@critiq/rules 0.2.0 → 0.4.0

package/rules/go/go.performance.utf8-decode-rune.rule.yaml

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.performance.utf8-decode-rune
+  title: Use `utf8.DecodeRuneInString` instead of `[]rune(string)[0]`
+  summary: The `[]rune(str)[0]` pattern allocates a rune slice. Use `utf8.DecodeRuneInString(str)` for single-rune access.
+  rationale: >-
+    Converting a string to `[]rune` allocates a new slice. For single-rune access,
+    `utf8.DecodeRuneInString` avoids the allocation entirely.
+  aliases:
+    - GO-P4006
+  tags:
+    - performance
+    - go
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.performance.utf8-decode-rune
+    bind: issue
+emit:
+  finding:
+    category: performance.optimization
+    severity: high
+    confidence: 0.9
+    tags:
+      - performance
+      - go
+  message:
+    title: Use `utf8.DecodeRuneInString` instead of `[]rune(string)[0]`
+    summary: "Replace `${captures.issue.text}` with `utf8.DecodeRuneInString(str)` to avoid rune slice allocation."
+  remediation:
+    summary: "Replace `[]rune(str)[0]` with `r, _ := utf8.DecodeRuneInString(str)`."

package/rules/go/go.security.decompression-bomb.rule.yaml

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.decompression-bomb
+  title: Guard against decompression bomb denial-of-service
+  summary: >-
+    `io.Copy` or `io.CopyBuffer` with an uncompressed reader from a decompressor (`gzip.NewReader`, `zlib.NewReader`, etc.) without a size limit can exhaust memory or disk in a decompression bomb attack.
+  rationale: >-
+    An attacker can send a small compressed payload that decompresses to many times its original size, causing denial-of-service via memory exhaustion or disk filling. Use `io.CopyN` or `io.LimitReader` to cap the decompressed output.
+  aliases:
+    - GO-S2110
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-409
+      title: Improper Handling of Highly Compressed Data (Data Amplification)
+    - kind: owasp
+      title: Denial of Service Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - denial-of-service
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.decompression-bomb
+    bind: issue
+emit:
+  finding:
+    category: security.denial-of-service
+    severity: critical
+    confidence: 0.65
+    tags:
+      - security
+      - go
+  message:
+    title: Limit decompressed output size near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` copies decompressor output without a size limit, risking decompression bomb exhaustion."
+  remediation:
+    summary: >-
+      Replace `io.Copy` with `io.CopyN` or wrap the decompressor reader with `io.LimitReader` to cap decompressed output to an acceptable maximum (e.g., 100MB).

package/rules/go/go.security.http-dir-path-traversal.rule.yaml

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.http-dir-path-traversal
+  title: Avoid exposing the root filesystem via http.Dir
+  summary: >-
+    `http.Dir("/")` or `http.Dir("\\")` used with `http.FileServer` or `http.StripPrefix` exposes the entire filesystem, enabling directory traversal.
+  rationale: >-
+    Serving files from the root directory allows callers to read arbitrary files on the server, including configuration, secrets, and system files. Always restrict file serving to a specific subdirectory using relative paths.
+  aliases:
+    - GO-S2111
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-22
+      title: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
+    - kind: owasp
+      title: Path Traversal
+      url: https://owasp.org/www-community/attacks/Path_Traversal
+  tags:
+    - security
+    - go
+    - path-traversal
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.http-dir-path-traversal
+    bind: issue
+emit:
+  finding:
+    category: security.path-traversal
+    severity: high
+    confidence: 0.82
+    tags:
+      - security
+      - go
+  message:
+    title: Restrict http.Dir to a subdirectory near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` serves files from the filesystem root, enabling directory traversal."
+  remediation:
+    summary: >-
+      Replace `http.Dir("/")` with a relative path such as `http.Dir("./public")` and validate that the directory contains only intended content.

package/rules/go/go.security.incomplete-hostname-regex.rule.yaml

@@ -0,0 +1,64 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.incomplete-hostname-regex
+  title: Use a complete and anchored regular expression for hostname validation
+  summary: >-
+    Regex patterns used for hostname validation should use start (`^`) and end
+    (`$`) anchors, escape literal dots, and avoid overly permissive character
+    classes that allow subdomains or non-hostname input through.
+  rationale: >-
+    Unanchored or unescaped hostname regexes accept malicious or malformed
+    input (e.g. `evil.com.evildomain.com`), enabling SSRF, open redirects,
+    and domain validation bypasses.
+  aliases:
+    - GO-S1016
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-185
+      title: Incorrect Regular Expression
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - regex
+    - hostname
+    - validation
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.incomplete-hostname-regex
+    bind: issue
+emit:
+  finding:
+    category: security.validation
+    severity: medium
+    confidence: 0.55
+    tags:
+      - security
+      - go
+      - regex
+  message:
+    title: Anchor hostname regex at start and end in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses a regex that may accept broader input than intended for hostname validation."
+  remediation:
+    summary: >-
+      Anchor the pattern with `^` and `$`, escape literal dots with `\\.`, and
+      restrict character classes to valid hostname characters. For example:
+      `^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)*$`.

package/rules/go/go.security.insecure-ssl-protocol.rule.yaml

@@ -7,6 +7,8 @@ metadata:
     `tls.VersionSSL30`, SSLv2, or SSLv3 string literals indicate use of broken legacy protocols.
   rationale: >-
     SSLv2 and SSLv3 contain unrecoverable cryptographic weaknesses (POODLE, DROWN) and must not be negotiated.
+  aliases:
+    - GO-S1021
   detection:
     kind: pattern
   references:

package/rules/go/go.security.jwt-without-verification.rule.yaml

@@ -7,6 +7,8 @@ metadata:
     Parsing JWTs with `jwt.Parse` and a nil keyfunc, `jwt.ParseUnverified`, or `jwt.Decode` skips signature verification and lets attackers forge tokens.
   rationale: >-
     Trusting unverified JWTs allows attackers to impersonate users or escalate privileges by crafting tokens with arbitrary claims.
+  aliases:
+    - GO-S1019
   detection:
     kind: pattern
   references:

package/rules/go/go.security.net-http-missing-timeouts.rule.yaml

@@ -7,6 +7,9 @@ metadata:
     Public Go HTTP servers should use `http.Server` with read, write, idle, and header timeouts instead of convenience `ListenAndServe` helpers or incomplete literals.
   rationale: >-
     Missing timeouts enable slowloris-style resource exhaustion and hung connections on internet-facing services.
+  aliases:
+    - GO-S2112
+    - GO-S2114
   detection:
     kind: pattern
   references:

package/rules/go/go.security.pprof-exposed.rule.yaml

@@ -7,6 +7,8 @@ metadata:
     Importing `net/http/pprof` or registering `/debug/pprof` handlers on the default mux exposes debugging endpoints to remote callers.
   rationale: >-
     Exposed pprof endpoints leak heap, goroutine, and CPU profiles and can be used for denial-of-service or sensitive data harvesting.
+  aliases:
+    - GO-S2108
   detection:
     kind: pattern
   references:

package/rules/go/go.security.squirrel-unsafe-quoting.rule.yaml

@@ -0,0 +1,64 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.squirrel-unsafe-quoting
+  title: Use safe parameterized queries with squirrel query builder
+  summary: >-
+    `squirrel.Expr` (or `sq.Expr`) with `fmt.Sprintf` interpolation constructs
+    SQL queries via string formatting, enabling SQL injection when arguments
+    contain untrusted data.
+  rationale: >-
+    String interpolation in query construction bypasses placeholder-based
+    parameterization, allowing attackers to inject SQL through user-controlled
+    input. Use `squirrel.Eq{}`, `squirrel.Eq{}`, or other safe builders that
+    emit parameterized queries.
+  aliases:
+    - GO-S1017
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-89
+      title: SQL Injection
+    - kind: owasp
+      title: SQL Injection Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - sql-injection
+    - squirrel
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.squirrel-unsafe-quoting
+    bind: issue
+emit:
+  finding:
+    category: security.injection
+    severity: high
+    confidence: 0.5
+    tags:
+      - security
+      - go
+      - sql-injection
+  message:
+    title: Use parameterized query instead of squirrel.Expr with string interpolation
+    summary: "`${captures.issue.text}` uses `squirrel.Expr` with `fmt.Sprintf` instead of safe builders like `squirrel.Eq{}`."
+  remediation:
+    summary: >-
+      Replace `squirrel.Expr(fmt.Sprintf(...))` with safe builders such as
+      `squirrel.Eq{"field": value}` or `squirrel.Expr("field = ?", value)`
+      with placeholder syntax.

package/rules/go/go.security.tainted-value-sink.rule.yaml

@@ -0,0 +1,59 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.tainted-value-sink
+  title: Avoid using tainted values in SQL and command sinks
+  summary: >-
+    User-controlled input (parameters named `input`, `data`, `body`, etc.) should not reach SQL execution or OS command sinks via `fmt.Sprintf` string interpolation.
+  rationale: >-
+    Building SQL queries or shell commands by interpolating user input with `fmt.Sprintf` enables SQL injection and command injection attacks. Use parameterized queries or sanitized APIs instead.
+  aliases:
+    - GO-S7000
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-89
+      title: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)
+    - kind: cwe
+      id: CWE-78
+      title: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)
+    - kind: owasp
+      title: SQL Injection Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - injection
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.tainted-value-sink
+    bind: issue
+emit:
+  finding:
+    category: security.injection
+    severity: high
+    confidence: 0.4
+    tags:
+      - security
+      - go
+      - experimental
+  message:
+    title: Use parameterized query instead of interpolation near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` passes a potentially tainted value through `fmt.Sprintf` into a SQL or command sink."
+  remediation:
+    summary: >-
+      Replace `fmt.Sprintf` interpolation with parameterized queries (`db.ExecContext(ctx, query, args...)`) for SQL or use `exec.Command(name, arg...)` with separate arguments for OS commands.

package/rules/go/go.security.tls-missing-min-version.rule.yaml

@@ -7,6 +7,8 @@ metadata:
     `tls.Config` literals should set `MinVersion` to a modern protocol (`tls.VersionTLS12` or newer) to avoid downgrade attacks.
   rationale: >-
     Without `MinVersion`, the Go standard library accepts legacy TLS versions that are vulnerable to known protocol attacks.
+  aliases:
+    - GO-S1020
   detection:
     kind: pattern
   references:

package/rules/go/go.security.unsafe-defer-close.rule.yaml

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.unsafe-defer-close
+  title: Handle deferred Close errors explicitly
+  summary: >-
+    `defer f.Close()` silently discards the error returned by `Close()`. For writable files, this can mask data loss when buffered writes fail on close.
+  rationale: >-
+    The `Close()` method on `*os.File` and other `io.Closer` implementations can return errors (e.g., flush failures, disk-full). A deferred call without error handling may silently lose data. Consider handling the close error explicitly or calling `f.Sync()` before deferring close.
+  aliases:
+    - GO-S2307
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-754
+      title: Improper Check for Unusual or Exceptional Conditions
+    - kind: url
+      title: Effective Go - Defer
+      url: https://go.dev/doc/effective_go#defer
+  tags:
+    - security
+    - go
+    - error-handling
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.unsafe-defer-close
+    bind: issue
+emit:
+  finding:
+    category: security.exceptions
+    severity: high
+    confidence: 0.55
+    tags:
+      - security
+      - go
+  message:
+    title: Handle close error instead of deferring near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` defers a close call without capturing potential write errors."
+  remediation:
+    summary: >-
+      Call `f.Sync()` before the deferred `f.Close()`, or handle `f.Close()` explicitly with error checking instead of deferring it.

package/rules/go/go.security.weak-crypto-import.rule.yaml

@@ -7,6 +7,9 @@ metadata:
     Production Go code should not import `crypto/md5`, `crypto/sha1`, `crypto/des`, or `crypto/rc4` for security-sensitive purposes.
   rationale: >-
     MD5 and SHA-1 are broken hash functions, DES has an obsolete key size, and RC4 has known biases; using them as cryptographic primitives degrades confidentiality and integrity.
+  aliases:
+    - GO-S1022
+    - GO-S1023
   detection:
     kind: pattern
   references:

package/rules/go/go.security.weak-file-permission.rule.yaml

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.weak-file-permission
+  title: Avoid overly permissive file permissions
+  summary: >-
+    `os.WriteFile` or `os.OpenFile` with permission bits above `0600` (owner read/write) may expose sensitive data to other users on the system.
+  rationale: >-
+    Overly permissive file modes (e.g., `0744`, `0777`) allow group or world access to files that may contain credentials, tokens, or sensitive data. Restrict to `0600` or `0400` for sensitive files.
+  aliases:
+    - GO-S2306
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-276
+      title: Incorrect Default Permissions
+    - kind: owasp
+      title: File Permission Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Permission_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - filesystem
+    - permissions
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.weak-file-permission
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - go
+  message:
+    title: Restrict file permissions near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses permission bits above `0600` which may expose sensitive data."
+  remediation:
+    summary: >-
+      Use `0600` (owner read/write) or `0400` (owner read-only) for sensitive files. Avoid group or world access unless explicitly required and reviewed.

package/rules/java/java.correctness.annotation-check-always-false.rule.yaml

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.annotation-check-always-false
+  title: Annotation retention prevents runtime check
+  summary: Checking for an annotation at runtime that is retained only at SOURCE or CLASS level will always return false.
+  rationale: The @Retention annotation controls whether an annotation is available at runtime via reflection. RetentionPolicy.SOURCE and RetentionPolicy.CLASS annotations are not preserved in the JVM, so isAnnotationPresent() will always return false. Only RetentionPolicy.RUNTIME annotations can be detected at runtime.
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+  aliases:
+    - JAVA-E1039
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.annotation-check-always-false
+    bind: issue
+emit:
+  finding:
+    category: correctness.reflection
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+      - java
+  message:
+    title: Annotation check always returns false
+    summary: "`${captures.issue.text}` checks for an annotation with SOURCE or CLASS retention, which is never available at runtime."
+  remediation:
+    summary: Change the annotation's retention to RetentionPolicy.RUNTIME if it needs to be detected via reflection at runtime, or remove the isAnnotationPresent check.

package/rules/java/java.correctness.array-compared-to-non-array.rule.yaml

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.array-compared-to-non-array
+  title: Array compared to non-array value
+  summary: Comparing an array variable to a non-array value (string literal, number, boolean) is almost certainly a logic bug.
+  rationale: "Comparing an array with `==` or `.equals()` to a non-array value like a string literal or number is almost always a programmer error. Arrays are objects; comparing them to primitives or strings with `==` will always be false, and `.equals()` will never match a non-array type."
+  detection:
+    kind: pattern
+  aliases:
+    - JAVA-S0347
+  tags:
+    - correctness
+    - java
+    - equality
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.array-compared-to-non-array
+    bind: issue
+emit:
+  finding:
+    category: correctness.equality
+    severity: medium
+    confidence: 0.82
+    tags:
+      - correctness
+      - java
+  message:
+    title: Suspicious array comparison in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` compares an array variable to a non-array value."
+  remediation:
+    summary: "Review the comparison. If checking array contents, use `Arrays.equals(array, otherArray)`. If checking length, use `array.length`."

package/rules/java/java.correctness.array-index-bounds.rule.yaml

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.array-index-bounds
+  title: Array or list access with out-of-bounds index
+  summary: An array, list, or string is accessed at length()/size(), which is always one past the last valid index.
+  rationale: Array indices range from 0 to length-1. Accessing index `length` throws ArrayIndexOutOfBoundsException.
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+  aliases:
+    - JAVA-E1020
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.array-index-bounds
+    bind: issue
+emit:
+  finding:
+    category: correctness.bounds
+    severity: critical
+    confidence: 0.9
+    tags:
+      - correctness
+      - java
+  message:
+    title: Potential index out of bounds access in `${captures.issue.text}`
+    summary: An index expression uses length()/size() as the upper bound, which is always one element past the valid range.
+  remediation:
+    summary: Use `length - 1` or `size() - 1` to access the last element, or verify the index is valid before access.