npm - @critiq/rules - Versions diffs - 0.1.0 → 0.3.0 - Mend

@critiq/rules 0.1.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (495) hide show

package/rules/ruby/ruby.security.plaintext-password-in-callback.rule.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.security.plaintext-password-in-callback
+  title: Avoid plaintext passwords in HTTP basic auth
+  summary: >-
+    Do not pass literal passwords to http_basic_authenticate_with.
+  rationale: >-
+    Hard-coded basic-auth passwords leak when source is exposed.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-798
+      title: Use of Hard-coded Credentials
+  tags:
+    - rules-catalog
+    - ruby
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.security.plaintext-password-in-callback
+    bind: issue
+emit:
+  finding:
+    category: security.credentials
+    severity: high
+    confidence: 0.9
+    tags:
+      - ruby
+  message:
+    title: Review `${captures.issue.text}`
+    summary: "`${captures.issue.text}` matches `ruby.security.plaintext-password-in-callback`."
+  remediation:
+    summary: >-
+      Do not pass literal passwords to http_basic_authenticate_with.

package/rules/ruby/ruby.security.rails-csrf-disabled.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Browser-facing Rails controllers should keep forgery protection enabled with a safe strategy.
   rationale: >-
     Skipping CSRF verification or downgrading to `null_session` lets attackers replay cross-site requests against authenticated sessions.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-352
+      title: Cross-Site Request Forgery (CSRF)
+    - kind: owasp
+      title: Cross-Site Request Forgery Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Ruby on Rails security guide
+      url: https://guides.rubyonrails.org/security.html
   tags:
     - security
     - ruby
@@ -43,3 +55,4 @@ emit:
   remediation:
     summary: >-
       Remove broad `skip_forgery_protection` usage, prefer `protect_from_forgery with: :exception`, and keep `verify_authenticity_token` enabled for state-changing browser actions.

package/rules/ruby/ruby.security.rails-detailed-exceptions-enabled.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Production environments should not enable local-style exception pages or verbose Action Dispatch exception rendering.
   rationale: >-
     Detailed exceptions leak stack traces, secrets, and implementation details that attackers can use to refine exploits.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-209
+      title: Generation of Error Message Containing Sensitive Information
+    - kind: owasp
+      title: Error Handling Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
+    - kind: url
+      title: Ruby on Rails security guide
+      url: https://guides.rubyonrails.org/security.html
   tags:
     - security
     - ruby
@@ -42,3 +54,4 @@ emit:
   remediation:
     summary: >-
       Set `consider_all_requests_local` and `show_detailed_exceptions` to safe defaults, route errors through monitored handlers, and keep `config.action_dispatch.show_exceptions` off verbose modes in production.

package/rules/ruby/ruby.security.rails-link-to-blank-without-noopener.rule.yaml ADDED Viewed

@@ -0,0 +1,48 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.security.rails-link-to-blank-without-noopener
+  title: Add rel noopener to link_to with target _blank
+  summary: >-
+    External links opened in a new tab should set rel noopener or noreferrer.
+  rationale: >-
+    Pages opened via target _blank can access window.opener for tab-nabbing.
+  detection:
+    kind: pattern
+  references:
+    - kind: owasp
+      title: Reverse Tabnabbing
+      url: https://owasp.org/www-community/attacks/Reverse_Tabnabbing
+  tags:
+    - rules-catalog
+    - ruby
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+      - "**/*.erb"
+      - "**/*.erb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.security.rails-link-to-blank-without-noopener
+    bind: issue
+emit:
+  finding:
+    category: security.session-management
+    severity: medium
+    confidence: 0.9
+    tags:
+      - ruby
+  message:
+    title: Review `${captures.issue.text}`
+    summary: "`${captures.issue.text}` matches `ruby.security.rails-link-to-blank-without-noopener`."
+  remediation:
+    summary: >-
+      External links opened in a new tab should set rel noopener or noreferrer.

package/rules/ruby/ruby.security.rails-open-redirect.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Redirect helpers must not send users to hosts or paths derived directly from request input without validation.
   rationale: >-
     `redirect_to` and `redirect_back` calls that honor `params`, `request` URLs, or `allow_other_host: true` with tainted data are a common phishing and OAuth bypass vector.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-601
+      title: URL Redirection to Untrusted Site
+    - kind: owasp
+      title: Unvalidated Redirects and Forwards Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
+    - kind: url
+      title: Ruby on Rails security guide
+      url: https://guides.rubyonrails.org/security.html
   tags:
     - security
     - ruby
@@ -43,3 +55,4 @@ emit:
   remediation:
     summary: >-
       Use an allowlisted path helper, reject off-host targets, and avoid pairing `allow_other_host: true` with user-controlled URLs.

package/rules/ruby/ruby.security.rails-output-unsafe.rule.yaml ADDED Viewed

@@ -0,0 +1,47 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.security.rails-output-unsafe
+  title: Avoid output-unsafe Rails helpers
+  summary: >-
+    Do not use html_safe, raw, or safe_concat to bypass escaping.
+  rationale: >-
+    Output-unsafe helpers mark content HTML-safe without escaping user input.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Improper Neutralization of Input During Web Page Generation
+  tags:
+    - rules-catalog
+    - ruby
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+      - "**/*.erb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.security.rails-output-unsafe
+    bind: issue
+emit:
+  finding:
+    category: security.injection
+    severity: medium
+    confidence: 0.9
+    tags:
+      - ruby
+  message:
+    title: Review `${captures.issue.text}`
+    summary: "`${captures.issue.text}` matches `ruby.security.rails-output-unsafe`."
+  remediation:
+    summary: >-
+      Do not use html_safe, raw, or safe_concat to bypass escaping.

package/rules/ruby/ruby.security.rails-unsafe-html-output.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Do not mark request-driven strings as HTML safe or bypass sanitization in views or helpers.
   rationale: >-
     `raw`, `html_safe`, `sanitize: false`, and ERB double-equals disable escaping and commonly become reflected XSS sinks.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Ruby on Rails security guide
+      url: https://guides.rubyonrails.org/security.html
   tags:
     - security
     - ruby
@@ -44,3 +56,4 @@ emit:
   remediation:
     summary: >-
       Prefer default escaping, pass sanitized fragments, or centralize HTML generation through a vetted sanitizer instead of `raw`/`html_safe`.

package/rules/ruby/ruby.security.rails-unsafe-render.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     `render` options such as `html:`, `plain:`, or `inline:` must not consume unvalidated request data.
   rationale: >-
     These render modes bypass templates and can reflect attacker-controlled markup or scripts when fed tainted strings.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Ruby on Rails security guide
+      url: https://guides.rubyonrails.org/security.html
   tags:
     - security
     - ruby
@@ -43,3 +55,4 @@ emit:
   remediation:
     summary: >-
       Prefer templates with escaping, sanitize any rich text, or map request identifiers to trusted server-side content instead of rendering raw params.

package/rules/ruby/ruby.security.rails-unsafe-session-or-cookie-store.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Session and signed cookie stores should not persist raw `params` blobs that attackers can influence.
   rationale: >-
     Writing `params` directly into `session` or `cookies` enables tampering, fixation, and oversized payload attacks unless additional integrity controls exist.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-614
+      title: Sensitive Cookie Without Secure Attribute
+    - kind: owasp
+      title: Session Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+    - kind: url
+      title: Ruby on Rails security guide
+      url: https://guides.rubyonrails.org/security.html
   tags:
     - security
     - ruby
@@ -43,3 +55,4 @@ emit:
   remediation:
     summary: >-
       Store opaque identifiers, use signed or encrypted cookie jars appropriately, and validate any user-derived values before persistence.

package/rules/ruby/ruby.security.rails-unsafe-strong-parameters.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Strong parameters and mass assignment sinks should not accept unfiltered request hashes or privileged attributes.
   rationale: >-
     Permissive `permit!`, privileged `permit` fields, and direct `params` mass assignment enable attackers to escalate privileges or overwrite protected columns.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
+    - kind: url
+      title: Ruby on Rails security guide
+      url: https://guides.rubyonrails.org/security.html
   tags:
     - security
     - ruby
@@ -44,3 +56,4 @@ emit:
   remediation:
     summary: >-
       Replace `permit!` with an explicit attribute list, drop privileged symbols from `permit`, and route updates through vetted strong-parameter helpers instead of raw `params`.

package/rules/ruby/ruby.security.sensitive-data-egress.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     Outbound HTTP helpers should not receive URLs or bodies directly from `params` or other tainted sources without validation.
   rationale: >-
     User-controlled egress enables SSRF, data exfiltration, and token theft when combined with open HTTP clients.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-200
+      title: Exposure of Sensitive Information to an Unauthorized Actor
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
   tags:
     - security
     - ruby
@@ -43,3 +52,4 @@ emit:
   remediation:
     summary: >-
       Allowlist hosts, strip secrets from outbound payloads, and route external calls through audited integration points.

package/rules/ruby/ruby.security.sidekiq-web-unauthenticated-mount.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     Sidekiq Web must not be exposed on public routes without an authentication or network guard.
   rationale: >-
     Unauthenticated Sidekiq Web consoles expose queues and often lead to remote code execution via job replay or configuration changes.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-862
+      title: Missing Authorization
+    - kind: owasp
+      title: Authorization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
   tags:
     - security
     - ruby
@@ -43,3 +52,4 @@ emit:
   remediation:
     summary: >-
       Wrap mounts in `authenticate`, add route constraints, use basic auth or VPN-only routing, and keep consoles off public networks.

package/rules/rust/rust.correctness.block-on-in-async.rule.yaml ADDED Viewed

@@ -0,0 +1,48 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.correctness.block-on-in-async
+  title: Avoid block_on inside async functions
+  summary: Calling block_on from async code can deadlock the runtime.
+  rationale: >-
+    `Handle::current().block_on`, `Runtime::block_on`, and `futures::executor::block_on`
+    block the async executor thread and can deadlock when invoked from `async fn`.
+  tags:
+    - correctness
+    - rust
+    - concurrency
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/test/**"
+      - "**/testdata/**"
+      - "**/examples/**"
+      - "**/benches/**"
+      - "**/*_test.rs"
+      - "**/*.spec.rs"
+match:
+  fact:
+    kind: rust.correctness.block-on-in-async
+    bind: issue
+emit:
+  finding:
+    category: correctness.concurrency
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+      - rust
+      - concurrency
+  message:
+    title: Remove block_on from async code
+    summary: "`${captures.issue.text}` can deadlock the async runtime."
+  remediation:
+    summary: Await the future directly or run blocking work on a dedicated runtime thread.

package/rules/rust/rust.correctness.forget-join-handle.rule.yaml ADDED Viewed

@@ -0,0 +1,48 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.correctness.forget-join-handle
+  title: Do not forget spawned task handles
+  summary: Forgetting a JoinHandle leaks the task and drops panic propagation.
+  rationale: >-
+    `std::mem::forget` on a `tokio::spawn` return value or `JoinHandle` abandons
+    the task without awaiting completion or observing panics.
+  tags:
+    - correctness
+    - rust
+    - concurrency
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/test/**"
+      - "**/testdata/**"
+      - "**/examples/**"
+      - "**/benches/**"
+      - "**/*_test.rs"
+      - "**/*.spec.rs"
+match:
+  fact:
+    kind: rust.correctness.forget-join-handle
+    bind: issue
+emit:
+  finding:
+    category: correctness.concurrency
+    severity: medium
+    confidence: 0.85
+    tags:
+      - correctness
+      - rust
+      - concurrency
+  message:
+    title: Await or detach spawned tasks explicitly
+    summary: "`${captures.issue.text}` forgets a task handle instead of awaiting it."
+  remediation:
+    summary: Store the `JoinHandle`, await it, or use a structured shutdown path.

package/rules/rust/rust.correctness.mutex-held-across-await.rule.yaml ADDED Viewed

@@ -0,0 +1,48 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.correctness.mutex-held-across-await
+  title: Do not hold a Mutex guard across await
+  summary: Holding a std::sync::Mutex guard across an await point can deadlock the async executor.
+  rationale: >-
+    A `std::sync::Mutex` guard must not be held while the task yields at `.await`.
+    Use an async mutex or release the guard before awaiting.
+  tags:
+    - correctness
+    - rust
+    - concurrency
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/test/**"
+      - "**/testdata/**"
+      - "**/examples/**"
+      - "**/benches/**"
+      - "**/*_test.rs"
+      - "**/*.spec.rs"
+match:
+  fact:
+    kind: rust.correctness.mutex-held-across-await
+    bind: issue
+emit:
+  finding:
+    category: correctness.concurrency
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+      - rust
+      - concurrency
+  message:
+    title: Release the mutex guard before `${captures.issue.text}`
+    summary: A `std::sync::Mutex` guard from `.lock().unwrap()` or `.lock().expect(...)` is still used after `.await`.
+  remediation:
+    summary: Drop the guard before awaiting or switch to `tokio::sync::Mutex` for async code.

package/rules/rust/rust.correctness.std-mutex-in-async-fn.rule.yaml ADDED Viewed

@@ -0,0 +1,48 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.correctness.std-mutex-in-async-fn
+  title: Prefer async mutex primitives in async functions
+  summary: std::sync::Mutex in async code encourages blocking and await deadlocks.
+  rationale: >-
+    `std::sync::Mutex` blocks the executor when contended. In `async fn`, prefer
+    `tokio::sync::Mutex` or `async_lock` primitives that cooperate with the runtime.
+  tags:
+    - correctness
+    - rust
+    - concurrency
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/test/**"
+      - "**/testdata/**"
+      - "**/examples/**"
+      - "**/benches/**"
+      - "**/*_test.rs"
+      - "**/*.spec.rs"
+match:
+  fact:
+    kind: rust.correctness.std-mutex-in-async-fn
+    bind: issue
+emit:
+  finding:
+    category: correctness.concurrency
+    severity: medium
+    confidence: 0.85
+    tags:
+      - correctness
+      - rust
+      - concurrency
+  message:
+    title: Replace std mutex in async code
+    summary: "`${captures.issue.text}` uses `std::sync::Mutex` inside an `async fn`."
+  remediation:
+    summary: Switch to `tokio::sync::Mutex` or keep blocking locks outside async contexts.

package/rules/rust/rust.correctness.thread-sleep-in-async.rule.yaml ADDED Viewed

@@ -0,0 +1,48 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.correctness.thread-sleep-in-async
+  title: Avoid blocking thread sleep in async functions
+  summary: std::thread::sleep blocks the executor thread inside async code.
+  rationale: >-
+    `std::thread::sleep` blocks the current OS thread. Inside `async fn` this stalls
+    the runtime worker and harms throughput. Prefer `tokio::time::sleep` instead.
+  tags:
+    - correctness
+    - rust
+    - concurrency
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/test/**"
+      - "**/testdata/**"
+      - "**/examples/**"
+      - "**/benches/**"
+      - "**/*_test.rs"
+      - "**/*.spec.rs"
+match:
+  fact:
+    kind: rust.correctness.thread-sleep-in-async
+    bind: issue
+emit:
+  finding:
+    category: correctness.concurrency
+    severity: medium
+    confidence: 0.85
+    tags:
+      - correctness
+      - rust
+      - concurrency
+  message:
+    title: Replace blocking sleep in async code
+    summary: "`${captures.issue.text}` blocks an async executor thread."
+  remediation:
+    summary: Use `tokio::time::sleep` or move blocking work to `spawn_blocking`.

package/rules/rust/rust.correctness.unbounded-channel.rule.yaml ADDED Viewed

@@ -0,0 +1,49 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.correctness.unbounded-channel
+  title: Avoid unbounded async channels
+  summary: Unbounded channels can grow without backpressure and exhaust memory.
+  rationale: >-
+    `tokio::sync::mpsc::unbounded_channel` and `futures::channel::mpsc::unbounded`
+    accept messages without capacity limits, which can cause unbounded memory growth
+    under load.
+  tags:
+    - correctness
+    - rust
+    - resource-leak
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/test/**"
+      - "**/testdata/**"
+      - "**/examples/**"
+      - "**/benches/**"
+      - "**/*_test.rs"
+      - "**/*.spec.rs"
+match:
+  fact:
+    kind: rust.correctness.unbounded-channel
+    bind: issue
+emit:
+  finding:
+    category: correctness.resource-leak
+    severity: medium
+    confidence: 0.85
+    tags:
+      - correctness
+      - rust
+      - resource-leak
+  message:
+    title: Prefer bounded channels for backpressure
+    summary: "`${captures.issue.text}` creates an unbounded channel."
+  remediation:
+    summary: Use a bounded `mpsc::channel` with an explicit capacity.