npm - @critiq/rules - Versions diffs - 0.1.0 → 0.2.0 - Mend

@critiq/rules 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (299) hide show

package/rules/typescript/ts.security.missing-integrity-check.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Use authenticated encryption for secrets and tokens
   summary: Session, cookie, and token encryption should provide integrity protection in the same helper.
   rationale: Confidentiality-only encryption leaves secret-bearing values vulnerable to tampering unless the code also applies an integrity check or uses an authenticated mode.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
   tags:
     - security
     - cryptography
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` encrypts a secret-bearing value without authenticated encryption or a same-helper integrity check."
   remediation:
     summary: Prefer authenticated encryption such as AES-GCM, or pair non-AEAD encryption with an explicit integrity check in the same helper.

package/rules/typescript/ts.security.missing-message-origin-check.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Verify `message` event origins
   summary: "`message` handlers should validate `event.origin` before trusting cross-window data."
   rationale: Without an origin check, hostile pages can post crafted messages into the handler.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - browser
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` handles cross-window messages without validating the sender origin."
   remediation:
     summary: Gate the handler on a strict allowlist of expected origins before reading `event.data`.

package/rules/typescript/ts.security.missing-ownership-validation.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Missing ownership validation
   summary: Resource identifiers from request input should be checked against the caller before sensitive actions run.
   rationale: Authorization alone is not enough when handlers act on caller-provided resource ids that may belong to someone else.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-862
+      title: Missing Authorization
+    - kind: owasp
+      title: Authorization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
   tags:
     - security
     - authorization
@@ -33,3 +42,4 @@ emit:
     summary: "`${captures.issue.text}` is used in a sensitive path without a matching ownership check."
   remediation:
     summary: Compare the request-derived resource id to the authenticated caller or load the resource through an ownership-enforcing query.

package/rules/typescript/ts.security.missing-request-timeout-or-retry.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Missing request timeout or retry protection
   summary: External calls should define timeout, cancellation, or retry behavior before they enter security-sensitive flows.
   rationale: Authentication and dependency calls that have neither timeout nor retry protection fail unpredictably under network stress.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
   tags:
     - security
     - resilience
@@ -33,3 +42,4 @@ emit:
     summary: "`${captures.issue.text}` performs an external call without timeout, cancellation, or retry handling."
   remediation:
     summary: Add explicit timeout or cancellation support, wrap the call in retry handling, or do both when the dependency is critical.

package/rules/typescript/ts.security.nestjs-helmet-after-route-mount.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Register Helmet before Nest route mounts
   summary: Nest bootstrap files should apply Helmet before mounting path-bound routers.
   rationale: Middleware order determines whether framed routes inherit Helmet protections; mounting routers too early widens exposure.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: NestJS security
+      url: https://docs.nestjs.com/security/authentication
   tags:
     - security
     - nestjs
@@ -32,3 +47,4 @@ emit:
     summary: Helmet runs after a route-mounted `app.use` in this Nest bootstrap.
   remediation:
     summary: Call `helmet()` before registering routers bound to external paths unless another gateway applies equivalent protections.

package/rules/typescript/ts.security.nestjs-missing-global-validation-pipe.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Add a global Nest ValidationPipe
   summary: Nest bootstrap entries should register `ValidationPipe` globally when controllers parse bodies or DTOs.
   rationale: Without a validation pipe unexpected fields can reach controllers and weaken input hygiene.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: NestJS security
+      url: https://docs.nestjs.com/security/authentication
   tags:
     - security
     - nestjs
@@ -33,3 +48,4 @@ emit:
   remediation:
     summary: >-
       Call app.useGlobalPipes with ValidationPipe using whitelist and forbidNonWhitelisted flags near bootstrap completion.

package/rules/typescript/ts.security.nestjs-skip-throttle-sensitive-route.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Do not skip throttling on credential routes
   summary: Sensitive Nest routes should not disable `@nestjs/throttler` protections without a compensating throttle.
   rationale: Authentication endpoints are brute-force magnets; removing throttling removes basic abuse resistance.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: NestJS security
+      url: https://docs.nestjs.com/security/authentication
   tags:
     - security
     - nestjs
@@ -33,3 +48,4 @@ emit:
     summary: "`${captures.issue.text}` disables throttling on an authentication-sensitive route."
   remediation:
     summary: Remove `@SkipThrottle()` or pair it with an explicit `@Throttle` policy tuned for the handler.

package/rules/typescript/ts.security.nestjs-validation-pipe-without-whitelist.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Harden Nest ValidationPipe with whitelist mode
   summary: Global ValidationPipe instances should enable whitelist-style stripping for unexpected fields.
   rationale: Allowing undeclared fields preserves attack surface for mass-assignment style bugs.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: NestJS security
+      url: https://docs.nestjs.com/security/authentication
   tags:
     - security
     - nestjs
@@ -34,3 +49,4 @@ emit:
   remediation:
     summary: >-
       Enable whitelist true and usually forbidNonWhitelisted true on the global ValidationPipe.

package/rules/typescript/ts.security.no-alert-confirm-prompt.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-alert-confirm-prompt
+  title: Avoid blocking dialog APIs
+  summary: Do not call `alert`, `confirm`, or `prompt` in application code.
+  rationale: Blocking dialogs freeze the UI thread, are easy to abuse for social engineering, and are inappropriate for production UX.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  tags:
+    - security
+    - ux
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.alert-confirm-prompt
+    bind: issue
+emit:
+  finding:
+    category: security.ux
+    severity: medium
+    confidence: 0.93
+    tags:
+      - security
+      - ux
+  message:
+    title: Avoid blocking dialog APIs
+    summary: "`${captures.issue.text}` uses a blocking browser dialog that should not ship in application code."
+  remediation:
+    summary: Replace blocking dialogs with in-app UI components or structured notifications.

package/rules/typescript/ts.security.no-arguments-callee.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-arguments-callee
+  title: Avoid `arguments.callee` and `arguments.caller`
+  summary: Do not read `arguments.callee` or `arguments.caller` in functions.
+  rationale: These legacy properties break optimizations, leak stack details, and are restricted in strict mode.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-94
+      title: Improper Control of Generation of Code
+    - kind: owasp
+      title: Code Injection
+      url: https://owasp.org/www-community/attacks/Code_Injection
+  tags:
+    - security
+    - language
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.arguments-callee-or-caller
+    bind: issue
+emit:
+  finding:
+    category: security.language
+    severity: medium
+    confidence: 0.95
+    tags:
+      - security
+      - language
+  message:
+    title: Avoid `${captures.issue.text}`
+    summary: "`${captures.issue.text}` relies on deprecated `arguments` metadata and should not be used."
+  remediation:
+    summary: Use named function expressions or arrow functions instead of `arguments.callee` or `arguments.caller`.

package/rules/typescript/ts.security.no-assign-mutable-export.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-assign-mutable-export
+  title: Avoid mutable module exports
+  summary: Shared module state should not be exported with `let`/`var` or reassigned after export.
+  rationale: Mutable exports make it easy for unrelated modules to change shared security or configuration state at runtime.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  tags:
+    - security
+    - express
+    - maintainability
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.mutable-module-export
+    bind: issue
+emit:
+  finding:
+    category: security.maintainability
+    severity: low
+    confidence: 0.84
+    tags:
+      - security
+      - module-boundary
+  message:
+    title: Keep exported module state immutable for `${captures.issue.text}`
+    summary: "`${captures.issue.text}` is exported with a mutable binding that can change at runtime."
+  remediation:
+    summary: Export read-only values, freeze shared objects, or expose accessors instead of mutable bindings.

package/rules/typescript/ts.security.no-dynamic-execution.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Eval or dynamic code execution
   summary: Eval-like helpers, `vm` execution APIs, and string-evaluated timers should not execute dynamic code.
   rationale: Dynamic execution turns data into code, widens the attack surface, and bypasses normal control flow.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-94
+      title: Improper Control of Generation of Code
+    - kind: owasp
+      title: Code Injection
+      url: https://owasp.org/www-community/attacks/Code_Injection
   tags:
     - security
     - execution
@@ -32,3 +41,4 @@ emit:
     summary: "`${captures.issue.text}` executes dynamic code and should be replaced with a safer alternative."
   remediation:
     summary: Replace dynamic execution with explicit parsing, fixed dispatch tables, or normal function callbacks.

package/rules/typescript/ts.security.no-fs-readfile-sync-in-handler.rule.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-fs-readfile-sync-in-handler
+  title: Avoid synchronous file reads in HTTP handlers
+  summary: Request handlers should not call `readFileSync` or equivalent blocking file APIs.
+  rationale: Blocking disk I/O inside request handlers stalls the Node.js event loop and hurts availability under load.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  tags:
+    - security
+    - express
+    - performance
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.readfile-sync-in-request-handler
+    bind: issue
+emit:
+  finding:
+    category: security.availability
+    severity: medium
+    confidence: 0.86
+    tags:
+      - security
+      - express
+      - filesystem
+  message:
+    title: Replace blocking file read `${captures.issue.text}` in this handler
+    summary: "`${captures.issue.text}` performs synchronous disk I/O on the request path."
+  remediation:
+    summary: Use `fs.promises.readFile`, streams, or preload static assets outside the hot request path.

package/rules/typescript/ts.security.no-global-native-reassignment.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-global-native-reassignment
+  title: Do not reassign global native bindings
+  summary: Do not assign to global native bindings such as `Object`, `Array`, or `undefined`.
+  rationale: Reassigning global natives breaks language invariants and can disable security checks that rely on them.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-94
+      title: Improper Control of Generation of Code
+    - kind: owasp
+      title: Code Injection
+      url: https://owasp.org/www-community/attacks/Code_Injection
+  tags:
+    - security
+    - language
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.global-native-reassignment
+    bind: issue
+emit:
+  finding:
+    category: security.language
+    severity: high
+    confidence: 0.97
+    tags:
+      - security
+      - language
+  message:
+    title: Do not reassign global native bindings
+    summary: "`${captures.issue.text}` reassigns a global native binding and can break runtime guarantees."
+  remediation:
+    summary: Use local variables with distinct names instead of overwriting global natives.

package/rules/typescript/ts.security.no-innerhtml-assignment.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid unsafe `innerHTML` assignment
   summary: "`innerHTML` assignments should only use fixed or explicitly sanitized HTML."
   rationale: Direct HTML injection can allow untrusted or weakly reviewed content to execute in the browser.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - output-encoding
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` inserts non-literal, non-sanitized HTML into `innerHTML`."
   remediation:
     summary: Prefer text-only rendering APIs or assign only fixed or explicitly sanitized HTML.

package/rules/typescript/ts.security.no-javascript-url.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-javascript-url
+  title: Avoid `javascript:` URLs
+  summary: Do not use `javascript:` URLs in string literals, template literals, or JSX link attributes.
+  rationale: "`javascript:` URLs execute attacker-controlled code when used as navigation targets."
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+  tags:
+    - security
+    - xss
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.javascript-url
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: high
+    confidence: 0.94
+    tags:
+      - security
+      - xss
+  message:
+    title: "Avoid `javascript:` URLs"
+    summary: "`${captures.issue.text}` uses a `javascript:` URL that can execute arbitrary script."
+  remediation:
+    summary: "Use safe HTTPS links, in-app handlers, or explicit event callbacks instead of `javascript:` URLs."

package/rules/typescript/ts.security.no-native-prototype-extension.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-native-prototype-extension
+  title: Do not extend native prototypes
+  summary: Do not assign properties on built-in prototype objects such as `Array.prototype`.
+  rationale: Mutating native prototypes affects every consumer of that type and can introduce subtle security bugs across the runtime.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-94
+      title: Improper Control of Generation of Code
+    - kind: owasp
+      title: Code Injection
+      url: https://owasp.org/www-community/attacks/Code_Injection
+  tags:
+    - security
+    - language
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.native-prototype-extension
+    bind: issue
+emit:
+  finding:
+    category: security.language
+    severity: high
+    confidence: 0.96
+    tags:
+      - security
+      - language
+  message:
+    title: Do not extend native prototypes
+    summary: "`${captures.issue.text}` mutates a built-in prototype and can change behavior globally."
+  remediation:
+    summary: Use utility functions or wrapper types instead of modifying native prototypes.

package/rules/typescript/ts.security.no-sync-child-process-exec.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-sync-child-process-exec
+  title: Avoid synchronous child process execution with dynamic commands
+  summary: execSync and spawnSync should not run commands built from variables or template strings.
+  rationale: Synchronous shell execution blocks the event loop and dynamic command strings are a common command-injection surface.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-78
+      title: OS Command Injection
+    - kind: owasp
+      title: OS Command Injection Defense Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
+  tags:
+    - security
+    - express
+    - child-process
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.sync-child-process-exec
+    bind: issue
+emit:
+  finding:
+    category: security.command-injection
+    severity: high
+    confidence: 0.88
+    tags:
+      - security
+      - child-process
+  message:
+    title: Avoid synchronous shell execution in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` runs a child process synchronously with a non-literal command string."
+  remediation:
+    summary: Prefer async APIs with fixed command allowlists, or validate and normalize inputs before invoking shell commands.

package/rules/typescript/ts.security.no-throw-literal.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-throw-literal
+  title: Throw `Error` objects instead of literals
+  summary: Only throw `Error` instances (or subclasses), not strings, numbers, or plain objects.
+  rationale: Throwing literals loses stack traces and makes error handling inconsistent across callers.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  tags:
+    - security
+    - reliability
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.throw-literal
+    bind: issue
+emit:
+  finding:
+    category: security.reliability
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - reliability
+  message:
+    title: Throw an `Error` instead of a literal
+    summary: "`${captures.issue.text}` throws a non-`Error` value that is harder to inspect and handle safely."
+  remediation:
+    summary: Throw `new Error(...)` or a typed error subclass with a clear message.