npm - @critiq/rules - Versions diffs - 0.1.0 → 0.2.0 - Mend

@critiq/rules 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (299) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@critiq/rules",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "private": false,
   "description": "Public OSS Critiq rule catalog with catalog metadata, shipped rule YAML files, and preset membership.",
   "license": "Apache-2.0",

package/rules/go/go.correctness.defer-close-before-check.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.defer-close-before-check
+  title: Check error before deferring Close
+  summary: A deferred Close runs even when the open call failed and returned a nil handle.
+  rationale: >-
+    When `defer file.Close()` runs before the matching `if err != nil` check, a failed
+    open dereferences a nil resource and panics during cleanup.
+  tags:
+    - correctness
+    - go
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.defer-close-before-check
+    bind: issue
+emit:
+  finding:
+    category: correctness.exceptions
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+      - go
+  message:
+    title: Move `defer ... Close()` after the err check in `${captures.issue.text}`
+    summary: "A `defer ...Close()` runs before the matching `if err != nil` check on the open call."
+  remediation:
+    summary: >-
+      Return early when the open call sets a non-nil error, then defer the matching
+      `Close()` only once the resource is known to be valid.

package/rules/go/go.correctness.defer-in-loop.rule.yaml ADDED Viewed

@@ -0,0 +1,47 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.defer-in-loop
+  title: Avoid defer inside loops
+  summary: defer inside a loop holds resources until the surrounding function returns.
+  rationale: >-
+    `defer` runs when the enclosing function returns, not when the iteration ends.
+    Deferring inside a `for` or `for ... range` block accumulates open handles for
+    the lifetime of the function and can exhaust file descriptors or memory.
+  tags:
+    - correctness
+    - go
+    - resource-leak
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.defer-in-loop
+    bind: issue
+emit:
+  finding:
+    category: correctness.resource-leak
+    severity: medium
+    confidence: 0.85
+    tags:
+      - correctness
+      - go
+      - resource-leak
+  message:
+    title: Remove `${captures.issue.text}` from the loop body
+    summary: "A `defer` statement runs inside a `for` loop and accumulates cleanups until the function returns."
+  remediation:
+    summary: >-
+      Wrap the per-iteration work in a helper or closure so the deferred call runs
+      when the iteration ends, not at function return.

package/rules/go/go.correctness.nil-context-passed.rule.yaml ADDED Viewed

@@ -0,0 +1,43 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.nil-context-passed
+  title: Pass a real context.Context
+  summary: Context-accepting calls should not receive a literal `nil` as their first argument.
+  rationale: >-
+    Standard library functions that take `context.Context` panic or skip cancellation
+    semantics when called with `nil`. Use `context.Background()`, `context.TODO()`, or
+    a propagated context instead.
+  tags:
+    - correctness
+    - go
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.nil-context-passed
+    bind: issue
+emit:
+  finding:
+    category: correctness.api-usage
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - go
+  message:
+    title: Pass a real context to `${captures.issue.text}`
+    summary: "A context-accepting call receives a literal `nil` as its first argument."
+  remediation:
+    summary: Use `context.Background()`, `context.TODO()`, or a propagated context value instead of `nil`.

package/rules/go/go.correctness.nil-map-assignment.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.nil-map-assignment
+  title: Initialize maps before assignment
+  summary: Writing to a nil map panics at runtime.
+  rationale: >-
+    A `var m map[K]V` declaration leaves `m` nil. Any `m[key] = value` write before
+    `make(map[K]V)` or a map literal initialization causes a runtime panic.
+  tags:
+    - correctness
+    - go
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.nil-map-assignment
+    bind: issue
+emit:
+  finding:
+    category: correctness.runtime
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+      - go
+  message:
+    title: Initialize map before writing to `${captures.issue.text}`
+    summary: "A `var m map[...]...` declaration is written to before `make(...)` or a literal initialization."
+  remediation:
+    summary: Initialize the map with `make(map[K]V)` or a map literal before writing to it.

package/rules/go/go.correctness.time-tick-leak.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.time-tick-leak
+  title: Avoid time.Tick for stoppable timers
+  summary: time.Tick leaks the underlying ticker because it cannot be stopped.
+  rationale: >-
+    `time.Tick` is documented as appropriate only for cases that run forever. Use
+    `time.NewTicker` so the ticker can be `Stop`ped when the consumer is done with it.
+  tags:
+    - correctness
+    - go
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.time-tick-leak
+    bind: issue
+emit:
+  finding:
+    category: correctness.resource-leak
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - go
+  message:
+    title: Use `time.NewTicker` instead of `${captures.issue.text}`
+    summary: "`time.Tick` cannot be stopped and leaks the ticker goroutine."
+  remediation:
+    summary: >-
+      Replace `time.Tick(d)` with `time.NewTicker(d)` and defer `ticker.Stop()` once
+      the consumer no longer needs the channel.

package/rules/go/go.correctness.unused-append-result.rule.yaml ADDED Viewed

@@ -0,0 +1,43 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.unused-append-result
+  title: Assign the result of append
+  summary: append returns a new slice; dropping the result loses the appended element.
+  rationale: >-
+    `append` may allocate a new backing array, so it always returns the resulting
+    slice. Calling `append(s, x)` as a standalone statement silently throws the
+    update away.
+  tags:
+    - correctness
+    - go
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.unused-append-result
+    bind: issue
+emit:
+  finding:
+    category: correctness.api-usage
+    severity: high
+    confidence: 0.9
+    tags:
+      - correctness
+      - go
+  message:
+    title: Capture the result of `${captures.issue.text}`
+    summary: "An `append(...)` call appears as a standalone statement without assigning its result."
+  remediation:
+    summary: Assign the result back to the slice variable, e.g. `s = append(s, x)`.

package/rules/go/go.correctness.waitgroup-add-in-goroutine.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.waitgroup-add-in-goroutine
+  title: Call WaitGroup.Add before launching the goroutine
+  summary: WaitGroup.Add called inside the goroutine races with Wait.
+  rationale: >-
+    `sync.WaitGroup.Add` must happen before the launching goroutine returns to the
+    caller. If `Add` runs inside the goroutine, `Wait` may observe a zero counter and
+    return before the work begins.
+  tags:
+    - correctness
+    - go
+    - concurrency
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.waitgroup-add-in-goroutine
+    bind: issue
+emit:
+  finding:
+    category: correctness.concurrency
+    severity: high
+    confidence: 0.88
+    tags:
+      - correctness
+      - go
+      - concurrency
+  message:
+    title: Move `${captures.issue.text}` before `go func`
+    summary: "A `WaitGroup.Add` call runs inside a `go func()` body and can race with `Wait`."
+  remediation:
+    summary: Call `wg.Add(n)` on the launching goroutine before the `go` statement starts the worker.

package/rules/go/go.security.bind-all-interfaces.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.bind-all-interfaces
+  title: Avoid binding Go services to all interfaces
+  summary: >-
+    Go network services should avoid explicit binds to `0.0.0.0`, `::`, or `[::]` unless public exposure is intentional and controlled.
+  rationale: >-
+    Binding every interface can unintentionally expose internal services beyond expected trust boundaries.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-668
+      title: Exposure of Resource to Wrong Sphere
+    - kind: url
+      title: CWE-668 Exposure of Resource to Wrong Sphere
+      url: https://cwe.mitre.org/data/definitions/668.html
+  tags:
+    - security
+    - go
+    - network
+    - exposure
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.bind-all-interfaces
+    bind: issue
+emit:
+  finding:
+    category: security.network
+    severity: medium
+    confidence: 0.85
+    tags:
+      - security
+      - go
+      - network
+      - exposure
+  message:
+    title: Restrict interface bind in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` binds a service to all network interfaces."
+  remediation:
+    summary: >-
+      Prefer loopback or an explicit interface bind unless broad exposure is required and defended by network controls.

package/rules/go/go.security.echo-sensitive-binding-without-validation.rule.yaml CHANGED Viewed

@@ -8,6 +8,15 @@ metadata:
   rationale: >-
     Regex-based heuristics flag Echo `Bind` usage when the file defines structs with sensitive fields that omit `validate` or `binding` style tags.
     This is intentionally conservative and may miss cross-file structs or middleware-protected routes.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
   tags:
     - security
     - go
@@ -44,3 +53,4 @@ emit:
   remediation:
     summary: >-
       Add `validate` tags, use Echo's binding helpers with explicit validation, or route through a hardened DTO layer.

package/rules/go/go.security.echo-unsafe-multipart-upload.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     Multipart handlers should cap body size, sanitize filenames with `filepath.Base`, and avoid concatenating user filenames into destination paths.
   rationale: >-
     Unbounded multipart reads and raw `FormFile().Filename` usage enable DoS and path traversal when combined with predictable upload directories.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
   tags:
     - security
     - go
@@ -43,3 +52,4 @@ emit:
   remediation:
     summary: >-
       Wrap the request body with `http.MaxBytesReader`, normalize filenames with `filepath.Base`, enforce extension allowlists, and prefer storage APIs that never trust client paths.

package/rules/go/go.security.fiber-sensitive-binding-without-validation.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     Sensitive Fiber parsers should pair structs with validator tags or explicit validation so roles and secrets cannot be silently omitted.
   rationale: >-
     Regex heuristics flag `BodyParser`/`JSON` usage when structs in the same file define sensitive fields without `validate` or `binding` style tags.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
   tags:
     - security
     - go
@@ -43,3 +52,4 @@ emit:
   remediation:
     summary: >-
       Add `validate` struct tags, use Fiber validator middleware, or centralize DTO validation before business logic.

package/rules/go/go.security.fiber-unsafe-multipart-upload.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     Fiber upload helpers should enforce size limits and never persist client-controlled filenames without normalization.
   rationale: >-
     `FormFile`/`SaveFile` flows that concatenate `Filename` into paths or skip `filepath.Base` are a common path traversal and storage abuse vector.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
   tags:
     - security
     - go
@@ -43,3 +52,4 @@ emit:
   remediation:
     summary: >-
       Apply `filepath.Base`, cap reader sizes, allowlist extensions, and store uploads using server-generated object keys.

package/rules/go/go.security.gin-sensitive-binding-without-validation.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     Sensitive Gin binds should use `binding` or validator tags so authentication and mutation payloads cannot be silently empty.
   rationale: >-
     Regex heuristics flag `ShouldBindJSON`/`BindJSON` usage when structs in the same file omit `binding`/`validate` tags on sensitive fields such as passwords or roles.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
   tags:
     - security
     - go
@@ -43,3 +52,4 @@ emit:
   remediation:
     summary: >-
       Add `binding`/`validate` tags, register validators, or reject requests before they reach persistence layers.

package/rules/go/go.security.gin-trust-all-proxies.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     `SetTrustedProxies` should list real upstreams instead of `nil` or `0.0.0.0/0` style catch-alls that spoof `X-Forwarded-For`.
   rationale: >-
     Trusting every proxy allows clients to forge client IP headers and bypass IP-based controls or auditing.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
   tags:
     - security
     - go
@@ -43,3 +52,4 @@ emit:
   remediation:
     summary: >-
       Replace catch-all trusted proxy lists with explicit CIDRs for your ingress tier and document the expected hop count.

package/rules/go/go.security.gin-wildcard-cors-with-credentials.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     `gin-contrib/cors` configurations must not combine wildcard origins with `AllowCredentials: true`.
   rationale: >-
     Wildcard origins with credentials violate browser CORS safety expectations and often mask missing origin allowlists in APIs that should be locked down.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-942
+      title: Permissive Cross-domain Policy with Untrusted Domains
+    - kind: owasp
+      title: Cross-Origin Resource Sharing (CORS)
+      url: https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
   tags:
     - security
     - go
@@ -45,3 +54,4 @@ emit:
   remediation:
     summary: >-
       Replace wildcard origins with explicit HTTPS origins, disable credentials when public anonymous access is intended, or move token APIs to header-only auth without credentialed CORS.

package/rules/go/go.security.insecure-rand-seed.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.insecure-rand-seed
+  title: Do not seed math/rand for security-sensitive randomness
+  summary: >-
+    `rand.Seed` from `math/rand` produces predictable streams; security-sensitive code must use `crypto/rand`.
+  rationale: >-
+    `math/rand` is a PRNG and remains predictable regardless of seed; tokens, secrets, and keys must come from `crypto/rand.Reader`.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - cryptography
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.insecure-rand-seed
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: medium
+    confidence: 0.72
+    tags:
+      - security
+      - go
+      - cryptography
+  message:
+    title: Replace `${captures.issue.text}` with cryptographic randomness
+    summary: "`${captures.issue.text}` seeds `math/rand`, which is not a secure source of randomness."
+  remediation:
+    summary: >-
+      Use `crypto/rand.Reader` (or `crypto/rand.Read`) to generate secrets, tokens, and keys. `math/rand` should only be used for non-security-sensitive randomness and does not need seeding in Go 1.20+.

package/rules/go/go.security.insecure-ssh-host-key.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.insecure-ssh-host-key
+  title: Verify SSH host keys instead of ignoring them
+  summary: >-
+    `ssh.InsecureIgnoreHostKey()` disables host key verification and exposes SSH clients to man-in-the-middle attacks.
+  rationale: >-
+    Skipping host key verification lets any network attacker impersonate the remote host and steal credentials or hijack sessions.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - ssh
+    - transport
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.insecure-ssh-host-key
+    bind: issue
+emit:
+  finding:
+    category: security.transport
+    severity: high
+    confidence: 0.95
+    tags:
+      - security
+      - go
+      - ssh
+      - transport
+  message:
+    title: Replace insecure host-key callback at `${captures.issue.text}`
+    summary: "`${captures.issue.text}` disables SSH host key verification."
+  remediation:
+    summary: >-
+      Use `ssh.FixedHostKey`, `knownhosts.New`, or a callback that compares the remote host key to a trusted pin before completing the handshake.