
+      - concurrency
+  message:
+    title: Move `${captures.issue.text}` before `go func`
+    summary: "A `WaitGroup.Add` call runs inside a `go func()` body and can race with `Wait`."
+  remediation:
+    summary: Call `wg.Add(n)` on the launching goroutine before the `go` statement starts the worker.

package/rules/go/go.performance.no-regex-construction-in-loop.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.performance.no-regex-construction-in-loop
+  title: Avoid no regex construction in loop
+  summary: Performance hygiene signal for go sources.
+  rationale: Performance hygiene signal for go sources.
+  tags:
+    - performance
+    - go
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+match:
+  fact:
+    kind: go.performance.no-regex-construction-in-loop
+    bind: issue
+emit:
+  finding:
+    category: performance.allocation
+    severity: medium
+    confidence: 0.66
+    tags:
+      - performance
+      - go
+  message:
+    title: Avoid no regex construction in loop in `go` code
+    summary: "`${captures.issue.text}` matches go.performance.no-regex-construction-in-loop."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.

package/rules/go/go.performance.no-sync-fs-in-request-path.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.performance.no-sync-fs-in-request-path
+  title: Avoid no sync fs in request path
+  summary: Performance hygiene signal for go sources.
+  rationale: Performance hygiene signal for go sources.
+  tags:
+    - performance
+    - go
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+match:
+  fact:
+    kind: go.performance.no-sync-fs-in-request-path
+    bind: issue
+emit:
+  finding:
+    category: performance.io
+    severity: high
+    confidence: 0.66
+    tags:
+      - performance
+      - go
+  message:
+    title: Avoid no sync fs in request path in `go` code
+    summary: "`${captures.issue.text}` matches go.performance.no-sync-fs-in-request-path."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.

package/rules/go/go.performance.no-unbounded-concurrency.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.performance.no-unbounded-concurrency
+  title: Avoid no unbounded concurrency
+  summary: Performance hygiene signal for go sources.
+  rationale: Performance hygiene signal for go sources.
+  tags:
+    - performance
+    - go
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+match:
+  fact:
+    kind: go.performance.no-unbounded-concurrency
+    bind: issue
+emit:
+  finding:
+    category: performance.async
+    severity: medium
+    confidence: 0.66
+    tags:
+      - performance
+      - go
+  message:
+    title: Avoid no unbounded concurrency in `go` code
+    summary: "`${captures.issue.text}` matches go.performance.no-unbounded-concurrency."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.

package/rules/go/go.security.bind-all-interfaces.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.bind-all-interfaces
+  title: Avoid binding Go services to all interfaces
+  summary: >-
+    Go network services should avoid explicit binds to `0.0.0.0`, `::`, or `[::]` unless public exposure is intentional and controlled.
+  rationale: >-
+    Binding every interface can unintentionally expose internal services beyond expected trust boundaries.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-668
+      title: Exposure of Resource to Wrong Sphere
+    - kind: url
+      title: CWE-668 Exposure of Resource to Wrong Sphere
+      url: https://cwe.mitre.org/data/definitions/668.html
+  tags:
+    - security
+    - go
+    - network
+    - exposure
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.bind-all-interfaces
+    bind: issue
+emit:
+  finding:
+    category: security.network
+    severity: medium
+    confidence: 0.85
+    tags:
+      - security
+      - go
+      - network
+      - exposure
+  message:
+    title: Restrict interface bind in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` binds a service to all network interfaces."
+  remediation:
+    summary: >-
+      Prefer loopback or an explicit interface bind unless broad exposure is required and defended by network controls.

package/rules/go/go.security.echo-sensitive-binding-without-validation.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.echo-sensitive-binding-without-validation
+  title: Echo handlers should validate sensitive request bodies
+  summary: >-
+    Sensitive Echo binds should use struct tags or validators so mutations cannot accept empty or malformed credentials and roles.
+  rationale: >-
+    Regex-based heuristics flag Echo `Bind` usage when the file defines structs with sensitive fields that omit `validate` or `binding` style tags.
+    This is intentionally conservative and may miss cross-file structs or middleware-protected routes.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - echo
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.echo-sensitive-binding-without-validation
+    bind: issue
+emit:
+  finding:
+    category: security.input-validation
+    severity: medium
+    confidence: 0.72
+    tags:
+      - security
+      - go
+      - echo
+  message:
+    title: Add validation tags for sensitive Echo binds in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` binds request data without validation tags on sensitive struct fields."
+  remediation:
+    summary: >-
+      Add `validate` tags, use Echo's binding helpers with explicit validation, or route through a hardened DTO layer.

package/rules/go/go.security.echo-unsafe-multipart-upload.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.echo-unsafe-multipart-upload
+  title: Harden Echo multipart uploads
+  summary: >-
+    Multipart handlers should cap body size, sanitize filenames with `filepath.Base`, and avoid concatenating user filenames into destination paths.
+  rationale: >-
+    Unbounded multipart reads and raw `FormFile().Filename` usage enable DoS and path traversal when combined with predictable upload directories.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - echo
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.echo-unsafe-multipart-upload
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: high
+    confidence: 0.78
+    tags:
+      - security
+      - go
+      - echo
+  message:
+    title: Harden Echo upload handling in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` writes multipart uploads without `MaxBytesReader`, basename hardening, or equivalent guards."
+  remediation:
+    summary: >-
+      Wrap the request body with `http.MaxBytesReader`, normalize filenames with `filepath.Base`, enforce extension allowlists, and prefer storage APIs that never trust client paths.

package/rules/go/go.security.fiber-sensitive-binding-without-validation.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.fiber-sensitive-binding-without-validation
+  title: Fiber handlers should validate sensitive request bodies
+  summary: >-
+    Sensitive Fiber parsers should pair structs with validator tags or explicit validation so roles and secrets cannot be silently omitted.
+  rationale: >-
+    Regex heuristics flag `BodyParser`/`JSON` usage when structs in the same file define sensitive fields without `validate` or `binding` style tags.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - fiber
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.fiber-sensitive-binding-without-validation
+    bind: issue
+emit:
+  finding:
+    category: security.input-validation
+    severity: medium
+    confidence: 0.72
+    tags:
+      - security
+      - go
+      - fiber
+  message:
+    title: Add validation tags for sensitive Fiber binds in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` parses request bodies without validation tags on sensitive struct fields."
+  remediation:
+    summary: >-
+      Add `validate` struct tags, use Fiber validator middleware, or centralize DTO validation before business logic.