npm - @critiq/rules - Versions diffs - 0.0.2 → 0.2.0 - Mend

@critiq/rules 0.0.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (396) hide show

package/rules/go/go.security.fiber-unsafe-multipart-upload.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.fiber-unsafe-multipart-upload
+  title: Harden Fiber multipart uploads
+  summary: >-
+    Fiber upload helpers should enforce size limits and never persist client-controlled filenames without normalization.
+  rationale: >-
+    `FormFile`/`SaveFile` flows that concatenate `Filename` into paths or skip `filepath.Base` are a common path traversal and storage abuse vector.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - fiber
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.fiber-unsafe-multipart-upload
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: high
+    confidence: 0.76
+    tags:
+      - security
+      - go
+      - fiber
+  message:
+    title: Harden Fiber upload handling in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` handles multipart uploads without basename hardening or byte limits in the local handler window."
+  remediation:
+    summary: >-
+      Apply `filepath.Base`, cap reader sizes, allowlist extensions, and store uploads using server-generated object keys.

package/rules/go/go.security.gin-sensitive-binding-without-validation.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.gin-sensitive-binding-without-validation
+  title: Gin handlers should validate sensitive request bodies
+  summary: >-
+    Sensitive Gin binds should use `binding` or validator tags so authentication and mutation payloads cannot be silently empty.
+  rationale: >-
+    Regex heuristics flag `ShouldBindJSON`/`BindJSON` usage when structs in the same file omit `binding`/`validate` tags on sensitive fields such as passwords or roles.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - gin
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.gin-sensitive-binding-without-validation
+    bind: issue
+emit:
+  finding:
+    category: security.input-validation
+    severity: medium
+    confidence: 0.74
+    tags:
+      - security
+      - go
+      - gin
+  message:
+    title: Add validation tags for sensitive Gin binds in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` binds JSON without validation tags on sensitive struct fields."
+  remediation:
+    summary: >-
+      Add `binding`/`validate` tags, register validators, or reject requests before they reach persistence layers.

package/rules/go/go.security.gin-trust-all-proxies.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.gin-trust-all-proxies
+  title: Avoid trust-all Gin reverse proxy settings
+  summary: >-
+    `SetTrustedProxies` should list real upstreams instead of `nil` or `0.0.0.0/0` style catch-alls that spoof `X-Forwarded-For`.
+  rationale: >-
+    Trusting every proxy allows clients to forge client IP headers and bypass IP-based controls or auditing.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - gin
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.gin-trust-all-proxies
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.86
+    tags:
+      - security
+      - go
+      - gin
+  message:
+    title: Restrict Gin trusted proxies in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` trusts all proxies or nil, which enables forwarded header spoofing."
+  remediation:
+    summary: >-
+      Replace catch-all trusted proxy lists with explicit CIDRs for your ingress tier and document the expected hop count.

package/rules/go/go.security.gin-wildcard-cors-with-credentials.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.gin-wildcard-cors-with-credentials
+  title: Avoid wildcard CORS origins with credentials in Gin
+  summary: >-
+    `gin-contrib/cors` configurations must not combine wildcard origins with `AllowCredentials: true`.
+  rationale: >-
+    Wildcard origins with credentials violate browser CORS safety expectations and often mask missing origin allowlists in APIs that should be locked down.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-942
+      title: Permissive Cross-domain Policy with Untrusted Domains
+    - kind: owasp
+      title: Cross-Origin Resource Sharing (CORS)
+      url: https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
+  tags:
+    - security
+    - go
+    - gin
+    - cors
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.gin-wildcard-cors-with-credentials
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.82
+    tags:
+      - security
+      - go
+      - gin
+      - cors
+  message:
+    title: Fix permissive CORS with credentials in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` pairs wildcard origins with `AllowCredentials`, which is unsafe for browser clients."
+  remediation:
+    summary: >-
+      Replace wildcard origins with explicit HTTPS origins, disable credentials when public anonymous access is intended, or move token APIs to header-only auth without credentialed CORS.

package/rules/go/go.security.insecure-rand-seed.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.insecure-rand-seed
+  title: Do not seed math/rand for security-sensitive randomness
+  summary: >-
+    `rand.Seed` from `math/rand` produces predictable streams; security-sensitive code must use `crypto/rand`.
+  rationale: >-
+    `math/rand` is a PRNG and remains predictable regardless of seed; tokens, secrets, and keys must come from `crypto/rand.Reader`.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - cryptography
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.insecure-rand-seed
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: medium
+    confidence: 0.72
+    tags:
+      - security
+      - go
+      - cryptography
+  message:
+    title: Replace `${captures.issue.text}` with cryptographic randomness
+    summary: "`${captures.issue.text}` seeds `math/rand`, which is not a secure source of randomness."
+  remediation:
+    summary: >-
+      Use `crypto/rand.Reader` (or `crypto/rand.Read`) to generate secrets, tokens, and keys. `math/rand` should only be used for non-security-sensitive randomness and does not need seeding in Go 1.20+.

package/rules/go/go.security.insecure-ssh-host-key.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.insecure-ssh-host-key
+  title: Verify SSH host keys instead of ignoring them
+  summary: >-
+    `ssh.InsecureIgnoreHostKey()` disables host key verification and exposes SSH clients to man-in-the-middle attacks.
+  rationale: >-
+    Skipping host key verification lets any network attacker impersonate the remote host and steal credentials or hijack sessions.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - ssh
+    - transport
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.insecure-ssh-host-key
+    bind: issue
+emit:
+  finding:
+    category: security.transport
+    severity: high
+    confidence: 0.95
+    tags:
+      - security
+      - go
+      - ssh
+      - transport
+  message:
+    title: Replace insecure host-key callback at `${captures.issue.text}`
+    summary: "`${captures.issue.text}` disables SSH host key verification."
+  remediation:
+    summary: >-
+      Use `ssh.FixedHostKey`, `knownhosts.New`, or a callback that compares the remote host key to a trusted pin before completing the handshake.

package/rules/go/go.security.insecure-ssl-protocol.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.insecure-ssl-protocol
+  title: Reject SSLv2 and SSLv3 protocols
+  summary: >-
+    `tls.VersionSSL30`, SSLv2, or SSLv3 string literals indicate use of broken legacy protocols.
+  rationale: >-
+    SSLv2 and SSLv3 contain unrecoverable cryptographic weaknesses (POODLE, DROWN) and must not be negotiated.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - tls
+    - cryptography
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.insecure-ssl-protocol
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - go
+      - tls
+  message:
+    title: Remove SSL legacy protocol from `${captures.issue.text}`
+    summary: "`${captures.issue.text}` references a broken SSLv2/SSLv3 protocol."
+  remediation:
+    summary: >-
+      Use `tls.VersionTLS12` or `tls.VersionTLS13` instead of SSL legacy constants or string literals.

package/rules/go/go.security.insecure-temp-file.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.insecure-temp-file
+  title: Avoid deprecated `ioutil` temporary file helpers
+  summary: >-
+    Go code should use `os.CreateTemp` and `os.MkdirTemp` instead of the deprecated `ioutil.TempFile` / `ioutil.TempDir` helpers.
+  rationale: >-
+    The `ioutil` temp helpers are deprecated and frequently appear alongside race-prone temp-file patterns; the `os` replacements receive ongoing security fixes.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - filesystem
+    - tempfile
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.insecure-temp-file
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: medium
+    confidence: 0.88
+    tags:
+      - security
+      - go
+      - filesystem
+      - tempfile
+  message:
+    title: Replace deprecated temp helper at `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses a deprecated `ioutil` temporary file helper."
+  remediation:
+    summary: >-
+      Switch to `os.CreateTemp(dir, pattern)` or `os.MkdirTemp(dir, pattern)` and ensure the pattern includes a `*` so a random component is generated.

package/rules/go/go.security.jwt-without-verification.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.jwt-without-verification
+  title: Verify JWT signatures before trusting claims
+  summary: >-
+    Parsing JWTs with `jwt.Parse` and a nil keyfunc, `jwt.ParseUnverified`, or `jwt.Decode` skips signature verification and lets attackers forge tokens.
+  rationale: >-
+    Trusting unverified JWTs allows attackers to impersonate users or escalate privileges by crafting tokens with arbitrary claims.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-287
+      title: Improper Authentication
+    - kind: owasp
+      title: JSON Web Token Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - jwt
+    - authentication
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.jwt-without-verification
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - go
+      - jwt
+  message:
+    title: Verify JWT signature near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` parses a JWT without verifying its signature."
+  remediation:
+    summary: >-
+      Provide a non-nil keyfunc to `jwt.Parse` (or `jwt.ParseWithClaims`) and validate the returned token's `.Valid` flag before reading claims.

package/rules/go/go.security.net-http-missing-timeouts.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.net-http-missing-timeouts
+  title: Configure HTTP server timeouts for public listeners
+  summary: >-
+    Public Go HTTP servers should use `http.Server` with read, write, idle, and header timeouts instead of convenience `ListenAndServe` helpers or incomplete literals.
+  rationale: >-
+    Missing timeouts enable slowloris-style resource exhaustion and hung connections on internet-facing services.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - net/http
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.net-http-missing-timeouts
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.7
+    tags:
+      - security
+      - go
+      - net/http
+  message:
+    title: Add HTTP timeouts around `${captures.issue.text}`
+    summary: "`${captures.issue.text}` exposes a listener without full `http.Server` timeout coverage suitable for public networks."
+  remediation:
+    summary: >-
+      Construct `http.Server` with `ReadHeaderTimeout`, `ReadTimeout`, `WriteTimeout`, and `IdleTimeout`, and prefer `ListenAndServe` on that configured instance.

package/rules/go/go.security.pprof-exposed.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.pprof-exposed
+  title: Do not expose pprof endpoints on shared HTTP mux
+  summary: >-
+    Importing `net/http/pprof` or registering `/debug/pprof` handlers on the default mux exposes debugging endpoints to remote callers.
+  rationale: >-
+    Exposed pprof endpoints leak heap, goroutine, and CPU profiles and can be used for denial-of-service or sensitive data harvesting.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - net/http
+    - pprof
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.pprof-exposed
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.78
+    tags:
+      - security
+      - go
+      - net/http
+  message:
+    title: Move pprof off the public mux near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` exposes profiler endpoints without an authentication guard."
+  remediation:
+    summary: >-
+      Register pprof handlers on a private mux bound to localhost or a separate listener, and gate them behind authentication.

package/rules/go/go.security.sensitive-data-egress.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.sensitive-data-egress
+  title: Avoid relaying request-controlled data through outbound Go HTTP clients
+  summary: >-
+    Outbound `http.Post` bodies should not be built directly from request values without validation or redaction.
+  rationale: >-
+    Tainted POST bodies can exfiltrate secrets, replay cookies, or forward attacker payloads to internal integrations.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-200
+      title: Exposure of Sensitive Information to an Unauthorized Actor
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - privacy
+    - egress
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: security.sensitive-data-egress
+    bind: issue
+emit:
+  finding:
+    category: security.privacy
+    severity: high
+    confidence: 0.78
+    tags:
+      - security
+      - go
+      - privacy
+  message:
+    title: Validate outbound HTTP payloads in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` forwards tainted values into an outbound HTTP client body."
+  remediation:
+    summary: >-
+      Allowlist outbound hosts, strip secrets from relayed payloads, and route integrations through audited helpers.