npm - @critiq/rules - Versions diffs - 0.0.2 → 0.2.0 - Mend

@critiq/rules 0.0.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (396) hide show

package/rules/java/java.security.template-unescaped-user-output.rule.yaml ADDED Viewed

@@ -0,0 +1,59 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.template-unescaped-user-output
+  title: Escape template output that reflects request or model data
+  summary: >-
+    Thymeleaf `th:utext`, JSP scriptlets, and FreeMarker `?no_esc` patterns must not render untrusted request or model values without an explicit sanitization strategy.
+  rationale: >-
+    Non-escaped template sinks turn reflected input into XSS, which compromises browser sessions and administrative workflows.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+  tags:
+    - security
+    - java
+    - templates
+    - xss
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.html"
+      - "**/*.htm"
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.template-unescaped-user-output
+    bind: issue
+emit:
+  finding:
+    category: security.injection
+    severity: high
+    confidence: 0.8
+    tags:
+      - security
+      - java
+      - xss
+  message:
+    title: Prefer escaped template output instead of `${captures.issue.text}`
+    summary: >-
+      `${captures.issue.text}` renders template content without default escaping; switch to escaped directives or sanitize with a trusted library.
+  remediation:
+    summary: >-
+      Use Thymeleaf `th:text`, avoid raw JSP expressions for request data, and keep FreeMarker auto-escaping on unless a vetted sanitizer wraps dynamic HTML.

package/rules/java/java.security.trust-all-certificates.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.trust-all-certificates
+  title: Do not trust every TLS certificate
+  summary: "TrustManagers must validate certificates; empty `checkServerTrusted`/`checkClientTrusted` bodies or `TrustAllStrategy` accept any peer."
+  rationale: Disabling certificate validation defeats TLS authentication and enables man-in-the-middle attacks.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+  tags:
+    - security
+    - java
+    - tls
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.trust-all-certificates
+    bind: issue
+emit:
+  finding:
+    category: security.transport
+    severity: critical
+    confidence: 0.93
+    tags:
+      - security
+      - java
+      - tls
+  message:
+    title: Restore certificate validation near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` accepts any TLS certificate without verification."
+  remediation:
+    summary: "Use the platform default `TrustManager` or pin specific CAs; never ship a TrustManager whose validation methods are empty."

package/rules/java/java.security.unsafe-jackson-deserialization.rule.yaml ADDED Viewed

@@ -0,0 +1,59 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.unsafe-jackson-deserialization
+  title: Avoid enabling Jackson polymorphic deserialization
+  summary: >-
+    Jackson `ObjectMapper` should not call `enableDefaultTyping` or `activateDefaultTyping`, and `@JsonTypeInfo(use = Id.CLASS|MINIMAL_CLASS)` should not be applied without an allowlist.
+  rationale: >-
+    Polymorphic deserialization that encodes class names lets attacker-controlled payloads instantiate gadget chains and pivot to remote code execution.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-502
+      title: Deserialization of Untrusted Data
+    - kind: owasp
+      title: Deserialization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
+  tags:
+    - security
+    - java
+    - jackson
+    - deserialization
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+      - "**/*Tests.java"
+match:
+  fact:
+    kind: java.security.unsafe-jackson-deserialization
+    bind: issue
+emit:
+  finding:
+    category: security.deserialization
+    severity: critical
+    confidence: 0.88
+    tags:
+      - security
+      - java
+      - jackson
+      - deserialization
+  message:
+    title: Restrict Jackson polymorphic typing at `${captures.issue.text}`
+    summary: >-
+      `${captures.issue.text}` opts into Jackson polymorphic typing without an allowlist; untrusted JSON can then instantiate arbitrary classes.
+  remediation:
+    summary: >-
+      Disable default typing, validate types with a strict subtype resolver, or replace `Id.CLASS` / `Id.MINIMAL_CLASS` with `Id.NAME` and a registered set of allowed subtypes.

package/rules/java/java.security.weak-rsa-key-size.rule.yaml ADDED Viewed

@@ -0,0 +1,54 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.weak-rsa-key-size
+  title: Use at least 2048-bit RSA keys
+  summary: RSA key generation should request a key size of 2048 bits or higher.
+  rationale: RSA moduli below 2048 bits are considered cryptographically weak and feasible to attack with modern resources.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - java
+    - cryptography
+    - rsa
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.weak-rsa-key-size
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - java
+      - cryptography
+      - rsa
+  message:
+    title: Increase RSA key size near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` initializes RSA with fewer than 2048 bits."
+  remediation:
+    summary: Generate RSA keys with at least 2048 bits, or prefer Ed25519/ECDSA for new code where appropriate.

package/rules/java/java.security.xxe-document-builder.rule.yaml ADDED Viewed

@@ -0,0 +1,59 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.xxe-document-builder
+  title: Disable external entities on Java XML parsers
+  summary: >-
+    `DocumentBuilderFactory`, `SAXParserFactory`, and `TransformerFactory` instances should enable secure processing and disable external entities before they parse untrusted XML.
+  rationale: >-
+    Java XML parser factories default to processing external DTDs and entities; without explicit hardening they expose XXE that can exfiltrate files or perform server-side requests.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-611
+      title: Improper Restriction of XML External Entity Reference
+    - kind: owasp
+      title: XML External Entity (XXE) Processing
+      url: https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
+  tags:
+    - security
+    - java
+    - xxe
+    - xml
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+      - "**/*Tests.java"
+match:
+  fact:
+    kind: java.security.xxe-document-builder
+    bind: issue
+emit:
+  finding:
+    category: security.xxe
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - java
+      - xxe
+      - xml
+  message:
+    title: Harden XML parser factory at `${captures.issue.text}`
+    summary: >-
+      `${captures.issue.text}` constructs a Java XML factory without secure processing or external-entity hardening.
+  remediation:
+    summary: >-
+      Call `setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` and disable `disallow-doctype-decl`, `external-general-entities`, and `external-parameter-entities` before parsing untrusted XML.

package/rules/java/java.security.xxe-xml-input-factory.rule.yaml ADDED Viewed

@@ -0,0 +1,59 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.xxe-xml-input-factory
+  title: Disable DTD and external entities on XMLInputFactory
+  summary: >-
+    `XMLInputFactory.newInstance()` and `XMLInputFactory.newFactory()` should set `SUPPORT_DTD` and `IS_SUPPORTING_EXTERNAL_ENTITIES` to false before reading untrusted XML.
+  rationale: >-
+    StAX `XMLInputFactory` defaults expand DTDs and external entities; without explicit hardening the parser is vulnerable to XXE and external resource disclosure.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-611
+      title: Improper Restriction of XML External Entity Reference
+    - kind: owasp
+      title: XML External Entity (XXE) Processing
+      url: https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
+  tags:
+    - security
+    - java
+    - xxe
+    - stax
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+      - "**/*Tests.java"
+match:
+  fact:
+    kind: java.security.xxe-xml-input-factory
+    bind: issue
+emit:
+  finding:
+    category: security.xxe
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - java
+      - xxe
+      - stax
+  message:
+    title: Harden XMLInputFactory at `${captures.issue.text}`
+    summary: >-
+      `${captures.issue.text}` returns an `XMLInputFactory` without disabling DTD support or external entities.
+  remediation:
+    summary: >-
+      Set `XMLInputFactory.SUPPORT_DTD` and `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES` to `false` before creating any reader.

package/rules/java/java.testing.disabled-without-ticket-reference.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.testing.disabled-without-ticket-reference
+  title: JUnit @Disabled should cite a ticket
+  summary: Disabled tests without a reason string or nearby tracker note are hard to triage.
+  rationale: Disabled tests should carry reviewable intent.
+  tags:
+    - testing
+    - java
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+match:
+  fact:
+    kind: java.testing.disabled-without-ticket-reference
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.64
+    tags:
+      - testing
+      - java
+  message:
+    title: Add a reason or ticket to `${captures.issue.text}`
+    summary: "`@Disabled` is used without a documented reason containing a tracker reference."
+  remediation:
+    summary: Add `@Disabled("JIRA-123 ...")` or a nearby suppression comment with an issue id.

package/rules/java/java.testing.http-client-in-unit-test.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.testing.http-client-in-unit-test
+  title: Avoid live HTTP clients in Java unit tests
+  summary: HttpClient/URL/RestTemplate usage in unit tests should target fakes or embedded servers.
+  rationale: Live HTTP couples CI to the network.
+  tags:
+    - testing
+    - java
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+match:
+  fact:
+    kind: java.testing.http-client-in-unit-test
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.62
+    tags:
+      - testing
+      - java
+  message:
+    title: Stub outbound HTTP in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` references a live HTTP client inside a `*Test.java` file."
+  remediation:
+    summary: Use MockWebServer, WireMock, or injected clients with deterministic responses.

package/rules/java/java.testing.thread-sleep-in-unit-test.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.testing.thread-sleep-in-unit-test
+  title: Avoid Thread.sleep in Java unit tests
+  summary: Sleeping in tests slows CI and hides synchronization bugs.
+  rationale: Prefer Awaitility, latches, or deterministic test doubles.
+  tags:
+    - testing
+    - java
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+match:
+  fact:
+    kind: java.testing.thread-sleep-in-unit-test
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: low
+    confidence: 0.6
+    tags:
+      - testing
+      - java
+  message:
+    title: Replace `Thread.sleep` in unit tests
+    summary: "`${captures.issue.text}` blocks on real wall-clock time inside a `*Test.java` file."
+  remediation:
+    summary: Use synchronization primitives, timeouts with polling, or move timing coverage to integration tests.

package/rules/php/php.correctness.duplicate-array-key.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.duplicate-array-key
+  title: Avoid duplicate keys in array literals
+  summary: Repeated keys in an array literal overwrite earlier entries.
+  rationale: Silent key replacement hides bugs and can invalidate intended configuration values.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.duplicate-array-key
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - php
+  message:
+    title: Resolve duplicate array key `${captures.issue.text}`
+    summary: "`${captures.issue.text}` appears multiple times in a single array literal."
+  remediation:
+    summary: Keep each key unique and merge or rename entries so earlier values are not silently replaced.

package/rules/php/php.correctness.error-suppression-operator.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.error-suppression-operator
+  title: Avoid the error suppression operator
+  summary: The `@` operator hides warnings and errors instead of handling them explicitly.
+  rationale: Suppressed failures make debugging harder and can mask security or data integrity issues.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.error-suppression-operator
+    bind: issue
+emit:
+  finding:
+    category: correctness.error-handling
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - php
+  message:
+    title: Remove error suppression in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses `@` to suppress PHP errors or warnings."
+  remediation:
+    summary: Handle expected failures with explicit checks, try/catch where appropriate, or fix the underlying condition instead of silencing errors.

package/rules/php/php.correctness.nullsafe-returned-by-reference.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.nullsafe-returned-by-reference
+  title: Do not return nullsafe access by reference
+  summary: By-reference arrow functions cannot safely return nullsafe property access.
+  rationale: Nullsafe access may evaluate to null, which cannot be returned by reference and triggers runtime errors.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.nullsafe-returned-by-reference
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: high
+    confidence: 0.92
+    tags:
+      - correctness
+      - php
+  message:
+    title: Fix by-reference arrow function using nullsafe access
+    summary: "`${captures.issue.text}` returns a nullsafe property access by reference."
+  remediation:
+    summary: Return a value by copy, guard against null before returning a reference, or avoid by-reference arrow functions for nullable targets.

package/rules/php/php.correctness.switch-multiple-default.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.switch-multiple-default
+  title: Use only one default case per switch
+  summary: A switch statement must not declare more than one default branch.
+  rationale: Multiple default cases are invalid PHP and indicate a copy-paste or merge mistake.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.switch-multiple-default
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: high
+    confidence: 0.98
+    tags:
+      - correctness
+      - php
+  message:
+    title: Remove extra default case in switch
+    summary: "This switch declares more than one `default` branch."
+  remediation:
+    summary: Keep a single default case and move additional logic into earlier cases or refactor the control flow.

package/rules/php/php.correctness.unreachable-after-return.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.unreachable-after-return
+  title: Remove unreachable statements after return or throw
+  summary: Code after `return` or `throw` in the same block never runs.
+  rationale: Unreachable statements usually indicate dead code, incomplete refactors, or missing control-flow fixes.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.unreachable-after-return
+    bind: issue
+emit:
+  finding:
+    category: correctness.control-flow
+    severity: low
+    confidence: 0.85
+    tags:
+      - correctness
+      - php
+  message:
+    title: Remove unreachable statement
+    summary: "This statement appears after a `return` or `throw` in the same block and will not execute."
+  remediation:
+    summary: Delete the dead code or move it before the terminal statement if it is still required.

package/rules/php/php.performance.no-regex-construction-in-loop.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.performance.no-regex-construction-in-loop
+  title: Avoid no regex construction in loop
+  summary: Performance hygiene signal for php sources.
+  rationale: Performance hygiene signal for php sources.
+  tags:
+    - performance
+    - php
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - php
+match:
+  fact:
+    kind: php.performance.no-regex-construction-in-loop
+    bind: issue
+emit:
+  finding:
+    category: performance.allocation
+    severity: medium
+    confidence: 0.66
+    tags:
+      - performance
+      - php
+  message:
+    title: Avoid no regex construction in loop in `php` code
+    summary: "`${captures.issue.text}` matches php.performance.no-regex-construction-in-loop."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.