npm - @critiq/rules - Versions diffs - 0.1.0 → 0.3.0 - Mend

@critiq/rules 0.1.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (495) hide show

package/rules/typescript/ts.security.no-dynamic-execution.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Eval or dynamic code execution
   summary: Eval-like helpers, `vm` execution APIs, and string-evaluated timers should not execute dynamic code.
   rationale: Dynamic execution turns data into code, widens the attack surface, and bypasses normal control flow.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-94
+      title: Improper Control of Generation of Code
+    - kind: owasp
+      title: Code Injection
+      url: https://owasp.org/www-community/attacks/Code_Injection
   tags:
     - security
     - execution
@@ -32,3 +41,4 @@ emit:
     summary: "`${captures.issue.text}` executes dynamic code and should be replaced with a safer alternative."
   remediation:
     summary: Replace dynamic execution with explicit parsing, fixed dispatch tables, or normal function callbacks.

package/rules/typescript/ts.security.no-fs-readfile-sync-in-handler.rule.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-fs-readfile-sync-in-handler
+  title: Avoid synchronous file reads in HTTP handlers
+  summary: Request handlers should not call `readFileSync` or equivalent blocking file APIs.
+  rationale: Blocking disk I/O inside request handlers stalls the Node.js event loop and hurts availability under load.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  tags:
+    - security
+    - express
+    - performance
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.readfile-sync-in-request-handler
+    bind: issue
+emit:
+  finding:
+    category: security.availability
+    severity: medium
+    confidence: 0.86
+    tags:
+      - security
+      - express
+      - filesystem
+  message:
+    title: Replace blocking file read `${captures.issue.text}` in this handler
+    summary: "`${captures.issue.text}` performs synchronous disk I/O on the request path."
+  remediation:
+    summary: Use `fs.promises.readFile`, streams, or preload static assets outside the hot request path.

package/rules/typescript/ts.security.no-global-native-reassignment.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-global-native-reassignment
+  title: Do not reassign global native bindings
+  summary: Do not assign to global native bindings such as `Object`, `Array`, or `undefined`.
+  rationale: Reassigning global natives breaks language invariants and can disable security checks that rely on them.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-94
+      title: Improper Control of Generation of Code
+    - kind: owasp
+      title: Code Injection
+      url: https://owasp.org/www-community/attacks/Code_Injection
+  tags:
+    - security
+    - language
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.global-native-reassignment
+    bind: issue
+emit:
+  finding:
+    category: security.language
+    severity: high
+    confidence: 0.97
+    tags:
+      - security
+      - language
+  message:
+    title: Do not reassign global native bindings
+    summary: "`${captures.issue.text}` reassigns a global native binding and can break runtime guarantees."
+  remediation:
+    summary: Use local variables with distinct names instead of overwriting global natives.

package/rules/typescript/ts.security.no-innerhtml-assignment.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid unsafe `innerHTML` assignment
   summary: "`innerHTML` assignments should only use fixed or explicitly sanitized HTML."
   rationale: Direct HTML injection can allow untrusted or weakly reviewed content to execute in the browser.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - output-encoding
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` inserts non-literal, non-sanitized HTML into `innerHTML`."
   remediation:
     summary: Prefer text-only rendering APIs or assign only fixed or explicitly sanitized HTML.

package/rules/typescript/ts.security.no-javascript-url.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-javascript-url
+  title: Avoid `javascript:` URLs
+  summary: Do not use `javascript:` URLs in string literals, template literals, or JSX link attributes.
+  rationale: "`javascript:` URLs execute attacker-controlled code when used as navigation targets."
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+  tags:
+    - security
+    - xss
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.javascript-url
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: high
+    confidence: 0.94
+    tags:
+      - security
+      - xss
+  message:
+    title: "Avoid `javascript:` URLs"
+    summary: "`${captures.issue.text}` uses a `javascript:` URL that can execute arbitrary script."
+  remediation:
+    summary: "Use safe HTTPS links, in-app handlers, or explicit event callbacks instead of `javascript:` URLs."

package/rules/typescript/ts.security.no-native-prototype-extension.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-native-prototype-extension
+  title: Do not extend native prototypes
+  summary: Do not assign properties on built-in prototype objects such as `Array.prototype`.
+  rationale: Mutating native prototypes affects every consumer of that type and can introduce subtle security bugs across the runtime.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-94
+      title: Improper Control of Generation of Code
+    - kind: owasp
+      title: Code Injection
+      url: https://owasp.org/www-community/attacks/Code_Injection
+  tags:
+    - security
+    - language
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.native-prototype-extension
+    bind: issue
+emit:
+  finding:
+    category: security.language
+    severity: high
+    confidence: 0.96
+    tags:
+      - security
+      - language
+  message:
+    title: Do not extend native prototypes
+    summary: "`${captures.issue.text}` mutates a built-in prototype and can change behavior globally."
+  remediation:
+    summary: Use utility functions or wrapper types instead of modifying native prototypes.

package/rules/typescript/ts.security.no-sync-child-process-exec.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-sync-child-process-exec
+  title: Avoid synchronous child process execution with dynamic commands
+  summary: execSync and spawnSync should not run commands built from variables or template strings.
+  rationale: Synchronous shell execution blocks the event loop and dynamic command strings are a common command-injection surface.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-78
+      title: OS Command Injection
+    - kind: owasp
+      title: OS Command Injection Defense Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
+  tags:
+    - security
+    - express
+    - child-process
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.sync-child-process-exec
+    bind: issue
+emit:
+  finding:
+    category: security.command-injection
+    severity: high
+    confidence: 0.88
+    tags:
+      - security
+      - child-process
+  message:
+    title: Avoid synchronous shell execution in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` runs a child process synchronously with a non-literal command string."
+  remediation:
+    summary: Prefer async APIs with fixed command allowlists, or validate and normalize inputs before invoking shell commands.

package/rules/typescript/ts.security.no-throw-literal.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-throw-literal
+  title: Throw `Error` objects instead of literals
+  summary: Only throw `Error` instances (or subclasses), not strings, numbers, or plain objects.
+  rationale: Throwing literals loses stack traces and makes error handling inconsistent across callers.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  tags:
+    - security
+    - reliability
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.throw-literal
+    bind: issue
+emit:
+  finding:
+    category: security.reliability
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - reliability
+  message:
+    title: Throw an `Error` instead of a literal
+    summary: "`${captures.issue.text}` throws a non-`Error` value that is harder to inspect and handle safely."
+  remediation:
+    summary: Throw `new Error(...)` or a typed error subclass with a clear message.

package/rules/typescript/ts.security.no-with-statement.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-with-statement
+  title: Avoid `with` statements
+  summary: "`with` statements make binding resolution unpredictable and are disallowed in strict mode."
+  rationale: The `with` statement introduces dynamic scope and makes static analysis, optimization, and security review unreliable.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-94
+      title: Improper Control of Generation of Code
+    - kind: owasp
+      title: Code Injection
+      url: https://owasp.org/www-community/attacks/Code_Injection
+  tags:
+    - security
+    - language
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.with-statement
+    bind: issue
+emit:
+  finding:
+    category: security.language
+    severity: high
+    confidence: 0.98
+    tags:
+      - security
+      - language
+  message:
+    title: Avoid `with` statements
+    summary: "`${captures.issue.text}` uses a `with` statement that makes binding resolution unpredictable."
+  remediation:
+    summary: Replace the `with` block with explicit property access on a named object.

package/rules/typescript/ts.security.non-literal-fs-filename.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid attacker-controlled filesystem read paths
   summary: Direct filesystem read APIs should not consume request- or upload-controlled filenames.
   rationale: Dynamic read paths can expose unintended local files or bypass expected file-selection constraints.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
   tags:
     - security
     - filesystem
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` reads from a filename derived from external input."
   remediation:
     summary: Resolve reads from a trusted allowlist or a validated server-controlled mapping instead of external filenames.

package/rules/typescript/ts.security.nuxt-public-runtime-secret.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Sensitive credentials must not be exposed through runtimeConfig.public, which is visible to client bundles.
   rationale: >-
     Nuxt exposes runtimeConfig.public to the browser; placing secret material there leaks API keys, database passwords, and signing material to every visitor.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-798
+      title: Use of Hard-coded Credentials
+    - kind: owasp
+      title: Secrets Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
   tags:
     - security
     - nuxt
@@ -36,3 +48,4 @@ emit:
   remediation:
     summary: >-
       Keep secrets in the private runtimeConfig tree (non-public) and expose only publishable identifiers to the client after reviewing Nuxt runtime config documentation.

package/rules/typescript/ts.security.observable-timing-discrepancy.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Use constant-time secret comparison
   summary: Secrets and tokens should not be compared with ordinary equality operators.
   rationale: Ordinary string comparison can leak timing differences that help attackers guess secret material.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
   tags:
     - security
     - cryptography
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Use a constant-time comparison helper such as `crypto.timingSafeEqual` for secrets, tokens, and password hashes.

package/rules/typescript/ts.security.open-redirect.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Open redirect via request-controlled target
   summary: Redirect and navigation sinks should not use request-controlled destinations without validation.
   rationale: Redirect targets that are derived from user input can send authenticated users to attacker-controlled destinations.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-601
+      title: URL Redirection to Untrusted Site
+    - kind: owasp
+      title: Unvalidated Redirects and Forwards Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
   tags:
     - security
     - input-validation
@@ -37,3 +46,4 @@ emit:
   remediation:
     summary: Normalize the target to an internal path or validate it against a trusted origin allowlist before redirecting.

package/rules/typescript/ts.security.permissive-allow-origin.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Do not allow every origin in CORS policy
   summary: CORS should not fall back to wildcard or implicit allow-all origin settings.
   rationale: Wildcard or implicit allow-all CORS policies expose authenticated browser responses across origins.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-942
+      title: Permissive Cross-domain Policy with Untrusted Domains
+    - kind: owasp
+      title: Cross-Origin Resource Sharing (CORS)
+      url: https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
   tags:
     - security
     - cors
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` allows any origin through wildcard or implicit CORS policy."
   remediation:
     summary: Configure an explicit allowlist or validated origin callback instead of allowing all origins.

package/rules/typescript/ts.security.permissive-file-permissions.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid permissive file modes
   summary: Files that can carry user or security data should not be created with world-accessible modes.
   rationale: Broad file permissions expose application data to local users or processes that should not read or modify it.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-732
+      title: Incorrect Permission Assignment for Critical Resource
+    - kind: owasp
+      title: File Permission
+      url: https://owasp.org/www-community/vulnerabilities/Improper_File_Permissions
   tags:
     - security
     - filesystem
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Use the minimum required file mode and remove world-readable or world-writable bits.

package/rules/typescript/ts.security.postmessage-wildcard-origin.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid wildcard `postMessage` targets
   summary: "`postMessage` calls should not use `*` as the target origin when they carry application data."
   rationale: Wildcard targets allow the browser to deliver the message to any origin that receives the window reference.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - browser
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` uses `*` as the `postMessage` target origin."
   remediation:
     summary: Set the target origin to a strict expected origin instead of `*`.

package/rules/typescript/ts.security.predictable-token-generation.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid predictable token generation
   summary: Tokens, reset links, and session secrets should be generated from cryptographically strong randomness.
   rationale: Predictable token material makes it easier to guess reset links, invite codes, and session secrets.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-287
+      title: Improper Authentication
+    - kind: owasp
+      title: JSON Web Token Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
   tags:
     - security
     - authentication
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` builds a token-like value from predictable inputs."
   remediation:
     summary: Generate the value with `crypto.randomBytes`, `crypto.randomUUID`, or an approved secure token source.

package/rules/typescript/ts.security.raw-html-using-user-input.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid raw HTML with request input
   summary: Request-derived values should not be interpolated into raw HTML strings.
   rationale: Raw HTML construction with request data is a common path to reflected and stored XSS.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - xss
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Use framework escaping, a trusted sanitizer, or safe DOM APIs instead of raw HTML interpolation.

package/rules/typescript/ts.security.request-driven-array-index-access.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid request-driven array indexing without bounds checks
   summary: Arrays indexed with request-derived keys can read or write out-of-bounds entries.
   rationale: Attacker-controlled indexes bypass assumptions about array length and element initialization.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
   tags:
     - security
     - correctness
@@ -31,3 +40,4 @@ emit:
     summary: "Array access uses a computed index derived from ${captures.issue.text}."
   remediation:
     summary: Parse and bound-check indexes, prefer maps keyed by stable identifiers, or avoid indexing arrays with request data.

package/rules/typescript/ts.security.sensitive-data-egress.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Sensitive data egress to third-party processors
   summary: Sensitive values should not be sent to external processors or outbound SDKs without minimization or redaction.
   rationale: Sending regulated or secret data to third-party services increases privacy exposure and creates downstream processor risk.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-200
+      title: Exposure of Sensitive Information to an Unauthorized Actor
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
   tags:
     - security
     - privacy
@@ -35,3 +44,4 @@ emit:
     summary: "`${captures.issue.text}` sends normalized sensitive datatypes to an outbound processor or external service."
   remediation:
     summary: Minimize the payload, redact the sensitive fields, or route the data only to approved processors.

package/rules/typescript/ts.security.sensitive-data-in-exception.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid sensitive data in thrown errors
   summary: Exceptions and rejection payloads should not include raw secrets or personal data.
   rationale: Exception payloads often reach logs, APM tools, and client responses with less review than normal business data.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-200
+      title: Exposure of Sensitive Information to an Unauthorized Actor
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
   tags:
     - security
     - privacy
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Replace raw secrets and personal data with opaque identifiers or redacted summaries before throwing or rejecting.

package/rules/typescript/ts.security.sensitive-data-written-to-file.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid writing sensitive data to files
   summary: Data exports and local file writes should not persist raw secrets or personal fields.
   rationale: Static files, exports, and backups are easy to copy or retain beyond their intended lifetime.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-200
+      title: Exposure of Sensitive Information to an Unauthorized Actor
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
   tags:
     - security
     - privacy
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Redact, hash, or exclude the sensitive fields before writing the file.

package/rules/typescript/ts.security.ssrf.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Server-side request forgery
   summary: Outbound requests should not use attacker-controlled targets or private hosts.
   rationale: Request-controlled targets can force the server to call internal services, metadata endpoints, or attacker-controlled infrastructure.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-918
+      title: Server-Side Request Forgery (SSRF)
+    - kind: owasp
+      title: Server-Side Request Forgery
+      url: https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
   tags:
     - security
     - network
@@ -33,3 +42,4 @@ emit:
     summary: "`${captures.ssrfCall.text}` sends an outbound request to a request-controlled or private target."
   remediation:
     summary: Resolve URLs against a trusted allowlist, reject private hosts, and proxy outbound requests through a vetted server-side helper.