npm - @critiq/rules - Versions diffs - 0.1.0 → 0.2.0 - Mend

@critiq/rules 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (299) hide show

package/rules/php/php.correctness.error-suppression-operator.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.error-suppression-operator
+  title: Avoid the error suppression operator
+  summary: The `@` operator hides warnings and errors instead of handling them explicitly.
+  rationale: Suppressed failures make debugging harder and can mask security or data integrity issues.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.error-suppression-operator
+    bind: issue
+emit:
+  finding:
+    category: correctness.error-handling
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - php
+  message:
+    title: Remove error suppression in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses `@` to suppress PHP errors or warnings."
+  remediation:
+    summary: Handle expected failures with explicit checks, try/catch where appropriate, or fix the underlying condition instead of silencing errors.

package/rules/php/php.correctness.nullsafe-returned-by-reference.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.nullsafe-returned-by-reference
+  title: Do not return nullsafe access by reference
+  summary: By-reference arrow functions cannot safely return nullsafe property access.
+  rationale: Nullsafe access may evaluate to null, which cannot be returned by reference and triggers runtime errors.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.nullsafe-returned-by-reference
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: high
+    confidence: 0.92
+    tags:
+      - correctness
+      - php
+  message:
+    title: Fix by-reference arrow function using nullsafe access
+    summary: "`${captures.issue.text}` returns a nullsafe property access by reference."
+  remediation:
+    summary: Return a value by copy, guard against null before returning a reference, or avoid by-reference arrow functions for nullable targets.

package/rules/php/php.correctness.switch-multiple-default.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.switch-multiple-default
+  title: Use only one default case per switch
+  summary: A switch statement must not declare more than one default branch.
+  rationale: Multiple default cases are invalid PHP and indicate a copy-paste or merge mistake.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.switch-multiple-default
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: high
+    confidence: 0.98
+    tags:
+      - correctness
+      - php
+  message:
+    title: Remove extra default case in switch
+    summary: "This switch declares more than one `default` branch."
+  remediation:
+    summary: Keep a single default case and move additional logic into earlier cases or refactor the control flow.

package/rules/php/php.correctness.unreachable-after-return.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.unreachable-after-return
+  title: Remove unreachable statements after return or throw
+  summary: Code after `return` or `throw` in the same block never runs.
+  rationale: Unreachable statements usually indicate dead code, incomplete refactors, or missing control-flow fixes.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.unreachable-after-return
+    bind: issue
+emit:
+  finding:
+    category: correctness.control-flow
+    severity: low
+    confidence: 0.85
+    tags:
+      - correctness
+      - php
+  message:
+    title: Remove unreachable statement
+    summary: "This statement appears after a `return` or `throw` in the same block and will not execute."
+  remediation:
+    summary: Delete the dead code or move it before the terminal statement if it is still required.

package/rules/php/php.security.debug-function-exposure.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.debug-function-exposure
+  title: Remove debug dump helpers from production PHP
+  summary: >-
+    var_dump, print_r, debug_zval_dump, and xdebug helpers should not ship in application code paths.
+  rationale: >-
+    Debug helpers can leak secrets, PII, and internal object state to logs or HTTP responses.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-209
+      title: Generation of Error Message Containing Sensitive Information
+    - kind: owasp
+      title: Error Handling Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
+  tags:
+    - security
+    - php
+    - debug
+    - information-leakage
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.php"
+match:
+  fact:
+    kind: php.security.debug-function-exposure
+    bind: issue
+emit:
+  finding:
+    category: security.information-leakage
+    severity: medium
+    confidence: 0.86
+    tags:
+      - security
+      - php
+      - debug
+  message:
+    title: Remove debug helper in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses a debug dump helper in non-test code."
+  remediation:
+    summary: >-
+      Remove debug helpers from production paths or route diagnostics through structured logging with redaction.

package/rules/php/php.security.insecure-cors-wildcard-with-credentials.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     PHP CORS responses should not allow credentials when origin is set to `*`.
   rationale: >-
     Wildcard origins with credential support break origin isolation and can expose authenticated data cross-site.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-942
+      title: Permissive Cross-domain Policy with Untrusted Domains
+    - kind: owasp
+      title: Cross-Origin Resource Sharing (CORS)
+      url: https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
   tags:
     - security
     - php
@@ -39,3 +48,4 @@ emit:
   remediation:
     summary: >-
       Replace wildcard origins with explicit allowlists and keep credentials disabled unless strictly required.

package/rules/php/php.security.insecure-mail-or-file-transport.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     Outbound mail/file transfer code should not rely on plaintext transport endpoints for sensitive traffic.
   rationale: >-
     Unencrypted transfer channels expose credentials and payloads to interception or tampering.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-668
+      title: Exposure of Resource to Wrong Sphere
+    - kind: url
+      title: CWE-668 Exposure of Resource to Wrong Sphere
+      url: https://cwe.mitre.org/data/definitions/668.html
   tags:
     - security
     - php
@@ -39,3 +48,4 @@ emit:
   remediation:
     summary: >-
       Use encrypted transport endpoints and modern client libraries with certificate validation enabled.

package/rules/php/php.security.insecure-session-id-generation.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.insecure-session-id-generation
+  title: Avoid predictable or user-supplied session IDs
+  summary: >-
+    session_id must not be set from weak hash helpers, uniqid, or request-derived values.
+  rationale: >-
+    Predictable or attacker-controlled session identifiers enable fixation and session hijacking.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-614
+      title: Sensitive Cookie Without Secure Attribute
+    - kind: owasp
+      title: Session Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+  tags:
+    - security
+    - php
+    - session
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.insecure-session-id-generation
+    bind: issue
+emit:
+  finding:
+    category: security.session-management
+    severity: high
+    confidence: 0.88
+    tags:
+      - security
+      - php
+      - session
+  message:
+    title: Harden session ID generation in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` sets session_id from weak or untrusted input."
+  remediation:
+    summary: >-
+      Let PHP generate session identifiers with session_start, or use random_bytes and bin2hex for custom IDs.

package/rules/php/php.security.insecure-session-or-cookie-config.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     Session/cookie configuration should keep secure, httpOnly, and safe same-site posture for authenticated contexts.
   rationale: >-
     Weak cookie/session flags increase theft and replay risk across XSS, mixed transport, and cross-site request contexts.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-614
+      title: Sensitive Cookie Without Secure Attribute
+    - kind: owasp
+      title: Session Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
   tags:
     - security
     - php
@@ -40,3 +49,4 @@ emit:
   remediation:
     summary: >-
       Set `secure=true`, `httponly=true`, and a restrictive same-site policy for authentication cookies in production traffic.

package/rules/php/php.security.laravel-sensitive-csrf-exclusion.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Wildcard CSRF exclusions should not cover account, billing, admin, password, or profile endpoints.
   rationale: >-
     Over-broad CSRF exemptions remove request integrity checks from high-impact authenticated actions.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-352
+      title: Cross-Site Request Forgery (CSRF)
+    - kind: owasp
+      title: Cross-Site Request Forgery Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Laravel security
+      url: https://laravel.com/docs/master/security
   tags:
     - security
     - php
@@ -40,3 +52,4 @@ emit:
   remediation:
     summary: >-
       Limit CSRF exceptions to explicitly signed webhook endpoints and avoid wildcard exclusions on authenticated user flows.

package/rules/php/php.security.laravel-unsafe-blade-output.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Raw Blade rendering (`{!! !!}`) should not directly render request, model, or translated user content.
   rationale: >-
     Unescaped template output can enable stored or reflected XSS when user-controlled values are rendered as HTML.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Laravel security
+      url: https://laravel.com/docs/master/security
   tags:
     - security
     - php
@@ -40,3 +52,4 @@ emit:
   remediation:
     summary: >-
       Prefer escaped Blade output (`{{ }}`) and sanitizer wrappers before rendering user-influenced HTML.

package/rules/php/php.security.laravel-unsafe-mass-assignment.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Eloquent writes should not use `$request->all()` or fully unguarded models for sensitive records.
   rationale: >-
     Raw request mass assignment lets attackers set privileged fields like role or account ownership.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
+    - kind: url
+      title: Laravel security
+      url: https://laravel.com/docs/master/security
   tags:
     - security
     - php
@@ -43,3 +55,4 @@ emit:
   remediation:
     summary: >-
       Use validated DTO/request objects and explicit allowlists (`only`) for model writes, and avoid `$guarded = []` on sensitive models.

package/rules/php/php.security.no-dynamic-eval.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.no-dynamic-eval
+  title: Avoid dynamic PHP code execution
+  summary: >-
+    Do not execute runtime-generated PHP via eval, string assert, or create_function.
+  rationale: >-
+    Dynamic execution turns untrusted or mutable input into executable code and expands injection risk.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-94
+      title: Improper Control of Generation of Code
+    - kind: owasp
+      title: Code Injection
+      url: https://owasp.org/www-community/attacks/Code_Injection
+  tags:
+    - security
+    - php
+    - execution
+    - injection
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.no-dynamic-eval
+    bind: issue
+emit:
+  finding:
+    category: security.execution
+    severity: high
+    confidence: 0.94
+    tags:
+      - security
+      - php
+      - execution
+  message:
+    title: Remove dynamic execution in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` executes PHP code dynamically."
+  remediation:
+    summary: >-
+      Replace eval, string assert, and create_function with explicit control flow, parsing, or allowlisted dispatch.

package/rules/php/php.security.sensitive-data-egress.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     Outbound HTTP clients should not forward tainted request/session material without validation or redaction.
   rationale: >-
     Unchecked egress forwarding can leak tokens, credentials, or personal data to external systems.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-200
+      title: Exposure of Sensitive Information to an Unauthorized Actor
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
   tags:
     - security
     - php
@@ -40,3 +49,4 @@ emit:
   remediation:
     summary: >-
       Scrub secrets, restrict outbound destinations, and centralize external integrations behind audited request builders.

package/rules/php/php.security.symfony-csrf-disabled.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Symfony forms and controllers handling state changes should not disable CSRF protection without a clear API token boundary.
   rationale: >-
     Disabling CSRF for authenticated browser flows enables cross-site request forgery on sensitive actions.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-352
+      title: Cross-Site Request Forgery (CSRF)
+    - kind: owasp
+      title: Cross-Site Request Forgery Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Symfony security
+      url: https://symfony.com/doc/current/security.html
   tags:
     - security
     - php
@@ -40,3 +52,4 @@ emit:
   remediation:
     summary: >-
       Keep CSRF enabled for browser forms/controllers and only exempt endpoints that are explicitly authenticated by signed tokens.

package/rules/php/php.security.symfony-debug-exposure.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Production-like Symfony configuration should not enable debug mode or web profiler surfaces.
   rationale: >-
     Debug and profiler exposure can leak internals, stack traces, secrets, and request details.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-209
+      title: Generation of Error Message Containing Sensitive Information
+    - kind: owasp
+      title: Error Handling Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
+    - kind: url
+      title: Symfony security
+      url: https://symfony.com/doc/current/security.html
   tags:
     - security
     - php
@@ -42,3 +54,4 @@ emit:
   remediation:
     summary: >-
       Keep `APP_DEBUG=0` in production and disable profiler bundles/toolbars outside local dev/test environments.

package/rules/php/php.security.unsafe-file-upload-handling.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     PHP upload handlers should not persist raw `$_FILES` names without validation and normalization.
   rationale: >-
     Unsafely handled uploads can enable path traversal, executable file placement, and malicious payload storage.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
   tags:
     - security
     - php
@@ -39,3 +48,4 @@ emit:
   remediation:
     summary: >-
       Normalize filenames, enforce extension and MIME allowlists, and route uploads through dedicated validated storage helpers.

package/rules/php/php.security.unsafe-include-with-user-input.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.unsafe-include-with-user-input
+  title: Avoid include/require with user-controlled paths
+  summary: >-
+    Include and require statements must not load files from request-derived or tainted path values.
+  rationale: >-
+    User-controlled includes can load attacker-chosen PHP and lead to remote code execution.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
+  tags:
+    - security
+    - php
+    - inclusion
+    - injection
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.unsafe-include-with-user-input
+    bind: issue
+emit:
+  finding:
+    category: security.injection
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - php
+      - inclusion
+  message:
+    title: Harden include path in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` includes or requires a path influenced by untrusted input."
+  remediation:
+    summary: >-
+      Map user input to an allowlisted template name and include only fixed, reviewed file paths.

package/rules/php/php.security.weak-cipher.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.weak-cipher
+  title: Avoid weak PHP cipher algorithms
+  summary: >-
+    OpenSSL and mcrypt usage should not rely on DES, RC4, Blowfish, ECB mode, or legacy mcrypt APIs.
+  rationale: >-
+    Weak ciphers and modes are vulnerable to practical cryptanalysis and do not meet modern confidentiality standards.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - php
+    - crypto
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.weak-cipher
+    bind: issue
+emit:
+  finding:
+    category: security.weak-crypto
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - php
+      - crypto
+  message:
+    title: Replace weak cipher usage in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses a weak cipher algorithm or mode."
+  remediation:
+    summary: >-
+      Use modern authenticated encryption (for example AES-GCM) via sodium or OpenSSL with vetted algorithms and modes.

package/rules/php/php.security.wordpress-missing-nonce-or-capability.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     WordPress admin/AJAX mutation callbacks should verify nonce tokens and enforce capability checks.
   rationale: >-
     Missing nonce or authorization checks let attackers trigger privileged actions through forged or unauthorized requests.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-862
+      title: Missing Authorization
+    - kind: owasp
+      title: Authorization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
+    - kind: url
+      title: WordPress plugin security
+      url: https://developer.wordpress.org/apis/security/
   tags:
     - security
     - php
@@ -40,3 +52,4 @@ emit:
   remediation:
     summary: >-
       Add nonce verification (`check_ajax_referer`/`check_admin_referer`) and explicit capability checks (`current_user_can`) before performing mutations.