npm - @critiq/rules - Versions diffs - 0.1.0 → 0.2.0 - Mend

@critiq/rules 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (299) hide show

package/rules/php/php.security.wordpress-unprepared-sql.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     WordPress SQL calls should not interpolate request values directly into query strings.
   rationale: >-
     Dynamic SQL without `$wpdb->prepare` enables injection and unauthorized data access/manipulation.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-89
+      title: SQL Injection
+    - kind: owasp
+      title: SQL Injection Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: WordPress plugin security
+      url: https://developer.wordpress.org/apis/security/
   tags:
     - security
     - php
@@ -40,3 +52,4 @@ emit:
   remediation:
     summary: >-
       Build SQL through `$wpdb->prepare` placeholders and sanitize scalar inputs before passing them to query execution calls.

package/rules/php/php.security.xml-external-entity.rule.yaml ADDED Viewed

@@ -0,0 +1,53 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.xml-external-entity
+  title: Harden PHP XML parsing against external entities
+  summary: >-
+    XML parsing should disable external entities and avoid LIBXML_NOENT or libxml_disable_entity_loader(false).
+  rationale: >-
+    Unsafe XML parser configuration enables XXE attacks that can leak files and reach internal services.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-611
+      title: Improper Restriction of XML External Entity Reference
+    - kind: owasp
+      title: XML External Entity (XXE) Processing
+      url: https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
+  tags:
+    - security
+    - php
+    - xml
+    - xxe
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.xml-external-entity
+    bind: issue
+emit:
+  finding:
+    category: security.injection
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - php
+      - xml
+      - xxe
+  message:
+    title: Harden XML parsing in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` parses XML without external-entity protections."
+  remediation:
+    summary: >-
+      Call libxml_disable_entity_loader(true) before parsing and pass LIBXML_NONET; never enable LIBXML_NOENT.

package/rules/python/py.correctness.assert-on-tuple.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.correctness.assert-on-tuple
+  title: Avoid tuple expression in assert
+  summary: Asserting a tuple literal-like expression is usually always truthy and can mask failing checks.
+  rationale: A non-empty tuple evaluates to true, so tuple assertions often pass even when the intended condition is false.
+  tags:
+    - correctness
+    - python
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+match:
+  fact:
+    kind: python.correctness.assert-on-tuple
+    bind: issue
+emit:
+  finding:
+    category: correctness.logic
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - python
+  message:
+    title: Fix tuple-style assert `${captures.issue.text}`
+    summary: "`${captures.issue.text}` asserts a tuple expression, which may always evaluate to truthy."
+  remediation:
+    summary: Assert a single boolean predicate or split checks into separate assert statements.

package/rules/python/py.correctness.bare-except.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.correctness.bare-except
+  title: Avoid bare except handlers
+  summary: Bare exception handlers catch all errors and hide root causes.
+  rationale: Catching every throwable without narrowing can swallow interruptions and make failures hard to diagnose.
+  tags:
+    - correctness
+    - python
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+match:
+  fact:
+    kind: python.correctness.bare-except
+    bind: issue
+emit:
+  finding:
+    category: correctness.control-flow
+    severity: high
+    confidence: 0.96
+    tags:
+      - correctness
+      - python
+  message:
+    title: Replace bare except `${captures.issue.text}`
+    summary: "`${captures.issue.text}` catches every exception type without restriction."
+  remediation:
+    summary: Catch specific expected exceptions and let unexpected failures propagate.

package/rules/python/py.correctness.broad-exception-handler.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.correctness.broad-exception-handler
+  title: Avoid overly broad exception handlers
+  summary: Catching `Exception` or `BaseException` makes error handling too broad.
+  rationale: Broad handlers hide programming errors and can interfere with expected process-level exceptions.
+  tags:
+    - correctness
+    - python
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+match:
+  fact:
+    kind: python.correctness.broad-exception-handler
+    bind: issue
+emit:
+  finding:
+    category: correctness.control-flow
+    severity: high
+    confidence: 0.95
+    tags:
+      - correctness
+      - python
+  message:
+    title: Narrow exception scope `${captures.issue.text}`
+    summary: "`${captures.issue.text}` catches a broad exception base type."
+  remediation:
+    summary: Catch only the concrete exception classes this block can recover from.

package/rules/python/py.correctness.dangerous-mutable-default.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.correctness.dangerous-mutable-default
+  title: Avoid mutable default function arguments
+  summary: Mutable defaults in function signatures retain state across calls.
+  rationale: Reusing the same list, dict, or set instance can leak data between calls and produce non-deterministic behavior.
+  tags:
+    - correctness
+    - python
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+match:
+  fact:
+    kind: python.correctness.dangerous-mutable-default
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: high
+    confidence: 0.96
+    tags:
+      - correctness
+      - python
+  message:
+    title: Replace mutable default `${captures.issue.text}`
+    summary: "`${captures.issue.text}` defines a mutable default argument that persists across invocations."
+  remediation:
+    summary: Use `None` as the default and construct a fresh mutable object inside the function.

package/rules/python/py.correctness.duplicate-dict-key.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.correctness.duplicate-dict-key
+  title: Avoid duplicate keys in dict literals
+  summary: Repeated keys in a dict literal overwrite earlier entries.
+  rationale: Silent key replacement hides bugs and can invalidate intended configuration values.
+  tags:
+    - correctness
+    - python
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+match:
+  fact:
+    kind: python.correctness.duplicate-dict-key
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - python
+  message:
+    title: Resolve duplicate dict key `${captures.issue.text}`
+    summary: "`${captures.issue.text}` appears multiple times in a single dict literal."
+  remediation:
+    summary: Keep each key unique and merge or rename entries so earlier values are not silently replaced.

package/rules/python/py.security.bind-all-interfaces.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.bind-all-interfaces
+  title: Avoid binding Python services to all interfaces
+  summary: Python network services should avoid explicit binds to `0.0.0.0` or `::` unless public exposure is intentional and controlled.
+  rationale: Binding every interface can unintentionally expose internal services beyond expected trust boundaries.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-668
+      title: Exposure of Resource to Wrong Sphere
+    - kind: url
+      title: CWE-668 Exposure of Resource to Wrong Sphere
+      url: https://cwe.mitre.org/data/definitions/668.html
+  tags:
+    - security
+    - python
+    - network
+    - exposure
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.bind-all-interfaces
+    bind: issue
+emit:
+  finding:
+    category: security.network
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - python
+      - network
+      - exposure
+  message:
+    title: Restrict interface bind in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` binds a service to all network interfaces."
+  remediation:
+    summary: Prefer loopback or an explicit interface bind unless broad exposure is required and defended by network controls.

package/rules/python/py.security.debugger-import.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.debugger-import
+  title: Remove debugger imports from production code
+  summary: Production Python modules should not ship with interactive debugger imports.
+  rationale: Debugger modules can expose introspection hooks and halt execution paths in deployed environments.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-209
+      title: Generation of Error Message Containing Sensitive Information
+    - kind: owasp
+      title: Error Handling Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
+  tags:
+    - security
+    - python
+    - debugging
+    - hardening
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.debugger-import
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.86
+    tags:
+      - security
+      - python
+      - debugging
+      - hardening
+  message:
+    title: Remove debugger import `${captures.issue.text}`
+    summary: "`${captures.issue.text}` imports a debugger module in runtime code."
+  remediation:
+    summary: Remove debugger imports from committed runtime modules and gate debugging tools to local-only workflows.

package/rules/python/py.security.django-csrf-exempt-state-changing.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
   rationale: >-
     Using django.decorators.csrf.csrf_exempt removes CSRF defenses for session-backed browsers,
     enabling cross-site request forgery against unsafe methods.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-352
+      title: Cross-Site Request Forgery (CSRF)
+    - kind: owasp
+      title: Cross-Site Request Forgery Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Django deployment checklist
+      url: https://docs.djangoproject.com/en/stable/howto/deployment/checklist/
   tags:
     - security
     - python
@@ -44,3 +56,4 @@ emit:
     summary: "`${captures.issue.text}` is applied near code that handles POST/PUT/PATCH/DELETE or `request.POST`, which is risky for browser sessions."
   remediation:
     summary: Remove `@csrf_exempt`, enforce CSRF tokens for browser views, or constrain the endpoint to non-session authentication with explicit CSRF policy.

package/rules/python/py.security.django-format-html-unsafe.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.django-format-html-unsafe
+  title: Review dynamic interpolation in Django format_html
+  summary: Django `format_html` calls with placeholder templates and dynamic arguments should be reviewed for unsafe output composition.
+  rationale: Unsafe interpolation patterns can still produce dangerous HTML when trusted and untrusted fragments are mixed incorrectly.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Django deployment checklist
+      url: https://docs.djangoproject.com/en/stable/howto/deployment/checklist/
+  tags:
+    - security
+    - python
+    - django
+    - xss
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+match:
+  fact:
+    kind: python.security.django-format-html-unsafe
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: high
+    confidence: 0.8
+    tags:
+      - security
+      - django
+      - xss
+  message:
+    title: Audit Django HTML interpolation `${captures.issue.text}`
+    summary: "`${captures.issue.text}` interpolates dynamic values into `format_html`; confirm values are safe for the rendered context."
+  remediation:
+    summary: Keep templates static, ensure interpolated values are trusted for the target context, and avoid assembling HTML from user-controlled fragments.

package/rules/python/py.security.django-mark-safe.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.django-mark-safe
+  title: Avoid Django mark_safe for dynamic content
+  summary: "Django responses should avoid `mark_safe` when content can include untrusted input."
+  rationale: "`mark_safe` bypasses Django escaping and can introduce cross-site scripting when values are not strictly trusted."
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Django deployment checklist
+      url: https://docs.djangoproject.com/en/stable/howto/deployment/checklist/
+  tags:
+    - security
+    - python
+    - django
+    - xss
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+match:
+  fact:
+    kind: python.security.django-mark-safe
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: high
+    confidence: 0.88
+    tags:
+      - security
+      - django
+      - xss
+  message:
+    title: Remove unsafe HTML trust `${captures.issue.text}`
+    summary: "`${captures.issue.text}` bypasses escaping and can expose XSS when rendered with variable data."
+  remediation:
+    summary: "Prefer Django auto-escaping or sanitize untrusted values before rendering instead of forcing trust with `mark_safe`."

package/rules/python/py.security.django-missing-csrf-middleware.rule.yaml CHANGED Viewed

@@ -5,6 +5,18 @@ metadata:
   title: Enable Django CSRF middleware for browser apps
   summary: Django projects using cookie-backed sessions should include `CsrfViewMiddleware` in `MIDDLEWARE`.
   rationale: Without CSRF middleware, Django cannot enforce CSRF tokens on unsafe HTTP methods for browser clients.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-352
+      title: Cross-Site Request Forgery (CSRF)
+    - kind: owasp
+      title: Cross-Site Request Forgery Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Django deployment checklist
+      url: https://docs.djangoproject.com/en/stable/howto/deployment/checklist/
   tags:
     - security
     - python
@@ -45,3 +57,4 @@ emit:
     summary: "`MIDDLEWARE` is declared without `django.middleware.csrf.CsrfViewMiddleware`, which disables framework CSRF checks."
   remediation:
     summary: Insert `django.middleware.csrf.CsrfViewMiddleware` into `MIDDLEWARE` according to the Django deployment checklist ordering guidance.

package/rules/python/py.security.django-security-middleware-missing.rule.yaml ADDED Viewed

@@ -0,0 +1,60 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.django-security-middleware-missing
+  title: Include Django SecurityMiddleware in middleware stack
+  summary: Django settings should include `django.middleware.security.SecurityMiddleware` in `MIDDLEWARE`.
+  rationale: Missing SecurityMiddleware can disable key hardening controls such as transport, header, and redirect protections.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: Django deployment checklist
+      url: https://docs.djangoproject.com/en/stable/howto/deployment/checklist/
+  tags:
+    - security
+    - python
+    - django
+    - configuration
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/settings/**/*.py"
+      - "**/*settings*.py"
+    exclude:
+      - "**/settings/local.py"
+      - "**/settings/dev.py"
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.django-security-middleware-missing
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - django
+      - configuration
+  message:
+    title: Add Django SecurityMiddleware near `${captures.issue.text}`
+    summary: "`MIDDLEWARE` is declared without `django.middleware.security.SecurityMiddleware`."
+  remediation:
+    summary: Add `django.middleware.security.SecurityMiddleware` to `MIDDLEWARE` following Django ordering guidance.

package/rules/python/py.security.django-unsafe-production-settings.rule.yaml CHANGED Viewed

@@ -5,6 +5,18 @@ metadata:
   title: Avoid unsafe Django production settings
   summary: Production Django settings should disable debug mode, restrict hosts, protect secrets, and enable HTTPS-aligned cookie flags.
   rationale: Misconfigured Django defaults expose debug traces, enable host header attacks, leak secrets, and weaken cookie transport protections.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: Django deployment checklist
+      url: https://docs.djangoproject.com/en/stable/howto/deployment/checklist/
   tags:
     - security
     - python
@@ -45,3 +57,4 @@ emit:
     summary: "`${captures.issue.text}` weakens production security posture for Django deployment."
   remediation:
     summary: Align settings with your deployment checklist—disable DEBUG, pin ALLOWED_HOSTS, load secrets from the environment, and enable secure cookie and HTTPS flags.

package/rules/python/py.security.drf-allow-any-default.rule.yaml CHANGED Viewed

@@ -5,6 +5,18 @@ metadata:
   title: Avoid AllowAny as DRF default permission
   summary: Django REST Framework APIs should default to authenticated permission classes instead of `AllowAny`.
   rationale: Default `AllowAny` exposes mutation-heavy APIs unless every view overrides permissions explicitly.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-862
+      title: Missing Authorization
+    - kind: owasp
+      title: Authorization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
+    - kind: url
+      title: Django deployment checklist
+      url: https://docs.djangoproject.com/en/stable/howto/deployment/checklist/
   tags:
     - security
     - python
@@ -44,3 +56,4 @@ emit:
     summary: "`REST_FRAMEWORK` enables `AllowAny` via `DEFAULT_PERMISSION_CLASSES`, which is unsafe for default API posture."
   remediation:
     summary: Prefer `IsAuthenticated` or another restrictive default, then opt-in public access only where documented.

package/rules/python/py.security.drf-allow-any-unsafe-method.rule.yaml CHANGED Viewed

@@ -5,6 +5,18 @@ metadata:
   title: Avoid AllowAny on unsafe DRF methods
   summary: DRF views that accept POST, PUT, PATCH, or DELETE should not declare `AllowAny` unless the endpoint is intentionally public.
   rationale: Open unsafe methods allow unauthenticated clients to mutate data and violate least-privilege API access.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-862
+      title: Missing Authorization
+    - kind: owasp
+      title: Authorization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
+    - kind: url
+      title: Django deployment checklist
+      url: https://docs.djangoproject.com/en/stable/howto/deployment/checklist/
   tags:
     - security
     - python
@@ -44,3 +56,4 @@ emit:
     summary: "`${captures.issue.text}` combines `AllowAny` with an unsafe HTTP method declaration."
   remediation:
     summary: Require authentication or scoped permissions for unsafe verbs unless the handler is explicitly public and documented.