npm - @critiq/rules - Versions diffs - 0.1.0 → 0.3.0 - Mend

@critiq/rules 0.1.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (495) hide show

package/rules/java/java.security.xxe-document-builder.rule.yaml ADDED Viewed

@@ -0,0 +1,59 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.xxe-document-builder
+  title: Disable external entities on Java XML parsers
+  summary: >-
+    `DocumentBuilderFactory`, `SAXParserFactory`, and `TransformerFactory` instances should enable secure processing and disable external entities before they parse untrusted XML.
+  rationale: >-
+    Java XML parser factories default to processing external DTDs and entities; without explicit hardening they expose XXE that can exfiltrate files or perform server-side requests.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-611
+      title: Improper Restriction of XML External Entity Reference
+    - kind: owasp
+      title: XML External Entity (XXE) Processing
+      url: https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
+  tags:
+    - security
+    - java
+    - xxe
+    - xml
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+      - "**/*Tests.java"
+match:
+  fact:
+    kind: java.security.xxe-document-builder
+    bind: issue
+emit:
+  finding:
+    category: security.xxe
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - java
+      - xxe
+      - xml
+  message:
+    title: Harden XML parser factory at `${captures.issue.text}`
+    summary: >-
+      `${captures.issue.text}` constructs a Java XML factory without secure processing or external-entity hardening.
+  remediation:
+    summary: >-
+      Call `setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` and disable `disallow-doctype-decl`, `external-general-entities`, and `external-parameter-entities` before parsing untrusted XML.

package/rules/java/java.security.xxe-xml-input-factory.rule.yaml ADDED Viewed

@@ -0,0 +1,59 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.xxe-xml-input-factory
+  title: Disable DTD and external entities on XMLInputFactory
+  summary: >-
+    `XMLInputFactory.newInstance()` and `XMLInputFactory.newFactory()` should set `SUPPORT_DTD` and `IS_SUPPORTING_EXTERNAL_ENTITIES` to false before reading untrusted XML.
+  rationale: >-
+    StAX `XMLInputFactory` defaults expand DTDs and external entities; without explicit hardening the parser is vulnerable to XXE and external resource disclosure.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-611
+      title: Improper Restriction of XML External Entity Reference
+    - kind: owasp
+      title: XML External Entity (XXE) Processing
+      url: https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
+  tags:
+    - security
+    - java
+    - xxe
+    - stax
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+      - "**/*Tests.java"
+match:
+  fact:
+    kind: java.security.xxe-xml-input-factory
+    bind: issue
+emit:
+  finding:
+    category: security.xxe
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - java
+      - xxe
+      - stax
+  message:
+    title: Harden XMLInputFactory at `${captures.issue.text}`
+    summary: >-
+      `${captures.issue.text}` returns an `XMLInputFactory` without disabling DTD support or external entities.
+  remediation:
+    summary: >-
+      Set `XMLInputFactory.SUPPORT_DTD` and `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES` to `false` before creating any reader.

package/rules/php/php.correctness.abstract-method-outside-abstract-class.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.abstract-method-outside-abstract-class
+  title: Keep abstract methods inside abstract classes
+  summary: Only abstract classes may declare abstract methods.
+  rationale: Abstract methods in concrete classes cannot be implemented correctly and will fail at compile time.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.abstract-method-outside-abstract-class
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: high
+    confidence: 0.95
+    tags:
+      - correctness
+      - php
+  message:
+    title: Keep abstract methods inside abstract classes
+    summary: "`${captures.issue.text}` matches php.correctness.abstract-method-outside-abstract-class."
+  remediation:
+    summary: Abstract methods in concrete classes cannot be implemented correctly and will fail at compile time.

package/rules/php/php.correctness.break-continue-outside-loop.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.break-continue-outside-loop
+  title: Use break and continue only inside loops or switch
+  summary: "break and continue outside a loop or switch block are invalid control flow."
+  rationale: Misplaced break or continue statements usually indicate unfinished refactors or copy-paste errors.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.break-continue-outside-loop
+    bind: issue
+emit:
+  finding:
+    category: correctness.control-flow
+    severity: high
+    confidence: 0.9
+    tags:
+      - correctness
+      - php
+  message:
+    title: Use break and continue only inside loops or switch
+    summary: "`${captures.issue.text}` matches php.correctness.break-continue-outside-loop."
+  remediation:
+    summary: Misplaced break or continue statements usually indicate unfinished refactors or copy-paste errors.

package/rules/php/php.correctness.case-insensitive-define.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.case-insensitive-define
+  title: Avoid case-insensitive define calls
+  summary: The third argument to define() for case-insensitive constants is deprecated.
+  rationale: Case-insensitive constants behave inconsistently across PHP versions and should be replaced with normal constants.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.case-insensitive-define
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - php
+  message:
+    title: Avoid case-insensitive define calls
+    summary: "`${captures.issue.text}` matches php.correctness.case-insensitive-define."
+  remediation:
+    summary: Case-insensitive constants behave inconsistently across PHP versions and should be replaced with normal constants.

package/rules/php/php.correctness.default-parameter-not-last.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.default-parameter-not-last
+  title: Place default parameters last
+  summary: Parameters with default values must appear after required parameters.
+  rationale: Misordered defaults are invalid PHP and break callers that rely on positional arguments.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.default-parameter-not-last
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: high
+    confidence: 0.95
+    tags:
+      - correctness
+      - php
+  message:
+    title: Place default parameters last
+    summary: "`${captures.issue.text}` matches php.correctness.default-parameter-not-last."
+  remediation:
+    summary: Misordered defaults are invalid PHP and break callers that rely on positional arguments.

package/rules/php/php.correctness.deprecated-filter-constant.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.deprecated-filter-constant
+  title: Replace deprecated filter constants
+  summary: Several FILTER_* constants are deprecated and should not be used in new code.
+  rationale: Deprecated filter constants may be removed and can silently change sanitization behavior across PHP versions.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.deprecated-filter-constant
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - php
+  message:
+    title: Replace deprecated filter constants
+    summary: "`${captures.issue.text}` matches php.correctness.deprecated-filter-constant."
+  remediation:
+    summary: Deprecated filter constants may be removed and can silently change sanitization behavior across PHP versions.

package/rules/php/php.correctness.deprecated-libxml-entity-loader.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.deprecated-libxml-entity-loader
+  title: Remove deprecated libxml_disable_entity_loader calls
+  summary: libxml_disable_entity_loader() is deprecated and no longer needed on supported PHP versions.
+  rationale: The helper is deprecated and can give a false sense of protection compared to modern libxml defaults.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.deprecated-libxml-entity-loader
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - php
+  message:
+    title: Remove deprecated libxml_disable_entity_loader calls
+    summary: "`${captures.issue.text}` matches php.correctness.deprecated-libxml-entity-loader."
+  remediation:
+    summary: The helper is deprecated and can give a false sense of protection compared to modern libxml defaults.

package/rules/php/php.correctness.deprecated-unset-cast.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.deprecated-unset-cast
+  title: Remove deprecated (unset) casts
+  summary: "The `(unset)` cast is deprecated and should not be used in modern PHP code."
+  rationale: Deprecated casts break on newer PHP versions and hide intent compared to explicit unset calls.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.deprecated-unset-cast
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - php
+  message:
+    title: Remove deprecated (unset) casts
+    summary: "`${captures.issue.text}` matches php.correctness.deprecated-unset-cast."
+  remediation:
+    summary: Deprecated casts break on newer PHP versions and hide intent compared to explicit unset calls.

package/rules/php/php.correctness.duplicate-array-key.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.duplicate-array-key
+  title: Avoid duplicate keys in array literals
+  summary: Repeated keys in an array literal overwrite earlier entries.
+  rationale: Silent key replacement hides bugs and can invalidate intended configuration values.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.duplicate-array-key
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - php
+  message:
+    title: Resolve duplicate array key `${captures.issue.text}`
+    summary: "`${captures.issue.text}` appears multiple times in a single array literal."
+  remediation:
+    summary: Keep each key unique and merge or rename entries so earlier values are not silently replaced.

package/rules/php/php.correctness.duplicate-declaration.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.duplicate-declaration
+  title: Remove duplicate declarations
+  summary: Functions, classes, traits, and interfaces must be declared only once per file.
+  rationale: Duplicate declarations cause fatal errors and usually indicate incomplete refactors or copy-paste mistakes.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.duplicate-declaration
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: high
+    confidence: 0.95
+    tags:
+      - correctness
+      - php
+  message:
+    title: Remove duplicate declarations
+    summary: "`${captures.issue.text}` matches php.correctness.duplicate-declaration."
+  remediation:
+    summary: Duplicate declarations cause fatal errors and usually indicate incomplete refactors or copy-paste mistakes.

package/rules/php/php.correctness.empty-array-literal-slot.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.empty-array-literal-slot
+  title: Remove empty slots from array literals
+  summary: Array literals with consecutive commas define empty slots that are easy to miss during review.
+  rationale: Empty array slots usually indicate typos or incomplete edits and can produce unexpected sparse arrays.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.empty-array-literal-slot
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - php
+  message:
+    title: Remove empty slots from array literals
+    summary: "`${captures.issue.text}` matches php.correctness.empty-array-literal-slot."
+  remediation:
+    summary: Empty array slots usually indicate typos or incomplete edits and can produce unexpected sparse arrays.

package/rules/php/php.correctness.empty-bracket-array-access.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.empty-bracket-array-access
+  title: Avoid empty bracket array reads
+  summary: "Reading from an array with `$value[]` appends null and returns the new element."
+  rationale: Empty bracket reads are rarely intentional and usually indicate a mistaken append or missing index.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.empty-bracket-array-access
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - php
+  message:
+    title: Avoid empty bracket array reads
+    summary: "`${captures.issue.text}` matches php.correctness.empty-bracket-array-access."
+  remediation:
+    summary: Empty bracket reads are rarely intentional and usually indicate a mistaken append or missing index.

package/rules/php/php.correctness.empty-code-block.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.empty-code-block
+  title: Remove empty code blocks
+  summary: Empty control-flow blocks hide missing logic or unfinished branches.
+  rationale: Empty blocks make intent unclear and often survive incomplete refactors.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.empty-code-block
+    bind: issue
+emit:
+  finding:
+    category: correctness.maintainability
+    severity: low
+    confidence: 0.55
+    tags:
+      - correctness
+      - php
+  message:
+    title: Remove empty code blocks
+    summary: "`${captures.issue.text}` matches php.correctness.empty-code-block."
+  remediation:
+    summary: Empty blocks make intent unclear and often survive incomplete refactors.

package/rules/php/php.correctness.empty-function-body.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.empty-function-body
+  title: Implement or remove empty functions
+  summary: Non-abstract functions with empty bodies hide missing behavior.
+  rationale: Empty function bodies often indicate stubs that were never completed or dead placeholders.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.empty-function-body
+    bind: issue
+emit:
+  finding:
+    category: correctness.maintainability
+    severity: low
+    confidence: 0.9
+    tags:
+      - correctness
+      - php
+  message:
+    title: Implement or remove empty functions
+    summary: "`${captures.issue.text}` matches php.correctness.empty-function-body."
+  remediation:
+    summary: Empty function bodies often indicate stubs that were never completed or dead placeholders.

package/rules/php/php.correctness.error-suppression-operator.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.error-suppression-operator
+  title: Avoid the error suppression operator
+  summary: The `@` operator hides warnings and errors instead of handling them explicitly.
+  rationale: Suppressed failures make debugging harder and can mask security or data integrity issues.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.error-suppression-operator
+    bind: issue
+emit:
+  finding:
+    category: correctness.error-handling
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - php
+  message:
+    title: Remove error suppression in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses `@` to suppress PHP errors or warnings."
+  remediation:
+    summary: Handle expected failures with explicit checks, try/catch where appropriate, or fix the underlying condition instead of silencing errors.

package/rules/php/php.correctness.function-comparison.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.function-comparison
+  title: Avoid comparing function values
+  summary: Comparing functions or callables with equality operators is unreliable.
+  rationale: Function comparisons rarely express intent correctly and usually indicate a logic bug.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.function-comparison
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: low
+    confidence: 0.55
+    tags:
+      - correctness
+      - php
+  message:
+    title: Avoid comparing function values
+    summary: "`${captures.issue.text}` matches php.correctness.function-comparison."
+  remediation:
+    summary: Function comparisons rarely express intent correctly and usually indicate a logic bug.