npm - @critiq/rules - Versions diffs - 0.1.0 → 0.2.0 - Mend

@critiq/rules 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (299) hide show

package/rules/typescript/ts.security.express-static-dotfiles-allow.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Do not allow dotfiles in Express static middleware
   summary: express.static should not serve dotfiles from disk unless explicitly required and reviewed.
   rationale: Allowing dotfiles can expose hidden configuration and secrets through the static file middleware.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Express production security best practices
+      url: https://expressjs.com/en/advanced/best-practice-security.html
   tags:
     - security
     - express
@@ -33,3 +48,4 @@ emit:
     summary: "${captures.issue.text} is configured with dotfiles allow, which can leak hidden files."
   remediation:
     summary: Use the default dotfiles ignore behavior or serve dotfiles from a tightly scoped directory with access controls.

package/rules/typescript/ts.security.express-unbounded-body-parser.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Set explicit Express body parser and multer size limits
   summary: Express and Body Parser middleware plus Multer should declare explicit payload limits.
   rationale: Default limits drift across frameworks and deployments; explicit caps reduce oversized-request abuse.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Express production security best practices
+      url: https://expressjs.com/en/advanced/best-practice-security.html
   tags:
     - security
     - express
@@ -32,3 +47,4 @@ emit:
     summary: "`${captures.issue.text}` runs without visible size limits."
   remediation:
     summary: Pass `limit` options to JSON/urlencoded/raw/text parsers and `limits.fileSize` (or equivalent) to Multer.

package/rules/typescript/ts.security.express-user-controlled-static-mount.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Avoid request-controlled Express static mount paths
   summary: The path prefix for express.static should not be derived directly from request objects.
   rationale: User-controlled mount paths can collapse routing assumptions and expose unintended directories.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-22
+      title: Path Traversal
+    - kind: owasp
+      title: Path Traversal
+      url: https://owasp.org/www-community/attacks/Path_Traversal
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Express production security best practices
+      url: https://expressjs.com/en/advanced/best-practice-security.html
   tags:
     - security
     - express
@@ -33,3 +48,4 @@ emit:
     summary: "${captures.issue.text} mounts express.static under a request-derived URL prefix."
   remediation:
     summary: Use fixed, reviewed path prefixes and map external identifiers to internal paths through an allowlist.

package/rules/typescript/ts.security.external-file-upload.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Do not persist upload filenames directly
   summary: Upload handlers should not store attacker-controlled filenames without generating or validating a safe local name.
   rationale: Upload filenames can carry traversal payloads, collisions, or misleading extensions that break local containment.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
   tags:
     - security
     - filesystem
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` persists an upload filename derived from attacker-controlled input."
   remediation:
     summary: Generate a server-side filename or apply a strict allowlist before storing uploaded content.

package/rules/typescript/ts.security.fastify-excessive-body-limit.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Avoid excessive Fastify body limits
   summary: Fastify applications should not disable body limits or configure unusually large defaults without compensating controls.
   rationale: Oversized bodies amplify denial-of-service risk on services without upstream buffering limits.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Fastify recommendations
+      url: https://fastify.dev/docs/latest/Guides/Recommendation/
   tags:
     - security
     - fastify
@@ -32,3 +47,4 @@ emit:
     summary: Fastify is configured with an oversized or disabled bodyLimit.
   remediation:
     summary: Lower `bodyLimit`, enforce route-specific caps, or terminate traffic behind an API gateway or proxy that caps body size.

package/rules/typescript/ts.security.fastify-public-bind-without-trust-proxy.rule.yaml CHANGED Viewed

@@ -7,6 +7,21 @@ metadata:
     Fastify instances listening on all interfaces should enable trustProxy or terminate behind a reverse proxy you register in code.
   rationale: >-
     Without trustProxy, client IP and protocol metadata from an edge proxy are easy to misread, and public binds amplify exposure when the process is not intentionally perimeter-hardened.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-668
+      title: Exposure of Resource to Wrong Sphere
+    - kind: url
+      title: CWE-668 Exposure of Resource to Wrong Sphere
+      url: https://cwe.mitre.org/data/definitions/668.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Fastify recommendations
+      url: https://fastify.dev/docs/latest/Guides/Recommendation/
   tags:
     - security
     - fastify
@@ -36,3 +51,4 @@ emit:
   remediation:
     summary: >-
       Set trustProxy when running behind a reverse proxy, prefer non-public bind addresses in development, or register an explicit Fastify proxy plugin so client metadata and TLS termination assumptions stay correct.

package/rules/typescript/ts.security.file-generation.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Constrain local file generation paths
   summary: Local file writes should not derive their destination path from request or upload input.
   rationale: Attacker-controlled write paths can overwrite local state, escape intended directories, or create files in sensitive locations.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
   tags:
     - security
     - filesystem
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` writes to a path derived from external input without a trusted local filename."
   remediation:
     summary: Generate the destination name on the server or constrain writes to an allowlisted directory and filename set.

package/rules/typescript/ts.security.format-string-using-user-input.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid request-controlled format strings
   summary: Logging and formatting helpers should not take request input as the format string itself.
   rationale: Request-controlled format strings can corrupt logs, leak structure, or produce unexpected formatting behavior.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
   tags:
     - security
     - logging
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` uses request-controlled input as the formatting template."
   remediation:
     summary: Keep the format string fixed and pass request data as ordinary arguments or structured fields.

package/rules/typescript/ts.security.frontend-only-authorization.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Authorization enforced only on frontend
   summary: Backend routes should enforce authorization directly instead of relying on frontend gating alone.
   rationale: Frontend checks are easy to bypass, so sensitive routes need server-side authorization on the backend path itself.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-862
+      title: Missing Authorization
+    - kind: owasp
+      title: Authorization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
   tags:
     - security
     - authorization
@@ -33,3 +42,4 @@ emit:
     summary: "Route `${captures.issue.text}` appears gated in frontend code but not on the backend handler."
   remediation:
     summary: Add a backend authorization or permission check on the matching route handler.

package/rules/typescript/ts.security.graphql-upload-without-csrf-guard.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Pair GraphQL multipart uploads with CSRF-safe server posture
   summary: Legacy GraphQL multipart upload helpers should not run alongside Apollo Server configurations that disable CSRF protections.
   rationale: Multipart GraphQL requests complicate browser CSRF defenses; when Apollo CSRF prevention is explicitly disabled, upload middleware is a high-risk combination for cross-site writes.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Apollo Server security
+      url: https://www.apollographql.com/docs/apollo-server/security/security
   tags:
     - security
     - graphql
@@ -34,3 +49,4 @@ emit:
   remediation:
     summary: >-
       Keep Apollo csrfPrevention enabled (default in supported releases), add an explicit preflight header policy, or move uploads behind authenticated, non-browser APIs.

package/rules/typescript/ts.security.handlebars-no-escape.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Keep Handlebars escaping enabled at template trust boundaries
   summary: "Server-side Handlebars compilation should not disable HTML escaping with `noEscape: true`."
   rationale: Disabling Handlebars escaping weakens the template trust boundary and can turn server-rendered output into attacker-controlled HTML.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - xss
@@ -36,3 +45,4 @@ emit:
     summary: "`${captures.issue.text}` disables Handlebars escaping at a server-template trust boundary."
   remediation:
     summary: Leave Handlebars escaping enabled, or treat raw HTML rendering as an explicit, narrowly reviewed trust boundary.

package/rules/typescript/ts.security.hardcoded-auth-secret.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid hardcoded auth secrets
   summary: JWT, session, and strategy secrets should not be embedded directly in source code.
   rationale: Hardcoded auth secrets are hard to rotate and are exposed whenever the codebase or build artifacts leak.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-798
+      title: Use of Hard-coded Credentials
+    - kind: owasp
+      title: Secrets Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
   tags:
     - security
     - authentication
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Load the secret from environment-backed configuration or a secret manager and rotate the exposed value.

package/rules/typescript/ts.security.iframe-missing-sandbox-attribute.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Add a sandbox attribute to iframes
   summary: Intrinsic iframe elements should declare a sandbox attribute to reduce blast radius.
   rationale: Sandboxed iframes limit scripts, forms, and top-level navigation when embedded third-party content is compromised.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
   tags:
     - security
     - react
@@ -33,3 +42,4 @@ emit:
     summary: "${captures.issue.text} is missing a sandbox attribute."
   remediation:
     summary: Add the most restrictive sandbox token set that still allows required behavior, and combine with a strict CSP.

package/rules/typescript/ts.security.import-using-user-input.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Constrain module-loading trust boundaries
   summary: "`require()` and dynamic `import()` should not resolve modules from untrusted input."
   rationale: Untrusted module paths let attackers steer module-loading boundaries toward unintended files, packages, or plugins.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-78
+      title: OS Command Injection
+    - kind: owasp
+      title: OS Command Injection Defense Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
   tags:
     - security
     - execution
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` crosses a module-loading trust boundary with untrusted input."
   remediation:
     summary: Resolve modules from a fixed allowlist or explicit dispatcher instead of untrusted request or event data.

package/rules/typescript/ts.security.information-leakage.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid leaking sensitive or diagnostic state
   summary: Logs, stdout or stderr, and direct response sinks should not expose sensitive fields or internal diagnostic detail.
   rationale: Stack traces, request metadata, auth or session objects, and environment state are often leaked through "temporary" debugging output that later reaches production paths.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-532
+      title: Insertion of Sensitive Information into Log File
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
   tags:
     - security
     - privacy
@@ -36,3 +45,4 @@ emit:
     summary: "`${captures.issue.text}` exposes sensitive fields or internal diagnostic detail through a direct sink."
   remediation:
     summary: Replace the payload with a fixed summary, redact sensitive fields, and strip stack, env, request, or cookie data from production output.

package/rules/typescript/ts.security.insecure-allow-origin.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Do not reflect request origin into CORS policy
   summary: "`Access-Control-Allow-Origin` should not be set from request-controlled input."
   rationale: Reflecting the request origin into a CORS allowlist turns origin validation into a no-op.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-942
+      title: Permissive Cross-domain Policy with Untrusted Domains
+    - kind: owasp
+      title: Cross-Origin Resource Sharing (CORS)
+      url: https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
   tags:
     - security
     - cors
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` reflects request input into `Access-Control-Allow-Origin`."
   remediation:
     summary: Set CORS origins from a fixed allowlist or explicit trusted origin check.

package/rules/typescript/ts.security.insecure-auth-cookie-flags.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Harden auth-bearing cookies
   summary: Auth and session cookies should set HttpOnly, Secure, and SameSite.
   rationale: Cookie flags prevent browser scripts, mixed transport, and cross-site requests from exposing session-bearing values.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-614
+      title: Sensitive Cookie Without Secure Attribute
+    - kind: owasp
+      title: Session Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
   tags:
     - security
     - authentication
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Add `HttpOnly`, `Secure`, and an explicit `SameSite` policy before the cookie is used for session or auth state.

package/rules/typescript/ts.security.insecure-content-security-policy-literal.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid unsafe Content-Security-Policy literals
   summary: Static CSP header values should not rely on unsafe-inline, unsafe-eval, or unsafe-hashes without nonces.
   rationale: Permissive CSP keywords weaken XSS defenses for every response that carries the header.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
   tags:
     - security
     - csp
@@ -33,3 +42,4 @@ emit:
     summary: "${captures.issue.text} sets a CSP that includes unsafe directives without a nonce-based escape hatch."
   remediation:
     summary: Prefer nonces or hashes, remove unsafe-inline and unsafe-eval, and scope directives to the smallest required surface.

package/rules/typescript/ts.security.insecure-helmet-hardening-options.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid disabling core Helmet protections
   summary: Helmet should keep nosniff, HSTS, DNS prefetch control, Expect-CT, and referrer policy enabled unless another gateway enforces them.
   rationale: Turning off individual Helmet middlewares removes baseline HTTP hardening that is a high-signal misconfiguration risk.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
   tags:
     - security
     - express
@@ -34,3 +43,4 @@ emit:
     summary: "${captures.issue.text} disables a Helmet protection that should usually remain enabled."
   remediation:
     summary: Remove false overrides for nosniff, HSTS, DNS prefetch control, Expect-CT, and referrer policy unless a documented compensating control applies.

package/rules/typescript/ts.security.insecure-password-hash-configuration.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid legacy Argon2 password hash modes
   summary: Password hashing should not use `argon2i` or `argon2d` when safer modern modes are available.
   rationale: Older Argon2 modes are weaker choices for password storage than the modern hybrid mode.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
   tags:
     - security
     - cryptography
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Prefer `argon2id` and keep the password hash configuration aligned with current password-storage guidance.

package/rules/typescript/ts.security.insecure-websocket-transport.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Use secure WebSocket transport
   summary: WebSocket clients should not connect over cleartext `ws://` when sensitive application data is involved.
   rationale: Cleartext WebSocket transport exposes application traffic to interception and manipulation.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
   tags:
     - security
     - transport
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Switch the endpoint to `wss://` and keep certificate validation enabled.

package/rules/typescript/ts.security.insufficiently-random-values.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Use enough entropy for secrets and tokens
   summary: Secret-bearing tokens and secrets should use at least 16 bytes of cryptographic entropy.
   rationale: Short random values are harder to brute-force than predictable values, but they can still be guessed faster than modern secret-bearing flows should allow.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
   tags:
     - security
     - cryptography
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` uses a cryptographically random source, but not enough entropy for a secret-bearing value."
   remediation:
     summary: Generate at least 16 bytes of entropy for reset tokens, invitation codes, session secrets, and similar secret-bearing values.

package/rules/typescript/ts.security.jwt-insecure-signing-algorithm.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Do not sign JWTs with the none algorithm
   summary: JSON Web Token signing options must not enable the none algorithm.
   rationale: The none algorithm allows tokens to be accepted without verification, defeating authentication.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-287
+      title: Improper Authentication
+    - kind: owasp
+      title: JSON Web Token Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
   tags:
     - security
     - jwt
@@ -33,3 +42,4 @@ emit:
     summary: "${captures.issue.text} is configured with the none algorithm or algorithm list."
   remediation:
     summary: Require asymmetric or HMAC algorithms explicitly and reject none at signing and verification layers.

package/rules/typescript/ts.security.jwt-not-revoked.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Add a JWT revocation hook
   summary: Express JWT middleware should check revocation state when bearer tokens can be invalidated early.
   rationale: Signature validation alone does not handle logout, compromise, or forced token invalidation.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-287
+      title: Improper Authentication
+    - kind: owasp
+      title: JSON Web Token Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
   tags:
     - security
     - authentication
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Add an `isRevoked` callback or equivalent revocation check for tokens that can be invalidated before expiry.

package/rules/typescript/ts.security.jwt-sensitive-claims.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Remove sensitive claims from JWT payloads
   summary: JWT payloads should avoid embedding PII or secrets unless absolutely required.
   rationale: Client-visible tokens often outlive a single request and can leak more data than intended.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-287
+      title: Improper Authentication
+    - kind: owasp
+      title: JSON Web Token Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
   tags:
     - security
     - privacy
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Keep JWT claims minimal. Prefer stable identifiers, not direct PII or secret-bearing fields.

package/rules/typescript/ts.security.legacy-buffer-constructor.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Replace legacy Buffer constructors
   summary: Use Buffer.from, Buffer.alloc, or Buffer.allocUnsafe instead of the deprecated Buffer constructor.
   rationale: Legacy constructors behave differently across Node versions and are harder to audit for safe allocation.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
   tags:
     - security
     - node
@@ -33,3 +42,4 @@ emit:
     summary: "${captures.issue.text} uses the deprecated Buffer constructor API."
   remediation:
     summary: Prefer Buffer.from for encoded data and Buffer.alloc for zero-filled buffers sized by trusted logic.

package/rules/typescript/ts.security.log-injection.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Sanitize user-controlled values before they reach log messages
   summary: Logger calls in pino, winston, bunyan, and consola should not interpolate or concatenate request input directly into the message text.
   rationale: Unsanitized request data in log messages enables CRLF injection, control-character smuggling, and downstream log-parser confusion. Wrapping the value with a structured field, JSON encoder, or CRLF-stripping replace neutralizes the vector.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-532
+      title: Insertion of Sensitive Information into Log File
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
   tags:
     - security
     - logging
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` interpolates request data into a log message without an obvious sanitizer."
   remediation:
     summary: Pass request data as a structured field, JSON-encode it, or strip CRLF and control characters before concatenating it into the log message.

package/rules/typescript/ts.security.manual-html-sanitization.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid ad hoc HTML sanitization
   summary: Hand-rolled HTML escaping and sanitization should be replaced with vetted sanitizers or safe rendering paths.
   rationale: String replacement chains miss edge cases and are easy to bypass as rendering behavior evolves.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - xss
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Use a vetted sanitizer or framework-native escaping model instead of string replacement chains.

package/rules/typescript/ts.security.missing-authorization-before-sensitive-action.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Missing authorization before sensitive action
   summary: Sensitive backend actions should be guarded by an authorization or permission check.
   rationale: Calling destructive or privileged actions without an authorization guard increases the risk of broken access control.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-862
+      title: Missing Authorization
+    - kind: owasp
+      title: Authorization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
   tags:
     - security
     - authorization
@@ -33,3 +42,4 @@ emit:
     summary: "`${captures.issue.text}` performs a sensitive action without a matching authorization guard."
   remediation:
     summary: Add an explicit authorization or permission check before the sensitive action executes.