npm - @critiq/rules - Versions diffs - 0.1.0 → 0.3.0 - Mend

@critiq/rules 0.1.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (495) hide show

package/rules/php/php.security.insecure-session-id-generation.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.insecure-session-id-generation
+  title: Avoid predictable or user-supplied session IDs
+  summary: >-
+    session_id must not be set from weak hash helpers, uniqid, or request-derived values.
+  rationale: >-
+    Predictable or attacker-controlled session identifiers enable fixation and session hijacking.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-614
+      title: Sensitive Cookie Without Secure Attribute
+    - kind: owasp
+      title: Session Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+  tags:
+    - security
+    - php
+    - session
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.insecure-session-id-generation
+    bind: issue
+emit:
+  finding:
+    category: security.session-management
+    severity: high
+    confidence: 0.88
+    tags:
+      - security
+      - php
+      - session
+  message:
+    title: Harden session ID generation in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` sets session_id from weak or untrusted input."
+  remediation:
+    summary: >-
+      Let PHP generate session identifiers with session_start, or use random_bytes and bin2hex for custom IDs.

package/rules/php/php.security.insecure-session-or-cookie-config.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     Session/cookie configuration should keep secure, httpOnly, and safe same-site posture for authenticated contexts.
   rationale: >-
     Weak cookie/session flags increase theft and replay risk across XSS, mixed transport, and cross-site request contexts.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-614
+      title: Sensitive Cookie Without Secure Attribute
+    - kind: owasp
+      title: Session Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
   tags:
     - security
     - php
@@ -40,3 +49,4 @@ emit:
   remediation:
     summary: >-
       Set `secure=true`, `httponly=true`, and a restrictive same-site policy for authentication cookies in production traffic.

package/rules/php/php.security.laravel-sensitive-csrf-exclusion.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Wildcard CSRF exclusions should not cover account, billing, admin, password, or profile endpoints.
   rationale: >-
     Over-broad CSRF exemptions remove request integrity checks from high-impact authenticated actions.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-352
+      title: Cross-Site Request Forgery (CSRF)
+    - kind: owasp
+      title: Cross-Site Request Forgery Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Laravel security
+      url: https://laravel.com/docs/master/security
   tags:
     - security
     - php
@@ -40,3 +52,4 @@ emit:
   remediation:
     summary: >-
       Limit CSRF exceptions to explicitly signed webhook endpoints and avoid wildcard exclusions on authenticated user flows.

package/rules/php/php.security.laravel-unsafe-blade-output.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Raw Blade rendering (`{!! !!}`) should not directly render request, model, or translated user content.
   rationale: >-
     Unescaped template output can enable stored or reflected XSS when user-controlled values are rendered as HTML.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Laravel security
+      url: https://laravel.com/docs/master/security
   tags:
     - security
     - php
@@ -40,3 +52,4 @@ emit:
   remediation:
     summary: >-
       Prefer escaped Blade output (`{{ }}`) and sanitizer wrappers before rendering user-influenced HTML.

package/rules/php/php.security.laravel-unsafe-mass-assignment.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Eloquent writes should not use `$request->all()` or fully unguarded models for sensitive records.
   rationale: >-
     Raw request mass assignment lets attackers set privileged fields like role or account ownership.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
+    - kind: url
+      title: Laravel security
+      url: https://laravel.com/docs/master/security
   tags:
     - security
     - php
@@ -43,3 +55,4 @@ emit:
   remediation:
     summary: >-
       Use validated DTO/request objects and explicit allowlists (`only`) for model writes, and avoid `$guarded = []` on sensitive models.

package/rules/php/php.security.no-dynamic-eval.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.no-dynamic-eval
+  title: Avoid dynamic PHP code execution
+  summary: >-
+    Do not execute runtime-generated PHP via eval, string assert, or create_function.
+  rationale: >-
+    Dynamic execution turns untrusted or mutable input into executable code and expands injection risk.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-94
+      title: Improper Control of Generation of Code
+    - kind: owasp
+      title: Code Injection
+      url: https://owasp.org/www-community/attacks/Code_Injection
+  tags:
+    - security
+    - php
+    - execution
+    - injection
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.no-dynamic-eval
+    bind: issue
+emit:
+  finding:
+    category: security.execution
+    severity: high
+    confidence: 0.94
+    tags:
+      - security
+      - php
+      - execution
+  message:
+    title: Remove dynamic execution in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` executes PHP code dynamically."
+  remediation:
+    summary: >-
+      Replace eval, string assert, and create_function with explicit control flow, parsing, or allowlisted dispatch.

package/rules/php/php.security.sensitive-data-egress.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     Outbound HTTP clients should not forward tainted request/session material without validation or redaction.
   rationale: >-
     Unchecked egress forwarding can leak tokens, credentials, or personal data to external systems.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-200
+      title: Exposure of Sensitive Information to an Unauthorized Actor
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
   tags:
     - security
     - php
@@ -40,3 +49,4 @@ emit:
   remediation:
     summary: >-
       Scrub secrets, restrict outbound destinations, and centralize external integrations behind audited request builders.

package/rules/php/php.security.symfony-csrf-disabled.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Symfony forms and controllers handling state changes should not disable CSRF protection without a clear API token boundary.
   rationale: >-
     Disabling CSRF for authenticated browser flows enables cross-site request forgery on sensitive actions.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-352
+      title: Cross-Site Request Forgery (CSRF)
+    - kind: owasp
+      title: Cross-Site Request Forgery Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Symfony security
+      url: https://symfony.com/doc/current/security.html
   tags:
     - security
     - php
@@ -40,3 +52,4 @@ emit:
   remediation:
     summary: >-
       Keep CSRF enabled for browser forms/controllers and only exempt endpoints that are explicitly authenticated by signed tokens.

package/rules/php/php.security.symfony-debug-exposure.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Production-like Symfony configuration should not enable debug mode or web profiler surfaces.
   rationale: >-
     Debug and profiler exposure can leak internals, stack traces, secrets, and request details.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-209
+      title: Generation of Error Message Containing Sensitive Information
+    - kind: owasp
+      title: Error Handling Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
+    - kind: url
+      title: Symfony security
+      url: https://symfony.com/doc/current/security.html
   tags:
     - security
     - php
@@ -42,3 +54,4 @@ emit:
   remediation:
     summary: >-
       Keep `APP_DEBUG=0` in production and disable profiler bundles/toolbars outside local dev/test environments.

package/rules/php/php.security.unsafe-file-upload-handling.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     PHP upload handlers should not persist raw `$_FILES` names without validation and normalization.
   rationale: >-
     Unsafely handled uploads can enable path traversal, executable file placement, and malicious payload storage.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
   tags:
     - security
     - php
@@ -39,3 +48,4 @@ emit:
   remediation:
     summary: >-
       Normalize filenames, enforce extension and MIME allowlists, and route uploads through dedicated validated storage helpers.

package/rules/php/php.security.unsafe-include-with-user-input.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.unsafe-include-with-user-input
+  title: Avoid include/require with user-controlled paths
+  summary: >-
+    Include and require statements must not load files from request-derived or tainted path values.
+  rationale: >-
+    User-controlled includes can load attacker-chosen PHP and lead to remote code execution.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
+  tags:
+    - security
+    - php
+    - inclusion
+    - injection
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.unsafe-include-with-user-input
+    bind: issue
+emit:
+  finding:
+    category: security.injection
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - php
+      - inclusion
+  message:
+    title: Harden include path in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` includes or requires a path influenced by untrusted input."
+  remediation:
+    summary: >-
+      Map user input to an allowlisted template name and include only fixed, reviewed file paths.

package/rules/php/php.security.unsafe-new-static.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.unsafe-new-static
+  title: Avoid unsafe new static() instantiation
+  summary: "Using `new static()` can instantiate unexpected subclasses and weaken type guarantees."
+  rationale: "Late static binding with `new static()` can bypass intended class boundaries and create objects outside expected inheritance chains."
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-470
+      title: Use of Externally-Controlled Input to Select Classes or Code
+  tags:
+    - security
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.unsafe-new-static
+    bind: issue
+emit:
+  finding:
+    category: security.injection
+    severity: medium
+    confidence: 0.88
+    tags:
+      - security
+      - php
+  message:
+    title: Avoid unsafe new static() instantiation
+    summary: "`${captures.issue.text}` matches php.security.unsafe-new-static."
+  remediation:
+    summary: "Late static binding with `new static()` can bypass intended class boundaries and create objects outside expected inheritance chains."

package/rules/php/php.security.weak-cipher.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.weak-cipher
+  title: Avoid weak PHP cipher algorithms
+  summary: >-
+    OpenSSL and mcrypt usage should not rely on DES, RC4, Blowfish, ECB mode, or legacy mcrypt APIs.
+  rationale: >-
+    Weak ciphers and modes are vulnerable to practical cryptanalysis and do not meet modern confidentiality standards.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - php
+    - crypto
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.weak-cipher
+    bind: issue
+emit:
+  finding:
+    category: security.weak-crypto
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - php
+      - crypto
+  message:
+    title: Replace weak cipher usage in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses a weak cipher algorithm or mode."
+  remediation:
+    summary: >-
+      Use modern authenticated encryption (for example AES-GCM) via sodium or OpenSSL with vetted algorithms and modes.

package/rules/php/php.security.wordpress-missing-nonce-or-capability.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     WordPress admin/AJAX mutation callbacks should verify nonce tokens and enforce capability checks.
   rationale: >-
     Missing nonce or authorization checks let attackers trigger privileged actions through forged or unauthorized requests.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-862
+      title: Missing Authorization
+    - kind: owasp
+      title: Authorization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
+    - kind: url
+      title: WordPress plugin security
+      url: https://developer.wordpress.org/apis/security/
   tags:
     - security
     - php
@@ -40,3 +52,4 @@ emit:
   remediation:
     summary: >-
       Add nonce verification (`check_ajax_referer`/`check_admin_referer`) and explicit capability checks (`current_user_can`) before performing mutations.

package/rules/php/php.security.wordpress-unprepared-sql.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     WordPress SQL calls should not interpolate request values directly into query strings.
   rationale: >-
     Dynamic SQL without `$wpdb->prepare` enables injection and unauthorized data access/manipulation.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-89
+      title: SQL Injection
+    - kind: owasp
+      title: SQL Injection Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: WordPress plugin security
+      url: https://developer.wordpress.org/apis/security/
   tags:
     - security
     - php
@@ -40,3 +52,4 @@ emit:
   remediation:
     summary: >-
       Build SQL through `$wpdb->prepare` placeholders and sanitize scalar inputs before passing them to query execution calls.

package/rules/php/php.security.xml-external-entity.rule.yaml ADDED Viewed

@@ -0,0 +1,53 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.xml-external-entity
+  title: Harden PHP XML parsing against external entities
+  summary: >-
+    XML parsing should disable external entities and avoid LIBXML_NOENT or libxml_disable_entity_loader(false).
+  rationale: >-
+    Unsafe XML parser configuration enables XXE attacks that can leak files and reach internal services.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-611
+      title: Improper Restriction of XML External Entity Reference
+    - kind: owasp
+      title: XML External Entity (XXE) Processing
+      url: https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
+  tags:
+    - security
+    - php
+    - xml
+    - xxe
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.xml-external-entity
+    bind: issue
+emit:
+  finding:
+    category: security.injection
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - php
+      - xml
+      - xxe
+  message:
+    title: Harden XML parsing in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` parses XML without external-entity protections."
+  remediation:
+    summary: >-
+      Call libxml_disable_entity_loader(true) before parsing and pass LIBXML_NONET; never enable LIBXML_NOENT.

package/rules/python/py.correctness.assert-on-tuple.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.correctness.assert-on-tuple
+  title: Avoid tuple expression in assert
+  summary: Asserting a tuple literal-like expression is usually always truthy and can mask failing checks.
+  rationale: A non-empty tuple evaluates to true, so tuple assertions often pass even when the intended condition is false.
+  tags:
+    - correctness
+    - python
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+match:
+  fact:
+    kind: python.correctness.assert-on-tuple
+    bind: issue
+emit:
+  finding:
+    category: correctness.logic
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - python
+  message:
+    title: Fix tuple-style assert `${captures.issue.text}`
+    summary: "`${captures.issue.text}` asserts a tuple expression, which may always evaluate to truthy."
+  remediation:
+    summary: Assert a single boolean predicate or split checks into separate assert statements.

package/rules/python/py.correctness.bare-except.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.correctness.bare-except
+  title: Avoid bare except handlers
+  summary: Bare exception handlers catch all errors and hide root causes.
+  rationale: Catching every throwable without narrowing can swallow interruptions and make failures hard to diagnose.
+  tags:
+    - correctness
+    - python
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+match:
+  fact:
+    kind: python.correctness.bare-except
+    bind: issue
+emit:
+  finding:
+    category: correctness.control-flow
+    severity: high
+    confidence: 0.96
+    tags:
+      - correctness
+      - python
+  message:
+    title: Replace bare except `${captures.issue.text}`
+    summary: "`${captures.issue.text}` catches every exception type without restriction."
+  remediation:
+    summary: Catch specific expected exceptions and let unexpected failures propagate.

package/rules/python/py.correctness.broad-exception-handler.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.correctness.broad-exception-handler
+  title: Avoid overly broad exception handlers
+  summary: Catching `Exception` or `BaseException` makes error handling too broad.
+  rationale: Broad handlers hide programming errors and can interfere with expected process-level exceptions.
+  tags:
+    - correctness
+    - python
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+match:
+  fact:
+    kind: python.correctness.broad-exception-handler
+    bind: issue
+emit:
+  finding:
+    category: correctness.control-flow
+    severity: high
+    confidence: 0.95
+    tags:
+      - correctness
+      - python
+  message:
+    title: Narrow exception scope `${captures.issue.text}`
+    summary: "`${captures.issue.text}` catches a broad exception base type."
+  remediation:
+    summary: Catch only the concrete exception classes this block can recover from.

package/rules/python/py.correctness.dangerous-mutable-default.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.correctness.dangerous-mutable-default
+  title: Avoid mutable default function arguments
+  summary: Mutable defaults in function signatures retain state across calls.
+  rationale: Reusing the same list, dict, or set instance can leak data between calls and produce non-deterministic behavior.
+  tags:
+    - correctness
+    - python
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+match:
+  fact:
+    kind: python.correctness.dangerous-mutable-default
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: high
+    confidence: 0.96
+    tags:
+      - correctness
+      - python
+  message:
+    title: Replace mutable default `${captures.issue.text}`
+    summary: "`${captures.issue.text}` defines a mutable default argument that persists across invocations."
+  remediation:
+    summary: Use `None` as the default and construct a fresh mutable object inside the function.