npm - @critiq/rules - Versions diffs - 0.1.0 → 0.2.0 - Mend

@critiq/rules 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (299) hide show

package/rules/rust/rust.correctness.block-on-in-async.rule.yaml ADDED Viewed

@@ -0,0 +1,48 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.correctness.block-on-in-async
+  title: Avoid block_on inside async functions
+  summary: Calling block_on from async code can deadlock the runtime.
+  rationale: >-
+    `Handle::current().block_on`, `Runtime::block_on`, and `futures::executor::block_on`
+    block the async executor thread and can deadlock when invoked from `async fn`.
+  tags:
+    - correctness
+    - rust
+    - concurrency
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/test/**"
+      - "**/testdata/**"
+      - "**/examples/**"
+      - "**/benches/**"
+      - "**/*_test.rs"
+      - "**/*.spec.rs"
+match:
+  fact:
+    kind: rust.correctness.block-on-in-async
+    bind: issue
+emit:
+  finding:
+    category: correctness.concurrency
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+      - rust
+      - concurrency
+  message:
+    title: Remove block_on from async code
+    summary: "`${captures.issue.text}` can deadlock the async runtime."
+  remediation:
+    summary: Await the future directly or run blocking work on a dedicated runtime thread.

package/rules/rust/rust.correctness.forget-join-handle.rule.yaml ADDED Viewed

@@ -0,0 +1,48 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.correctness.forget-join-handle
+  title: Do not forget spawned task handles
+  summary: Forgetting a JoinHandle leaks the task and drops panic propagation.
+  rationale: >-
+    `std::mem::forget` on a `tokio::spawn` return value or `JoinHandle` abandons
+    the task without awaiting completion or observing panics.
+  tags:
+    - correctness
+    - rust
+    - concurrency
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/test/**"
+      - "**/testdata/**"
+      - "**/examples/**"
+      - "**/benches/**"
+      - "**/*_test.rs"
+      - "**/*.spec.rs"
+match:
+  fact:
+    kind: rust.correctness.forget-join-handle
+    bind: issue
+emit:
+  finding:
+    category: correctness.concurrency
+    severity: medium
+    confidence: 0.85
+    tags:
+      - correctness
+      - rust
+      - concurrency
+  message:
+    title: Await or detach spawned tasks explicitly
+    summary: "`${captures.issue.text}` forgets a task handle instead of awaiting it."
+  remediation:
+    summary: Store the `JoinHandle`, await it, or use a structured shutdown path.

package/rules/rust/rust.correctness.mutex-held-across-await.rule.yaml ADDED Viewed

@@ -0,0 +1,48 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.correctness.mutex-held-across-await
+  title: Do not hold a Mutex guard across await
+  summary: Holding a std::sync::Mutex guard across an await point can deadlock the async executor.
+  rationale: >-
+    A `std::sync::Mutex` guard must not be held while the task yields at `.await`.
+    Use an async mutex or release the guard before awaiting.
+  tags:
+    - correctness
+    - rust
+    - concurrency
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/test/**"
+      - "**/testdata/**"
+      - "**/examples/**"
+      - "**/benches/**"
+      - "**/*_test.rs"
+      - "**/*.spec.rs"
+match:
+  fact:
+    kind: rust.correctness.mutex-held-across-await
+    bind: issue
+emit:
+  finding:
+    category: correctness.concurrency
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+      - rust
+      - concurrency
+  message:
+    title: Release the mutex guard before `${captures.issue.text}`
+    summary: A `std::sync::Mutex` guard from `.lock().unwrap()` or `.lock().expect(...)` is still used after `.await`.
+  remediation:
+    summary: Drop the guard before awaiting or switch to `tokio::sync::Mutex` for async code.

package/rules/rust/rust.correctness.std-mutex-in-async-fn.rule.yaml ADDED Viewed

@@ -0,0 +1,48 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.correctness.std-mutex-in-async-fn
+  title: Prefer async mutex primitives in async functions
+  summary: std::sync::Mutex in async code encourages blocking and await deadlocks.
+  rationale: >-
+    `std::sync::Mutex` blocks the executor when contended. In `async fn`, prefer
+    `tokio::sync::Mutex` or `async_lock` primitives that cooperate with the runtime.
+  tags:
+    - correctness
+    - rust
+    - concurrency
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/test/**"
+      - "**/testdata/**"
+      - "**/examples/**"
+      - "**/benches/**"
+      - "**/*_test.rs"
+      - "**/*.spec.rs"
+match:
+  fact:
+    kind: rust.correctness.std-mutex-in-async-fn
+    bind: issue
+emit:
+  finding:
+    category: correctness.concurrency
+    severity: medium
+    confidence: 0.85
+    tags:
+      - correctness
+      - rust
+      - concurrency
+  message:
+    title: Replace std mutex in async code
+    summary: "`${captures.issue.text}` uses `std::sync::Mutex` inside an `async fn`."
+  remediation:
+    summary: Switch to `tokio::sync::Mutex` or keep blocking locks outside async contexts.

package/rules/rust/rust.correctness.thread-sleep-in-async.rule.yaml ADDED Viewed

@@ -0,0 +1,48 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.correctness.thread-sleep-in-async
+  title: Avoid blocking thread sleep in async functions
+  summary: std::thread::sleep blocks the executor thread inside async code.
+  rationale: >-
+    `std::thread::sleep` blocks the current OS thread. Inside `async fn` this stalls
+    the runtime worker and harms throughput. Prefer `tokio::time::sleep` instead.
+  tags:
+    - correctness
+    - rust
+    - concurrency
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/test/**"
+      - "**/testdata/**"
+      - "**/examples/**"
+      - "**/benches/**"
+      - "**/*_test.rs"
+      - "**/*.spec.rs"
+match:
+  fact:
+    kind: rust.correctness.thread-sleep-in-async
+    bind: issue
+emit:
+  finding:
+    category: correctness.concurrency
+    severity: medium
+    confidence: 0.85
+    tags:
+      - correctness
+      - rust
+      - concurrency
+  message:
+    title: Replace blocking sleep in async code
+    summary: "`${captures.issue.text}` blocks an async executor thread."
+  remediation:
+    summary: Use `tokio::time::sleep` or move blocking work to `spawn_blocking`.

package/rules/rust/rust.correctness.unbounded-channel.rule.yaml ADDED Viewed

@@ -0,0 +1,49 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.correctness.unbounded-channel
+  title: Avoid unbounded async channels
+  summary: Unbounded channels can grow without backpressure and exhaust memory.
+  rationale: >-
+    `tokio::sync::mpsc::unbounded_channel` and `futures::channel::mpsc::unbounded`
+    accept messages without capacity limits, which can cause unbounded memory growth
+    under load.
+  tags:
+    - correctness
+    - rust
+    - resource-leak
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/test/**"
+      - "**/testdata/**"
+      - "**/examples/**"
+      - "**/benches/**"
+      - "**/*_test.rs"
+      - "**/*.spec.rs"
+match:
+  fact:
+    kind: rust.correctness.unbounded-channel
+    bind: issue
+emit:
+  finding:
+    category: correctness.resource-leak
+    severity: medium
+    confidence: 0.85
+    tags:
+      - correctness
+      - rust
+      - resource-leak
+  message:
+    title: Prefer bounded channels for backpressure
+    summary: "`${captures.issue.text}` creates an unbounded channel."
+  remediation:
+    summary: Use a bounded `mpsc::channel` with an explicit capacity.

package/rules/rust/rust.correctness.unchecked-index.rule.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.correctness.unchecked-index
+  title: Prefer fallible slice access for variable indices
+  summary: Direct indexing with a variable can panic when the index is out of bounds.
+  rationale: >-
+    Slice indexing with a non-literal index panics on bounds failure. Use `.get(index)`
+    when the index comes from a variable and handle `None` explicitly.
+  tags:
+    - correctness
+    - rust
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/test/**"
+      - "**/testdata/**"
+      - "**/examples/**"
+      - "**/benches/**"
+      - "**/*_test.rs"
+      - "**/*.spec.rs"
+match:
+  fact:
+    kind: rust.correctness.unchecked-index
+    bind: issue
+emit:
+  finding:
+    category: correctness.runtime
+    severity: medium
+    confidence: 0.8
+    tags:
+      - correctness
+      - rust
+  message:
+    title: Use fallible access for variable indices
+    summary: "`${captures.issue.text}` indexes a slice with a variable that may be out of bounds."
+  remediation:
+    summary: Replace direct indexing with `.get(index)` and handle the `None` case.

package/rules/rust/rust.security.actix-wildcard-cors-with-credentials.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     `actix_cors` configurations must not combine `allow_any_origin` with `supports_credentials`.
   rationale: >-
     Wildcard origins with credentials violate browser CORS expectations and usually indicate a missing explicit origin allowlist.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-942
+      title: Permissive Cross-domain Policy with Untrusted Domains
+    - kind: owasp
+      title: Cross-Origin Resource Sharing (CORS)
+      url: https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
+    - kind: url
+      title: ANSSI Rust secure development guidelines
+      url: https://anssi-fr.github.io/rust-guide/01-general-principles.html
   tags:
     - security
     - rust
@@ -45,3 +57,4 @@ emit:
   remediation:
     summary: >-
       Use `allowed_origin` with explicit HTTPS origins, or disable credentials when anonymous public access is intended.

package/rules/rust/rust.security.axum-body-limit-disabled.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Axum apps should keep a finite `DefaultBodyLimit` (or equivalent) so request bodies cannot exhaust memory.
   rationale: >-
     `DefaultBodyLimit::disable()` removes the framework guardrail against huge bodies and is unsafe on routes that accept untrusted input.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: ANSSI Rust secure development guidelines
+      url: https://anssi-fr.github.io/rust-guide/01-general-principles.html
   tags:
     - security
     - rust
@@ -43,3 +55,4 @@ emit:
   remediation:
     summary: >-
       Set an explicit max body size with `DefaultBodyLimit::max`, add `tower_http::limit::RequestBodyLimitLayer`, or enforce limits at your edge proxy before accepting large uploads.

package/rules/rust/rust.security.axum-insecure-cors-with-credentials.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Do not pair wildcard or `very_permissive` origin policies with credentialed CORS or private-network access in `tower-http`.
   rationale: >-
     Browsers treat credentialed CORS as trusted cross-origin behavior; permissive origin lists undermine that contract and often hide missing explicit allowlists.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-942
+      title: Permissive Cross-domain Policy with Untrusted Domains
+    - kind: owasp
+      title: Cross-Origin Resource Sharing (CORS)
+      url: https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
+    - kind: url
+      title: ANSSI Rust secure development guidelines
+      url: https://anssi-fr.github.io/rust-guide/01-general-principles.html
   tags:
     - security
     - rust
@@ -45,3 +57,4 @@ emit:
   remediation:
     summary: >-
       Prefer explicit HTTPS `AllowOrigin` lists, avoid `CorsLayer::very_permissive` with `allow_credentials(true)`, and only enable `allow_private_network` with strict origin controls.

package/rules/rust/rust.security.bind-all-interfaces.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.bind-all-interfaces
+  title: Avoid binding Rust services to all interfaces
+  summary: >-
+    Rust network services should avoid explicit binds to `0.0.0.0`, `::`, or `[::]` unless public exposure is intentional and controlled.
+  rationale: >-
+    Binding every interface can unintentionally expose internal services beyond expected trust boundaries.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-668
+      title: Exposure of Resource to Wrong Sphere
+    - kind: url
+      title: CWE-668 Exposure of Resource to Wrong Sphere
+      url: https://cwe.mitre.org/data/definitions/668.html
+  tags:
+    - security
+    - rust
+    - network
+    - exposure
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.bind-all-interfaces
+    bind: issue
+emit:
+  finding:
+    category: security.network
+    severity: medium
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - network
+      - exposure
+  message:
+    title: Restrict interface bind in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` binds a service to all network interfaces."
+  remediation:
+    summary: >-
+      Prefer loopback or an explicit interface bind unless broad exposure is required and defended by network controls.

package/rules/rust/rust.security.insecure-ssh-host-key.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.insecure-ssh-host-key
+  title: Verify SSH host keys before connecting
+  summary: >-
+    SSH clients must not disable host key verification.
+  rationale: >-
+    Skipping host key checks enables person-in-the-middle attacks against SSH sessions.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-668
+      title: Exposure of Resource to Wrong Sphere
+    - kind: url
+      title: CWE-668 Exposure of Resource to Wrong Sphere
+      url: https://cwe.mitre.org/data/definitions/668.html
+  tags:
+    - security
+    - rust
+    - ssh
+    - network
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.insecure-ssh-host-key
+    bind: issue
+emit:
+  finding:
+    category: security.network
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - ssh
+      - network
+  message:
+    title: Enable SSH host key verification near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` disables SSH host key verification."
+  remediation:
+    summary: >-
+      Keep host key checking enabled and pin known host keys or use a trusted known_hosts store.

package/rules/rust/rust.security.insecure-ssl-protocol.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.insecure-ssl-protocol
+  title: Reject deprecated SSL/TLS protocol versions
+  summary: >-
+    Rust code must not enable SSLv3, TLS 1.0, or TLS 1.1 in TLS configuration.
+  rationale: >-
+    These protocol versions have known weaknesses and are deprecated for secure transport.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - tls
+    - cryptography
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.insecure-ssl-protocol
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - tls
+      - cryptography
+  message:
+    title: Remove insecure TLS protocol near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` references a deprecated SSL/TLS protocol version."
+  remediation:
+    summary: >-
+      Require TLS 1.2 or TLS 1.3 and remove SSLv3, TLS 1.0, and TLS 1.1 from allowed protocol lists.

package/rules/rust/rust.security.insecure-temp-file.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.insecure-temp-file
+  title: Avoid predictable or permissionless temporary files
+  summary: >-
+    Temporary file creation should use secure helpers with random suffixes and restrictive permissions.
+  rationale: >-
+    Predictable temp paths and default-permission temp files enable symlink races and information disclosure.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - filesystem
+    - tempfile
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.insecure-temp-file
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: medium
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - filesystem
+      - tempfile
+  message:
+    title: Use secure temp file creation near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` creates a temporary file with an insecure pattern."
+  remediation:
+    summary: >-
+      Use `tempfile::Builder` with explicit permissions and patterns containing `*`, or `std::env::temp_dir` with random names.