npm - @critiq/rules - Versions diffs - 0.1.0 → 0.3.0 - Mend

@critiq/rules 0.1.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (495) hide show

package/rules/typescript/ts.react.no-set-state-in-component-did-mount.rule.yaml ADDED Viewed

@@ -0,0 +1,34 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.react.no-set-state-in-component-did-mount
+  title: Avoid setState in componentDidMount
+  summary: Synchronous state updates during mount trigger an extra render before the browser paints the initial tree.
+  rationale: Initial state belongs in the constructor or class field initializers so the first render already reflects the mounted view.
+  tags:
+    - react
+    - ui
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ui.react.set-state-in-component-did-mount
+    bind: issue
+emit:
+  finding:
+    category: correctness.ui
+    severity: medium
+    confidence: 0.82
+    tags:
+      - react
+      - ui
+  message:
+    title: Initialize state before mount completes
+    summary: "`${captures.issue.text}` calls setState inside componentDidMount."
+  remediation:
+    summary: Move the initial value into state initialization or derive it from props with a guarded update strategy.

package/rules/typescript/ts.react.no-set-state-in-component-did-update.rule.yaml ADDED Viewed

@@ -0,0 +1,34 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.react.no-set-state-in-component-did-update
+  title: Guard setState in componentDidUpdate
+  summary: Unconditional setState in componentDidUpdate can recurse through renders when props or state change on every pass.
+  rationale: Updates should compare against prevProps or prevState so the component only re-renders when inputs actually changed.
+  tags:
+    - react
+    - ui
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ui.react.set-state-in-component-did-update
+    bind: issue
+emit:
+  finding:
+    category: correctness.ui
+    severity: medium
+    confidence: 0.8
+    tags:
+      - react
+      - ui
+  message:
+    title: Compare previous inputs before updating state
+    summary: "`${captures.issue.text}` calls setState inside componentDidUpdate without a prevProps or prevState guard."
+  remediation:
+    summary: Wrap the update in a conditional that compares prevProps or prevState, or move synchronization into getDerivedStateFromProps.

package/rules/typescript/ts.react.no-target-blank-without-rel.rule.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.react.no-target-blank-without-rel
+  title: Add rel=noopener to target=_blank links
+  summary: Opening links in a new tab without rel=noopener lets the destination page access window.opener.
+  rationale: Untrusted destinations can navigate or phish the opener tab unless noopener severs that relationship.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+  tags:
+    - react
+    - security
+    - ui
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ui.react.target-blank-without-rel
+    bind: issue
+emit:
+  finding:
+    category: security.ui
+    severity: high
+    confidence: 0.9
+    tags:
+      - react
+      - security
+      - ui
+  message:
+    title: Harden external links opened in a new tab
+    summary: "`${captures.issue.text}` uses target=_blank without rel containing noopener."
+  remediation:
+    summary: Add rel=noopener or rel="noopener noreferrer" whenever target="_blank" is present.

package/rules/typescript/ts.react.no-this-in-function-component.rule.yaml ADDED Viewed

@@ -0,0 +1,34 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.react.no-this-in-function-component
+  title: Do not use this in function components
+  summary: Function components have no instance, so `this` references are almost always mistakes copied from class components.
+  rationale: Hooks, props, and closures replace instance fields; leaving `this` in place breaks at runtime or hides missing refactors.
+  tags:
+    - react
+    - ui
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ui.react.this-in-function-component
+    bind: issue
+emit:
+  finding:
+    category: correctness.ui
+    severity: high
+    confidence: 0.76
+    tags:
+      - react
+      - ui
+  message:
+    title: Remove this from function components
+    summary: "`${captures.issue.text}` uses this inside a function component."
+  remediation:
+    summary: Use props, hooks, module-level helpers, or refs instead of instance fields accessed through this.

package/rules/typescript/ts.runtime.no-process-exit.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.runtime.no-process-exit
+  title: Avoid `process.exit` in application code
+  summary: Do not call `process.exit` from application logic; reserve termination for CLI entrypoints.
+  rationale: Forced process termination bypasses graceful shutdown, in-flight request draining, and cleanup hooks.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  tags:
+    - runtime
+    - node
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: runtime.process-exit
+    bind: issue
+emit:
+  finding:
+    category: security.reliability
+    severity: medium
+    confidence: 0.9
+    tags:
+      - runtime
+      - node
+  message:
+    title: Avoid `process.exit` in application code
+    summary: "`${captures.issue.text}` terminates the process abruptly and should be limited to CLI entrypoints."
+  remediation:
+    summary: Propagate errors to the caller or use graceful shutdown hooks instead of calling `process.exit`.

package/rules/typescript/ts.security.ajv-insecure-configuration.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Harden AJV compile options
   summary: AJV should not compile schemas with allErrors true unless strict mode is enabled.
   rationale: Missing strict-mode options historically enabled schema compilation DoS and unexpected coercion behavior.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
   tags:
     - security
     - validation
@@ -32,3 +41,4 @@ emit:
     summary: "${captures.issue.text} enables allErrors without strict, strictTypes, or strictSchema."
   remediation:
     summary: Enable AJV strict options appropriate to your major version and avoid compiling untrusted schemas with permissive settings.

package/rules/typescript/ts.security.angular-dom-sanitizer-bypass-untrusted-input.rule.yaml CHANGED Viewed

@@ -5,6 +5,18 @@ metadata:
   title: Avoid trusting unsanitized Angular bypass sinks
   summary: DomSanitizer bypass helpers should not receive route, storage, or request-derived values without validation.
   rationale: Bypass helpers disable Angular templating protections and turn downstream sinks into XSS execution points.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Angular security guide
+      url: https://angular.dev/best-practices/security
   tags:
     - security
     - angular
@@ -33,3 +45,4 @@ emit:
   remediation:
     summary: >-
       Keep sensitive markup on Angular-safe bindings or sanitize with a reviewed helper before calling bypassSecurityTrust helpers.

package/rules/typescript/ts.security.apollo-server-csrf-disabled.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Keep Apollo Server CSRF protections enabled
   summary: Apollo Server should not explicitly disable CSRF prevention for browser-accessible endpoints.
   rationale: GraphQL POST endpoints are vulnerable to cross-site writes when CSRF defenses are turned off.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-352
+      title: Cross-Site Request Forgery (CSRF)
+    - kind: owasp
+      title: Cross-Site Request Forgery Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Apollo Server security
+      url: https://www.apollographql.com/docs/apollo-server/security/security
   tags:
     - security
     - graphql
@@ -34,3 +49,4 @@ emit:
   remediation:
     summary: >-
       Remove `csrfPrevention: false` or replace it with an equivalent POST-only plus preflight strategy documented by Apollo.

package/rules/typescript/ts.security.apollo-server-graphql-dev-tooling-exposure.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Avoid shipping GraphQL dev landing or playground plugins without a production guard
   summary: Apollo Server dev landing pages, sandbox UIs, and GraphQL Playground-style plugins should not load unconditionally in production builds.
   rationale: Interactive GraphQL explorers widen attack surface and often expose schema details beyond what production APIs should advertise by default.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-400
+      title: Uncontrolled Resource Consumption
+    - kind: owasp
+      title: GraphQL Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Apollo Server security
+      url: https://www.apollographql.com/docs/apollo-server/security/security
   tags:
     - security
     - graphql
@@ -34,3 +49,4 @@ emit:
   remediation:
     summary: >-
       Load sandbox or local landing plugins only outside production, prefer `ApolloServerPluginLandingPageProductionDefault`, or disable interactive explorers behind authentication at the edge.

package/rules/typescript/ts.security.apollo-server-introspection-exposure.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Avoid unconditional GraphQL introspection
   summary: Apollo Server should not hard-enable introspection without environment guards.
   rationale: Introspection aids attackers in mapping schemas on production deployments.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-400
+      title: Uncontrolled Resource Consumption
+    - kind: owasp
+      title: GraphQL Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Apollo Server security
+      url: https://www.apollographql.com/docs/apollo-server/security/security
   tags:
     - security
     - graphql
@@ -33,3 +48,4 @@ emit:
     summary: Apollo Server enables introspection with a literal `true` flag.
   remediation:
     summary: Bind introspection to non-production environments or protect the endpoint behind authenticated tooling.

package/rules/typescript/ts.security.apollo-server-missing-query-limits.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Add GraphQL query depth or complexity controls
   summary: Apollo Server bootstrap should declare validation rules or plugins that bound query cost.
   rationale: Without depth, complexity, persisted operations, or gateway limits, GraphQL endpoints are easier to abuse with expensive queries.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-400
+      title: Uncontrolled Resource Consumption
+    - kind: owasp
+      title: GraphQL Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Apollo Server security
+      url: https://www.apollographql.com/docs/apollo-server/security/security
   tags:
     - security
     - graphql
@@ -33,3 +48,4 @@ emit:
     summary: Apollo Server is constructed without recognizable validation rules or protective plugins.
   remediation:
     summary: Add depth limits, query complexity rules, persisted operations, rate limits, or terminate behind a gateway/WAF that enforces GraphQL policies.

package/rules/typescript/ts.security.astro-vite-public-secret-define.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Astro and Vite define entries for import.meta.env.PUBLIC_* must not map to high-risk process.env secrets.
   rationale: >-
     PUBLIC_* keys are intended for browser-visible configuration; wiring database passwords or API secrets through vite.define exposes them to client bundles.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-798
+      title: Use of Hard-coded Credentials
+    - kind: owasp
+      title: Secrets Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
   tags:
     - security
     - astro
@@ -37,3 +49,4 @@ emit:
   remediation:
     summary: >-
       Keep secrets on the server, use private server-only env vars, and reserve PUBLIC_* keys for intentionally public identifiers such as analytics IDs.

package/rules/typescript/ts.security.bind-to-all-interfaces.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid binding to all interfaces
   summary: Network-facing services should not explicitly bind to every interface unless public exposure is intentional and protected.
   rationale: Binding to `0.0.0.0` or `::` can expose a service beyond the expected trust boundary and widen the reachable attack surface.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-668
+      title: Exposure of Resource to Wrong Sphere
+    - kind: url
+      title: CWE-668 Exposure of Resource to Wrong Sphere
+      url: https://cwe.mitre.org/data/definitions/668.html
   tags:
     - security
     - network
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` explicitly binds a network-facing service to every interface."
   remediation:
     summary: Bind to loopback or a specific interface unless public exposure is an intentional deployment requirement with compensating controls.

package/rules/typescript/ts.security.browser-token-storage.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid browser token storage
   summary: Access and session tokens should not be stored in long-lived browser storage.
   rationale: Long-lived browser storage exposes tokens to script access and increases the impact of XSS or device compromise.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-200
+      title: Exposure of Sensitive Information to an Unauthorized Actor
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
   tags:
     - security
     - authentication
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Keep tokens in HttpOnly cookies or in memory, and avoid long-lived cleartext browser storage.

package/rules/typescript/ts.security.dangerous-insert-html.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid unsafe DOM HTML insertion sinks
   summary: "`outerHTML`, `document.write*`, and `insertAdjacentHTML` should only receive fixed or explicitly sanitized HTML."
   rationale: HTML-capable DOM insertion sinks can execute attacker-controlled markup unless the HTML is fixed or strongly sanitized first.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - xss
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` uses an HTML-capable DOM sink with non-literal, non-sanitized content."
   remediation:
     summary: Insert text with safe DOM APIs, or pass only fixed or explicitly sanitized HTML to the sink.

package/rules/typescript/ts.security.dangerously-set-inner-html.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid unsafe `dangerouslySetInnerHTML`
   summary: React `dangerouslySetInnerHTML` should only render fixed or explicitly sanitized HTML.
   rationale: React bypasses its normal escaping model when `dangerouslySetInnerHTML` is used, which makes unsanitized HTML a direct XSS sink.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - xss
@@ -36,3 +45,4 @@ emit:
     summary: "`${captures.issue.text}` bypasses React escaping with non-literal, non-sanitized HTML."
   remediation:
     summary: Prefer normal React rendering, or pass only fixed or explicitly sanitized HTML to `dangerouslySetInnerHTML`.

package/rules/typescript/ts.security.datadog-browser-track-user-interactions.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Review Datadog RUM user interaction capture
   summary: Datadog Browser RUM should not enable broad user interaction capture without a privacy review.
   rationale: Automatic interaction capture can leak sensitive page content or element labels to third-party telemetry.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-200
+      title: Exposure of Sensitive Information to an Unauthorized Actor
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
   tags:
     - security
     - privacy
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Disable broad interaction capture or add explicit scrubbing and allowlisted action naming before enabling it.

package/rules/typescript/ts.security.debug-mode-enabled.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Do not expose debug routes or middleware in production
   summary: Debug handlers, stack-showing middleware, and diagnostic endpoints should stay behind explicit development-only guards.
   rationale: Debug endpoints and stack-showing middleware can disclose internal topology, environment details, and request data with very little attacker effort.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-209
+      title: Generation of Error Message Containing Sensitive Information
+    - kind: owasp
+      title: Error Handling Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
   tags:
     - security
     - express
@@ -36,3 +45,4 @@ emit:
     summary: "`${captures.issue.text}` enables debug or diagnostic exposure without a visible same-file development guard."
   remediation:
     summary: Wrap the registration in an explicit development-only guard or remove the endpoint or middleware from production builds.

package/rules/typescript/ts.security.debug-statement-in-source.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: "Remove leftover `console.trace` calls from production paths"
   summary: "`console.trace()` calls should not ship in production code outside an explicit dev-only branch."
   rationale: "`console.trace` dumps a stack trace to stdout/stderr and is almost always leftover developer instrumentation. Stack traces in shipped output disclose internal call structure and inflate logs."
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-209
+      title: Generation of Error Message Containing Sensitive Information
+    - kind: owasp
+      title: Error Handling Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
   tags:
     - security
     - logging
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` is leftover developer instrumentation that ships a stack trace to stdout or stderr."
   remediation:
     summary: Remove the call or guard it behind an explicit dev-only check (`process.env.NODE_ENV !== 'production'`, `import.meta.env.DEV`, or `__DEV__`).

package/rules/typescript/ts.security.dynamodb-query-injection.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid request-driven DynamoDB queries
   summary: DynamoDB query and scan inputs should not be built directly from request input.
   rationale: Raw request data in DynamoDB helpers can widen query scope or let attackers control expressions, filters, and key conditions.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-89
+      title: SQL Injection
+    - kind: owasp
+      title: SQL Injection Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
   tags:
     - security
     - injection
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` receives request-controlled DynamoDB input without narrowing it to trusted expressions or key maps."
   remediation:
     summary: Build DynamoDB requests from fixed expressions and allowlisted fields instead of forwarding request-shaped input.

package/rules/typescript/ts.security.electron-dangerous-webpreferences.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Harden Electron webPreferences
   summary: Electron renderers should not run with unsafe webPreferences that weaken isolation or transport protection.
   rationale: Options such as nodeIntegration, contextIsolation, and webSecurity directly control whether renderer compromise becomes host compromise.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-749
+      title: Exposed Dangerous Method or Function
+    - kind: url
+      title: Electron Security
+      url: https://www.electronjs.org/docs/latest/tutorial/security
   tags:
     - security
     - electron
@@ -33,3 +42,4 @@ emit:
     summary: "${captures.issue.text} weakens Electron renderer isolation or transport protection."
   remediation:
     summary: Keep contextIsolation and webSecurity enabled, disable nodeIntegration and enableRemoteModule, and prefer sandbox true.

package/rules/typescript/ts.security.electron-insecure-local-state.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid storing secrets in Electron local stores without hardening
   summary: electron-store writes that look like credentials should use OS-level secret storage instead.
   rationale: Local JSON stores are readable by other processes and backups unless encrypted with platform APIs.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-749
+      title: Exposed Dangerous Method or Function
+    - kind: url
+      title: Electron Security
+      url: https://www.electronjs.org/docs/latest/tutorial/security
   tags:
     - security
     - electron
@@ -33,3 +42,4 @@ emit:
     summary: "${captures.issue.text} persists sensitive-looking data through electron-store."
   remediation:
     summary: Prefer OS keychains, encrypted vaults, or short-lived session material instead of long-lived plaintext secrets on disk.

package/rules/typescript/ts.security.electron-missing-ipc-origin-check.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Validate IPC sender origins in Electron
   summary: Privileged ipcMain handlers should validate event.sender origins before acting.
   rationale: Missing origin checks let any loaded renderer invoke privileged main-process behavior.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-749
+      title: Exposed Dangerous Method or Function
+    - kind: url
+      title: Electron Security
+      url: https://www.electronjs.org/docs/latest/tutorial/security
   tags:
     - security
     - electron
@@ -33,3 +42,4 @@ emit:
     summary: "${captures.issue.text} handles privileged IPC without validating the sender frame origin."
   remediation:
     summary: Assert trusted origins or channels before running privileged logic and reject unexpected senders early.

package/rules/typescript/ts.security.electron-shell-open-external-unvalidated.rule.yaml CHANGED Viewed

@@ -5,6 +5,18 @@ metadata:
   title: Do not open external URLs from request data in Electron
   summary: shell.openExternal should not receive request-controlled URLs without validation.
   rationale: Open redirects and SSRF-style flows in the main process can pivot to arbitrary system browsers or handlers.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-78
+      title: OS Command Injection
+    - kind: owasp
+      title: OS Command Injection Defense Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
+    - kind: url
+      title: Electron security tutorial
+      url: https://www.electronjs.org/docs/latest/tutorial/security
   tags:
     - security
     - electron
@@ -33,3 +45,4 @@ emit:
     summary: "${captures.issue.text} opens a URL derived from request-controlled input."
   remediation:
     summary: Allowlist URL schemes and hosts, normalize targets, and block private IP ranges before calling openExternal.

package/rules/typescript/ts.security.exposed-directory-listing.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid exposed directory listings
   summary: Directory listing middleware should not be enabled on public paths without a deliberate review.
   rationale: Directory listings expose internal file names and make unintended resources easier to discover and fetch.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
   tags:
     - security
     - express
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Remove directory listing middleware or protect it behind strict authorization and path scoping.