npm - @critiq/rules - Versions diffs - 0.1.0 → 0.3.0 - Mend

@critiq/rules 0.1.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (495) hide show

package/rules/go/go.security.insecure-rand-seed.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.insecure-rand-seed
+  title: Do not seed math/rand for security-sensitive randomness
+  summary: >-
+    `rand.Seed` from `math/rand` produces predictable streams; security-sensitive code must use `crypto/rand`.
+  rationale: >-
+    `math/rand` is a PRNG and remains predictable regardless of seed; tokens, secrets, and keys must come from `crypto/rand.Reader`.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - cryptography
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.insecure-rand-seed
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: medium
+    confidence: 0.72
+    tags:
+      - security
+      - go
+      - cryptography
+  message:
+    title: Replace `${captures.issue.text}` with cryptographic randomness
+    summary: "`${captures.issue.text}` seeds `math/rand`, which is not a secure source of randomness."
+  remediation:
+    summary: >-
+      Use `crypto/rand.Reader` (or `crypto/rand.Read`) to generate secrets, tokens, and keys. `math/rand` should only be used for non-security-sensitive randomness and does not need seeding in Go 1.20+.

package/rules/go/go.security.insecure-ssh-host-key.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.insecure-ssh-host-key
+  title: Verify SSH host keys instead of ignoring them
+  summary: >-
+    `ssh.InsecureIgnoreHostKey()` disables host key verification and exposes SSH clients to man-in-the-middle attacks.
+  rationale: >-
+    Skipping host key verification lets any network attacker impersonate the remote host and steal credentials or hijack sessions.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - ssh
+    - transport
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.insecure-ssh-host-key
+    bind: issue
+emit:
+  finding:
+    category: security.transport
+    severity: high
+    confidence: 0.95
+    tags:
+      - security
+      - go
+      - ssh
+      - transport
+  message:
+    title: Replace insecure host-key callback at `${captures.issue.text}`
+    summary: "`${captures.issue.text}` disables SSH host key verification."
+  remediation:
+    summary: >-
+      Use `ssh.FixedHostKey`, `knownhosts.New`, or a callback that compares the remote host key to a trusted pin before completing the handshake.

package/rules/go/go.security.insecure-ssl-protocol.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.insecure-ssl-protocol
+  title: Reject SSLv2 and SSLv3 protocols
+  summary: >-
+    `tls.VersionSSL30`, SSLv2, or SSLv3 string literals indicate use of broken legacy protocols.
+  rationale: >-
+    SSLv2 and SSLv3 contain unrecoverable cryptographic weaknesses (POODLE, DROWN) and must not be negotiated.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - tls
+    - cryptography
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.insecure-ssl-protocol
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - go
+      - tls
+  message:
+    title: Remove SSL legacy protocol from `${captures.issue.text}`
+    summary: "`${captures.issue.text}` references a broken SSLv2/SSLv3 protocol."
+  remediation:
+    summary: >-
+      Use `tls.VersionTLS12` or `tls.VersionTLS13` instead of SSL legacy constants or string literals.

package/rules/go/go.security.insecure-temp-file.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.insecure-temp-file
+  title: Avoid deprecated `ioutil` temporary file helpers
+  summary: >-
+    Go code should use `os.CreateTemp` and `os.MkdirTemp` instead of the deprecated `ioutil.TempFile` / `ioutil.TempDir` helpers.
+  rationale: >-
+    The `ioutil` temp helpers are deprecated and frequently appear alongside race-prone temp-file patterns; the `os` replacements receive ongoing security fixes.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - filesystem
+    - tempfile
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.insecure-temp-file
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: medium
+    confidence: 0.88
+    tags:
+      - security
+      - go
+      - filesystem
+      - tempfile
+  message:
+    title: Replace deprecated temp helper at `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses a deprecated `ioutil` temporary file helper."
+  remediation:
+    summary: >-
+      Switch to `os.CreateTemp(dir, pattern)` or `os.MkdirTemp(dir, pattern)` and ensure the pattern includes a `*` so a random component is generated.

package/rules/go/go.security.jwt-without-verification.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.jwt-without-verification
+  title: Verify JWT signatures before trusting claims
+  summary: >-
+    Parsing JWTs with `jwt.Parse` and a nil keyfunc, `jwt.ParseUnverified`, or `jwt.Decode` skips signature verification and lets attackers forge tokens.
+  rationale: >-
+    Trusting unverified JWTs allows attackers to impersonate users or escalate privileges by crafting tokens with arbitrary claims.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-287
+      title: Improper Authentication
+    - kind: owasp
+      title: JSON Web Token Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - jwt
+    - authentication
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.jwt-without-verification
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - go
+      - jwt
+  message:
+    title: Verify JWT signature near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` parses a JWT without verifying its signature."
+  remediation:
+    summary: >-
+      Provide a non-nil keyfunc to `jwt.Parse` (or `jwt.ParseWithClaims`) and validate the returned token's `.Valid` flag before reading claims.

package/rules/go/go.security.net-http-missing-timeouts.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     Public Go HTTP servers should use `http.Server` with read, write, idle, and header timeouts instead of convenience `ListenAndServe` helpers or incomplete literals.
   rationale: >-
     Missing timeouts enable slowloris-style resource exhaustion and hung connections on internet-facing services.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
   tags:
     - security
     - go
@@ -43,3 +52,4 @@ emit:
   remediation:
     summary: >-
       Construct `http.Server` with `ReadHeaderTimeout`, `ReadTimeout`, `WriteTimeout`, and `IdleTimeout`, and prefer `ListenAndServe` on that configured instance.

package/rules/go/go.security.pprof-exposed.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.pprof-exposed
+  title: Do not expose pprof endpoints on shared HTTP mux
+  summary: >-
+    Importing `net/http/pprof` or registering `/debug/pprof` handlers on the default mux exposes debugging endpoints to remote callers.
+  rationale: >-
+    Exposed pprof endpoints leak heap, goroutine, and CPU profiles and can be used for denial-of-service or sensitive data harvesting.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - net/http
+    - pprof
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.pprof-exposed
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.78
+    tags:
+      - security
+      - go
+      - net/http
+  message:
+    title: Move pprof off the public mux near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` exposes profiler endpoints without an authentication guard."
+  remediation:
+    summary: >-
+      Register pprof handlers on a private mux bound to localhost or a separate listener, and gate them behind authentication.

package/rules/go/go.security.sensitive-data-egress.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     Outbound `http.Post` bodies should not be built directly from request values without validation or redaction.
   rationale: >-
     Tainted POST bodies can exfiltrate secrets, replay cookies, or forward attacker payloads to internal integrations.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-200
+      title: Exposure of Sensitive Information to an Unauthorized Actor
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
   tags:
     - security
     - go
@@ -44,3 +53,4 @@ emit:
   remediation:
     summary: >-
       Allowlist outbound hosts, strip secrets from relayed payloads, and route integrations through audited helpers.

package/rules/go/go.security.tar-path-traversal.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     Tar extraction must normalize `header.Name` with `filepath.Base` or `filepath.Clean` before opening destination files.
   rationale: >-
     Writing `hdr.Name` directly enables `../` traversal that escapes intended extraction directories.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-22
+      title: Path Traversal
+    - kind: owasp
+      title: Path Traversal
+      url: https://owasp.org/www-community/attacks/Path_Traversal
   tags:
     - security
     - go
@@ -43,3 +52,4 @@ emit:
   remediation:
     summary: >-
       Join destinations using a fixed root with `filepath.Join`, reject absolute paths, and always apply `filepath.Base` before `os.Create`.

package/rules/go/go.security.template-unescaped-request-value.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     `template.HTML`, `template.JS`, and `template.CSS` should not wrap request-derived strings unless they were sanitized first.
   rationale: >-
     Trusted template types disable escaping and turn reflected input into cross-site scripting when executed in browsers.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - go
@@ -43,3 +52,4 @@ emit:
   remediation:
     summary: >-
       Run untrusted strings through an HTML sanitizer such as bluemonday, prefer typed templates, or keep data in plain escaped fields.

package/rules/go/go.security.tls-missing-min-version.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.tls-missing-min-version
+  title: Set a TLS minimum version on `tls.Config`
+  summary: >-
+    `tls.Config` literals should set `MinVersion` to a modern protocol (`tls.VersionTLS12` or newer) to avoid downgrade attacks.
+  rationale: >-
+    Without `MinVersion`, the Go standard library accepts legacy TLS versions that are vulnerable to known protocol attacks.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - tls
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.tls-missing-min-version
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: medium
+    confidence: 0.8
+    tags:
+      - security
+      - go
+      - tls
+  message:
+    title: Set `MinVersion` on TLS config
+    summary: "`${captures.issue.text}` constructs a `tls.Config` without an explicit `MinVersion`."
+  remediation:
+    summary: >-
+      Add `MinVersion: tls.VersionTLS12` (or `tls.VersionTLS13`) to the configuration to enforce a modern protocol baseline.

package/rules/go/go.security.unsafe-package-import.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.unsafe-package-import
+  title: Avoid the `unsafe` package outside vetted boundaries
+  summary: >-
+    Production Go code should not import the `unsafe` package, which bypasses the type system and memory safety guarantees.
+  rationale: >-
+    `unsafe.Pointer` lets callers reinterpret arbitrary memory, hiding undefined behaviour and creating vulnerabilities that escape Go's compiler checks.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - memory-safety
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.unsafe-package-import
+    bind: issue
+emit:
+  finding:
+    category: security.memory-safety
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - go
+      - memory-safety
+  message:
+    title: Remove `unsafe` import at `${captures.issue.text}`
+    summary: "`${captures.issue.text}` imports `unsafe`, which bypasses Go's memory safety guarantees."
+  remediation:
+    summary: >-
+      Replace `unsafe.Pointer` usage with typed APIs from `reflect`, `encoding/binary`, or `cgo` boundaries that explicitly document and contain the unsafe scope.

package/rules/go/go.security.weak-bcrypt-cost.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.weak-bcrypt-cost
+  title: Use a strong bcrypt cost factor
+  summary: >-
+    `bcrypt.GenerateFromPassword` (and similar helpers) must use a cost factor of at least `bcrypt.DefaultCost` (10).
+  rationale: >-
+    Low bcrypt costs make password hashes cheap to crack offline and undermine credential storage protections.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - cryptography
+    - passwords
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.weak-bcrypt-cost
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - go
+      - passwords
+  message:
+    title: Raise bcrypt cost in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` hashes passwords with a cost below the bcrypt default."
+  remediation:
+    summary: >-
+      Pass `bcrypt.DefaultCost` (or a higher value tuned to your performance budget) instead of a literal cost less than 10.

package/rules/go/go.security.weak-crypto-import.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.weak-crypto-import
+  title: Avoid importing broken or deprecated crypto packages
+  summary: >-
+    Production Go code should not import `crypto/md5`, `crypto/sha1`, `crypto/des`, or `crypto/rc4` for security-sensitive purposes.
+  rationale: >-
+    MD5 and SHA-1 are broken hash functions, DES has an obsolete key size, and RC4 has known biases; using them as cryptographic primitives degrades confidentiality and integrity.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - cryptography
+    - hash
+    - cipher
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.weak-crypto-import
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - go
+      - cryptography
+  message:
+    title: Replace weak crypto import at `${captures.issue.text}`
+    summary: "`${captures.issue.text}` imports a broken or deprecated crypto package."
+  remediation:
+    summary: >-
+      Use `crypto/sha256` or `crypto/sha512` for hashing, `crypto/aes` with GCM mode for ciphers, and avoid RC4 entirely.