@critiq/rules 0.1.0 → 0.3.0

package/rules/typescript/ts.security.express-cookie-missing-http-only.rule.yaml

@@ -5,6 +5,21 @@ metadata:
   title: Set `HttpOnly` on Express session cookies
   summary: Express session and cookie-session configs should not disable the `HttpOnly` flag.
   rationale: Script-readable session cookies are easier to steal after an XSS bug.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-614
+      title: Sensitive Cookie Without Secure Attribute
+    - kind: owasp
+      title: Session Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Express production security best practices
+      url: https://expressjs.com/en/advanced/best-practice-security.html
   tags:
     - security
     - authentication
@@ -34,3 +49,4 @@ emit:
     summary: "`${captures.issue.text}` disables the `HttpOnly` cookie flag in Express session configuration."
   remediation:
     summary: "Set `httpOnly: true` so browser scripts cannot read the session cookie."
+

package/rules/typescript/ts.security.express-default-cookie-config.rule.yaml

@@ -5,6 +5,21 @@ metadata:
   title: Override Express cookie defaults
   summary: Express session cookie settings should not omit explicit lifetime, scope, and transport attributes.
   rationale: Implicit cookie defaults vary by middleware and make auth state harder to audit consistently.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-614
+      title: Sensitive Cookie Without Secure Attribute
+    - kind: owasp
+      title: Session Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Express production security best practices
+      url: https://expressjs.com/en/advanced/best-practice-security.html
   tags:
     - security
     - authentication
@@ -37,3 +52,4 @@ emit:
   remediation:
     summary: Set explicit cookie lifetime, scope, and transport attributes instead of relying on middleware defaults.
 
+

package/rules/typescript/ts.security.express-default-session-config.rule.yaml

@@ -5,6 +5,21 @@ metadata:
   title: Override Express session defaults
   summary: Express session middleware should not rely on default session naming and configuration.
   rationale: Default session settings make applications easier to fingerprint and often skip explicit hardening choices.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-614
+      title: Sensitive Cookie Without Secure Attribute
+    - kind: owasp
+      title: Session Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Express production security best practices
+      url: https://expressjs.com/en/advanced/best-practice-security.html
   tags:
     - security
     - authentication
@@ -35,3 +50,4 @@ emit:
   remediation:
     summary: Set an explicit session name and hardening options instead of relying on middleware defaults.
 
+

package/rules/typescript/ts.security.express-error-handler-information-disclosure.rule.yaml

@@ -5,6 +5,21 @@ metadata:
   title: Avoid returning raw errors from Express error middleware
   summary: Express error handlers should not send the err object directly to clients in production paths.
   rationale: Returning raw errors leaks stack traces, internal identifiers, and implementation details to attackers.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-209
+      title: Generation of Error Message Containing Sensitive Information
+    - kind: owasp
+      title: Error Handling Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Express production security best practices
+      url: https://expressjs.com/en/advanced/best-practice-security.html
   tags:
     - security
     - express
@@ -33,3 +48,4 @@ emit:
     summary: "${captures.issue.text} forwards the caught error directly to res.send or res.json."
   remediation:
     summary: Log detailed errors server-side and return stable, generic client responses with correlation identifiers.
+

package/rules/typescript/ts.security.express-insecure-cookie.rule.yaml

@@ -5,6 +5,21 @@ metadata:
   title: Set `Secure` on Express session cookies
   summary: Express session and cookie-session configs should not disable the `Secure` flag.
   rationale: Cookies sent over non-HTTPS transport are easier to intercept or replay.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-614
+      title: Sensitive Cookie Without Secure Attribute
+    - kind: owasp
+      title: Session Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Express production security best practices
+      url: https://expressjs.com/en/advanced/best-practice-security.html
   tags:
     - security
     - authentication
@@ -34,3 +49,4 @@ emit:
     summary: "`${captures.issue.text}` disables the `Secure` cookie flag in Express session configuration."
   remediation:
     summary: "Set `secure: true` and serve the cookie only over HTTPS."
+

package/rules/typescript/ts.security.express-missing-helmet.rule.yaml

@@ -5,6 +5,21 @@ metadata:
   title: Apply Helmet to Express apps
   summary: Express apps should use Helmet or equivalent header hardening middleware.
   rationale: Helmet packages several response-header protections that are easy to miss or drift when managed ad hoc.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Express production security best practices
+      url: https://expressjs.com/en/advanced/best-practice-security.html
   tags:
     - security
     - express
@@ -35,3 +50,4 @@ emit:
   remediation:
     summary: Apply `helmet()` or an equivalent set of header protections near application startup.
 
+

package/rules/typescript/ts.security.express-nosql-injection.rule.yaml

@@ -5,6 +5,21 @@ metadata:
   title: Avoid request-driven model queries
   summary: Express handlers should not pass raw request objects into NoSQL filters, query helpers, or aggregation pipelines.
   rationale: Request-shaped filters, operators, or pipelines can expand query scope and inject unintended behavior.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-89
+      title: SQL Injection
+    - kind: owasp
+      title: SQL Injection Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Express production security best practices
+      url: https://expressjs.com/en/advanced/best-practice-security.html
   tags:
     - security
     - injection
@@ -34,3 +49,4 @@ emit:
     summary: "`${captures.issue.text}` receives request-controlled query input without an allowlisted query or pipeline shape."
   remediation:
     summary: Build the NoSQL query or aggregation pipeline from fixed fields or validated filter builders instead of passing request data directly.
+

package/rules/typescript/ts.security.express-permissive-cookie-config.rule.yaml

@@ -5,6 +5,21 @@ metadata:
   title: Avoid permissive Express session cookie scope
   summary: Express session cookies should not explicitly opt into cross-site or wildcard-style scope.
   rationale: Broad cookie scope increases where session cookies are sent and makes cross-site misuse harder to contain.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-614
+      title: Sensitive Cookie Without Secure Attribute
+    - kind: owasp
+      title: Session Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Express production security best practices
+      url: https://expressjs.com/en/advanced/best-practice-security.html
   tags:
     - security
     - authentication
@@ -36,3 +51,4 @@ emit:
     summary: "`${captures.issue.text}` explicitly widens session cookie scope with cross-site or wildcard-style settings."
   remediation:
     summary: Prefer exact cookie domains and `SameSite=Lax` or `Strict` unless a reviewed cross-site requirement exists.
+

package/rules/typescript/ts.security.express-permissive-cors.rule.yaml

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.express-permissive-cors
+  title: Do not combine permissive CORS origins with credentials
+  summary: CORS middleware must not reflect every origin or use a wildcard while `credentials` is enabled.
+  rationale: Allowing credentials with wildcard or reflected origins lets untrusted sites read authenticated browser responses.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-942
+      title: Permissive Cross-domain Policy with Untrusted Domains
+    - kind: owasp
+      title: Cross-Origin Resource Sharing (CORS)
+      url: https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Express production security best practices
+      url: https://expressjs.com/en/advanced/best-practice-security.html
+  tags:
+    - security
+    - express
+    - cors
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.express-permissive-cors
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - express
+      - cors
+  message:
+    title: Restrict CORS origins when `${captures.issue.text}` sends credentials
+    summary: "`${captures.issue.text}` enables credentials with a wildcard, implicit, or reflected origin policy."
+  remediation:
+    summary: Use an explicit trusted-origin allowlist and disable credentials unless every allowed origin is intentional.
+

package/rules/typescript/ts.security.express-reduce-fingerprint.rule.yaml

@@ -5,6 +5,21 @@ metadata:
   title: Reduce Express fingerprinting
   summary: Express apps should disable `x-powered-by` or equivalent fingerprinting headers.
   rationale: Framework fingerprinting gives attackers unnecessary detail about the stack they are targeting.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Express production security best practices
+      url: https://expressjs.com/en/advanced/best-practice-security.html
   tags:
     - security
     - express
@@ -35,3 +50,4 @@ emit:
   remediation:
     summary: Disable `x-powered-by` or use equivalent middleware to reduce framework fingerprinting.
 
+

package/rules/typescript/ts.security.express-static-assets-after-session.rule.yaml

@@ -5,6 +5,21 @@ metadata:
   title: Serve static assets before session middleware
   summary: Static assets should be mounted before session middleware when they do not need session state.
   rationale: Serving public assets after session middleware broadens the session surface and adds unnecessary auth-state handling to static traffic.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-614
+      title: Sensitive Cookie Without Secure Attribute
+    - kind: owasp
+      title: Session Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Express production security best practices
+      url: https://expressjs.com/en/advanced/best-practice-security.html
   tags:
     - security
     - express
@@ -35,3 +50,4 @@ emit:
   remediation:
     summary: Mount `express.static()` before session middleware unless the static path genuinely requires session state.
 
+

package/rules/typescript/ts.security.express-static-dotfiles-allow.rule.yaml

@@ -5,6 +5,21 @@ metadata:
   title: Do not allow dotfiles in Express static middleware
   summary: express.static should not serve dotfiles from disk unless explicitly required and reviewed.
   rationale: Allowing dotfiles can expose hidden configuration and secrets through the static file middleware.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Express production security best practices
+      url: https://expressjs.com/en/advanced/best-practice-security.html
   tags:
     - security
     - express
@@ -33,3 +48,4 @@ emit:
     summary: "${captures.issue.text} is configured with dotfiles allow, which can leak hidden files."
   remediation:
     summary: Use the default dotfiles ignore behavior or serve dotfiles from a tightly scoped directory with access controls.
+

package/rules/typescript/ts.security.express-unbounded-body-parser.rule.yaml

@@ -5,6 +5,21 @@ metadata:
   title: Set explicit Express body parser and multer size limits
   summary: Express and Body Parser middleware plus Multer should declare explicit payload limits.
   rationale: Default limits drift across frameworks and deployments; explicit caps reduce oversized-request abuse.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Express production security best practices
+      url: https://expressjs.com/en/advanced/best-practice-security.html
   tags:
     - security
     - express
@@ -32,3 +47,4 @@ emit:
     summary: "`${captures.issue.text}` runs without visible size limits."
   remediation:
     summary: Pass `limit` options to JSON/urlencoded/raw/text parsers and `limits.fileSize` (or equivalent) to Multer.
+

package/rules/typescript/ts.security.express-user-controlled-static-mount.rule.yaml

@@ -5,6 +5,21 @@ metadata:
   title: Avoid request-controlled Express static mount paths
   summary: The path prefix for express.static should not be derived directly from request objects.
   rationale: User-controlled mount paths can collapse routing assumptions and expose unintended directories.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-22
+      title: Path Traversal
+    - kind: owasp
+      title: Path Traversal
+      url: https://owasp.org/www-community/attacks/Path_Traversal
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Express production security best practices
+      url: https://expressjs.com/en/advanced/best-practice-security.html
   tags:
     - security
     - express
@@ -33,3 +48,4 @@ emit:
     summary: "${captures.issue.text} mounts express.static under a request-derived URL prefix."
   remediation:
     summary: Use fixed, reviewed path prefixes and map external identifiers to internal paths through an allowlist.
+

package/rules/typescript/ts.security.external-file-upload.rule.yaml

@@ -5,6 +5,15 @@ metadata:
   title: Do not persist upload filenames directly
   summary: Upload handlers should not store attacker-controlled filenames without generating or validating a safe local name.
   rationale: Upload filenames can carry traversal payloads, collisions, or misleading extensions that break local containment.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
   tags:
     - security
     - filesystem
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` persists an upload filename derived from attacker-controlled input."
   remediation:
     summary: Generate a server-side filename or apply a strict allowlist before storing uploaded content.
+

package/rules/typescript/ts.security.fastify-excessive-body-limit.rule.yaml

@@ -5,6 +5,21 @@ metadata:
   title: Avoid excessive Fastify body limits
   summary: Fastify applications should not disable body limits or configure unusually large defaults without compensating controls.
   rationale: Oversized bodies amplify denial-of-service risk on services without upstream buffering limits.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Fastify recommendations
+      url: https://fastify.dev/docs/latest/Guides/Recommendation/
   tags:
     - security
     - fastify
@@ -32,3 +47,4 @@ emit:
     summary: Fastify is configured with an oversized or disabled bodyLimit.
   remediation:
     summary: Lower `bodyLimit`, enforce route-specific caps, or terminate traffic behind an API gateway or proxy that caps body size.
+

package/rules/typescript/ts.security.fastify-public-bind-without-trust-proxy.rule.yaml

@@ -7,6 +7,21 @@ metadata:
     Fastify instances listening on all interfaces should enable trustProxy or terminate behind a reverse proxy you register in code.
   rationale: >-
     Without trustProxy, client IP and protocol metadata from an edge proxy are easy to misread, and public binds amplify exposure when the process is not intentionally perimeter-hardened.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-668
+      title: Exposure of Resource to Wrong Sphere
+    - kind: url
+      title: CWE-668 Exposure of Resource to Wrong Sphere
+      url: https://cwe.mitre.org/data/definitions/668.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Fastify recommendations
+      url: https://fastify.dev/docs/latest/Guides/Recommendation/
   tags:
     - security
     - fastify
@@ -36,3 +51,4 @@ emit:
   remediation:
     summary: >-
       Set trustProxy when running behind a reverse proxy, prefer non-public bind addresses in development, or register an explicit Fastify proxy plugin so client metadata and TLS termination assumptions stay correct.
+

package/rules/typescript/ts.security.file-generation.rule.yaml

@@ -5,6 +5,15 @@ metadata:
   title: Constrain local file generation paths
   summary: Local file writes should not derive their destination path from request or upload input.
   rationale: Attacker-controlled write paths can overwrite local state, escape intended directories, or create files in sensitive locations.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
   tags:
     - security
     - filesystem
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` writes to a path derived from external input without a trusted local filename."
   remediation:
     summary: Generate the destination name on the server or constrain writes to an allowlisted directory and filename set.
+

package/rules/typescript/ts.security.format-string-using-user-input.rule.yaml

@@ -5,6 +5,15 @@ metadata:
   title: Avoid request-controlled format strings
   summary: Logging and formatting helpers should not take request input as the format string itself.
   rationale: Request-controlled format strings can corrupt logs, leak structure, or produce unexpected formatting behavior.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
   tags:
     - security
     - logging
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` uses request-controlled input as the formatting template."
   remediation:
     summary: Keep the format string fixed and pass request data as ordinary arguments or structured fields.
+

package/rules/typescript/ts.security.frontend-only-authorization.rule.yaml

@@ -5,6 +5,15 @@ metadata:
   title: Authorization enforced only on frontend
   summary: Backend routes should enforce authorization directly instead of relying on frontend gating alone.
   rationale: Frontend checks are easy to bypass, so sensitive routes need server-side authorization on the backend path itself.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-862
+      title: Missing Authorization
+    - kind: owasp
+      title: Authorization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
   tags:
     - security
     - authorization
@@ -33,3 +42,4 @@ emit:
     summary: "Route `${captures.issue.text}` appears gated in frontend code but not on the backend handler."
   remediation:
     summary: Add a backend authorization or permission check on the matching route handler.
+

package/rules/typescript/ts.security.graphql-upload-without-csrf-guard.rule.yaml

@@ -5,6 +5,21 @@ metadata:
   title: Pair GraphQL multipart uploads with CSRF-safe server posture
   summary: Legacy GraphQL multipart upload helpers should not run alongside Apollo Server configurations that disable CSRF protections.
   rationale: Multipart GraphQL requests complicate browser CSRF defenses; when Apollo CSRF prevention is explicitly disabled, upload middleware is a high-risk combination for cross-site writes.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: Apollo Server security
+      url: https://www.apollographql.com/docs/apollo-server/security/security
   tags:
     - security
     - graphql
@@ -34,3 +49,4 @@ emit:
   remediation:
     summary: >-
       Keep Apollo csrfPrevention enabled (default in supported releases), add an explicit preflight header policy, or move uploads behind authenticated, non-browser APIs.
+

package/rules/typescript/ts.security.handlebars-no-escape.rule.yaml

@@ -5,6 +5,15 @@ metadata:
   title: Keep Handlebars escaping enabled at template trust boundaries
   summary: "Server-side Handlebars compilation should not disable HTML escaping with `noEscape: true`."
   rationale: Disabling Handlebars escaping weakens the template trust boundary and can turn server-rendered output into attacker-controlled HTML.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - xss
@@ -36,3 +45,4 @@ emit:
     summary: "`${captures.issue.text}` disables Handlebars escaping at a server-template trust boundary."
   remediation:
     summary: Leave Handlebars escaping enabled, or treat raw HTML rendering as an explicit, narrowly reviewed trust boundary.
+

package/rules/typescript/ts.security.hardcoded-auth-secret.rule.yaml

@@ -5,6 +5,15 @@ metadata:
   title: Avoid hardcoded auth secrets
   summary: JWT, session, and strategy secrets should not be embedded directly in source code.
   rationale: Hardcoded auth secrets are hard to rotate and are exposed whenever the codebase or build artifacts leak.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-798
+      title: Use of Hard-coded Credentials
+    - kind: owasp
+      title: Secrets Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
   tags:
     - security
     - authentication
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Load the secret from environment-backed configuration or a secret manager and rotate the exposed value.
 
+

package/rules/typescript/ts.security.iframe-missing-sandbox-attribute.rule.yaml

@@ -5,6 +5,15 @@ metadata:
   title: Add a sandbox attribute to iframes
   summary: Intrinsic iframe elements should declare a sandbox attribute to reduce blast radius.
   rationale: Sandboxed iframes limit scripts, forms, and top-level navigation when embedded third-party content is compromised.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
   tags:
     - security
     - react
@@ -33,3 +42,4 @@ emit:
     summary: "${captures.issue.text} is missing a sandbox attribute."
   remediation:
     summary: Add the most restrictive sandbox token set that still allows required behavior, and combine with a strict CSP.
+

package/rules/typescript/ts.security.import-using-user-input.rule.yaml

@@ -5,6 +5,15 @@ metadata:
   title: Constrain module-loading trust boundaries
   summary: "`require()` and dynamic `import()` should not resolve modules from untrusted input."
   rationale: Untrusted module paths let attackers steer module-loading boundaries toward unintended files, packages, or plugins.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-78
+      title: OS Command Injection
+    - kind: owasp
+      title: OS Command Injection Defense Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
   tags:
     - security
     - execution
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` crosses a module-loading trust boundary with untrusted input."
   remediation:
     summary: Resolve modules from a fixed allowlist or explicit dispatcher instead of untrusted request or event data.
+