npm - @critiq/rules - Versions diffs - 0.1.0 → 0.3.0 - Mend

@critiq/rules 0.1.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (495) hide show

package/rules/python/py.correctness.duplicate-dict-key.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.correctness.duplicate-dict-key
+  title: Avoid duplicate keys in dict literals
+  summary: Repeated keys in a dict literal overwrite earlier entries.
+  rationale: Silent key replacement hides bugs and can invalidate intended configuration values.
+  tags:
+    - correctness
+    - python
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+match:
+  fact:
+    kind: python.correctness.duplicate-dict-key
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - python
+  message:
+    title: Resolve duplicate dict key `${captures.issue.text}`
+    summary: "`${captures.issue.text}` appears multiple times in a single dict literal."
+  remediation:
+    summary: Keep each key unique and merge or rename entries so earlier values are not silently replaced.

package/rules/python/py.security.bind-all-interfaces.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.bind-all-interfaces
+  title: Avoid binding Python services to all interfaces
+  summary: Python network services should avoid explicit binds to `0.0.0.0` or `::` unless public exposure is intentional and controlled.
+  rationale: Binding every interface can unintentionally expose internal services beyond expected trust boundaries.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-668
+      title: Exposure of Resource to Wrong Sphere
+    - kind: url
+      title: CWE-668 Exposure of Resource to Wrong Sphere
+      url: https://cwe.mitre.org/data/definitions/668.html
+  tags:
+    - security
+    - python
+    - network
+    - exposure
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.bind-all-interfaces
+    bind: issue
+emit:
+  finding:
+    category: security.network
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - python
+      - network
+      - exposure
+  message:
+    title: Restrict interface bind in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` binds a service to all network interfaces."
+  remediation:
+    summary: Prefer loopback or an explicit interface bind unless broad exposure is required and defended by network controls.

package/rules/python/py.security.debugger-import.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.debugger-import
+  title: Remove debugger imports from production code
+  summary: Production Python modules should not ship with interactive debugger imports.
+  rationale: Debugger modules can expose introspection hooks and halt execution paths in deployed environments.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-209
+      title: Generation of Error Message Containing Sensitive Information
+    - kind: owasp
+      title: Error Handling Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
+  tags:
+    - security
+    - python
+    - debugging
+    - hardening
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.debugger-import
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.86
+    tags:
+      - security
+      - python
+      - debugging
+      - hardening
+  message:
+    title: Remove debugger import `${captures.issue.text}`
+    summary: "`${captures.issue.text}` imports a debugger module in runtime code."
+  remediation:
+    summary: Remove debugger imports from committed runtime modules and gate debugging tools to local-only workflows.

package/rules/python/py.security.django-csrf-exempt-state-changing.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
   rationale: >-
     Using django.decorators.csrf.csrf_exempt removes CSRF defenses for session-backed browsers,
     enabling cross-site request forgery against unsafe methods.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-352
+      title: Cross-Site Request Forgery (CSRF)
+    - kind: owasp
+      title: Cross-Site Request Forgery Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Django deployment checklist
+      url: https://docs.djangoproject.com/en/stable/howto/deployment/checklist/
   tags:
     - security
     - python
@@ -44,3 +56,4 @@ emit:
     summary: "`${captures.issue.text}` is applied near code that handles POST/PUT/PATCH/DELETE or `request.POST`, which is risky for browser sessions."
   remediation:
     summary: Remove `@csrf_exempt`, enforce CSRF tokens for browser views, or constrain the endpoint to non-session authentication with explicit CSRF policy.

package/rules/python/py.security.django-format-html-unsafe.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.django-format-html-unsafe
+  title: Review dynamic interpolation in Django format_html
+  summary: Django `format_html` calls with placeholder templates and dynamic arguments should be reviewed for unsafe output composition.
+  rationale: Unsafe interpolation patterns can still produce dangerous HTML when trusted and untrusted fragments are mixed incorrectly.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Django deployment checklist
+      url: https://docs.djangoproject.com/en/stable/howto/deployment/checklist/
+  tags:
+    - security
+    - python
+    - django
+    - xss
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+match:
+  fact:
+    kind: python.security.django-format-html-unsafe
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: high
+    confidence: 0.8
+    tags:
+      - security
+      - django
+      - xss
+  message:
+    title: Audit Django HTML interpolation `${captures.issue.text}`
+    summary: "`${captures.issue.text}` interpolates dynamic values into `format_html`; confirm values are safe for the rendered context."
+  remediation:
+    summary: Keep templates static, ensure interpolated values are trusted for the target context, and avoid assembling HTML from user-controlled fragments.

package/rules/python/py.security.django-mark-safe.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.django-mark-safe
+  title: Avoid Django mark_safe for dynamic content
+  summary: "Django responses should avoid `mark_safe` when content can include untrusted input."
+  rationale: "`mark_safe` bypasses Django escaping and can introduce cross-site scripting when values are not strictly trusted."
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Django deployment checklist
+      url: https://docs.djangoproject.com/en/stable/howto/deployment/checklist/
+  tags:
+    - security
+    - python
+    - django
+    - xss
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+match:
+  fact:
+    kind: python.security.django-mark-safe
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: high
+    confidence: 0.88
+    tags:
+      - security
+      - django
+      - xss
+  message:
+    title: Remove unsafe HTML trust `${captures.issue.text}`
+    summary: "`${captures.issue.text}` bypasses escaping and can expose XSS when rendered with variable data."
+  remediation:
+    summary: "Prefer Django auto-escaping or sanitize untrusted values before rendering instead of forcing trust with `mark_safe`."

package/rules/python/py.security.django-missing-csrf-middleware.rule.yaml CHANGED Viewed

@@ -5,6 +5,18 @@ metadata:
   title: Enable Django CSRF middleware for browser apps
   summary: Django projects using cookie-backed sessions should include `CsrfViewMiddleware` in `MIDDLEWARE`.
   rationale: Without CSRF middleware, Django cannot enforce CSRF tokens on unsafe HTTP methods for browser clients.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-352
+      title: Cross-Site Request Forgery (CSRF)
+    - kind: owasp
+      title: Cross-Site Request Forgery Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Django deployment checklist
+      url: https://docs.djangoproject.com/en/stable/howto/deployment/checklist/
   tags:
     - security
     - python
@@ -45,3 +57,4 @@ emit:
     summary: "`MIDDLEWARE` is declared without `django.middleware.csrf.CsrfViewMiddleware`, which disables framework CSRF checks."
   remediation:
     summary: Insert `django.middleware.csrf.CsrfViewMiddleware` into `MIDDLEWARE` according to the Django deployment checklist ordering guidance.

package/rules/python/py.security.django-security-middleware-missing.rule.yaml ADDED Viewed

@@ -0,0 +1,60 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.django-security-middleware-missing
+  title: Include Django SecurityMiddleware in middleware stack
+  summary: Django settings should include `django.middleware.security.SecurityMiddleware` in `MIDDLEWARE`.
+  rationale: Missing SecurityMiddleware can disable key hardening controls such as transport, header, and redirect protections.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: Django deployment checklist
+      url: https://docs.djangoproject.com/en/stable/howto/deployment/checklist/
+  tags:
+    - security
+    - python
+    - django
+    - configuration
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/settings/**/*.py"
+      - "**/*settings*.py"
+    exclude:
+      - "**/settings/local.py"
+      - "**/settings/dev.py"
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.django-security-middleware-missing
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - django
+      - configuration
+  message:
+    title: Add Django SecurityMiddleware near `${captures.issue.text}`
+    summary: "`MIDDLEWARE` is declared without `django.middleware.security.SecurityMiddleware`."
+  remediation:
+    summary: Add `django.middleware.security.SecurityMiddleware` to `MIDDLEWARE` following Django ordering guidance.

package/rules/python/py.security.django-unsafe-production-settings.rule.yaml CHANGED Viewed

@@ -5,6 +5,18 @@ metadata:
   title: Avoid unsafe Django production settings
   summary: Production Django settings should disable debug mode, restrict hosts, protect secrets, and enable HTTPS-aligned cookie flags.
   rationale: Misconfigured Django defaults expose debug traces, enable host header attacks, leak secrets, and weaken cookie transport protections.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: Django deployment checklist
+      url: https://docs.djangoproject.com/en/stable/howto/deployment/checklist/
   tags:
     - security
     - python
@@ -45,3 +57,4 @@ emit:
     summary: "`${captures.issue.text}` weakens production security posture for Django deployment."
   remediation:
     summary: Align settings with your deployment checklist—disable DEBUG, pin ALLOWED_HOSTS, load secrets from the environment, and enable secure cookie and HTTPS flags.

package/rules/python/py.security.drf-allow-any-default.rule.yaml CHANGED Viewed

@@ -5,6 +5,18 @@ metadata:
   title: Avoid AllowAny as DRF default permission
   summary: Django REST Framework APIs should default to authenticated permission classes instead of `AllowAny`.
   rationale: Default `AllowAny` exposes mutation-heavy APIs unless every view overrides permissions explicitly.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-862
+      title: Missing Authorization
+    - kind: owasp
+      title: Authorization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
+    - kind: url
+      title: Django deployment checklist
+      url: https://docs.djangoproject.com/en/stable/howto/deployment/checklist/
   tags:
     - security
     - python
@@ -44,3 +56,4 @@ emit:
     summary: "`REST_FRAMEWORK` enables `AllowAny` via `DEFAULT_PERMISSION_CLASSES`, which is unsafe for default API posture."
   remediation:
     summary: Prefer `IsAuthenticated` or another restrictive default, then opt-in public access only where documented.

package/rules/python/py.security.drf-allow-any-unsafe-method.rule.yaml CHANGED Viewed

@@ -5,6 +5,18 @@ metadata:
   title: Avoid AllowAny on unsafe DRF methods
   summary: DRF views that accept POST, PUT, PATCH, or DELETE should not declare `AllowAny` unless the endpoint is intentionally public.
   rationale: Open unsafe methods allow unauthenticated clients to mutate data and violate least-privilege API access.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-862
+      title: Missing Authorization
+    - kind: owasp
+      title: Authorization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
+    - kind: url
+      title: Django deployment checklist
+      url: https://docs.djangoproject.com/en/stable/howto/deployment/checklist/
   tags:
     - security
     - python
@@ -44,3 +56,4 @@ emit:
     summary: "`${captures.issue.text}` combines `AllowAny` with an unsafe HTTP method declaration."
   remediation:
     summary: Require authentication or scoped permissions for unsafe verbs unless the handler is explicitly public and documented.

package/rules/python/py.security.dynamic-code-execution.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.dynamic-code-execution
+  title: Avoid dynamic code execution with eval or exec
+  summary: Python services should not execute runtime-generated code via `eval` or `exec`.
+  rationale: Dynamic code execution turns untrusted data into executable behavior and expands code-injection risk.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-94
+      title: Improper Control of Generation of Code
+    - kind: owasp
+      title: Code Injection
+      url: https://owasp.org/www-community/attacks/Code_Injection
+  tags:
+    - security
+    - python
+    - execution
+    - injection
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.dynamic-code-execution
+    bind: issue
+emit:
+  finding:
+    category: security.execution
+    severity: high
+    confidence: 0.95
+    tags:
+      - security
+      - python
+      - execution
+      - injection
+  message:
+    title: Avoid dynamic execution in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` executes code dynamically with `eval` or `exec`."
+  remediation:
+    summary: Replace dynamic execution with explicit parsing, allowlisted operations, or fixed function dispatch tables.

package/rules/python/py.security.fastapi-insecure-cors.rule.yaml CHANGED Viewed

@@ -5,6 +5,18 @@ metadata:
   title: Avoid permissive FastAPI CORS with credentials
   summary: FastAPI `CORSMiddleware` should not combine wildcard origins, methods, or headers with `allow_credentials=True`.
   rationale: Wildcard CORS policies plus credentials mirror insecure browser CORS combinations that attackers can abuse from malicious origins.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-942
+      title: Permissive Cross-domain Policy with Untrusted Domains
+    - kind: owasp
+      title: Cross-Origin Resource Sharing (CORS)
+      url: https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
+    - kind: url
+      title: FastAPI security
+      url: https://fastapi.tiangolo.com/tutorial/security/
   tags:
     - security
     - python
@@ -41,3 +53,4 @@ emit:
     summary: "`${captures.issue.text}` configures `CORSMiddleware` with wildcards while credentials are enabled."
   remediation:
     summary: Replace wildcard origins, methods, and headers with explicit allowlists when credentials are required.

package/rules/python/py.security.flask-debug-enabled.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.flask-debug-enabled
+  title: Disable Flask debug mode in runtime configuration
+  summary: Flask applications should not enable debug mode through `app.run`, config assignment, or `FLASK_DEBUG`.
+  rationale: Debug mode can expose interactive tracebacks and internal application state to external users.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-209
+      title: Generation of Error Message Containing Sensitive Information
+    - kind: owasp
+      title: Error Handling Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
+    - kind: url
+      title: Flask security considerations
+      url: https://flask.palletsprojects.com/en/stable/security/
+  tags:
+    - security
+    - python
+    - flask
+    - configuration
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+match:
+  fact:
+    kind: python.security.flask-debug-enabled
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - flask
+      - configuration
+  message:
+    title: Disable Flask debug setting `${captures.issue.text}`
+    summary: "`${captures.issue.text}` enables Flask debug behavior that should remain off outside local development."
+  remediation:
+    summary: Remove debug flags from runtime code and environment assignments, then gate development-only behavior behind safe configuration.

package/rules/python/py.security.flask-missing-upload-body-limit.rule.yaml CHANGED Viewed

@@ -5,6 +5,18 @@ metadata:
   title: Set Flask MAX_CONTENT_LENGTH for uploads
   summary: Flask apps handling uploads should configure `MAX_CONTENT_LENGTH` to bound request bodies.
   rationale: Missing upload limits enables trivial denial-of-service via oversized multipart payloads.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+    - kind: url
+      title: Flask security considerations
+      url: https://flask.palletsprojects.com/en/stable/security/
   tags:
     - security
     - python
@@ -42,3 +54,4 @@ emit:
     summary: "Upload handling references `${captures.issue.text}` but no `MAX_CONTENT_LENGTH` configuration was detected in this file."
   remediation:
     summary: Set `app.config["MAX_CONTENT_LENGTH"]` (or equivalent) to a bounded maximum aligned with product limits.

package/rules/python/py.security.flask-unsafe-html-output.rule.yaml CHANGED Viewed

@@ -6,6 +6,18 @@ metadata:
   summary: Flask responses should not bypass escaping when interpolating `request` input into HTML helpers or template strings.
   rationale: >-
     Markup helpers, render_template_string, and Jinja safe filters bypass escaping and commonly become XSS sinks.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Flask security considerations
+      url: https://flask.palletsprojects.com/en/stable/security/
   tags:
     - security
     - python
@@ -42,3 +54,4 @@ emit:
     summary: "`${captures.issue.text}` mixes request-controlled values with markup helpers or unescaped template paths."
   remediation:
     summary: Use automatic escaping, `render_template` with trusted contexts, or a vetted sanitizer instead of raw markup shortcuts.

package/rules/python/py.security.flask-unsafe-upload-filename.rule.yaml CHANGED Viewed

@@ -5,6 +5,18 @@ metadata:
   title: Sanitize Flask upload filenames before saving
   summary: Flask upload handlers should pass filenames through `secure_filename` (or equivalent) before persisting to disk.
   rationale: Attacker-controlled filenames enable traversal sequences, extension spoofing, and collisions when saved verbatim.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+    - kind: url
+      title: Flask security considerations
+      url: https://flask.palletsprojects.com/en/stable/security/
   tags:
     - security
     - python
@@ -42,3 +54,4 @@ emit:
     summary: "`${captures.issue.text}` persists uploads using an unsanitized client-provided filename."
   remediation:
     summary: Generate trusted server-side names or wrap uploads with `werkzeug.utils.secure_filename` before calling `save`.