npm - @critiq/rules - Versions diffs - 0.1.0 → 0.2.0 - Mend

@critiq/rules 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (299) hide show

package/rules/shared/security.no-request-path-file-read.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Path traversal via user input
   summary: File access calls must not use request-controlled paths directly.
   rationale: User-controlled paths can escape the intended directory and expose sensitive files.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
   tags:
     - security
     - filesystem
@@ -40,3 +49,4 @@ emit:
     summary: "`${captures.fileRead.text}` reads from a path derived from request data without an allowlist or boundary check."
   remediation:
     summary: Resolve the path against a trusted base directory and reject values that escape it.

package/rules/shared/security.no-sensitive-data-in-logs-and-telemetry.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid sensitive data in logs and telemetry
   summary: Sensitive fields should not be sent to logging, tracing, or analytics sinks.
   rationale: Observability payloads often leave the service boundary and can expose secrets, account identifiers, or personal data if they carry raw request or user fields.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-532
+      title: Insertion of Sensitive Information into Log File
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
   tags:
     - security
     - privacy
@@ -42,3 +51,4 @@ emit:
     summary: "`${captures.issue.text}` reaches a logging or telemetry sink with sensitive data."
   remediation:
     summary: Redact, hash, or drop the sensitive field before it reaches the sink.

package/rules/shared/security.no-sql-interpolation.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid raw or interpolated SQL
   summary: Database query sinks must not receive request-driven or dynamically interpolated SQL text.
   rationale: Raw or interpolated SQL can let attackers control query structure when values are not passed separately.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-89
+      title: SQL Injection
+    - kind: owasp
+      title: SQL Injection Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
   tags:
     - security
     - sql
@@ -40,3 +49,4 @@ emit:
     summary: "`${captures.queryCall.text}` builds or forwards SQL text directly into a raw query sink."
   remediation:
     summary: Use prepared statements, placeholder parameters, or a typed query builder instead of executing raw SQL text.

package/rules/shared/security.permissive-file-permissions.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid world-readable or world-writable file permissions
   summary: File creation and permission changes should not grant broad local access.
   rationale: Broad permissions expose application data to local users or processes that should not read or modify it.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-732
+      title: Incorrect Permission Assignment for Critical Resource
+    - kind: owasp
+      title: File Permission
+      url: https://owasp.org/www-community/vulnerabilities/Improper_File_Permissions
   tags:
     - security
     - filesystem
@@ -38,3 +47,4 @@ emit:
     summary: "`${captures.issue.text}` grants world-readable or world-writable filesystem access."
   remediation:
     summary: Use least-privilege file modes and avoid world-readable or world-writable permissions.

package/rules/shared/security.sensitive-data-egress.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Sensitive data egress to third-party processors
   summary: Sensitive values should not be sent to external processors or outbound SDKs without minimization or redaction.
   rationale: Sending regulated or secret data to third-party services increases privacy exposure and creates downstream processor risk.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-200
+      title: Exposure of Sensitive Information to an Unauthorized Actor
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
   tags:
     - security
     - privacy
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` sends request or identity data to an outbound processor."
   remediation:
     summary: Minimize the payload, redact sensitive fields, or route the data only to approved processors.

package/rules/shared/security.tls-verification-disabled.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: TLS verification disabled
   summary: Transport clients should not disable certificate verification.
   rationale: Trust-all TLS settings accept any certificate and undermine transport security.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
   tags:
     - security
     - transport
@@ -40,3 +49,4 @@ emit:
     summary: "`${captures.issue.text}` disables certificate verification or trust validation."
   remediation:
     summary: Use trusted certificate validation and remove trust-all overrides outside local development.

package/rules/shared/security.unsafe-deserialization.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Protect deserialization trust boundaries
   summary: Deserializers should not consume untrusted payloads directly across a trust boundary.
   rationale: Deserializing untrusted payloads can let attacker-controlled data reshape parser state, object graphs, or downstream runtime behavior.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-502
+      title: Deserialization of Untrusted Data
+    - kind: owasp
+      title: Deserialization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
   tags:
     - security
     - deserialization
@@ -39,3 +48,4 @@ emit:
     summary: "`${captures.issue.text}` deserializes an untrusted payload across a trust boundary."
   remediation:
     summary: Deserialize only from trusted producers, or validate and constrain the payload shape before crossing the deserialization boundary.

package/rules/shared/security.weak-hash-algorithm.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid weak hash algorithms
   summary: Cryptographic hashing should use modern, collision-resistant algorithms.
   rationale: Weak digests such as MD5 and SHA-1 are vulnerable to collisions and should not be used for security-sensitive hashing.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
   tags:
     - security
     - crypto
@@ -39,3 +48,4 @@ emit:
     summary: "`${captures.issue.text}` uses a weak hash algorithm."
   remediation:
     summary: Use SHA-256, SHA-384, SHA-512, or a stronger approved hashing primitive instead.

package/rules/typescript/ts.correctness.array-callback-missing-return.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.array-callback-missing-return
+  title: Array callback missing return
+  summary: Array iteration callbacks with block bodies should return a value when required.
+  rationale: map, filter, reduce, every, and some expect callback return values; missing returns yield undefined elements or incorrect predicates.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-032
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.array-callback-missing-return
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.88
+    tags:
+      - correctness
+      - language
+  message:
+    title: Add a return to the array callback
+    summary: "`${captures.issue.text}` is a block-bodied array callback without a return statement."
+  remediation:
+    summary: Return the computed value from the callback, or switch to forEach when side effects are intended.

package/rules/typescript/ts.correctness.array-sort-without-compare.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.array-sort-without-compare
+  title: Array.sort without compare function
+  summary: Provide a compare function when sorting non-string arrays.
+  rationale: Default sort coerces elements to strings, which misorders numbers and many objects.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-036
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.array-sort-without-compare
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.88
+    tags:
+      - correctness
+      - language
+  message:
+    title: Pass a compare function to sort
+    summary: "`${captures.issue.text}` calls sort() without a comparator."
+  remediation:
+    summary: Pass an explicit compare function, for example `(a, b) => a - b` for numbers.

package/rules/typescript/ts.correctness.control-flow-in-finally.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.control-flow-in-finally
+  title: Control flow in finally block
+  summary: Avoid return, throw, break, or continue inside finally blocks.
+  rationale: Control-flow statements in finally override try/catch completion and can hide errors or skip cleanup intent.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-028
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.control-flow-in-finally
+    bind: issue
+emit:
+  finding:
+    category: correctness.control-flow
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - language
+  message:
+    title: Remove control flow from finally
+    summary: "`${captures.issue.text}` changes completion inside a finally block."
+  remediation:
+    summary: Move return, throw, break, or continue out of the finally block, or restructure the try/finally logic.

package/rules/typescript/ts.correctness.duplicate-if-else-condition.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.duplicate-if-else-condition
+  title: Duplicate if-else-if condition
+  summary: Do not repeat the same test in an if-else-if chain.
+  rationale: Duplicate conditions create unreachable branches and usually indicate a copy-paste defect.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-031
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.duplicate-if-else-condition
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - language
+  message:
+    title: Remove duplicate if condition
+    summary: "`${captures.issue.text}` repeats a prior if-else-if test."
+  remediation:
+    summary: Remove the duplicate branch or change the condition to the intended distinct test.

package/rules/typescript/ts.correctness.for-in-on-array.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.for-in-on-array
+  title: for-in over array-like value
+  summary: Prefer for-of or index loops instead of for-in on arrays.
+  rationale: for-in enumerates keys (often as strings) and may include inherited properties; for-of iterates values safely.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-037
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.for-in-on-array
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.85
+    tags:
+      - correctness
+      - language
+  message:
+    title: Avoid for-in on arrays
+    summary: "`${captures.issue.text}` uses for-in on a value that looks like an array."
+  remediation:
+    summary: Use `for (const item of array)` or indexed iteration instead of for-in.

package/rules/typescript/ts.correctness.infinite-loop.rule.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.infinite-loop
+  title: Infinite Loop
+  summary: Detect obvious infinite loops
+  rationale: Detect obvious infinite loops:while (true) and for(;;) without break, return, or throw in the loop body.
+  tags:
+    - correctness
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: async.infinite-loop
+    bind: issue
+emit:
+  finding:
+    category: correctness
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+  message:
+    title: Infinite Loop
+    summary: "`${captures.issue.text}` matches ts.correctness.infinite-loop."
+  remediation:
+    summary: Detect obvious infinite loops:while (true) and for(;;) without break, return, or throw in the loop body.

package/rules/typescript/ts.correctness.invalid-await-expression.rule.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.invalid-await-expression
+  title: Invalid Await Expression
+  summary: Await only promise-like values
+  rationale: Await only promise-like values:await on literals or clearly synchronous calls is usually a mistake.
+  tags:
+    - correctness
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: async.invalid-await-expression
+    bind: issue
+emit:
+  finding:
+    category: correctness
+    severity: medium
+    confidence: 0.85
+    tags:
+      - correctness
+  message:
+    title: Invalid Await Expression
+    summary: "`${captures.issue.text}` matches ts.correctness.invalid-await-expression."
+  remediation:
+    summary: Await only promise-like values:await on literals or clearly synchronous calls is usually a mistake.

package/rules/typescript/ts.correctness.invalid-typeof-comparison.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.invalid-typeof-comparison
+  title: Invalid typeof comparison string
+  summary: Compare typeof results only to known typeof strings.
+  rationale: typeof returns a fixed set of strings; other comparisons are always false.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-030
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.invalid-typeof-comparison
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - language
+  message:
+    title: Fix typeof comparison
+    summary: "`${captures.issue.text}` compares typeof to a string that typeof never returns."
+  remediation:
+    summary: Compare against a valid typeof result or use a different type guard (for example Array.isArray).

package/rules/typescript/ts.correctness.missing-async-on-promise-method.rule.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.missing-async-on-promise-method
+  title: Missing Async On Promise Method
+  summary: Mark promise callbacks async when using await
+  rationale: Mark promise callbacks async when using await:then/catch handlers that use await must be declared async.
+  tags:
+    - correctness
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: async.missing-async-on-promise-method
+    bind: issue
+emit:
+  finding:
+    category: correctness
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+  message:
+    title: Missing Async On Promise Method
+    summary: "`${captures.issue.text}` matches ts.correctness.missing-async-on-promise-method."
+  remediation:
+    summary: Mark promise callbacks async when using await:then/catch handlers that use await must be declared async.

package/rules/typescript/ts.correctness.missing-super-call.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.missing-super-call
+  title: Missing super() in subclass constructor
+  summary: Subclass constructors must call super() before using this.
+  rationale: Derived classes must initialize the base class; omitting super() is a runtime error when this is accessed.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-034
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.missing-super-call
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: high
+    confidence: 0.95
+    tags:
+      - correctness
+      - language
+  message:
+    title: Call super() in the subclass constructor
+    summary: "`${captures.issue.text}` extends a base class but never calls super()."
+  remediation:
+    summary: Add `super(...)` as the first statement in the constructor (before using this).

package/rules/typescript/ts.correctness.no-floating-promise-in-function.rule.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.no-floating-promise-in-function
+  title: No Floating Promise In Function
+  summary: Handle promise-returning calls explicitly
+  rationale: Handle promise-returning calls explicitly:statement-level promise calls should be awaited, voided, returned, or chained with rejection handling.
+  tags:
+    - correctness
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: async.floating-promise-in-function
+    bind: issue
+emit:
+  finding:
+    category: correctness
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+  message:
+    title: No Floating Promise In Function
+    summary: "`${captures.issue.text}` matches ts.correctness.no-floating-promise-in-function."
+  remediation:
+    summary: Handle promise-returning calls explicitly:statement-level promise calls should be awaited, voided, returned, or chained with rejection handling.

package/rules/typescript/ts.correctness.no-misused-promises.rule.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.no-misused-promises
+  title: No Misused Promises
+  summary: Do not pass async callbacks where sync is expected
+  rationale: Do not pass async callbacks where sync is expected:array iteration methods expect synchronous predicates and should not receive async callbacks.
+  tags:
+    - correctness
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: async.misused-promises
+    bind: issue
+emit:
+  finding:
+    category: correctness
+    severity: medium
+    confidence: 0.85
+    tags:
+      - correctness
+  message:
+    title: No Misused Promises
+    summary: "`${captures.issue.text}` matches ts.correctness.no-misused-promises."
+  remediation:
+    summary: Do not pass async callbacks where sync is expected:array iteration methods expect synchronous predicates and should not receive async callbacks.

package/rules/typescript/ts.correctness.promise-reject-non-error.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.promise-reject-non-error
+  title: Reject or throw non-Error values
+  summary: Promise rejections and async throws should use Error objects.
+  rationale: Non-Error rejections lose stack traces and are harder to handle consistently in async code.
+  tags:
+    - correctness
+    - async
+    - rules-catalog
+    - crq-cor-033
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.promise-reject-non-error
+    bind: issue
+emit:
+  finding:
+    category: correctness.async
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - async
+  message:
+    title: Use Error for rejections and async throws
+    summary: "`${captures.issue.text}` rejects or throws a non-Error literal."
+  remediation:
+    summary: Reject or throw `new Error(...)` (or a typed Error subclass) instead of a string or other primitive.

package/rules/typescript/ts.correctness.this-before-super.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.this-before-super
+  title: this used before super()
+  summary: Do not use this or super members before calling super() in a subclass constructor.
+  rationale: Accessing this before super() in a derived constructor throws at runtime.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-035
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.this-before-super
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: high
+    confidence: 0.95
+    tags:
+      - correctness
+      - language
+  message:
+    title: Move super() before this access
+    summary: "`${captures.issue.text}` uses this or super before super() runs."
+  remediation:
+    summary: Call `super(...)` before reading or assigning `this` in the constructor.