npm - @critiq/rules - Versions diffs - 0.1.0 → 0.3.0 - Mend

@critiq/rules 0.1.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (495) hide show

package/rules/php/php.correctness.invalid-cookie-options.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.invalid-cookie-options
+  title: Use valid cookie option keys
+  summary: setcookie and setrawcookie option arrays only accept documented keys.
+  rationale: Invalid cookie option keys are ignored at runtime and can leave security attributes unset.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.invalid-cookie-options
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - php
+  message:
+    title: Use valid cookie option keys
+    summary: "`${captures.issue.text}` matches php.correctness.invalid-cookie-options."
+  remediation:
+    summary: Invalid cookie option keys are ignored at runtime and can leave security attributes unset.

package/rules/php/php.correctness.invalid-regex-literal.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.invalid-regex-literal
+  title: Fix invalid regular expression literals
+  summary: preg_* calls must use a valid delimiter and closing pattern literal.
+  rationale: Invalid regex literals fail at runtime and often hide copy-paste or escaping mistakes.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.invalid-regex-literal
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - php
+  message:
+    title: Fix invalid regular expression literals
+    summary: "`${captures.issue.text}` matches php.correctness.invalid-regex-literal."
+  remediation:
+    summary: Invalid regex literals fail at runtime and often hide copy-paste or escaping mistakes.

package/rules/php/php.correctness.missing-member-visibility.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.missing-member-visibility
+  title: Declare explicit member visibility
+  summary: Class properties and methods should declare public, protected, or private visibility.
+  rationale: Missing visibility relies on legacy defaults and makes class contracts harder to review.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.missing-member-visibility
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: low
+    confidence: 0.55
+    tags:
+      - correctness
+      - php
+  message:
+    title: Declare explicit member visibility
+    summary: "`${captures.issue.text}` matches php.correctness.missing-member-visibility."
+  remediation:
+    summary: Missing visibility relies on legacy defaults and makes class contracts harder to review.

package/rules/php/php.correctness.nested-function-declaration.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.nested-function-declaration
+  title: Avoid nested function declarations
+  summary: Declaring functions inside other functions is discouraged and hard to test.
+  rationale: Nested functions create hidden scope and make code harder to reuse, mock, and reason about.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.nested-function-declaration
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: low
+    confidence: 0.9
+    tags:
+      - correctness
+      - php
+  message:
+    title: Avoid nested function declarations
+    summary: "`${captures.issue.text}` matches php.correctness.nested-function-declaration."
+  remediation:
+    summary: Nested functions create hidden scope and make code harder to reuse, mock, and reason about.

package/rules/php/php.correctness.nested-switch.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.nested-switch
+  title: Avoid nested switch statements
+  summary: Switch statements nested inside other switch statements are hard to follow.
+  rationale: Nested switch blocks increase cognitive load and often hide missing decomposition or polymorphism.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.nested-switch
+    bind: issue
+emit:
+  finding:
+    category: correctness.control-flow
+    severity: low
+    confidence: 0.9
+    tags:
+      - correctness
+      - php
+  message:
+    title: Avoid nested switch statements
+    summary: "`${captures.issue.text}` matches php.correctness.nested-switch."
+  remediation:
+    summary: Nested switch blocks increase cognitive load and often hide missing decomposition or polymorphism.

package/rules/php/php.correctness.nullsafe-returned-by-reference.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.nullsafe-returned-by-reference
+  title: Do not return nullsafe access by reference
+  summary: By-reference arrow functions cannot safely return nullsafe property access.
+  rationale: Nullsafe access may evaluate to null, which cannot be returned by reference and triggers runtime errors.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.nullsafe-returned-by-reference
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: high
+    confidence: 0.92
+    tags:
+      - correctness
+      - php
+  message:
+    title: Fix by-reference arrow function using nullsafe access
+    summary: "`${captures.issue.text}` returns a nullsafe property access by reference."
+  remediation:
+    summary: Return a value by copy, guard against null before returning a reference, or avoid by-reference arrow functions for nullable targets.

package/rules/php/php.correctness.redundant-string-cast-concat.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.redundant-string-cast-concat
+  title: Remove redundant string casts before concatenation
+  summary: Casting to string immediately before concatenation is usually redundant in PHP.
+  rationale: Redundant casts add noise without changing behavior and can hide type problems that should be fixed directly.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.redundant-string-cast-concat
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: low
+    confidence: 0.9
+    tags:
+      - correctness
+      - php
+  message:
+    title: Remove redundant string casts before concatenation
+    summary: "`${captures.issue.text}` matches php.correctness.redundant-string-cast-concat."
+  remediation:
+    summary: Redundant casts add noise without changing behavior and can hide type problems that should be fixed directly.

package/rules/php/php.correctness.self-assignment.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.self-assignment
+  title: Remove self assignments
+  summary: Assigning a variable to itself has no effect.
+  rationale: Self assignments usually indicate incomplete refactors or accidental duplication.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.self-assignment
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: low
+    confidence: 0.95
+    tags:
+      - correctness
+      - php
+  message:
+    title: Remove self assignments
+    summary: "`${captures.issue.text}` matches php.correctness.self-assignment."
+  remediation:
+    summary: Self assignments usually indicate incomplete refactors or accidental duplication.

package/rules/php/php.correctness.switch-multiple-default.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.switch-multiple-default
+  title: Use only one default case per switch
+  summary: A switch statement must not declare more than one default branch.
+  rationale: Multiple default cases are invalid PHP and indicate a copy-paste or merge mistake.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.switch-multiple-default
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: high
+    confidence: 0.98
+    tags:
+      - correctness
+      - php
+  message:
+    title: Remove extra default case in switch
+    summary: "This switch declares more than one `default` branch."
+  remediation:
+    summary: Keep a single default case and move additional logic into earlier cases or refactor the control flow.

package/rules/php/php.correctness.todo-fixme-marker.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.todo-fixme-marker
+  title: Resolve TODO or FIXME markers
+  summary: TODO, FIXME, XXX, and HACK comments mark unfinished or risky work.
+  rationale: Tracked markers in production code often hide deferred fixes that should be ticketed or resolved before merge.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.todo-fixme-marker
+    bind: issue
+emit:
+  finding:
+    category: correctness.maintainability
+    severity: low
+    confidence: 0.95
+    tags:
+      - correctness
+      - php
+  message:
+    title: Resolve TODO or FIXME markers
+    summary: "`${captures.issue.text}` matches php.correctness.todo-fixme-marker."
+  remediation:
+    summary: Tracked markers in production code often hide deferred fixes that should be ticketed or resolved before merge.

package/rules/php/php.correctness.unknown-magic-method.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.unknown-magic-method
+  title: Use only supported magic methods
+  summary: PHP recognizes a fixed set of double-underscore magic methods.
+  rationale: Unknown magic methods are never invoked by the runtime and usually indicate typos or dead code.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.unknown-magic-method
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - php
+  message:
+    title: Use only supported magic methods
+    summary: "`${captures.issue.text}` matches php.correctness.unknown-magic-method."
+  remediation:
+    summary: Unknown magic methods are never invoked by the runtime and usually indicate typos or dead code.

package/rules/php/php.correctness.unreachable-after-return.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.unreachable-after-return
+  title: Remove unreachable statements after return or throw
+  summary: Code after `return` or `throw` in the same block never runs.
+  rationale: Unreachable statements usually indicate dead code, incomplete refactors, or missing control-flow fixes.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.unreachable-after-return
+    bind: issue
+emit:
+  finding:
+    category: correctness.control-flow
+    severity: low
+    confidence: 0.85
+    tags:
+      - correctness
+      - php
+  message:
+    title: Remove unreachable statement
+    summary: "This statement appears after a `return` or `throw` in the same block and will not execute."
+  remediation:
+    summary: Delete the dead code or move it before the terminal statement if it is still required.

package/rules/php/php.correctness.useless-post-increment.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.useless-post-increment
+  title: Remove useless post-increment statements
+  summary: Standalone post-increment statements with discarded results are usually mistakes.
+  rationale: Post-increment statements that do not feed a larger expression often indicate dead or accidental code.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.useless-post-increment
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: low
+    confidence: 0.85
+    tags:
+      - correctness
+      - php
+  message:
+    title: Remove useless post-increment statements
+    summary: "`${captures.issue.text}` matches php.correctness.useless-post-increment."
+  remediation:
+    summary: Post-increment statements that do not feed a larger expression often indicate dead or accidental code.

package/rules/php/php.correctness.useless-unset.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.useless-unset
+  title: Remove useless unset calls
+  summary: Calling unset on literals or non-variables has no effect.
+  rationale: Useless unset calls add noise and suggest the author misunderstood PHP unset semantics.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.useless-unset
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: low
+    confidence: 0.9
+    tags:
+      - correctness
+      - php
+  message:
+    title: Remove useless unset calls
+    summary: "`${captures.issue.text}` matches php.correctness.useless-unset."
+  remediation:
+    summary: Useless unset calls add noise and suggest the author misunderstood PHP unset semantics.

package/rules/php/php.performance.expensive-loop-condition.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.performance.expensive-loop-condition
+  title: Avoid expensive calls in loop conditions
+  summary: Functions like count() and strlen() inside loop conditions run on every iteration.
+  rationale: Recomputing expensive conditions in loops adds avoidable overhead in hot paths.
+  tags:
+    - performance
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.performance.expensive-loop-condition
+    bind: issue
+emit:
+  finding:
+    category: performance.allocation
+    severity: medium
+    confidence: 0.85
+    tags:
+      - performance
+      - php
+  message:
+    title: Avoid expensive calls in loop conditions
+    summary: "`${captures.issue.text}` matches php.performance.expensive-loop-condition."
+  remediation:
+    summary: Recomputing expensive conditions in loops adds avoidable overhead in hot paths.

package/rules/php/php.security.debug-function-exposure.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.debug-function-exposure
+  title: Remove debug dump helpers from production PHP
+  summary: >-
+    var_dump, print_r, debug_zval_dump, and xdebug helpers should not ship in application code paths.
+  rationale: >-
+    Debug helpers can leak secrets, PII, and internal object state to logs or HTTP responses.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-209
+      title: Generation of Error Message Containing Sensitive Information
+    - kind: owasp
+      title: Error Handling Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
+  tags:
+    - security
+    - php
+    - debug
+    - information-leakage
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.php"
+match:
+  fact:
+    kind: php.security.debug-function-exposure
+    bind: issue
+emit:
+  finding:
+    category: security.information-leakage
+    severity: medium
+    confidence: 0.86
+    tags:
+      - security
+      - php
+      - debug
+  message:
+    title: Remove debug helper in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses a debug dump helper in non-test code."
+  remediation:
+    summary: >-
+      Remove debug helpers from production paths or route diagnostics through structured logging with redaction.

package/rules/php/php.security.insecure-cors-wildcard-with-credentials.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     PHP CORS responses should not allow credentials when origin is set to `*`.
   rationale: >-
     Wildcard origins with credential support break origin isolation and can expose authenticated data cross-site.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-942
+      title: Permissive Cross-domain Policy with Untrusted Domains
+    - kind: owasp
+      title: Cross-Origin Resource Sharing (CORS)
+      url: https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
   tags:
     - security
     - php
@@ -39,3 +48,4 @@ emit:
   remediation:
     summary: >-
       Replace wildcard origins with explicit allowlists and keep credentials disabled unless strictly required.

package/rules/php/php.security.insecure-mail-or-file-transport.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     Outbound mail/file transfer code should not rely on plaintext transport endpoints for sensitive traffic.
   rationale: >-
     Unencrypted transfer channels expose credentials and payloads to interception or tampering.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-668
+      title: Exposure of Resource to Wrong Sphere
+    - kind: url
+      title: CWE-668 Exposure of Resource to Wrong Sphere
+      url: https://cwe.mitre.org/data/definitions/668.html
   tags:
     - security
     - php
@@ -39,3 +48,4 @@ emit:
   remediation:
     summary: >-
       Use encrypted transport endpoints and modern client libraries with certificate validation enabled.