npm - @critiq/rules - Versions diffs - 0.1.0 → 0.3.0 - Mend

@critiq/rules 0.1.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (495) hide show

package/rules/rust/rust.correctness.unchecked-index.rule.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.correctness.unchecked-index
+  title: Prefer fallible slice access for variable indices
+  summary: Direct indexing with a variable can panic when the index is out of bounds.
+  rationale: >-
+    Slice indexing with a non-literal index panics on bounds failure. Use `.get(index)`
+    when the index comes from a variable and handle `None` explicitly.
+  tags:
+    - correctness
+    - rust
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/test/**"
+      - "**/testdata/**"
+      - "**/examples/**"
+      - "**/benches/**"
+      - "**/*_test.rs"
+      - "**/*.spec.rs"
+match:
+  fact:
+    kind: rust.correctness.unchecked-index
+    bind: issue
+emit:
+  finding:
+    category: correctness.runtime
+    severity: medium
+    confidence: 0.8
+    tags:
+      - correctness
+      - rust
+  message:
+    title: Use fallible access for variable indices
+    summary: "`${captures.issue.text}` indexes a slice with a variable that may be out of bounds."
+  remediation:
+    summary: Replace direct indexing with `.get(index)` and handle the `None` case.

package/rules/rust/rust.security.actix-wildcard-cors-with-credentials.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     `actix_cors` configurations must not combine `allow_any_origin` with `supports_credentials`.
   rationale: >-
     Wildcard origins with credentials violate browser CORS expectations and usually indicate a missing explicit origin allowlist.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-942
+      title: Permissive Cross-domain Policy with Untrusted Domains
+    - kind: owasp
+      title: Cross-Origin Resource Sharing (CORS)
+      url: https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
+    - kind: url
+      title: ANSSI Rust secure development guidelines
+      url: https://anssi-fr.github.io/rust-guide/01-general-principles.html
   tags:
     - security
     - rust
@@ -45,3 +57,4 @@ emit:
   remediation:
     summary: >-
       Use `allowed_origin` with explicit HTTPS origins, or disable credentials when anonymous public access is intended.

package/rules/rust/rust.security.axum-body-limit-disabled.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Axum apps should keep a finite `DefaultBodyLimit` (or equivalent) so request bodies cannot exhaust memory.
   rationale: >-
     `DefaultBodyLimit::disable()` removes the framework guardrail against huge bodies and is unsafe on routes that accept untrusted input.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: ANSSI Rust secure development guidelines
+      url: https://anssi-fr.github.io/rust-guide/01-general-principles.html
   tags:
     - security
     - rust
@@ -43,3 +55,4 @@ emit:
   remediation:
     summary: >-
       Set an explicit max body size with `DefaultBodyLimit::max`, add `tower_http::limit::RequestBodyLimitLayer`, or enforce limits at your edge proxy before accepting large uploads.

package/rules/rust/rust.security.axum-insecure-cors-with-credentials.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Do not pair wildcard or `very_permissive` origin policies with credentialed CORS or private-network access in `tower-http`.
   rationale: >-
     Browsers treat credentialed CORS as trusted cross-origin behavior; permissive origin lists undermine that contract and often hide missing explicit allowlists.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-942
+      title: Permissive Cross-domain Policy with Untrusted Domains
+    - kind: owasp
+      title: Cross-Origin Resource Sharing (CORS)
+      url: https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
+    - kind: url
+      title: ANSSI Rust secure development guidelines
+      url: https://anssi-fr.github.io/rust-guide/01-general-principles.html
   tags:
     - security
     - rust
@@ -45,3 +57,4 @@ emit:
   remediation:
     summary: >-
       Prefer explicit HTTPS `AllowOrigin` lists, avoid `CorsLayer::very_permissive` with `allow_credentials(true)`, and only enable `allow_private_network` with strict origin controls.

package/rules/rust/rust.security.bind-all-interfaces.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.bind-all-interfaces
+  title: Avoid binding Rust services to all interfaces
+  summary: >-
+    Rust network services should avoid explicit binds to `0.0.0.0`, `::`, or `[::]` unless public exposure is intentional and controlled.
+  rationale: >-
+    Binding every interface can unintentionally expose internal services beyond expected trust boundaries.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-668
+      title: Exposure of Resource to Wrong Sphere
+    - kind: url
+      title: CWE-668 Exposure of Resource to Wrong Sphere
+      url: https://cwe.mitre.org/data/definitions/668.html
+  tags:
+    - security
+    - rust
+    - network
+    - exposure
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.bind-all-interfaces
+    bind: issue
+emit:
+  finding:
+    category: security.network
+    severity: medium
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - network
+      - exposure
+  message:
+    title: Restrict interface bind in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` binds a service to all network interfaces."
+  remediation:
+    summary: >-
+      Prefer loopback or an explicit interface bind unless broad exposure is required and defended by network controls.

package/rules/rust/rust.security.insecure-ssh-host-key.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.insecure-ssh-host-key
+  title: Verify SSH host keys before connecting
+  summary: >-
+    SSH clients must not disable host key verification.
+  rationale: >-
+    Skipping host key checks enables person-in-the-middle attacks against SSH sessions.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-668
+      title: Exposure of Resource to Wrong Sphere
+    - kind: url
+      title: CWE-668 Exposure of Resource to Wrong Sphere
+      url: https://cwe.mitre.org/data/definitions/668.html
+  tags:
+    - security
+    - rust
+    - ssh
+    - network
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.insecure-ssh-host-key
+    bind: issue
+emit:
+  finding:
+    category: security.network
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - ssh
+      - network
+  message:
+    title: Enable SSH host key verification near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` disables SSH host key verification."
+  remediation:
+    summary: >-
+      Keep host key checking enabled and pin known host keys or use a trusted known_hosts store.

package/rules/rust/rust.security.insecure-ssl-protocol.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.insecure-ssl-protocol
+  title: Reject deprecated SSL/TLS protocol versions
+  summary: >-
+    Rust code must not enable SSLv3, TLS 1.0, or TLS 1.1 in TLS configuration.
+  rationale: >-
+    These protocol versions have known weaknesses and are deprecated for secure transport.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - tls
+    - cryptography
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.insecure-ssl-protocol
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - tls
+      - cryptography
+  message:
+    title: Remove insecure TLS protocol near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` references a deprecated SSL/TLS protocol version."
+  remediation:
+    summary: >-
+      Require TLS 1.2 or TLS 1.3 and remove SSLv3, TLS 1.0, and TLS 1.1 from allowed protocol lists.

package/rules/rust/rust.security.insecure-temp-file.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.insecure-temp-file
+  title: Avoid predictable or permissionless temporary files
+  summary: >-
+    Temporary file creation should use secure helpers with random suffixes and restrictive permissions.
+  rationale: >-
+    Predictable temp paths and default-permission temp files enable symlink races and information disclosure.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - filesystem
+    - tempfile
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.insecure-temp-file
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: medium
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - filesystem
+      - tempfile
+  message:
+    title: Use secure temp file creation near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` creates a temporary file with an insecure pattern."
+  remediation:
+    summary: >-
+      Use `tempfile::Builder` with explicit permissions and patterns containing `*`, or `std::env::temp_dir` with random names.

package/rules/rust/rust.security.insecure-yaml-load.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.insecure-yaml-load
+  title: Avoid untyped YAML deserialization
+  summary: >-
+    Untyped `serde_yaml` deserialization can instantiate arbitrary types from untrusted input.
+  rationale: >-
+    YAML loaders without strict typing enable unsafe object graphs and unexpected type coercion.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-502
+      title: Deserialization of Untrusted Data
+    - kind: owasp
+      title: Deserialization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - yaml
+    - deserialization
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.insecure-yaml-load
+    bind: issue
+emit:
+  finding:
+    category: security.deserialization
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - yaml
+      - deserialization
+  message:
+    title: Use typed YAML parsing near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` deserializes YAML without a constrained target type."
+  remediation:
+    summary: >-
+      Deserialize into explicit structs or enums and validate input before use.

package/rules/rust/rust.security.jwt-without-verification.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.jwt-without-verification
+  title: Verify JWT signatures before trusting claims
+  summary: >-
+    JWT parsing must use a verification key and must not disable signature validation.
+  rationale: >-
+    Trusting unverified JWTs allows attackers to forge tokens with arbitrary claims.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-287
+      title: Improper Authentication
+    - kind: owasp
+      title: JSON Web Token Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - jwt
+    - authentication
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.jwt-without-verification
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - jwt
+      - authentication
+  message:
+    title: Verify JWT signature near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` parses a JWT without verifying its signature."
+  remediation:
+    summary: >-
+      Pass a `DecodingKey` to `decode` and validate claims with a strict `Validation` configuration.

package/rules/rust/rust.security.panic-in-async-handler.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.panic-in-async-handler
+  title: Avoid panic and unwrap in async handlers
+  summary: >-
+    Async request handlers should propagate errors instead of panicking or unwrapping Results.
+  rationale: >-
+    Panics in async handlers can abort tasks and leak error details under load.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - async
+    - reliability
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.panic-in-async-handler
+    bind: issue
+emit:
+  finding:
+    category: security.reliability
+    severity: medium
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - async
+      - reliability
+  message:
+    title: Handle errors in async handler near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` panics or unwraps inside an async function."
+  remediation:
+    summary: >-
+      Return `Result` from async handlers and map errors to appropriate HTTP responses.

package/rules/rust/rust.security.rocket-panic-prone-request-handler.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Rocket route handlers should not `unwrap`, `expect`, or otherwise panic on values derived from the HTTP request.
   rationale: >-
     Panics become hard failures and can be abused for denial-of-service or to leak error detail; prefer `Result` and typed rejections.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-209
+      title: Generation of Error Message Containing Sensitive Information
+    - kind: owasp
+      title: Error Handling Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
+    - kind: url
+      title: ANSSI Rust secure development guidelines
+      url: https://anssi-fr.github.io/rust-guide/01-general-principles.html
   tags:
     - security
     - rust
@@ -43,3 +55,4 @@ emit:
   remediation:
     summary: >-
       Return `Result`, `Option`, or `status::Custom`, map errors to HTTP responses, and reserve `unwrap` for tests or statically known invariants.

package/rules/rust/rust.security.rocket-unsafe-template-output.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Do not wrap request-sourced strings in `RawHtml` (or similar) without escaping in Rocket handlers.
   rationale: >-
     Raw HTML bypasses Rocket's escaping defaults and is a common XSS footgun when fed from path, query, or body inputs.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: ANSSI Rust secure development guidelines
+      url: https://anssi-fr.github.io/rust-guide/01-general-principles.html
   tags:
     - security
     - rust
@@ -45,3 +57,4 @@ emit:
   remediation:
     summary: >-
       Prefer typed templates with auto-escaping, sanitize with a vetted HTML policy crate, or return plain text/JSON instead of `RawHtml`.

package/rules/rust/rust.security.shell-command-spawn.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.shell-command-spawn
+  title: Avoid shell invocation via Command
+  summary: >-
+    Spawning `/bin/sh` or `bash` with `-c` enables shell metacharacter injection.
+  rationale: >-
+    Shell interpretation expands attacker-controlled input into arbitrary command execution.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-78
+      title: OS Command Injection
+    - kind: owasp
+      title: OS Command Injection Defense Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - command-injection
+    - shell
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.shell-command-spawn
+    bind: issue
+emit:
+  finding:
+    category: security.command-injection
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - command-injection
+      - shell
+  message:
+    title: Avoid shell spawn near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` spawns a shell with `-c`, enabling command injection."
+  remediation:
+    summary: >-
+      Invoke binaries directly with explicit arguments instead of routing through a shell.

package/rules/rust/rust.security.sqlx-diesel-raw-interpolated-query.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Do not pass `format!(...)` (or equivalent string concatenation) into `sqlx::query` or `diesel::sql_query` sinks.
   rationale: >-
     Interpolated SQL is the primary SQL injection pattern in Rust ORMs; compile-time macros and bind parameters keep queries safe.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-89
+      title: SQL Injection
+    - kind: owasp
+      title: SQL Injection Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: ANSSI Rust secure development guidelines
+      url: https://anssi-fr.github.io/rust-guide/01-general-principles.html
   tags:
     - security
     - rust
@@ -45,3 +57,4 @@ emit:
   remediation:
     summary: >-
       Prefer `sqlx::query!` / `query_as!`, use `.bind(...)` on typed query builders, or Diesel's query DSL with bound parameters instead of raw interpolated strings.

package/rules/rust/rust.security.template-unescaped-request-value.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     Tera, Maud, and similar engines should not insert request-sourced strings into contexts or `PreEscaped`/`raw` sinks without sanitization.
   rationale: >-
     Template `safe`/raw sinks disable escaping; feeding path, query, form, or JSON extractors there is a direct XSS vector.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - rust
@@ -45,3 +54,4 @@ emit:
   remediation:
     summary: >-
       HTML-escape with a vetted policy (for example `ammonia::clean`), keep auto-escaping on, and avoid `PreEscaped`/`Markup::raw` for untrusted strings.