npm - @critiq/rules - Versions diffs - 0.1.0 → 0.3.0 - Mend

@critiq/rules 0.1.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (495) hide show

package/rules/typescript/ts.security.token-or-session-not-validated.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Token or session not validated
   summary: Session and token values from external input should be verified before authentication or identity use.
   rationale: Parsing or loading session state without verification allows forged or stale credentials to influence authorization paths.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-287
+      title: Improper Authentication
+    - kind: owasp
+      title: JSON Web Token Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
   tags:
     - security
     - authentication
@@ -33,3 +42,4 @@ emit:
     summary: "`${captures.issue.text}` uses token or session input without any preceding validation step."
   remediation:
     summary: Verify or authenticate the token or session value before decoding, loading, or deriving identity from it.

package/rules/typescript/ts.security.ui-redress.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Do not derive anti-framing headers from request input
   summary: Framing and CSP headers should not be set from request-controlled values.
   rationale: Request-controlled anti-framing headers weaken protections against clickjacking and UI redress attacks.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
   tags:
     - security
     - clickjacking
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Set framing and CSP headers from fixed server policy instead of request data.

package/rules/typescript/ts.security.unsafe-dirname-path-concat.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.unsafe-dirname-path-concat
+  title: Avoid string-built paths from `__dirname` or `__filename`
+  summary: Do not build filesystem paths by concatenating `__dirname` or `__filename` with strings or templates.
+  rationale: String-built paths are easy to get wrong and can enable directory traversal when any segment is dynamic.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+  tags:
+    - security
+    - filesystem
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.unsafe-dirname-path-concat
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: medium
+    confidence: 0.88
+    tags:
+      - security
+      - filesystem
+  message:
+    title: Avoid string-built paths from `__dirname` or `__filename`
+    summary: "`${captures.issue.text}` builds a path by concatenating `__dirname` or `__filename`, which is fragile and risky."
+  remediation:
+    summary: Use `path.join`, `path.resolve`, or `import.meta.url` with validated segments instead of string concatenation.

package/rules/typescript/ts.security.unsafe-dompurify-version.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Upgrade DOM sanitization dependency
   summary: DOM sanitization libraries should stay on patched versions before they are trusted for untrusted HTML.
   rationale: Older sanitizer versions can miss browser parsing edge cases and leave XSS protections incomplete.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-1104
+      title: Use of Unmaintained Third Party Components
+    - kind: owasp
+      title: Vulnerable Dependency Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html
   tags:
     - security
     - dependency
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` is below the minimum sanitizer version Critiq treats as safe for untrusted HTML."
   remediation:
     summary: Upgrade the package, then keep HTML sanitizer usage behind a small reviewed wrapper.

package/rules/typescript/ts.security.unsafe-marked-version.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Upgrade Markdown rendering dependency
   summary: Markdown renderers should stay on patched versions before rendering untrusted content.
   rationale: Older Markdown renderer versions can expose unsafe HTML handling and parser edge cases.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-1104
+      title: Use of Unmaintained Third Party Components
+    - kind: owasp
+      title: Vulnerable Dependency Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html
   tags:
     - security
     - dependency
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` is below the minimum Markdown renderer version Critiq treats as safe for untrusted content."
   remediation:
     summary: Upgrade the package and keep untrusted Markdown rendering behind explicit sanitization.

package/rules/typescript/ts.security.unsanitized-http-response.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid unsafe raw HTTP response output
   summary: Raw response writers should not echo request data into HTML-capable responses without trusted escaping or sanitization.
   rationale: Directly reflecting request data into HTML-capable response sinks creates reflected XSS and content injection risk.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - xss
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` writes request-controlled data into a raw HTTP response sink without a trusted HTML escaping model."
   remediation:
     summary: Escape or sanitize the data with a trusted helper, or switch to a response format that does not treat it as executable markup.

package/rules/typescript/ts.security.unvalidated-external-input.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Validate untrusted input before parser construction
   summary: Untrusted input should be validated before it is used to construct sensitive parsers or runtime objects.
   rationale: Passing untrusted text across regex or URL construction boundaries increases the risk of parser abuse, denial of service, and downstream policy bypass.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
   tags:
     - security
     - input-validation
@@ -33,3 +42,4 @@ emit:
     summary: "`${captures.issue.text}` constructs a sensitive parser or runtime object from untrusted input without a trust-boundary check."
   remediation:
     summary: Validate, sanitize, or normalize the untrusted value before passing it into URL, RegExp, or similarly sensitive constructors.

package/rules/typescript/ts.security.user-controlled-sendfile.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Constrain `res.sendFile` to a trusted root
   summary: "`res.sendFile()` should not resolve filenames or options from request input without a trusted root."
   rationale: Request-controlled file responses are a common path to path traversal and unintended local file disclosure.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-918
+      title: Server-Side Request Forgery (SSRF)
+    - kind: owasp
+      title: Server-Side Request Forgery
+      url: https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
   tags:
     - security
     - filesystem
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` serves a request-controlled file path or options object without a trusted root."
   remediation:
     summary: Resolve files from an allowlisted directory and validate request input before it reaches `res.sendFile()`.

package/rules/typescript/ts.security.user-controlled-view-render.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Constrain `res.render()` trust boundaries
   summary: Express view names should not cross into server-side rendering from untrusted input.
   rationale: Untrusted template names can expose internal views, bypass intended route behavior, or widen a server-side template boundary.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - express
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` selects a server-side template across a trust boundary using untrusted input."
   remediation:
     summary: Resolve the template from an allowlist or fixed route mapping before calling `res.render()`.

package/rules/typescript/ts.security.weak-cipher-or-mode.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid weak cipher algorithms and modes
   summary: Cryptographic ciphers should use modern authenticated modes and approved algorithms.
   rationale: Weak modes such as ECB and legacy ciphers such as DES or RC4 do not provide adequate confidentiality.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
   tags:
     - security
     - crypto
@@ -33,3 +42,4 @@ emit:
     summary: "`${captures.issue.text}` uses a weak cipher algorithm or mode."
   remediation:
     summary: Use modern authenticated encryption such as AES-GCM with approved key sizes and IV handling.

package/rules/typescript/ts.security.weak-key-strength.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid weak key-generation strength
   summary: Key-generation helpers should use current minimum strengths for RSA, AES, and HMAC keys.
   rationale: Weak modulus or key lengths make brute-force and cryptanalytic attacks more practical, even when the API itself is correct.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
   tags:
     - security
     - cryptography
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` configures a key length or modulus size below the current minimum expected for production cryptography."
   remediation:
     summary: Use at least 2048-bit RSA keys and at least 128-bit AES or HMAC keys unless a clearly documented compatibility boundary requires otherwise.

package/rules/typescript/ts.security.weak-tls-version.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Require modern TLS minimum versions
   summary: Transport clients should not explicitly allow SSLv3, TLS 1.0, or TLS 1.1.
   rationale: Legacy TLS protocol floors weaken transport security and keep obsolete downgrade-compatible settings alive in production code.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
   tags:
     - security
     - transport
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` explicitly allows an obsolete TLS or SSL protocol version."
   remediation:
     summary: Set `minVersion` to at least `TLSv1.2` or `TLSv1.3` and remove legacy `secureProtocol` values.

package/rules/typescript/ts.security.xml-parse-string-with-untrusted-input.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Do not parse untrusted XML with permissive parsers
   summary: parseString and similar XML helpers should not consume request-controlled payloads without hardening.
   rationale: Untrusted XML can enable XXE-style parser abuse depending on the underlying implementation and parser flags.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-502
+      title: Deserialization of Untrusted Data
+    - kind: owasp
+      title: Deserialization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
   tags:
     - security
     - xml
@@ -33,3 +42,4 @@ emit:
     summary: "${captures.issue.text} parses XML that appears request-driven."
   remediation:
     summary: Disable external entities, validate payloads against a strict schema, and parse with a hardened XML configuration.