npm - @critiq/rules - Versions diffs - 0.1.0 → 0.3.0 - Mend

@critiq/rules 0.1.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (495) hide show

package/rules/python/py.security.insecure-temp-file.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.insecure-temp-file
+  title: Avoid insecure temporary file name helpers
+  summary: Python temporary files should not use `mktemp` or `tempnam` helpers that create race-prone filenames.
+  rationale: Predictable temporary filenames can enable symlink races and unauthorized file access before creation.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+  tags:
+    - security
+    - python
+    - filesystem
+    - tempfile
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.insecure-temp-file
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: medium
+    confidence: 0.92
+    tags:
+      - security
+      - python
+      - filesystem
+      - tempfile
+  message:
+    title: Replace insecure temp helper `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses an insecure temporary filename API."
+  remediation:
+    summary: Use `tempfile.NamedTemporaryFile` or `tempfile.mkstemp` to create secure files atomically.

package/rules/python/py.security.insecure-yaml-load.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.insecure-yaml-load
+  title: Use SafeLoader with yaml.load
+  summary: Python YAML parsing should use `SafeLoader` when calling `yaml.load`.
+  rationale: Unsafe YAML deserialization can instantiate arbitrary Python objects and lead to unexpected code paths.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-502
+      title: Deserialization of Untrusted Data
+    - kind: owasp
+      title: Deserialization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
+  tags:
+    - security
+    - python
+    - yaml
+    - deserialization
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.insecure-yaml-load
+    bind: issue
+emit:
+  finding:
+    category: security.input-validation
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - python
+      - yaml
+      - deserialization
+  message:
+    title: Use a safe YAML loader in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` calls `yaml.load` without a safe loader."
+  remediation:
+    summary: Prefer `yaml.safe_load` or pass `Loader=yaml.SafeLoader` explicitly for trusted-safe parsing behavior.

package/rules/python/py.security.jinja-autoescape-disabled.rule.yaml ADDED Viewed

@@ -0,0 +1,58 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.jinja-autoescape-disabled
+  title: Avoid disabling Jinja autoescape
+  summary: Jinja2 environments should keep autoescaping enabled for HTML rendering contexts.
+  rationale: Disabling autoescape can allow untrusted template data to render as executable markup in browser clients.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Flask security considerations
+      url: https://flask.palletsprojects.com/en/stable/security/
+  tags:
+    - security
+    - python
+    - jinja
+    - xss
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.jinja-autoescape-disabled
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - python
+      - jinja
+      - xss
+  message:
+    title: Enable Jinja autoescape in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` configures a Jinja environment with `autoescape=False`."
+  remediation:
+    summary: Keep `autoescape` enabled for HTML templates and isolate trusted non-HTML rendering pipelines explicitly.

package/rules/python/py.security.subprocess-shell-enabled.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.subprocess-shell-enabled
+  title: Avoid enabling shell mode in subprocess calls
+  summary: Python process execution should avoid `shell=True` unless shell interpretation is explicitly required and tightly controlled.
+  rationale: Shell-enabled process execution introduces command parsing behavior that increases injection and execution risk.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-78
+      title: OS Command Injection
+    - kind: owasp
+      title: OS Command Injection Defense Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
+  tags:
+    - security
+    - python
+    - subprocess
+    - execution
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.subprocess-shell-enabled
+    bind: issue
+emit:
+  finding:
+    category: security.execution
+    severity: high
+    confidence: 0.93
+    tags:
+      - security
+      - python
+      - subprocess
+      - execution
+  message:
+    title: Review shell-enabled process call `${captures.issue.text}`
+    summary: "`${captures.issue.text}` enables shell interpretation via `shell=True`."
+  remediation:
+    summary: Use argument-list execution with `shell=False` by default, and only allow fixed commands when shell mode is unavoidable.

package/rules/ruby/ruby.bug-risk.assignment-in-condition.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.bug-risk.assignment-in-condition
+  title: Avoid assignment inside conditionals
+  summary: >-
+    Extract assignments from if, unless, while, and until conditions.
+  rationale: >-
+    Assignment in conditions is easy to mistake for comparison.
+  detection:
+    kind: pattern
+  tags:
+    - rules-catalog
+    - ruby
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.bug-risk.assignment-in-condition
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.9
+    tags:
+      - ruby
+  message:
+    title: Review `${captures.issue.text}`
+    summary: "`${captures.issue.text}` matches `ruby.bug-risk.assignment-in-condition`."
+  remediation:
+    summary: >-
+      Extract assignments from if, unless, while, and until conditions.

package/rules/ruby/ruby.bug-risk.deprecated-uri-escape.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.bug-risk.deprecated-uri-escape
+  title: Avoid deprecated URI.escape helpers
+  summary: >-
+    Use CGI.escape, URI.encode_www_form_component, or Addressable instead.
+  rationale: >-
+    URI.escape and URI.unescape are deprecated and removed in modern Ruby.
+  detection:
+    kind: pattern
+  tags:
+    - rules-catalog
+    - ruby
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.bug-risk.deprecated-uri-escape
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: low
+    confidence: 0.9
+    tags:
+      - ruby
+  message:
+    title: Review `${captures.issue.text}`
+    summary: "`${captures.issue.text}` matches `ruby.bug-risk.deprecated-uri-escape`."
+  remediation:
+    summary: >-
+      Use CGI.escape, URI.encode_www_form_component, or Addressable instead.

package/rules/ruby/ruby.bug-risk.division-by-zero.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.bug-risk.division-by-zero
+  title: Avoid division by zero literals
+  summary: >-
+    Do not divide by literal zero.
+  rationale: >-
+    Division by zero raises ZeroDivisionError at runtime.
+  detection:
+    kind: pattern
+  tags:
+    - rules-catalog
+    - ruby
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.bug-risk.division-by-zero
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.9
+    tags:
+      - ruby
+  message:
+    title: Review `${captures.issue.text}`
+    summary: "`${captures.issue.text}` matches `ruby.bug-risk.division-by-zero`."
+  remediation:
+    summary: >-
+      Do not divide by literal zero.

package/rules/ruby/ruby.bug-risk.duplicate-hash-keys.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.bug-risk.duplicate-hash-keys
+  title: Avoid duplicate keys in hash literals
+  summary: >-
+    Remove duplicate symbol or string keys in the same hash literal.
+  rationale: >-
+    Later duplicate keys silently override earlier entries.
+  detection:
+    kind: pattern
+  tags:
+    - rules-catalog
+    - ruby
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.bug-risk.duplicate-hash-keys
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.9
+    tags:
+      - ruby
+  message:
+    title: Review `${captures.issue.text}`
+    summary: "`${captures.issue.text}` matches `ruby.bug-risk.duplicate-hash-keys`."
+  remediation:
+    summary: >-
+      Remove duplicate symbol or string keys in the same hash literal.

package/rules/ruby/ruby.bug-risk.exception-class-overwritten.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.bug-risk.exception-class-overwritten
+  title: Do not assign rescue result to exception class names
+  summary: >-
+    Use rescue StandardError or rescue StandardError => e, not rescue => StandardError.
+  rationale: >-
+    rescue => StandardError shadows the exception class with the rescued value.
+  detection:
+    kind: pattern
+  tags:
+    - rules-catalog
+    - ruby
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.bug-risk.exception-class-overwritten
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.9
+    tags:
+      - ruby
+  message:
+    title: Review `${captures.issue.text}`
+    summary: "`${captures.issue.text}` matches `ruby.bug-risk.exception-class-overwritten`."
+  remediation:
+    summary: >-
+      Use rescue StandardError or rescue StandardError => e, not rescue => StandardError.

package/rules/ruby/ruby.bug-risk.raw-sql-without-squish.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.bug-risk.raw-sql-without-squish
+  title: Squish heredoc SQL passed to where
+  summary: >-
+    Normalize heredoc SQL with squish before passing to where or find_by_sql.
+  rationale: >-
+    Unsquished heredoc SQL preserves accidental whitespace and hurts readability.
+  detection:
+    kind: pattern
+  tags:
+    - rules-catalog
+    - ruby
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.bug-risk.raw-sql-without-squish
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: low
+    confidence: 0.9
+    tags:
+      - ruby
+  message:
+    title: Review `${captures.issue.text}`
+    summary: "`${captures.issue.text}` matches `ruby.bug-risk.raw-sql-without-squish`."
+  remediation:
+    summary: >-
+      Normalize heredoc SQL with squish before passing to where or find_by_sql.

package/rules/ruby/ruby.security.debugger-call.rule.yaml ADDED Viewed

@@ -0,0 +1,53 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.security.debugger-call
+  title: Remove debugger calls from application code
+  summary: >-
+    Debugger breakpoints must not ship in non-test Ruby sources.
+  rationale: >-
+    Leftover `debugger`, `byebug`, or `binding.break` calls pause production workers and can expose live request state.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-489
+      title: Active Debug Code
+  tags:
+    - security
+    - ruby
+    - debug
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+      - "**/spec/**"
+      - "**/test/**"
+      - "**/tests/**"
+match:
+  fact:
+    kind: ruby.security.debugger-call
+    bind: issue
+emit:
+  finding:
+    category: security.debug-exposure
+    severity: medium
+    confidence: 0.92
+    tags:
+      - security
+      - ruby
+      - debug
+  message:
+    title: Remove debugger call in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` leaves an interactive debugger breakpoint in application code."
+  remediation:
+    summary: >-
+      Delete debugger statements before merge or gate them behind development-only configuration.

package/rules/ruby/ruby.security.dynamic-code-execution.rule.yaml ADDED Viewed

@@ -0,0 +1,54 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.security.dynamic-code-execution
+  title: Avoid dynamic Ruby code execution
+  summary: >-
+    Do not execute runtime-generated Ruby via eval, exec, or *_eval helpers.
+  rationale: >-
+    Dynamic execution turns untrusted or mutable input into executable code and expands injection risk.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-94
+      title: Improper Control of Generation of Code
+    - kind: owasp
+      title: Code Injection
+      url: https://owasp.org/www-community/attacks/Code_Injection
+  tags:
+    - security
+    - ruby
+    - execution
+    - injection
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.security.dynamic-code-execution
+    bind: issue
+emit:
+  finding:
+    category: security.execution
+    severity: high
+    confidence: 0.94
+    tags:
+      - security
+      - ruby
+      - execution
+  message:
+    title: Remove dynamic execution in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` executes Ruby code dynamically."
+  remediation:
+    summary: >-
+      Replace eval and *_eval calls with explicit parsing, allowlisted dispatch, or data structures that do not execute code.

package/rules/ruby/ruby.security.insecure-json-load.rule.yaml ADDED Viewed

@@ -0,0 +1,53 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.security.insecure-json-load
+  title: Avoid insecure JSON load helpers
+  summary: >-
+    Prefer `JSON.parse` over `JSON.load`, `JSON.restore`, or permissive Oj/MultiJson loaders.
+  rationale: >-
+    Load-style JSON APIs can deserialize arbitrary Ruby types and expand deserialization gadget risk.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-502
+      title: Deserialization of Untrusted Data
+    - kind: owasp
+      title: Deserialization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
+  tags:
+    - security
+    - ruby
+    - deserialization
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.security.insecure-json-load
+    bind: issue
+emit:
+  finding:
+    category: security.deserialization
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - ruby
+      - deserialization
+  message:
+    title: Use safe JSON parsing in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses a JSON loader that can deserialize unsafe Ruby objects."
+  remediation:
+    summary: >-
+      Parse JSON with `JSON.parse` and validate the resulting structure; avoid `JSON.load`, `JSON.restore`, and default `Oj.load` on untrusted input.

package/rules/ruby/ruby.security.kernel-open.rule.yaml ADDED Viewed

@@ -0,0 +1,53 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.security.kernel-open
+  title: Avoid Kernel.open pipe mode
+  summary: >-
+    Do not use `Kernel.open` with a leading pipe, which spawns a shell command.
+  rationale: >-
+    Pipe-mode `open` delegates to the shell and enables command injection when the argument is influenced by users.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-78
+      title: Improper Neutralization of Special Elements used in an OS Command
+    - kind: owasp
+      title: Command Injection
+      url: https://owasp.org/www-community/attacks/Command_Injection
+  tags:
+    - security
+    - ruby
+    - command-execution
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.security.kernel-open
+    bind: issue
+emit:
+  finding:
+    category: security.command-execution
+    severity: critical
+    confidence: 0.95
+    tags:
+      - security
+      - ruby
+      - command-execution
+  message:
+    title: Replace pipe-mode open in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses `Kernel.open` pipe mode, which can execute shell commands."
+  remediation:
+    summary: >-
+      Use `IO.popen` only with a fixed argv array, `Open3` with explicit command arrays, or file APIs that do not invoke a shell.