npm - @critiq/rules - Versions diffs - 0.1.0 → 0.2.0 - Mend

@critiq/rules 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (299) hide show

package/rules/typescript/ts.security.apollo-server-missing-query-limits.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Add GraphQL query depth or complexity controls
   summary: Apollo Server bootstrap should declare validation rules or plugins that bound query cost.
   rationale: Without depth, complexity, persisted operations, or gateway limits, GraphQL endpoints are easier to abuse with expensive queries.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-400
+      title: Uncontrolled Resource Consumption
+    - kind: owasp
+      title: GraphQL Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Apollo Server security
+      url: https://www.apollographql.com/docs/apollo-server/security/security
   tags:
     - security
     - graphql
@@ -33,3 +48,4 @@ emit:
     summary: Apollo Server is constructed without recognizable validation rules or protective plugins.
   remediation:
     summary: Add depth limits, query complexity rules, persisted operations, rate limits, or terminate behind a gateway/WAF that enforces GraphQL policies.

package/rules/typescript/ts.security.astro-vite-public-secret-define.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Astro and Vite define entries for import.meta.env.PUBLIC_* must not map to high-risk process.env secrets.
   rationale: >-
     PUBLIC_* keys are intended for browser-visible configuration; wiring database passwords or API secrets through vite.define exposes them to client bundles.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-798
+      title: Use of Hard-coded Credentials
+    - kind: owasp
+      title: Secrets Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
   tags:
     - security
     - astro
@@ -37,3 +49,4 @@ emit:
   remediation:
     summary: >-
       Keep secrets on the server, use private server-only env vars, and reserve PUBLIC_* keys for intentionally public identifiers such as analytics IDs.

package/rules/typescript/ts.security.bind-to-all-interfaces.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid binding to all interfaces
   summary: Network-facing services should not explicitly bind to every interface unless public exposure is intentional and protected.
   rationale: Binding to `0.0.0.0` or `::` can expose a service beyond the expected trust boundary and widen the reachable attack surface.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-668
+      title: Exposure of Resource to Wrong Sphere
+    - kind: url
+      title: CWE-668 Exposure of Resource to Wrong Sphere
+      url: https://cwe.mitre.org/data/definitions/668.html
   tags:
     - security
     - network
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` explicitly binds a network-facing service to every interface."
   remediation:
     summary: Bind to loopback or a specific interface unless public exposure is an intentional deployment requirement with compensating controls.

package/rules/typescript/ts.security.browser-token-storage.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid browser token storage
   summary: Access and session tokens should not be stored in long-lived browser storage.
   rationale: Long-lived browser storage exposes tokens to script access and increases the impact of XSS or device compromise.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-200
+      title: Exposure of Sensitive Information to an Unauthorized Actor
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
   tags:
     - security
     - authentication
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Keep tokens in HttpOnly cookies or in memory, and avoid long-lived cleartext browser storage.

package/rules/typescript/ts.security.dangerous-insert-html.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid unsafe DOM HTML insertion sinks
   summary: "`outerHTML`, `document.write*`, and `insertAdjacentHTML` should only receive fixed or explicitly sanitized HTML."
   rationale: HTML-capable DOM insertion sinks can execute attacker-controlled markup unless the HTML is fixed or strongly sanitized first.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - xss
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` uses an HTML-capable DOM sink with non-literal, non-sanitized content."
   remediation:
     summary: Insert text with safe DOM APIs, or pass only fixed or explicitly sanitized HTML to the sink.

package/rules/typescript/ts.security.dangerously-set-inner-html.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid unsafe `dangerouslySetInnerHTML`
   summary: React `dangerouslySetInnerHTML` should only render fixed or explicitly sanitized HTML.
   rationale: React bypasses its normal escaping model when `dangerouslySetInnerHTML` is used, which makes unsanitized HTML a direct XSS sink.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - xss
@@ -36,3 +45,4 @@ emit:
     summary: "`${captures.issue.text}` bypasses React escaping with non-literal, non-sanitized HTML."
   remediation:
     summary: Prefer normal React rendering, or pass only fixed or explicitly sanitized HTML to `dangerouslySetInnerHTML`.

package/rules/typescript/ts.security.datadog-browser-track-user-interactions.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Review Datadog RUM user interaction capture
   summary: Datadog Browser RUM should not enable broad user interaction capture without a privacy review.
   rationale: Automatic interaction capture can leak sensitive page content or element labels to third-party telemetry.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-200
+      title: Exposure of Sensitive Information to an Unauthorized Actor
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
   tags:
     - security
     - privacy
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Disable broad interaction capture or add explicit scrubbing and allowlisted action naming before enabling it.

package/rules/typescript/ts.security.debug-mode-enabled.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Do not expose debug routes or middleware in production
   summary: Debug handlers, stack-showing middleware, and diagnostic endpoints should stay behind explicit development-only guards.
   rationale: Debug endpoints and stack-showing middleware can disclose internal topology, environment details, and request data with very little attacker effort.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-209
+      title: Generation of Error Message Containing Sensitive Information
+    - kind: owasp
+      title: Error Handling Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
   tags:
     - security
     - express
@@ -36,3 +45,4 @@ emit:
     summary: "`${captures.issue.text}` enables debug or diagnostic exposure without a visible same-file development guard."
   remediation:
     summary: Wrap the registration in an explicit development-only guard or remove the endpoint or middleware from production builds.

package/rules/typescript/ts.security.debug-statement-in-source.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: "Remove leftover `console.trace` calls from production paths"
   summary: "`console.trace()` calls should not ship in production code outside an explicit dev-only branch."
   rationale: "`console.trace` dumps a stack trace to stdout/stderr and is almost always leftover developer instrumentation. Stack traces in shipped output disclose internal call structure and inflate logs."
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-209
+      title: Generation of Error Message Containing Sensitive Information
+    - kind: owasp
+      title: Error Handling Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
   tags:
     - security
     - logging
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` is leftover developer instrumentation that ships a stack trace to stdout or stderr."
   remediation:
     summary: Remove the call or guard it behind an explicit dev-only check (`process.env.NODE_ENV !== 'production'`, `import.meta.env.DEV`, or `__DEV__`).

package/rules/typescript/ts.security.dynamodb-query-injection.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid request-driven DynamoDB queries
   summary: DynamoDB query and scan inputs should not be built directly from request input.
   rationale: Raw request data in DynamoDB helpers can widen query scope or let attackers control expressions, filters, and key conditions.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-89
+      title: SQL Injection
+    - kind: owasp
+      title: SQL Injection Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
   tags:
     - security
     - injection
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` receives request-controlled DynamoDB input without narrowing it to trusted expressions or key maps."
   remediation:
     summary: Build DynamoDB requests from fixed expressions and allowlisted fields instead of forwarding request-shaped input.

package/rules/typescript/ts.security.electron-dangerous-webpreferences.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Harden Electron webPreferences
   summary: Electron renderers should not run with unsafe webPreferences that weaken isolation or transport protection.
   rationale: Options such as nodeIntegration, contextIsolation, and webSecurity directly control whether renderer compromise becomes host compromise.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-749
+      title: Exposed Dangerous Method or Function
+    - kind: url
+      title: Electron Security
+      url: https://www.electronjs.org/docs/latest/tutorial/security
   tags:
     - security
     - electron
@@ -33,3 +42,4 @@ emit:
     summary: "${captures.issue.text} weakens Electron renderer isolation or transport protection."
   remediation:
     summary: Keep contextIsolation and webSecurity enabled, disable nodeIntegration and enableRemoteModule, and prefer sandbox true.

package/rules/typescript/ts.security.electron-insecure-local-state.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid storing secrets in Electron local stores without hardening
   summary: electron-store writes that look like credentials should use OS-level secret storage instead.
   rationale: Local JSON stores are readable by other processes and backups unless encrypted with platform APIs.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-749
+      title: Exposed Dangerous Method or Function
+    - kind: url
+      title: Electron Security
+      url: https://www.electronjs.org/docs/latest/tutorial/security
   tags:
     - security
     - electron
@@ -33,3 +42,4 @@ emit:
     summary: "${captures.issue.text} persists sensitive-looking data through electron-store."
   remediation:
     summary: Prefer OS keychains, encrypted vaults, or short-lived session material instead of long-lived plaintext secrets on disk.

package/rules/typescript/ts.security.electron-missing-ipc-origin-check.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Validate IPC sender origins in Electron
   summary: Privileged ipcMain handlers should validate event.sender origins before acting.
   rationale: Missing origin checks let any loaded renderer invoke privileged main-process behavior.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-749
+      title: Exposed Dangerous Method or Function
+    - kind: url
+      title: Electron Security
+      url: https://www.electronjs.org/docs/latest/tutorial/security
   tags:
     - security
     - electron
@@ -33,3 +42,4 @@ emit:
     summary: "${captures.issue.text} handles privileged IPC without validating the sender frame origin."
   remediation:
     summary: Assert trusted origins or channels before running privileged logic and reject unexpected senders early.

package/rules/typescript/ts.security.electron-shell-open-external-unvalidated.rule.yaml CHANGED Viewed

@@ -5,6 +5,18 @@ metadata:
   title: Do not open external URLs from request data in Electron
   summary: shell.openExternal should not receive request-controlled URLs without validation.
   rationale: Open redirects and SSRF-style flows in the main process can pivot to arbitrary system browsers or handlers.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-78
+      title: OS Command Injection
+    - kind: owasp
+      title: OS Command Injection Defense Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
+    - kind: url
+      title: Electron security tutorial
+      url: https://www.electronjs.org/docs/latest/tutorial/security
   tags:
     - security
     - electron
@@ -33,3 +45,4 @@ emit:
     summary: "${captures.issue.text} opens a URL derived from request-controlled input."
   remediation:
     summary: Allowlist URL schemes and hosts, normalize targets, and block private IP ranges before calling openExternal.

package/rules/typescript/ts.security.exposed-directory-listing.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid exposed directory listings
   summary: Directory listing middleware should not be enabled on public paths without a deliberate review.
   rationale: Directory listings expose internal file names and make unintended resources easier to discover and fetch.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
   tags:
     - security
     - express
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Remove directory listing middleware or protect it behind strict authorization and path scoping.

package/rules/typescript/ts.security.express-cookie-missing-http-only.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Set `HttpOnly` on Express session cookies
   summary: Express session and cookie-session configs should not disable the `HttpOnly` flag.
   rationale: Script-readable session cookies are easier to steal after an XSS bug.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-614
+      title: Sensitive Cookie Without Secure Attribute
+    - kind: owasp
+      title: Session Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Express production security best practices
+      url: https://expressjs.com/en/advanced/best-practice-security.html
   tags:
     - security
     - authentication
@@ -34,3 +49,4 @@ emit:
     summary: "`${captures.issue.text}` disables the `HttpOnly` cookie flag in Express session configuration."
   remediation:
     summary: "Set `httpOnly: true` so browser scripts cannot read the session cookie."

package/rules/typescript/ts.security.express-default-cookie-config.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Override Express cookie defaults
   summary: Express session cookie settings should not omit explicit lifetime, scope, and transport attributes.
   rationale: Implicit cookie defaults vary by middleware and make auth state harder to audit consistently.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-614
+      title: Sensitive Cookie Without Secure Attribute
+    - kind: owasp
+      title: Session Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Express production security best practices
+      url: https://expressjs.com/en/advanced/best-practice-security.html
   tags:
     - security
     - authentication
@@ -37,3 +52,4 @@ emit:
   remediation:
     summary: Set explicit cookie lifetime, scope, and transport attributes instead of relying on middleware defaults.

package/rules/typescript/ts.security.express-default-session-config.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Override Express session defaults
   summary: Express session middleware should not rely on default session naming and configuration.
   rationale: Default session settings make applications easier to fingerprint and often skip explicit hardening choices.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-614
+      title: Sensitive Cookie Without Secure Attribute
+    - kind: owasp
+      title: Session Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Express production security best practices
+      url: https://expressjs.com/en/advanced/best-practice-security.html
   tags:
     - security
     - authentication
@@ -35,3 +50,4 @@ emit:
   remediation:
     summary: Set an explicit session name and hardening options instead of relying on middleware defaults.

package/rules/typescript/ts.security.express-error-handler-information-disclosure.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Avoid returning raw errors from Express error middleware
   summary: Express error handlers should not send the err object directly to clients in production paths.
   rationale: Returning raw errors leaks stack traces, internal identifiers, and implementation details to attackers.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-209
+      title: Generation of Error Message Containing Sensitive Information
+    - kind: owasp
+      title: Error Handling Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Express production security best practices
+      url: https://expressjs.com/en/advanced/best-practice-security.html
   tags:
     - security
     - express
@@ -33,3 +48,4 @@ emit:
     summary: "${captures.issue.text} forwards the caught error directly to res.send or res.json."
   remediation:
     summary: Log detailed errors server-side and return stable, generic client responses with correlation identifiers.

package/rules/typescript/ts.security.express-insecure-cookie.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Set `Secure` on Express session cookies
   summary: Express session and cookie-session configs should not disable the `Secure` flag.
   rationale: Cookies sent over non-HTTPS transport are easier to intercept or replay.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-614
+      title: Sensitive Cookie Without Secure Attribute
+    - kind: owasp
+      title: Session Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Express production security best practices
+      url: https://expressjs.com/en/advanced/best-practice-security.html
   tags:
     - security
     - authentication
@@ -34,3 +49,4 @@ emit:
     summary: "`${captures.issue.text}` disables the `Secure` cookie flag in Express session configuration."
   remediation:
     summary: "Set `secure: true` and serve the cookie only over HTTPS."

package/rules/typescript/ts.security.express-missing-helmet.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Apply Helmet to Express apps
   summary: Express apps should use Helmet or equivalent header hardening middleware.
   rationale: Helmet packages several response-header protections that are easy to miss or drift when managed ad hoc.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Express production security best practices
+      url: https://expressjs.com/en/advanced/best-practice-security.html
   tags:
     - security
     - express
@@ -35,3 +50,4 @@ emit:
   remediation:
     summary: Apply `helmet()` or an equivalent set of header protections near application startup.

package/rules/typescript/ts.security.express-nosql-injection.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Avoid request-driven model queries
   summary: Express handlers should not pass raw request objects into NoSQL filters, query helpers, or aggregation pipelines.
   rationale: Request-shaped filters, operators, or pipelines can expand query scope and inject unintended behavior.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-89
+      title: SQL Injection
+    - kind: owasp
+      title: SQL Injection Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Express production security best practices
+      url: https://expressjs.com/en/advanced/best-practice-security.html
   tags:
     - security
     - injection
@@ -34,3 +49,4 @@ emit:
     summary: "`${captures.issue.text}` receives request-controlled query input without an allowlisted query or pipeline shape."
   remediation:
     summary: Build the NoSQL query or aggregation pipeline from fixed fields or validated filter builders instead of passing request data directly.

package/rules/typescript/ts.security.express-permissive-cookie-config.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Avoid permissive Express session cookie scope
   summary: Express session cookies should not explicitly opt into cross-site or wildcard-style scope.
   rationale: Broad cookie scope increases where session cookies are sent and makes cross-site misuse harder to contain.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-614
+      title: Sensitive Cookie Without Secure Attribute
+    - kind: owasp
+      title: Session Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Express production security best practices
+      url: https://expressjs.com/en/advanced/best-practice-security.html
   tags:
     - security
     - authentication
@@ -36,3 +51,4 @@ emit:
     summary: "`${captures.issue.text}` explicitly widens session cookie scope with cross-site or wildcard-style settings."
   remediation:
     summary: Prefer exact cookie domains and `SameSite=Lax` or `Strict` unless a reviewed cross-site requirement exists.

package/rules/typescript/ts.security.express-permissive-cors.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.express-permissive-cors
+  title: Do not combine permissive CORS origins with credentials
+  summary: CORS middleware must not reflect every origin or use a wildcard while `credentials` is enabled.
+  rationale: Allowing credentials with wildcard or reflected origins lets untrusted sites read authenticated browser responses.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-942
+      title: Permissive Cross-domain Policy with Untrusted Domains
+    - kind: owasp
+      title: Cross-Origin Resource Sharing (CORS)
+      url: https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Express production security best practices
+      url: https://expressjs.com/en/advanced/best-practice-security.html
+  tags:
+    - security
+    - express
+    - cors
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.express-permissive-cors
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - express
+      - cors
+  message:
+    title: Restrict CORS origins when `${captures.issue.text}` sends credentials
+    summary: "`${captures.issue.text}` enables credentials with a wildcard, implicit, or reflected origin policy."
+  remediation:
+    summary: Use an explicit trusted-origin allowlist and disable credentials unless every allowed origin is intentional.

package/rules/typescript/ts.security.express-reduce-fingerprint.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Reduce Express fingerprinting
   summary: Express apps should disable `x-powered-by` or equivalent fingerprinting headers.
   rationale: Framework fingerprinting gives attackers unnecessary detail about the stack they are targeting.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Express production security best practices
+      url: https://expressjs.com/en/advanced/best-practice-security.html
   tags:
     - security
     - express
@@ -35,3 +50,4 @@ emit:
   remediation:
     summary: Disable `x-powered-by` or use equivalent middleware to reduce framework fingerprinting.

package/rules/typescript/ts.security.express-static-assets-after-session.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Serve static assets before session middleware
   summary: Static assets should be mounted before session middleware when they do not need session state.
   rationale: Serving public assets after session middleware broadens the session surface and adds unnecessary auth-state handling to static traffic.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-614
+      title: Sensitive Cookie Without Secure Attribute
+    - kind: owasp
+      title: Session Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Express production security best practices
+      url: https://expressjs.com/en/advanced/best-practice-security.html
   tags:
     - security
     - express
@@ -35,3 +50,4 @@ emit:
   remediation:
     summary: Mount `express.static()` before session middleware unless the static path genuinely requires session state.