npm - @critiq/rules - Versions diffs - 0.0.2 → 0.2.0 - Mend

@critiq/rules 0.0.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (396) hide show

package/rules/java/java.security.null-cipher.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.null-cipher
+  title: Do not use NullCipher
+  summary: "Constructing `new NullCipher()` or `Cipher.getInstance(\"Null\")` performs no encryption."
+  rationale: NullCipher returns plaintext unchanged, providing no confidentiality and often disguising an intentional bypass of crypto.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - java
+    - cryptography
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.null-cipher
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: critical
+    confidence: 0.97
+    tags:
+      - security
+      - java
+      - cryptography
+  message:
+    title: Replace NullCipher usage `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses NullCipher, which leaves data unencrypted."
+  remediation:
+    summary: "Use an authenticated cipher such as `AES/GCM/NoPadding` with a properly managed key."

package/rules/java/java.security.permissive-cors.rule.yaml ADDED Viewed

@@ -0,0 +1,53 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.permissive-cors
+  title: Avoid wildcard CORS allow-origins
+  summary: "Spring `@CrossOrigin(\"*\")`, `allowedOrigins(\"*\")`, and `addAllowedOriginPattern(\"*\")` open the API to any origin."
+  rationale: Wildcard origins disable browser-enforced same-origin protection and can allow untrusted sites to call the API with credentials.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-942
+      title: Permissive Cross-domain Policy with Untrusted Domains
+    - kind: owasp
+      title: Cross-Origin Resource Sharing (CORS)
+      url: https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
+  tags:
+    - security
+    - java
+    - spring
+    - cors
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.permissive-cors
+    bind: issue
+emit:
+  finding:
+    category: security.web
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - java
+      - cors
+  message:
+    title: Restrict CORS allow-origin near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` accepts every origin via a wildcard CORS configuration."
+  remediation:
+    summary: "Allow only the specific origins your service trusts; never combine `allowCredentials(true)` with a wildcard origin."

package/rules/java/java.security.predictable-securerandom.rule.yaml ADDED Viewed

@@ -0,0 +1,59 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.predictable-securerandom
+  title: Avoid seeding SecureRandom with predictable values
+  summary: >-
+    `new SecureRandom(byte[])` should not be initialized with literal byte arrays, short fixed buffers, or string-derived seeds.
+  rationale: >-
+    A hardcoded or short seed reduces SecureRandom entropy to a guessable space, making downstream tokens, keys, and salts predictable.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - java
+    - random
+    - cryptography
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+      - "**/*Tests.java"
+match:
+  fact:
+    kind: java.security.predictable-securerandom
+    bind: issue
+emit:
+  finding:
+    category: security.random
+    severity: high
+    confidence: 0.86
+    tags:
+      - security
+      - java
+      - random
+      - cryptography
+  message:
+    title: Seed SecureRandom from a strong source at `${captures.issue.text}`
+    summary: >-
+      `${captures.issue.text}` seeds `SecureRandom` from a literal or short buffer, which lowers effective entropy.
+  remediation:
+    summary: >-
+      Construct `SecureRandom` without arguments to use the system entropy source, or call `SecureRandom.getInstanceStrong()` and `generateSeed` for high-entropy material.

package/rules/java/java.security.reflected-output-from-request.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.reflected-output-from-request
+  title: Avoid reflecting servlet request data through response writers
+  summary: Servlet writers should not emit raw request parameters or headers without encoding or policy checks.
+  rationale: Writing request-controlled strings directly into HTTP responses is a common reflected XSS vector for servlet stacks.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
+  tags:
+    - security
+    - xss
+    - servlet
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+match:
+  fact:
+    kind: security.java-reflected-output-from-request
+    bind: issue
+emit:
+  finding:
+    category: security.injection
+    severity: high
+    confidence: 0.76
+    tags:
+      - security
+      - xss
+      - servlet
+  message:
+    title: Encode or validate output before `${captures.issue.text}`
+    summary: "`${captures.issue.text}` forwards request-derived content through the servlet response writer without an obvious encoding guard."
+  remediation:
+    summary: Contextually encode output for HTML or JSON consumers, validate redirect-like flows separately, and prefer templating APIs that auto-escape.

package/rules/java/java.security.servlet-insecure-cookie.rule.yaml ADDED Viewed

@@ -0,0 +1,48 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.servlet-insecure-cookie
+  title: Harden servlet session and auth cookies
+  summary: Session-like cookies must not disable HttpOnly or Secure, and explicit insecure builder flags should be removed.
+  rationale: Missing HttpOnly and Secure flags expose cookies to XSS and network interception; disabling them makes theft materially easier.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-614
+      title: Sensitive Cookie Without Secure Attribute
+    - kind: owasp
+      title: Session Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+    - kind: url
+      title: Spring Boot security
+      url: https://docs.spring.io/spring-boot/reference/web/spring-security.html
+  tags:
+    - security
+    - session
+    - servlet
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+match:
+  fact:
+    kind: security.servlet-insecure-cookie
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: high
+    confidence: 0.78
+    tags:
+      - security
+      - cookie
+      - servlet
+  message:
+    title: Review insecure cookie construction in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` builds or adjusts cookies with risky defaults or explicitly weakened HttpOnly/Secure flags."
+  remediation:
+    summary: Prefer ResponseCookie with Secure and HttpOnly enabled, SameSite appropriate for your topology, and minimize lifetime on authentication cookies.

package/rules/java/java.security.shell-runtime-exec.rule.yaml ADDED Viewed

@@ -0,0 +1,58 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.shell-runtime-exec
+  title: Prefer Runtime.exec with an argument array
+  summary: >-
+    `Runtime.getRuntime().exec(...)` should not be invoked with a single `String` command argument; the array form (`exec(String[])`) avoids shell-style tokenization.
+  rationale: >-
+    The `exec(String)` overload splits on whitespace and respects no quoting; values containing spaces or shell metacharacters can change the command parsed at runtime.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-78
+      title: OS Command Injection
+    - kind: owasp
+      title: OS Command Injection Defense Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
+  tags:
+    - security
+    - java
+    - execution
+    - shell-injection
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+      - "**/*Tests.java"
+match:
+  fact:
+    kind: java.security.shell-runtime-exec
+    bind: issue
+emit:
+  finding:
+    category: security.execution
+    severity: high
+    confidence: 0.86
+    tags:
+      - security
+      - java
+      - execution
+  message:
+    title: Use the array form for `${captures.issue.text}`
+    summary: >-
+      `${captures.issue.text}` calls `Runtime.exec` with a single `String`, which tokenizes on whitespace and can lead to unintended arguments.
+  remediation:
+    summary: >-
+      Pass an explicit `String[]` of command and arguments, or use `ProcessBuilder` with separate arguments and the parent process inheriting no shell.

package/rules/java/java.security.spring-actuator-health-details-always.rule.yaml ADDED Viewed

@@ -0,0 +1,53 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.spring-actuator-health-details-always
+  title: Avoid always-on Spring Boot health details in external profiles
+  summary: >-
+    `management.endpoint.health.show-details=always` (or YAML equivalent) publishes detailed health payloads to any caller, which often leaks dependency and infrastructure facts.
+  rationale: >-
+    Detailed health should be reserved for authenticated operators or internal networks; `always` removes that gate for anonymous clients.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: Spring Boot security
+      url: https://docs.spring.io/spring-boot/reference/web/spring-security.html
+  tags:
+    - security
+    - java
+    - spring-boot
+    - actuator
+    - rules-catalog
+  stability: experimental
+  appliesTo: file
+scope:
+  languages:
+    - java
+match:
+  fact:
+    kind: java.security.spring-actuator-health-details-always
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.76
+    tags:
+      - security
+      - java
+      - actuator
+  message:
+    title: Scope health detail visibility for `${captures.issue.text}`
+    summary: >-
+      `${captures.issue.text}` always exposes detailed health information; prefer `when-authorized` or role-based access outside tightly controlled environments.
+  remediation:
+    summary: >-
+      Switch to `when-authorized`, protect `/actuator/**` with Spring Security, and keep verbose health on internal-only ports or profiles.

package/rules/java/java.security.spring-actuator-sensitive-exposure.rule.yaml ADDED Viewed

@@ -0,0 +1,53 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.spring-actuator-sensitive-exposure
+  title: Restrict Spring Boot actuator web exposure to non-sensitive endpoints
+  summary: >-
+    Actuator `management.endpoints.web.exposure.include` should not expose wildcards or high-risk endpoints (such as `env`, `beans`, or `heapdump`) without deliberate access control.
+  rationale: >-
+    Over-exposed actuators leak configuration, secrets material, and JVM internals that attackers can use to pivot or crash the service.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: Spring Boot security
+      url: https://docs.spring.io/spring-boot/reference/web/spring-security.html
+  tags:
+    - security
+    - java
+    - spring-boot
+    - actuator
+    - rules-catalog
+  stability: experimental
+  appliesTo: file
+scope:
+  languages:
+    - java
+match:
+  fact:
+    kind: java.security.spring-actuator-sensitive-exposure
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.8
+    tags:
+      - security
+      - java
+      - actuator
+  message:
+    title: Narrow actuator exposure for `${captures.issue.text}`
+    summary: >-
+      `${captures.issue.text}` exposes sensitive actuator endpoints; enumerate only what you need and protect them with authentication and network controls.
+  remediation:
+    summary: >-
+      Replace wildcards with explicit endpoint lists, move sensitive endpoints off public networks, and pair exposure with Spring Security rules or management port isolation.

package/rules/java/java.security.spring-csrf-globally-disabled.rule.yaml ADDED Viewed

@@ -0,0 +1,62 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.spring-csrf-globally-disabled
+  title: Avoid disabling Spring CSRF protection without a stateless API hardening story
+  summary: >-
+    Disabling CSRF globally is unsafe for cookie-backed browser sessions unless the app is clearly hardened as a stateless API (for example OAuth2 resource server with stateless sessions).
+  rationale: >-
+    CSRF protects browser clients that send session cookies; turning it off without token-based or stateless mitigations invites cross-site request forgery against privileged actions.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-352
+      title: Cross-Site Request Forgery (CSRF)
+    - kind: owasp
+      title: Cross-Site Request Forgery Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Spring Boot security
+      url: https://docs.spring.io/spring-boot/reference/web/spring-security.html
+  tags:
+    - security
+    - java
+    - spring
+    - spring-security
+    - csrf
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.spring-csrf-globally-disabled
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.78
+    tags:
+      - security
+      - java
+      - spring-security
+      - csrf
+  message:
+    title: Revisit CSRF configuration near `${captures.issue.text}`
+    summary: >-
+      `${captures.issue.text}` disables CSRF; keep it enabled for session-backed MVC, or move to explicit stateless API patterns and document the threat model.
+  remediation:
+    summary: >-
+      Prefer CSRF tokens for cookie sessions, use `oauth2ResourceServer` with JWT for APIs, or set `SessionCreationPolicy.STATELESS` with a reviewed token story instead of blanket `csrf().disable()`.

package/rules/java/java.security.spring-debug-exposure.rule.yaml ADDED Viewed

@@ -0,0 +1,48 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.spring-debug-exposure
+  title: Avoid Spring Boot debug and actuator exposure in shipped configuration
+  summary: Spring Boot configuration should not force debug logging or wildcard actuator exposure.
+  rationale: Debug modes and fully exposed actuator endpoints leak internals and expand remote attack surface when configs ship to production.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-209
+      title: Generation of Error Message Containing Sensitive Information
+    - kind: owasp
+      title: Error Handling Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
+    - kind: url
+      title: Spring Boot security
+      url: https://docs.spring.io/spring-boot/reference/web/spring-security.html
+  tags:
+    - security
+    - spring
+    - configuration
+    - rules-catalog
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - java
+match:
+  fact:
+    kind: security.spring-debug-exposure
+    bind: issue
+emit:
+  finding:
+    category: security.secrets
+    severity: medium
+    confidence: 0.8
+    tags:
+      - security
+      - spring
+      - disclosure
+  message:
+    title: Tighten Spring configuration near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` enables verbose debugging or permissive actuator exposure that should stay out of production defaults."
+  remediation:
+    summary: Remove debug=true overrides, scope logging levels deliberately, and enumerate only required actuator endpoints behind authentication.

package/rules/java/java.security.spring-permit-all-default.rule.yaml ADDED Viewed

@@ -0,0 +1,60 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.spring-permit-all-default
+  title: Avoid Spring Security chains that leave every request anonymous by default
+  summary: >-
+    Production HTTP security chains should not end with a broad permit-all fallback such as `anyRequest().permitAll()` or `requestMatchers("/**").permitAll()`.
+  rationale: >-
+    Anonymous-by-default authorization lets unauthenticated callers reach handlers that were meant to be protected, which often leads to broken access control and data exposure.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-862
+      title: Missing Authorization
+    - kind: owasp
+      title: Authorization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
+    - kind: url
+      title: Spring Boot security
+      url: https://docs.spring.io/spring-boot/reference/web/spring-security.html
+  tags:
+    - security
+    - java
+    - spring
+    - spring-security
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.spring-permit-all-default
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: high
+    confidence: 0.82
+    tags:
+      - security
+      - java
+      - spring-security
+  message:
+    title: Tighten Spring Security authorization instead of `${captures.issue.text}`
+    summary: >-
+      `${captures.issue.text}` leaves requests broadly permitted; require authentication or explicit scoped rules for non-public routes.
+  remediation:
+    summary: >-
+      Replace broad permit-all with authenticated or role-based rules, keep public paths explicit, and add integration tests that assert unauthorized access is rejected.

package/rules/java/java.security.spring-webmvc-unrestricted-data-binding.rule.yaml ADDED Viewed

@@ -0,0 +1,60 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.spring-webmvc-unrestricted-data-binding
+  title: Constrain Spring MVC data binding for domain objects
+  summary: >-
+    Binding request parameters directly into entity-like models without `setAllowedFields` / `@InitBinder` controls risks mass-assignment privilege escalation.
+  rationale: >-
+    Attackers can post unexpected fields (for example `role=admin`) that map onto persistent entities unless binding is explicitly allow-listed.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: Spring Boot security
+      url: https://docs.spring.io/spring-boot/reference/web/spring-security.html
+  tags:
+    - security
+    - java
+    - spring-mvc
+    - mass-assignment
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.spring-webmvc-unrestricted-data-binding
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.74
+    tags:
+      - security
+      - java
+      - spring-mvc
+  message:
+    title: Add binding guards instead of `${captures.issue.text}`
+    summary: >-
+      `${captures.issue.text}` suggests unconstrained binding; use DTOs, `@InitBinder#setAllowedFields`, or constructor binding with immutable commands.
+  remediation:
+    summary: >-
+      Prefer dedicated request DTOs, declare allowed fields explicitly, and avoid binding security-sensitive properties from raw requests.