npm - @critiq/rules - Versions diffs - 0.1.0 → 0.2.0 - Mend

@critiq/rules 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (299) hide show

package/rules/typescript/ts.security.no-with-statement.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-with-statement
+  title: Avoid `with` statements
+  summary: "`with` statements make binding resolution unpredictable and are disallowed in strict mode."
+  rationale: The `with` statement introduces dynamic scope and makes static analysis, optimization, and security review unreliable.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-94
+      title: Improper Control of Generation of Code
+    - kind: owasp
+      title: Code Injection
+      url: https://owasp.org/www-community/attacks/Code_Injection
+  tags:
+    - security
+    - language
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.with-statement
+    bind: issue
+emit:
+  finding:
+    category: security.language
+    severity: high
+    confidence: 0.98
+    tags:
+      - security
+      - language
+  message:
+    title: Avoid `with` statements
+    summary: "`${captures.issue.text}` uses a `with` statement that makes binding resolution unpredictable."
+  remediation:
+    summary: Replace the `with` block with explicit property access on a named object.

package/rules/typescript/ts.security.non-literal-fs-filename.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid attacker-controlled filesystem read paths
   summary: Direct filesystem read APIs should not consume request- or upload-controlled filenames.
   rationale: Dynamic read paths can expose unintended local files or bypass expected file-selection constraints.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
   tags:
     - security
     - filesystem
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` reads from a filename derived from external input."
   remediation:
     summary: Resolve reads from a trusted allowlist or a validated server-controlled mapping instead of external filenames.

package/rules/typescript/ts.security.nuxt-public-runtime-secret.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Sensitive credentials must not be exposed through runtimeConfig.public, which is visible to client bundles.
   rationale: >-
     Nuxt exposes runtimeConfig.public to the browser; placing secret material there leaks API keys, database passwords, and signing material to every visitor.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-798
+      title: Use of Hard-coded Credentials
+    - kind: owasp
+      title: Secrets Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
   tags:
     - security
     - nuxt
@@ -36,3 +48,4 @@ emit:
   remediation:
     summary: >-
       Keep secrets in the private runtimeConfig tree (non-public) and expose only publishable identifiers to the client after reviewing Nuxt runtime config documentation.

package/rules/typescript/ts.security.observable-timing-discrepancy.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Use constant-time secret comparison
   summary: Secrets and tokens should not be compared with ordinary equality operators.
   rationale: Ordinary string comparison can leak timing differences that help attackers guess secret material.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
   tags:
     - security
     - cryptography
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Use a constant-time comparison helper such as `crypto.timingSafeEqual` for secrets, tokens, and password hashes.

package/rules/typescript/ts.security.open-redirect.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Open redirect via request-controlled target
   summary: Redirect and navigation sinks should not use request-controlled destinations without validation.
   rationale: Redirect targets that are derived from user input can send authenticated users to attacker-controlled destinations.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-601
+      title: URL Redirection to Untrusted Site
+    - kind: owasp
+      title: Unvalidated Redirects and Forwards Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
   tags:
     - security
     - input-validation
@@ -37,3 +46,4 @@ emit:
   remediation:
     summary: Normalize the target to an internal path or validate it against a trusted origin allowlist before redirecting.

package/rules/typescript/ts.security.permissive-allow-origin.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Do not allow every origin in CORS policy
   summary: CORS should not fall back to wildcard or implicit allow-all origin settings.
   rationale: Wildcard or implicit allow-all CORS policies expose authenticated browser responses across origins.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-942
+      title: Permissive Cross-domain Policy with Untrusted Domains
+    - kind: owasp
+      title: Cross-Origin Resource Sharing (CORS)
+      url: https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
   tags:
     - security
     - cors
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` allows any origin through wildcard or implicit CORS policy."
   remediation:
     summary: Configure an explicit allowlist or validated origin callback instead of allowing all origins.

package/rules/typescript/ts.security.permissive-file-permissions.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid permissive file modes
   summary: Files that can carry user or security data should not be created with world-accessible modes.
   rationale: Broad file permissions expose application data to local users or processes that should not read or modify it.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-732
+      title: Incorrect Permission Assignment for Critical Resource
+    - kind: owasp
+      title: File Permission
+      url: https://owasp.org/www-community/vulnerabilities/Improper_File_Permissions
   tags:
     - security
     - filesystem
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Use the minimum required file mode and remove world-readable or world-writable bits.

package/rules/typescript/ts.security.postmessage-wildcard-origin.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid wildcard `postMessage` targets
   summary: "`postMessage` calls should not use `*` as the target origin when they carry application data."
   rationale: Wildcard targets allow the browser to deliver the message to any origin that receives the window reference.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - browser
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` uses `*` as the `postMessage` target origin."
   remediation:
     summary: Set the target origin to a strict expected origin instead of `*`.

package/rules/typescript/ts.security.predictable-token-generation.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid predictable token generation
   summary: Tokens, reset links, and session secrets should be generated from cryptographically strong randomness.
   rationale: Predictable token material makes it easier to guess reset links, invite codes, and session secrets.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-287
+      title: Improper Authentication
+    - kind: owasp
+      title: JSON Web Token Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
   tags:
     - security
     - authentication
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` builds a token-like value from predictable inputs."
   remediation:
     summary: Generate the value with `crypto.randomBytes`, `crypto.randomUUID`, or an approved secure token source.

package/rules/typescript/ts.security.raw-html-using-user-input.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid raw HTML with request input
   summary: Request-derived values should not be interpolated into raw HTML strings.
   rationale: Raw HTML construction with request data is a common path to reflected and stored XSS.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - xss
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Use framework escaping, a trusted sanitizer, or safe DOM APIs instead of raw HTML interpolation.

package/rules/typescript/ts.security.request-driven-array-index-access.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid request-driven array indexing without bounds checks
   summary: Arrays indexed with request-derived keys can read or write out-of-bounds entries.
   rationale: Attacker-controlled indexes bypass assumptions about array length and element initialization.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
   tags:
     - security
     - correctness
@@ -31,3 +40,4 @@ emit:
     summary: "Array access uses a computed index derived from ${captures.issue.text}."
   remediation:
     summary: Parse and bound-check indexes, prefer maps keyed by stable identifiers, or avoid indexing arrays with request data.

package/rules/typescript/ts.security.sensitive-data-egress.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Sensitive data egress to third-party processors
   summary: Sensitive values should not be sent to external processors or outbound SDKs without minimization or redaction.
   rationale: Sending regulated or secret data to third-party services increases privacy exposure and creates downstream processor risk.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-200
+      title: Exposure of Sensitive Information to an Unauthorized Actor
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
   tags:
     - security
     - privacy
@@ -35,3 +44,4 @@ emit:
     summary: "`${captures.issue.text}` sends normalized sensitive datatypes to an outbound processor or external service."
   remediation:
     summary: Minimize the payload, redact the sensitive fields, or route the data only to approved processors.

package/rules/typescript/ts.security.sensitive-data-in-exception.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid sensitive data in thrown errors
   summary: Exceptions and rejection payloads should not include raw secrets or personal data.
   rationale: Exception payloads often reach logs, APM tools, and client responses with less review than normal business data.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-200
+      title: Exposure of Sensitive Information to an Unauthorized Actor
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
   tags:
     - security
     - privacy
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Replace raw secrets and personal data with opaque identifiers or redacted summaries before throwing or rejecting.

package/rules/typescript/ts.security.sensitive-data-written-to-file.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid writing sensitive data to files
   summary: Data exports and local file writes should not persist raw secrets or personal fields.
   rationale: Static files, exports, and backups are easy to copy or retain beyond their intended lifetime.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-200
+      title: Exposure of Sensitive Information to an Unauthorized Actor
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
   tags:
     - security
     - privacy
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Redact, hash, or exclude the sensitive fields before writing the file.

package/rules/typescript/ts.security.ssrf.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Server-side request forgery
   summary: Outbound requests should not use attacker-controlled targets or private hosts.
   rationale: Request-controlled targets can force the server to call internal services, metadata endpoints, or attacker-controlled infrastructure.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-918
+      title: Server-Side Request Forgery (SSRF)
+    - kind: owasp
+      title: Server-Side Request Forgery
+      url: https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
   tags:
     - security
     - network
@@ -33,3 +42,4 @@ emit:
     summary: "`${captures.ssrfCall.text}` sends an outbound request to a request-controlled or private target."
   remediation:
     summary: Resolve URLs against a trusted allowlist, reject private hosts, and proxy outbound requests through a vetted server-side helper.

package/rules/typescript/ts.security.token-or-session-not-validated.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Token or session not validated
   summary: Session and token values from external input should be verified before authentication or identity use.
   rationale: Parsing or loading session state without verification allows forged or stale credentials to influence authorization paths.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-287
+      title: Improper Authentication
+    - kind: owasp
+      title: JSON Web Token Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
   tags:
     - security
     - authentication
@@ -33,3 +42,4 @@ emit:
     summary: "`${captures.issue.text}` uses token or session input without any preceding validation step."
   remediation:
     summary: Verify or authenticate the token or session value before decoding, loading, or deriving identity from it.

package/rules/typescript/ts.security.ui-redress.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Do not derive anti-framing headers from request input
   summary: Framing and CSP headers should not be set from request-controlled values.
   rationale: Request-controlled anti-framing headers weaken protections against clickjacking and UI redress attacks.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
   tags:
     - security
     - clickjacking
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Set framing and CSP headers from fixed server policy instead of request data.

package/rules/typescript/ts.security.unsafe-dirname-path-concat.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.unsafe-dirname-path-concat
+  title: Avoid string-built paths from `__dirname` or `__filename`
+  summary: Do not build filesystem paths by concatenating `__dirname` or `__filename` with strings or templates.
+  rationale: String-built paths are easy to get wrong and can enable directory traversal when any segment is dynamic.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+  tags:
+    - security
+    - filesystem
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.unsafe-dirname-path-concat
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: medium
+    confidence: 0.88
+    tags:
+      - security
+      - filesystem
+  message:
+    title: Avoid string-built paths from `__dirname` or `__filename`
+    summary: "`${captures.issue.text}` builds a path by concatenating `__dirname` or `__filename`, which is fragile and risky."
+  remediation:
+    summary: Use `path.join`, `path.resolve`, or `import.meta.url` with validated segments instead of string concatenation.

package/rules/typescript/ts.security.unsafe-dompurify-version.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Upgrade DOM sanitization dependency
   summary: DOM sanitization libraries should stay on patched versions before they are trusted for untrusted HTML.
   rationale: Older sanitizer versions can miss browser parsing edge cases and leave XSS protections incomplete.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-1104
+      title: Use of Unmaintained Third Party Components
+    - kind: owasp
+      title: Vulnerable Dependency Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html
   tags:
     - security
     - dependency
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` is below the minimum sanitizer version Critiq treats as safe for untrusted HTML."
   remediation:
     summary: Upgrade the package, then keep HTML sanitizer usage behind a small reviewed wrapper.

package/rules/typescript/ts.security.unsafe-marked-version.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Upgrade Markdown rendering dependency
   summary: Markdown renderers should stay on patched versions before rendering untrusted content.
   rationale: Older Markdown renderer versions can expose unsafe HTML handling and parser edge cases.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-1104
+      title: Use of Unmaintained Third Party Components
+    - kind: owasp
+      title: Vulnerable Dependency Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html
   tags:
     - security
     - dependency
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` is below the minimum Markdown renderer version Critiq treats as safe for untrusted content."
   remediation:
     summary: Upgrade the package and keep untrusted Markdown rendering behind explicit sanitization.

package/rules/typescript/ts.security.unsanitized-http-response.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid unsafe raw HTTP response output
   summary: Raw response writers should not echo request data into HTML-capable responses without trusted escaping or sanitization.
   rationale: Directly reflecting request data into HTML-capable response sinks creates reflected XSS and content injection risk.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - xss
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` writes request-controlled data into a raw HTTP response sink without a trusted HTML escaping model."
   remediation:
     summary: Escape or sanitize the data with a trusted helper, or switch to a response format that does not treat it as executable markup.

package/rules/typescript/ts.security.unvalidated-external-input.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Validate untrusted input before parser construction
   summary: Untrusted input should be validated before it is used to construct sensitive parsers or runtime objects.
   rationale: Passing untrusted text across regex or URL construction boundaries increases the risk of parser abuse, denial of service, and downstream policy bypass.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
   tags:
     - security
     - input-validation
@@ -33,3 +42,4 @@ emit:
     summary: "`${captures.issue.text}` constructs a sensitive parser or runtime object from untrusted input without a trust-boundary check."
   remediation:
     summary: Validate, sanitize, or normalize the untrusted value before passing it into URL, RegExp, or similarly sensitive constructors.

package/rules/typescript/ts.security.user-controlled-sendfile.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Constrain `res.sendFile` to a trusted root
   summary: "`res.sendFile()` should not resolve filenames or options from request input without a trusted root."
   rationale: Request-controlled file responses are a common path to path traversal and unintended local file disclosure.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-918
+      title: Server-Side Request Forgery (SSRF)
+    - kind: owasp
+      title: Server-Side Request Forgery
+      url: https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
   tags:
     - security
     - filesystem
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` serves a request-controlled file path or options object without a trusted root."
   remediation:
     summary: Resolve files from an allowlisted directory and validate request input before it reaches `res.sendFile()`.

package/rules/typescript/ts.security.user-controlled-view-render.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Constrain `res.render()` trust boundaries
   summary: Express view names should not cross into server-side rendering from untrusted input.
   rationale: Untrusted template names can expose internal views, bypass intended route behavior, or widen a server-side template boundary.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - express
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` selects a server-side template across a trust boundary using untrusted input."
   remediation:
     summary: Resolve the template from an allowlist or fixed route mapping before calling `res.render()`.

package/rules/typescript/ts.security.weak-cipher-or-mode.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid weak cipher algorithms and modes
   summary: Cryptographic ciphers should use modern authenticated modes and approved algorithms.
   rationale: Weak modes such as ECB and legacy ciphers such as DES or RC4 do not provide adequate confidentiality.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
   tags:
     - security
     - crypto
@@ -33,3 +42,4 @@ emit:
     summary: "`${captures.issue.text}` uses a weak cipher algorithm or mode."
   remediation:
     summary: Use modern authenticated encryption such as AES-GCM with approved key sizes and IV handling.

package/rules/typescript/ts.security.weak-key-strength.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid weak key-generation strength
   summary: Key-generation helpers should use current minimum strengths for RSA, AES, and HMAC keys.
   rationale: Weak modulus or key lengths make brute-force and cryptanalytic attacks more practical, even when the API itself is correct.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
   tags:
     - security
     - cryptography
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` configures a key length or modulus size below the current minimum expected for production cryptography."
   remediation:
     summary: Use at least 2048-bit RSA keys and at least 128-bit AES or HMAC keys unless a clearly documented compatibility boundary requires otherwise.

package/rules/typescript/ts.security.weak-tls-version.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Require modern TLS minimum versions
   summary: Transport clients should not explicitly allow SSLv3, TLS 1.0, or TLS 1.1.
   rationale: Legacy TLS protocol floors weaken transport security and keep obsolete downgrade-compatible settings alive in production code.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
   tags:
     - security
     - transport
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` explicitly allows an obsolete TLS or SSL protocol version."
   remediation:
     summary: Set `minVersion` to at least `TLSv1.2` or `TLSv1.3` and remove legacy `secureProtocol` values.

package/rules/typescript/ts.security.xml-parse-string-with-untrusted-input.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Do not parse untrusted XML with permissive parsers
   summary: parseString and similar XML helpers should not consume request-controlled payloads without hardening.
   rationale: Untrusted XML can enable XXE-style parser abuse depending on the underlying implementation and parser flags.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-502
+      title: Deserialization of Untrusted Data
+    - kind: owasp
+      title: Deserialization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
   tags:
     - security
     - xml
@@ -33,3 +42,4 @@ emit:
     summary: "${captures.issue.text} parses XML that appears request-driven."
   remediation:
     summary: Disable external entities, validate payloads against a strict schema, and parse with a hardened XML configuration.