npm - @critiq/rules - Versions diffs - 0.1.0 → 0.2.0 - Mend

@critiq/rules 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (299) hide show

package/rules/rust/rust.security.insecure-yaml-load.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.insecure-yaml-load
+  title: Avoid untyped YAML deserialization
+  summary: >-
+    Untyped `serde_yaml` deserialization can instantiate arbitrary types from untrusted input.
+  rationale: >-
+    YAML loaders without strict typing enable unsafe object graphs and unexpected type coercion.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-502
+      title: Deserialization of Untrusted Data
+    - kind: owasp
+      title: Deserialization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - yaml
+    - deserialization
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.insecure-yaml-load
+    bind: issue
+emit:
+  finding:
+    category: security.deserialization
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - yaml
+      - deserialization
+  message:
+    title: Use typed YAML parsing near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` deserializes YAML without a constrained target type."
+  remediation:
+    summary: >-
+      Deserialize into explicit structs or enums and validate input before use.

package/rules/rust/rust.security.jwt-without-verification.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.jwt-without-verification
+  title: Verify JWT signatures before trusting claims
+  summary: >-
+    JWT parsing must use a verification key and must not disable signature validation.
+  rationale: >-
+    Trusting unverified JWTs allows attackers to forge tokens with arbitrary claims.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-287
+      title: Improper Authentication
+    - kind: owasp
+      title: JSON Web Token Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - jwt
+    - authentication
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.jwt-without-verification
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - jwt
+      - authentication
+  message:
+    title: Verify JWT signature near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` parses a JWT without verifying its signature."
+  remediation:
+    summary: >-
+      Pass a `DecodingKey` to `decode` and validate claims with a strict `Validation` configuration.

package/rules/rust/rust.security.panic-in-async-handler.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.panic-in-async-handler
+  title: Avoid panic and unwrap in async handlers
+  summary: >-
+    Async request handlers should propagate errors instead of panicking or unwrapping Results.
+  rationale: >-
+    Panics in async handlers can abort tasks and leak error details under load.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - async
+    - reliability
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.panic-in-async-handler
+    bind: issue
+emit:
+  finding:
+    category: security.reliability
+    severity: medium
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - async
+      - reliability
+  message:
+    title: Handle errors in async handler near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` panics or unwraps inside an async function."
+  remediation:
+    summary: >-
+      Return `Result` from async handlers and map errors to appropriate HTTP responses.

package/rules/rust/rust.security.rocket-panic-prone-request-handler.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Rocket route handlers should not `unwrap`, `expect`, or otherwise panic on values derived from the HTTP request.
   rationale: >-
     Panics become hard failures and can be abused for denial-of-service or to leak error detail; prefer `Result` and typed rejections.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-209
+      title: Generation of Error Message Containing Sensitive Information
+    - kind: owasp
+      title: Error Handling Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
+    - kind: url
+      title: ANSSI Rust secure development guidelines
+      url: https://anssi-fr.github.io/rust-guide/01-general-principles.html
   tags:
     - security
     - rust
@@ -43,3 +55,4 @@ emit:
   remediation:
     summary: >-
       Return `Result`, `Option`, or `status::Custom`, map errors to HTTP responses, and reserve `unwrap` for tests or statically known invariants.

package/rules/rust/rust.security.rocket-unsafe-template-output.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Do not wrap request-sourced strings in `RawHtml` (or similar) without escaping in Rocket handlers.
   rationale: >-
     Raw HTML bypasses Rocket's escaping defaults and is a common XSS footgun when fed from path, query, or body inputs.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: ANSSI Rust secure development guidelines
+      url: https://anssi-fr.github.io/rust-guide/01-general-principles.html
   tags:
     - security
     - rust
@@ -45,3 +57,4 @@ emit:
   remediation:
     summary: >-
       Prefer typed templates with auto-escaping, sanitize with a vetted HTML policy crate, or return plain text/JSON instead of `RawHtml`.

package/rules/rust/rust.security.shell-command-spawn.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.shell-command-spawn
+  title: Avoid shell invocation via Command
+  summary: >-
+    Spawning `/bin/sh` or `bash` with `-c` enables shell metacharacter injection.
+  rationale: >-
+    Shell interpretation expands attacker-controlled input into arbitrary command execution.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-78
+      title: OS Command Injection
+    - kind: owasp
+      title: OS Command Injection Defense Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - command-injection
+    - shell
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.shell-command-spawn
+    bind: issue
+emit:
+  finding:
+    category: security.command-injection
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - command-injection
+      - shell
+  message:
+    title: Avoid shell spawn near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` spawns a shell with `-c`, enabling command injection."
+  remediation:
+    summary: >-
+      Invoke binaries directly with explicit arguments instead of routing through a shell.

package/rules/rust/rust.security.sqlx-diesel-raw-interpolated-query.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Do not pass `format!(...)` (or equivalent string concatenation) into `sqlx::query` or `diesel::sql_query` sinks.
   rationale: >-
     Interpolated SQL is the primary SQL injection pattern in Rust ORMs; compile-time macros and bind parameters keep queries safe.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-89
+      title: SQL Injection
+    - kind: owasp
+      title: SQL Injection Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: ANSSI Rust secure development guidelines
+      url: https://anssi-fr.github.io/rust-guide/01-general-principles.html
   tags:
     - security
     - rust
@@ -45,3 +57,4 @@ emit:
   remediation:
     summary: >-
       Prefer `sqlx::query!` / `query_as!`, use `.bind(...)` on typed query builders, or Diesel's query DSL with bound parameters instead of raw interpolated strings.

package/rules/rust/rust.security.template-unescaped-request-value.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     Tera, Maud, and similar engines should not insert request-sourced strings into contexts or `PreEscaped`/`raw` sinks without sanitization.
   rationale: >-
     Template `safe`/raw sinks disable escaping; feeding path, query, form, or JSON extractors there is a direct XSS vector.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - rust
@@ -45,3 +54,4 @@ emit:
   remediation:
     summary: >-
       HTML-escape with a vetted policy (for example `ammonia::clean`), keep auto-escaping on, and avoid `PreEscaped`/`Markup::raw` for untrusted strings.

package/rules/rust/rust.security.tls-missing-min-version.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.tls-missing-min-version
+  title: Set a minimum TLS protocol version in Rust TLS configs
+  summary: >-
+    Rust TLS client and server configuration should set an explicit minimum protocol version (TLS 1.2 or newer).
+  rationale: >-
+    Without a minimum version, legacy SSL/TLS protocols may be negotiated, weakening transport security.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - tls
+    - cryptography
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.tls-missing-min-version
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - tls
+      - cryptography
+  message:
+    title: Set minimum TLS version near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` configures TLS without an explicit minimum protocol version."
+  remediation:
+    summary: >-
+      Set `min_protocol_version` (rustls) or `min_tls_version` (reqwest) to TLS 1.2 or newer.

package/rules/rust/rust.security.warp-blocking-or-panic-in-async-handler.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Warp filters and handlers run on the async runtime; avoid `std::fs`, `thread::sleep`, and `unwrap` on request paths without `spawn_blocking` or proper errors.
   rationale: >-
     Blocking the runtime reduces availability and unwraps turn parse errors into panics; both are amplified under load and hostile traffic.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: ANSSI Rust secure development guidelines
+      url: https://anssi-fr.github.io/rust-guide/01-general-principles.html
   tags:
     - security
     - rust
@@ -43,3 +55,4 @@ emit:
   remediation:
     summary: >-
       Use `tokio::fs`, offload blocking work with `spawn_blocking`, and propagate errors with `Rejection` instead of `unwrap`.

package/rules/rust/rust.security.weak-crypto-import.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.weak-crypto-import
+  title: Avoid importing broken or deprecated crypto crates
+  summary: >-
+    Production Rust code should not import `md5`, `sha1`, `des`, or `rc4` for security-sensitive purposes.
+  rationale: >-
+    MD5 and SHA-1 are broken hash functions, DES has an obsolete key size, and RC4 has known biases.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - cryptography
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.weak-crypto-import
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: medium
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - cryptography
+  message:
+    title: Replace weak crypto import at `${captures.issue.text}`
+    summary: "`${captures.issue.text}` imports a broken or deprecated crypto crate."
+  remediation:
+    summary: >-
+      Use `sha2`, `blake3`, or `aes-gcm` for modern cryptographic primitives.

package/rules/rust/rust.security.weak-rsa-key-size.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.weak-rsa-key-size
+  title: Use RSA keys of at least 2048 bits
+  summary: >-
+    RSA key generation must use at least 2048 bits.
+  rationale: >-
+    RSA keys shorter than 2048 bits are vulnerable to factorization attacks with modern compute.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - cryptography
+    - rsa
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.weak-rsa-key-size
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - cryptography
+      - rsa
+  message:
+    title: Increase RSA key size near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` generates an RSA key smaller than 2048 bits."
+  remediation:
+    summary: >-
+      Generate RSA keys with at least 2048 bits, or prefer Ed25519/ECDSA for new designs.

package/rules/rust/rust.security.weak-tls-cipher.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.weak-tls-cipher
+  title: Avoid weak TLS cipher suites
+  summary: >-
+    Rust TLS configuration must not include cipher suites using RC4, 3DES, NULL, or EXPORT algorithms.
+  rationale: >-
+    Weak cipher suites are vulnerable to practical attacks and should not be negotiated.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - tls
+    - cryptography
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.weak-tls-cipher
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - tls
+      - cryptography
+  message:
+    title: Replace weak TLS cipher near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` references a weak TLS cipher suite."
+  remediation:
+    summary: >-
+      Use modern AEAD cipher suites such as TLS_AES_128_GCM_SHA256 or TLS_CHACHA20_POLY1305_SHA256.

package/rules/shared/security.archive-path-traversal.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Sanitize archive entry paths before writing
   summary: Archive extraction should not write entry names directly to the filesystem.
   rationale: Archive entries can contain traversal paths that overwrite files outside the intended extraction directory.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-22
+      title: Path Traversal
+    - kind: owasp
+      title: Path Traversal
+      url: https://owasp.org/www-community/attacks/Path_Traversal
   tags:
     - security
     - filesystem
@@ -39,3 +48,4 @@ emit:
     summary: "`${captures.issue.text}` may write an archive-controlled path without a containment check."
   remediation:
     summary: Normalize each entry path against a trusted extraction root and reject paths that escape it.

package/rules/shared/security.external-file-upload.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Do not persist upload filenames directly
   summary: Upload handlers should not store attacker-controlled filenames without generating or validating a safe local name.
   rationale: Upload filenames can carry traversal payloads, collisions, or misleading extensions that break local containment.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
   tags:
     - security
     - filesystem
@@ -38,3 +47,4 @@ emit:
     summary: "`${captures.issue.text}` persists an upload filename derived from attacker-controlled input."
   remediation:
     summary: Generate a server-side filename or apply a strict allowlist before storing uploaded content.

package/rules/shared/security.insecure-http-transport.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Insecure HTTP transport
   summary: Outbound transport should not use plain HTTP for sensitive requests.
   rationale: Plain HTTP exposes traffic to interception and tampering.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
   tags:
     - security
     - transport
@@ -40,3 +49,4 @@ emit:
     summary: "`${captures.issue.text}` sends an outbound request over plain HTTP."
   remediation:
     summary: Use HTTPS or a trusted local-development exception for non-production endpoints.

package/rules/shared/security.no-command-execution-with-request-input.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Command execution using untrusted input
   summary: Process execution helpers must not receive request-controlled executables or shell-interpreted arguments.
   rationale: Request-controlled process execution can become remote code execution when attackers choose the binary or influence shell parsing.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-78
+      title: OS Command Injection
+    - kind: owasp
+      title: OS Command Injection Defense Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
   tags:
     - security
     - injection
@@ -40,3 +49,4 @@ emit:
     summary: "`${captures.execCall.text}` executes a process using request-controlled command data."
   remediation:
     summary: Dispatch only allowlisted binaries, keep shell mode disabled, and validate or constrain subcommands before execution.

package/rules/shared/security.no-hardcoded-credentials.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Hardcoded API keys or credentials
   summary: Source files should not embed credential-like string literals.
   rationale: Hardcoded credentials are difficult to rotate and are easily leaked through source control.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-798
+      title: Use of Hard-coded Credentials
+    - kind: owasp
+      title: Secrets Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
   tags:
     - security
     - secrets
@@ -40,3 +49,4 @@ emit:
     summary: "`${captures.credential.text}` appears to embed a credential-like literal in source code."
   remediation:
     summary: Move the secret to a secure runtime secret store or environment-backed config path.