npm - @critiq/rules - Versions diffs - 0.2.0 → 0.3.0 - Mend

@critiq/rules 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (199) hide show

package/rules/ruby/ruby.bug-risk.raw-sql-without-squish.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.bug-risk.raw-sql-without-squish
+  title: Squish heredoc SQL passed to where
+  summary: >-
+    Normalize heredoc SQL with squish before passing to where or find_by_sql.
+  rationale: >-
+    Unsquished heredoc SQL preserves accidental whitespace and hurts readability.
+  detection:
+    kind: pattern
+  tags:
+    - rules-catalog
+    - ruby
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.bug-risk.raw-sql-without-squish
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: low
+    confidence: 0.9
+    tags:
+      - ruby
+  message:
+    title: Review `${captures.issue.text}`
+    summary: "`${captures.issue.text}` matches `ruby.bug-risk.raw-sql-without-squish`."
+  remediation:
+    summary: >-
+      Normalize heredoc SQL with squish before passing to where or find_by_sql.

package/rules/ruby/ruby.security.debugger-call.rule.yaml ADDED Viewed

@@ -0,0 +1,53 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.security.debugger-call
+  title: Remove debugger calls from application code
+  summary: >-
+    Debugger breakpoints must not ship in non-test Ruby sources.
+  rationale: >-
+    Leftover `debugger`, `byebug`, or `binding.break` calls pause production workers and can expose live request state.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-489
+      title: Active Debug Code
+  tags:
+    - security
+    - ruby
+    - debug
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+      - "**/spec/**"
+      - "**/test/**"
+      - "**/tests/**"
+match:
+  fact:
+    kind: ruby.security.debugger-call
+    bind: issue
+emit:
+  finding:
+    category: security.debug-exposure
+    severity: medium
+    confidence: 0.92
+    tags:
+      - security
+      - ruby
+      - debug
+  message:
+    title: Remove debugger call in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` leaves an interactive debugger breakpoint in application code."
+  remediation:
+    summary: >-
+      Delete debugger statements before merge or gate them behind development-only configuration.

package/rules/ruby/ruby.security.dynamic-code-execution.rule.yaml ADDED Viewed

@@ -0,0 +1,54 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.security.dynamic-code-execution
+  title: Avoid dynamic Ruby code execution
+  summary: >-
+    Do not execute runtime-generated Ruby via eval, exec, or *_eval helpers.
+  rationale: >-
+    Dynamic execution turns untrusted or mutable input into executable code and expands injection risk.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-94
+      title: Improper Control of Generation of Code
+    - kind: owasp
+      title: Code Injection
+      url: https://owasp.org/www-community/attacks/Code_Injection
+  tags:
+    - security
+    - ruby
+    - execution
+    - injection
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.security.dynamic-code-execution
+    bind: issue
+emit:
+  finding:
+    category: security.execution
+    severity: high
+    confidence: 0.94
+    tags:
+      - security
+      - ruby
+      - execution
+  message:
+    title: Remove dynamic execution in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` executes Ruby code dynamically."
+  remediation:
+    summary: >-
+      Replace eval and *_eval calls with explicit parsing, allowlisted dispatch, or data structures that do not execute code.

package/rules/ruby/ruby.security.insecure-json-load.rule.yaml ADDED Viewed

@@ -0,0 +1,53 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.security.insecure-json-load
+  title: Avoid insecure JSON load helpers
+  summary: >-
+    Prefer `JSON.parse` over `JSON.load`, `JSON.restore`, or permissive Oj/MultiJson loaders.
+  rationale: >-
+    Load-style JSON APIs can deserialize arbitrary Ruby types and expand deserialization gadget risk.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-502
+      title: Deserialization of Untrusted Data
+    - kind: owasp
+      title: Deserialization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
+  tags:
+    - security
+    - ruby
+    - deserialization
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.security.insecure-json-load
+    bind: issue
+emit:
+  finding:
+    category: security.deserialization
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - ruby
+      - deserialization
+  message:
+    title: Use safe JSON parsing in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses a JSON loader that can deserialize unsafe Ruby objects."
+  remediation:
+    summary: >-
+      Parse JSON with `JSON.parse` and validate the resulting structure; avoid `JSON.load`, `JSON.restore`, and default `Oj.load` on untrusted input.

package/rules/ruby/ruby.security.kernel-open.rule.yaml ADDED Viewed

@@ -0,0 +1,53 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.security.kernel-open
+  title: Avoid Kernel.open pipe mode
+  summary: >-
+    Do not use `Kernel.open` with a leading pipe, which spawns a shell command.
+  rationale: >-
+    Pipe-mode `open` delegates to the shell and enables command injection when the argument is influenced by users.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-78
+      title: Improper Neutralization of Special Elements used in an OS Command
+    - kind: owasp
+      title: Command Injection
+      url: https://owasp.org/www-community/attacks/Command_Injection
+  tags:
+    - security
+    - ruby
+    - command-execution
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.security.kernel-open
+    bind: issue
+emit:
+  finding:
+    category: security.command-execution
+    severity: critical
+    confidence: 0.95
+    tags:
+      - security
+      - ruby
+      - command-execution
+  message:
+    title: Replace pipe-mode open in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses `Kernel.open` pipe mode, which can execute shell commands."
+  remediation:
+    summary: >-
+      Use `IO.popen` only with a fixed argv array, `Open3` with explicit command arrays, or file APIs that do not invoke a shell.

package/rules/ruby/ruby.security.plaintext-password-in-callback.rule.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.security.plaintext-password-in-callback
+  title: Avoid plaintext passwords in HTTP basic auth
+  summary: >-
+    Do not pass literal passwords to http_basic_authenticate_with.
+  rationale: >-
+    Hard-coded basic-auth passwords leak when source is exposed.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-798
+      title: Use of Hard-coded Credentials
+  tags:
+    - rules-catalog
+    - ruby
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.security.plaintext-password-in-callback
+    bind: issue
+emit:
+  finding:
+    category: security.credentials
+    severity: high
+    confidence: 0.9
+    tags:
+      - ruby
+  message:
+    title: Review `${captures.issue.text}`
+    summary: "`${captures.issue.text}` matches `ruby.security.plaintext-password-in-callback`."
+  remediation:
+    summary: >-
+      Do not pass literal passwords to http_basic_authenticate_with.

package/rules/ruby/ruby.security.rails-link-to-blank-without-noopener.rule.yaml ADDED Viewed

@@ -0,0 +1,48 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.security.rails-link-to-blank-without-noopener
+  title: Add rel noopener to link_to with target _blank
+  summary: >-
+    External links opened in a new tab should set rel noopener or noreferrer.
+  rationale: >-
+    Pages opened via target _blank can access window.opener for tab-nabbing.
+  detection:
+    kind: pattern
+  references:
+    - kind: owasp
+      title: Reverse Tabnabbing
+      url: https://owasp.org/www-community/attacks/Reverse_Tabnabbing
+  tags:
+    - rules-catalog
+    - ruby
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+      - "**/*.erb"
+      - "**/*.erb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.security.rails-link-to-blank-without-noopener
+    bind: issue
+emit:
+  finding:
+    category: security.session-management
+    severity: medium
+    confidence: 0.9
+    tags:
+      - ruby
+  message:
+    title: Review `${captures.issue.text}`
+    summary: "`${captures.issue.text}` matches `ruby.security.rails-link-to-blank-without-noopener`."
+  remediation:
+    summary: >-
+      External links opened in a new tab should set rel noopener or noreferrer.

package/rules/ruby/ruby.security.rails-output-unsafe.rule.yaml ADDED Viewed

@@ -0,0 +1,47 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.security.rails-output-unsafe
+  title: Avoid output-unsafe Rails helpers
+  summary: >-
+    Do not use html_safe, raw, or safe_concat to bypass escaping.
+  rationale: >-
+    Output-unsafe helpers mark content HTML-safe without escaping user input.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Improper Neutralization of Input During Web Page Generation
+  tags:
+    - rules-catalog
+    - ruby
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+      - "**/*.erb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.security.rails-output-unsafe
+    bind: issue
+emit:
+  finding:
+    category: security.injection
+    severity: medium
+    confidence: 0.9
+    tags:
+      - ruby
+  message:
+    title: Review `${captures.issue.text}`
+    summary: "`${captures.issue.text}` matches `ruby.security.rails-output-unsafe`."
+  remediation:
+    summary: >-
+      Do not use html_safe, raw, or safe_concat to bypass escaping.