npm - @critiq/rules - Versions diffs - 0.0.2 → 0.2.0 - Mend

@critiq/rules 0.0.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (396) hide show

package/rules/php/php.performance.no-sync-fs-in-request-path.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.performance.no-sync-fs-in-request-path
+  title: Avoid no sync fs in request path
+  summary: Performance hygiene signal for php sources.
+  rationale: Performance hygiene signal for php sources.
+  tags:
+    - performance
+    - php
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - php
+match:
+  fact:
+    kind: php.performance.no-sync-fs-in-request-path
+    bind: issue
+emit:
+  finding:
+    category: performance.io
+    severity: high
+    confidence: 0.66
+    tags:
+      - performance
+      - php
+  message:
+    title: Avoid no sync fs in request path in `php` code
+    summary: "`${captures.issue.text}` matches php.performance.no-sync-fs-in-request-path."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.

package/rules/php/php.performance.no-unbounded-concurrency.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.performance.no-unbounded-concurrency
+  title: Avoid no unbounded concurrency
+  summary: Performance hygiene signal for php sources.
+  rationale: Performance hygiene signal for php sources.
+  tags:
+    - performance
+    - php
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - php
+match:
+  fact:
+    kind: php.performance.no-unbounded-concurrency
+    bind: issue
+emit:
+  finding:
+    category: performance.async
+    severity: medium
+    confidence: 0.66
+    tags:
+      - performance
+      - php
+  message:
+    title: Avoid no unbounded concurrency in `php` code
+    summary: "`${captures.issue.text}` matches php.performance.no-unbounded-concurrency."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.

package/rules/php/php.security.debug-function-exposure.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.debug-function-exposure
+  title: Remove debug dump helpers from production PHP
+  summary: >-
+    var_dump, print_r, debug_zval_dump, and xdebug helpers should not ship in application code paths.
+  rationale: >-
+    Debug helpers can leak secrets, PII, and internal object state to logs or HTTP responses.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-209
+      title: Generation of Error Message Containing Sensitive Information
+    - kind: owasp
+      title: Error Handling Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
+  tags:
+    - security
+    - php
+    - debug
+    - information-leakage
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.php"
+match:
+  fact:
+    kind: php.security.debug-function-exposure
+    bind: issue
+emit:
+  finding:
+    category: security.information-leakage
+    severity: medium
+    confidence: 0.86
+    tags:
+      - security
+      - php
+      - debug
+  message:
+    title: Remove debug helper in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses a debug dump helper in non-test code."
+  remediation:
+    summary: >-
+      Remove debug helpers from production paths or route diagnostics through structured logging with redaction.

package/rules/php/php.security.insecure-cors-wildcard-with-credentials.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.insecure-cors-wildcard-with-credentials
+  title: Do not combine wildcard CORS origin with credentials
+  summary: >-
+    PHP CORS responses should not allow credentials when origin is set to `*`.
+  rationale: >-
+    Wildcard origins with credential support break origin isolation and can expose authenticated data cross-site.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-942
+      title: Permissive Cross-domain Policy with Untrusted Domains
+    - kind: owasp
+      title: Cross-Origin Resource Sharing (CORS)
+      url: https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
+  tags:
+    - security
+    - php
+    - cors
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.insecure-cors-wildcard-with-credentials
+    bind: issue
+emit:
+  finding:
+    category: security.data-exposure
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - php
+      - cors
+  message:
+    title: Fix unsafe CORS configuration in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` allows wildcard origin and credentials together."
+  remediation:
+    summary: >-
+      Replace wildcard origins with explicit allowlists and keep credentials disabled unless strictly required.

package/rules/php/php.security.insecure-mail-or-file-transport.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.insecure-mail-or-file-transport
+  title: Avoid insecure PHP FTP/SMTP or plaintext transport patterns
+  summary: >-
+    Outbound mail/file transfer code should not rely on plaintext transport endpoints for sensitive traffic.
+  rationale: >-
+    Unencrypted transfer channels expose credentials and payloads to interception or tampering.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-668
+      title: Exposure of Resource to Wrong Sphere
+    - kind: url
+      title: CWE-668 Exposure of Resource to Wrong Sphere
+      url: https://cwe.mitre.org/data/definitions/668.html
+  tags:
+    - security
+    - php
+    - transport
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.insecure-mail-or-file-transport
+    bind: issue
+emit:
+  finding:
+    category: security.network
+    severity: medium
+    confidence: 0.72
+    tags:
+      - security
+      - php
+      - transport
+  message:
+    title: Prefer encrypted transport in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses plaintext FTP/SMTP/HTTP transport for potentially sensitive operations."
+  remediation:
+    summary: >-
+      Use encrypted transport endpoints and modern client libraries with certificate validation enabled.

package/rules/php/php.security.insecure-session-id-generation.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.insecure-session-id-generation
+  title: Avoid predictable or user-supplied session IDs
+  summary: >-
+    session_id must not be set from weak hash helpers, uniqid, or request-derived values.
+  rationale: >-
+    Predictable or attacker-controlled session identifiers enable fixation and session hijacking.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-614
+      title: Sensitive Cookie Without Secure Attribute
+    - kind: owasp
+      title: Session Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+  tags:
+    - security
+    - php
+    - session
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.insecure-session-id-generation
+    bind: issue
+emit:
+  finding:
+    category: security.session-management
+    severity: high
+    confidence: 0.88
+    tags:
+      - security
+      - php
+      - session
+  message:
+    title: Harden session ID generation in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` sets session_id from weak or untrusted input."
+  remediation:
+    summary: >-
+      Let PHP generate session identifiers with session_start, or use random_bytes and bin2hex for custom IDs.

package/rules/php/php.security.insecure-session-or-cookie-config.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.insecure-session-or-cookie-config
+  title: Harden PHP session and cookie security flags
+  summary: >-
+    Session/cookie configuration should keep secure, httpOnly, and safe same-site posture for authenticated contexts.
+  rationale: >-
+    Weak cookie/session flags increase theft and replay risk across XSS, mixed transport, and cross-site request contexts.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-614
+      title: Sensitive Cookie Without Secure Attribute
+    - kind: owasp
+      title: Session Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+  tags:
+    - security
+    - php
+    - session
+    - cookies
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.insecure-session-or-cookie-config
+    bind: issue
+emit:
+  finding:
+    category: security.session-management
+    severity: medium
+    confidence: 0.76
+    tags:
+      - security
+      - php
+      - session
+  message:
+    title: Tighten cookie/session configuration in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` configures cookies or sessions with insecure defaults."
+  remediation:
+    summary: >-
+      Set `secure=true`, `httponly=true`, and a restrictive same-site policy for authentication cookies in production traffic.

package/rules/php/php.security.laravel-sensitive-csrf-exclusion.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.laravel-sensitive-csrf-exclusion
+  title: Avoid broad Laravel CSRF exclusions on sensitive routes
+  summary: >-
+    Wildcard CSRF exclusions should not cover account, billing, admin, password, or profile endpoints.
+  rationale: >-
+    Over-broad CSRF exemptions remove request integrity checks from high-impact authenticated actions.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-352
+      title: Cross-Site Request Forgery (CSRF)
+    - kind: owasp
+      title: Cross-Site Request Forgery Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Laravel security
+      url: https://laravel.com/docs/master/security
+  tags:
+    - security
+    - php
+    - laravel
+    - csrf
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.laravel-sensitive-csrf-exclusion
+    bind: issue
+emit:
+  finding:
+    category: security.session-management
+    severity: high
+    confidence: 0.86
+    tags:
+      - security
+      - php
+      - laravel
+  message:
+    title: Narrow CSRF exclusions near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` exempts sensitive route patterns from CSRF verification."
+  remediation:
+    summary: >-
+      Limit CSRF exceptions to explicitly signed webhook endpoints and avoid wildcard exclusions on authenticated user flows.

package/rules/php/php.security.laravel-unsafe-blade-output.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.laravel-unsafe-blade-output
+  title: Avoid unescaped Laravel Blade output from request or model data
+  summary: >-
+    Raw Blade rendering (`{!! !!}`) should not directly render request, model, or translated user content.
+  rationale: >-
+    Unescaped template output can enable stored or reflected XSS when user-controlled values are rendered as HTML.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Laravel security
+      url: https://laravel.com/docs/master/security
+  tags:
+    - security
+    - php
+    - laravel
+    - xss
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.laravel-unsafe-blade-output
+    bind: issue
+emit:
+  finding:
+    category: security.input-validation
+    severity: high
+    confidence: 0.84
+    tags:
+      - security
+      - php
+      - laravel
+  message:
+    title: Escape template output in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` emits raw HTML from potentially untrusted values."
+  remediation:
+    summary: >-
+      Prefer escaped Blade output (`{{ }}`) and sanitizer wrappers before rendering user-influenced HTML.

package/rules/php/php.security.laravel-unsafe-mass-assignment.rule.yaml ADDED Viewed

@@ -0,0 +1,58 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.laravel-unsafe-mass-assignment
+  title: Avoid mass-assigning full Laravel request payloads
+  summary: >-
+    Eloquent writes should not use `$request->all()` or fully unguarded models for sensitive records.
+  rationale: >-
+    Raw request mass assignment lets attackers set privileged fields like role or account ownership.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
+    - kind: url
+      title: Laravel security
+      url: https://laravel.com/docs/master/security
+  tags:
+    - security
+    - php
+    - laravel
+    - mass-assignment
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: php.security.laravel-unsafe-mass-assignment
+    bind: issue
+emit:
+  finding:
+    category: security.authorization
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - php
+      - laravel
+  message:
+    title: Restrict model assignment in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` writes unfiltered request attributes into a model."
+  remediation:
+    summary: >-
+      Use validated DTO/request objects and explicit allowlists (`only`) for model writes, and avoid `$guarded = []` on sensitive models.

package/rules/php/php.security.no-dynamic-eval.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.no-dynamic-eval
+  title: Avoid dynamic PHP code execution
+  summary: >-
+    Do not execute runtime-generated PHP via eval, string assert, or create_function.
+  rationale: >-
+    Dynamic execution turns untrusted or mutable input into executable code and expands injection risk.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-94
+      title: Improper Control of Generation of Code
+    - kind: owasp
+      title: Code Injection
+      url: https://owasp.org/www-community/attacks/Code_Injection
+  tags:
+    - security
+    - php
+    - execution
+    - injection
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.no-dynamic-eval
+    bind: issue
+emit:
+  finding:
+    category: security.execution
+    severity: high
+    confidence: 0.94
+    tags:
+      - security
+      - php
+      - execution
+  message:
+    title: Remove dynamic execution in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` executes PHP code dynamically."
+  remediation:
+    summary: >-
+      Replace eval, string assert, and create_function with explicit control flow, parsing, or allowlisted dispatch.

package/rules/php/php.security.sensitive-data-egress.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.sensitive-data-egress
+  title: Avoid relaying request-derived sensitive data in outbound PHP HTTP calls
+  summary: >-
+    Outbound HTTP clients should not forward tainted request/session material without validation or redaction.
+  rationale: >-
+    Unchecked egress forwarding can leak tokens, credentials, or personal data to external systems.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-200
+      title: Exposure of Sensitive Information to an Unauthorized Actor
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
+  tags:
+    - security
+    - php
+    - privacy
+    - egress
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: security.sensitive-data-egress
+    bind: issue
+emit:
+  finding:
+    category: security.privacy
+    severity: high
+    confidence: 0.78
+    tags:
+      - security
+      - php
+      - privacy
+  message:
+    title: Validate outbound payloads in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` forwards tainted or sensitive values to an external HTTP client."
+  remediation:
+    summary: >-
+      Scrub secrets, restrict outbound destinations, and centralize external integrations behind audited request builders.

package/rules/php/php.security.symfony-csrf-disabled.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.symfony-csrf-disabled
+  title: Keep Symfony CSRF enabled on state-changing form flows
+  summary: >-
+    Symfony forms and controllers handling state changes should not disable CSRF protection without a clear API token boundary.
+  rationale: >-
+    Disabling CSRF for authenticated browser flows enables cross-site request forgery on sensitive actions.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-352
+      title: Cross-Site Request Forgery (CSRF)
+    - kind: owasp
+      title: Cross-Site Request Forgery Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Symfony security
+      url: https://symfony.com/doc/current/security.html
+  tags:
+    - security
+    - php
+    - symfony
+    - csrf
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.symfony-csrf-disabled
+    bind: issue
+emit:
+  finding:
+    category: security.session-management
+    severity: high
+    confidence: 0.84
+    tags:
+      - security
+      - php
+      - symfony
+  message:
+    title: Re-enable CSRF guard around `${captures.issue.text}`
+    summary: "`${captures.issue.text}` disables CSRF protection for a state-changing Symfony surface."
+  remediation:
+    summary: >-
+      Keep CSRF enabled for browser forms/controllers and only exempt endpoints that are explicitly authenticated by signed tokens.