npm - @critiq/rules - Versions diffs - 0.2.0 → 0.4.0 - Mend

@critiq/rules 0.2.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (907) hide show

package/rules/typescript/ts.security.missing-request-timeout-or-retry.rule.yaml CHANGED Viewed

@@ -2,9 +2,9 @@ apiVersion: critiq.dev/v1alpha1
 kind: Rule
 metadata:
   id: ts.security.missing-request-timeout-or-retry
-  title: Missing request timeout or retry protection
-  summary: External calls should define timeout, cancellation, or retry behavior before they enter security-sensitive flows.
-  rationale: Authentication and dependency calls that have neither timeout nor retry protection fail unpredictably under network stress.
+  title: "[DEPRECATED] Use ts.correctness.missing-timeout-on-external-call instead"
+  summary: "DEPRECATED: This rule is consolidated into ts.correctness.missing-timeout-on-external-call. External calls should define timeout, cancellation, or retry behavior."
+  rationale: "DEPRECATED: Consolidated with the correctness variant. See ts.correctness.missing-timeout-on-external-call for the current rule."
   detection:
     kind: pattern
   references:
@@ -19,6 +19,7 @@ metadata:
     - resilience
     - rules-catalog
     - crq-sec-030
+    - deprecated
   stability: stable
   appliesTo: block
 scope:
@@ -37,9 +38,10 @@ emit:
     tags:
       - security
       - resilience
+      - deprecated
   message:
-    title: Add timeout or retry protection to external calls
-    summary: "`${captures.issue.text}` performs an external call without timeout, cancellation, or retry handling."
+    title: "[DEPRECATED] Add timeout or retry protection to external calls"
+    summary: "DEPRECATED — Consolidated into ts.correctness.missing-timeout-on-external-call. `${captures.issue.text}` performs an external call without timeout, cancellation, or retry handling."
   remediation:
-    summary: Add explicit timeout or cancellation support, wrap the call in retry handling, or do both when the dependency is critical.
+    summary: "This rule is deprecated. Use ts.correctness.missing-timeout-on-external-call instead. Add explicit timeout or cancellation support, wrap the call in retry handling, or do both when the dependency is critical."

package/rules/typescript/ts.security.no-assign-mutable-export.rule.yaml CHANGED Viewed

@@ -14,6 +14,8 @@ metadata:
     - kind: owasp
       title: Secure Configuration Cheat Sheet
       url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  aliases:
+    - JS-E1009
   tags:
     - security
     - express

package/rules/typescript/ts.security.no-dynamic-execution.rule.yaml CHANGED Viewed

@@ -4,7 +4,7 @@ metadata:
   id: ts.security.no-dynamic-execution
   title: Eval or dynamic code execution
   summary: Eval-like helpers, `vm` execution APIs, and string-evaluated timers should not execute dynamic code.
-  rationale: Dynamic execution turns data into code, widens the attack surface, and bypasses normal control flow.
+  rationale: Dynamic execution turns data into code and widens the attack surface. Without taint tracking, this rule fires on legitimate library and template code patterns where the input is fully controlled.
   detection:
     kind: pattern
   references:
@@ -31,8 +31,8 @@ match:
 emit:
   finding:
     category: security.execution
-    severity: high
-    confidence: 0.95
+    severity: low
+    confidence: 0.55
     tags:
       - security
       - execution

package/rules/typescript/ts.security.no-javascript-url.rule.yaml CHANGED Viewed

@@ -2,9 +2,9 @@ apiVersion: critiq.dev/v1alpha1
 kind: Rule
 metadata:
   id: ts.security.no-javascript-url
-  title: Avoid `javascript:` URLs
-  summary: Do not use `javascript:` URLs in string literals, template literals, or JSX link attributes.
-  rationale: "`javascript:` URLs execute attacker-controlled code when used as navigation targets."
+  title: "Avoid `javascript:` URLs in href, src, or navigation attributes"
+  summary: "`javascript:` URLs can execute arbitrary script when used as navigation targets in href, src, or action attributes."
+  rationale: "`javascript:` URLs execute attacker-controlled code when used as navigation targets. Only flag when the URL appears in contexts that could reach a browser — test assertions, sanitizer inputs, and type-test files are intentionally excluded."
   detection:
     kind: pattern
   references:
@@ -14,6 +14,8 @@ metadata:
     - kind: owasp
       title: Cross Site Scripting Prevention Cheat Sheet
       url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+  aliases:
+    - JS-0421
   tags:
     - security
     - xss
@@ -24,6 +26,16 @@ scope:
   languages:
     - typescript
     - javascript
+  paths:
+    exclude:
+      - "**/*.test.*"
+      - "**/*.spec.*"
+      - "**/__tests__/**"
+      - "**/__mocks__/**"
+      - "**/tests/**"
+      - "**/test/**"
+      - "**/.github/actions/**"
+      - "**/types/**/*-tests.*"
 match:
   fact:
     kind: security.javascript-url
@@ -31,14 +43,36 @@ match:
 emit:
   finding:
     category: security.output-encoding
-    severity: high
-    confidence: 0.94
+    severity: medium
+    confidence: 0.85
     tags:
       - security
       - xss
   message:
-    title: "Avoid `javascript:` URLs"
-    summary: "`${captures.issue.text}` uses a `javascript:` URL that can execute arbitrary script."
+    title: "Avoid `javascript:` URLs in link attributes"
+    summary: "${captures.issue.text} uses a `javascript:` URL. When assigned to `href`, `src`, or `action` attributes, `javascript:` URLs execute arbitrary code in the user's browser and enable XSS attacks."
   remediation:
-    summary: "Use safe HTTPS links, in-app handlers, or explicit event callbacks instead of `javascript:` URLs."
+    summary: |-
+      Replace `javascript:` URLs with safe alternatives:
+      - Use `https://` links for external navigation
+      - Use in-app route handlers for internal navigation (e.g., React Router, Next.js `Link`)
+      - Use explicit event handlers (`onClick`, `onSubmit`) instead of `javascript:` in href
+      ### Unsafe example
+      ```html
+      <a href="javascript:doSomething()">click</a>
+      ```
+      ### Safe alternatives
+      ```tsx
+      <a href="https://example.com">External link</a>
+      <button onClick={() => doSomething()}>Click me</button>
+      <Link to="/path">Internal link</Link>
+      ```
+      ### References
+      - CWE-79: Cross-site Scripting (XSS)
+      - OWASP XSS Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

package/rules/typescript/ts.security.no-native-prototype-extension.rule.yaml CHANGED Viewed

@@ -24,6 +24,18 @@ scope:
   languages:
     - typescript
     - javascript
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/__tests__/**"
+      - "**/*.test.*"
+      - "**/*.spec.*"
+      - "**/e2e/**"
+      - "**/zone.js/**"
+      - "**/polyfill*/**"
+      - "**/shim*/**"
+      - "**/types/**/*-tests.ts"
 match:
   fact:
     kind: security.native-prototype-extension
@@ -31,7 +43,7 @@ match:
 emit:
   finding:
     category: security.language
-    severity: high
+    severity: low
     confidence: 0.96
     tags:
       - security

package/rules/typescript/ts.security.non-literal-fs-filename.rule.yaml CHANGED Viewed

@@ -25,6 +25,18 @@ scope:
   languages:
     - typescript
     - javascript
+  paths:
+    exclude:
+      - "**/sandbox/**"
+      - "**/tests/setup/**"
+      - "**/tests/smoke/**"
+      - "**/e2e/**"
+      - "**/*.test.*"
+      - "**/*.spec.*"
+      - "**/__tests__/**"
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/spec/**"
 match:
   fact:
     kind: security.non-literal-fs-filename
@@ -32,7 +44,7 @@ match:
 emit:
   finding:
     category: security.filesystem
-    severity: high
+    severity: medium
     confidence: 0.9
     tags:
       - security

package/rules/typescript/ts.security.observable-timing-discrepancy.rule.yaml CHANGED Viewed

@@ -4,7 +4,7 @@ metadata:
   id: ts.security.observable-timing-discrepancy
   title: Use constant-time secret comparison
   summary: Secrets and tokens should not be compared with ordinary equality operators.
-  rationale: Ordinary string comparison can leak timing differences that help attackers guess secret material.
+  rationale: Ordinary string comparison can leak timing differences that help attackers guess secret material. Note that the current heuristic is pattern-based without taint tracking and produces false positives on non-secret comparisons.
   detection:
     kind: pattern
   references:
@@ -32,8 +32,8 @@ match:
 emit:
   finding:
     category: security.cryptography
-    severity: high
-    confidence: 0.9
+    severity: medium
+    confidence: 0.55
     tags:
       - security
       - cryptography

package/rules/typescript/ts.security.open-redirect.rule.yaml CHANGED Viewed

@@ -27,6 +27,12 @@ scope:
     - javascript
     - java
     - go
+    - python
+  paths:
+    exclude:
+      - "**/lib/**"
+      - "**/node_modules/**"
+      - "**/vendor/**"
 match:
   fact:
     kind: security.open-redirect

package/rules/typescript/ts.security.path-join-user-input.rule.yaml ADDED Viewed

@@ -0,0 +1,50 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.path-join-user-input
+  title: Avoid user-controlled path segments in path.join and path.resolve
+  summary: Path construction APIs should not consume request- or upload-derived segments without a trusted root and validation.
+  rationale: Joining external input into filesystem paths can enable directory traversal outside the intended base directory.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-22
+      title: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
+    - kind: owasp
+      title: Path Traversal
+      url: https://owasp.org/www-community/attacks/Path_Traversal
+  tags:
+    - security
+    - filesystem
+    - path-traversal
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+  paths:
+    exclude:
+      - "**/build/**"
+      - "**/scripts/**"
+      - "**/docs/**"
+match:
+  fact:
+    kind: security.path-join-user-input
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - filesystem
+      - path-traversal
+  message:
+    title: Validate path segments passed to `${captures.issue.text}`
+    summary: "`${captures.issue.text}` joins external input into a filesystem path without a validated trusted root."
+  remediation:
+    summary: Resolve files under a fixed base directory and validate or allowlist user-supplied segments before joining paths.

package/rules/typescript/ts.security.sensitive-data-written-to-file.rule.yaml CHANGED Viewed

@@ -2,9 +2,9 @@ apiVersion: critiq.dev/v1alpha1
 kind: Rule
 metadata:
   id: ts.security.sensitive-data-written-to-file
-  title: Avoid writing sensitive data to files
-  summary: Data exports and local file writes should not persist raw secrets or personal fields.
-  rationale: Static files, exports, and backups are easy to copy or retain beyond their intended lifetime.
+  title: Sensitive data written to file
+  summary: File writes that persist fields like passwords, tokens, secrets, credentials, or PII (email, SSN, phone) risk data exposure.
+  rationale: Static files, exports, backups, and logs are easy to copy or retain beyond their intended lifetime. Sensitive fields should be redacted or excluded before writing.
   detection:
     kind: pattern
   references:
@@ -25,6 +25,16 @@ scope:
   languages:
     - typescript
     - javascript
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/__tests__/**"
+      - "**/*.test.*"
+      - "**/*.spec.*"
+      - "**/scripts/**"
+      - "**/deprecated-packages/**"
+      - "**/benchmarks/**"
 match:
   fact:
     kind: security.sensitive-data-written-to-file
@@ -32,7 +42,7 @@ match:
 emit:
   finding:
     category: security.privacy
-    severity: high
+    severity: medium
     confidence: 0.9
     tags:
       - security
@@ -40,8 +50,8 @@ emit:
       - filesystem
   message:
     title: Remove sensitive fields before `${captures.issue.text}`
-    summary: "`${captures.issue.text}` writes sensitive data into a local file sink."
+    summary: "`${captures.issue.text}` writes data containing sensitive fields (password, token, secret, credential, email, SSN, phone) to a file. This risks data exposure if the file is leaked, backed up, or retained beyond its intended lifetime."
   remediation:
-    summary: Redact, hash, or exclude the sensitive fields before writing the file.
+    summary: Remove sensitive fields (passwords, tokens, secrets, credentials, email, SSN, phone) before writing to a file. Destructure to exclude them, or hash/encrypt the values. Build scripts, benchmarks, test fixtures, and deprecated packages are exempt.

package/rules/typescript/ts.security.ssrf.rule.yaml CHANGED Viewed

@@ -24,6 +24,7 @@ scope:
     - typescript
     - javascript
     - go
+    - python
 match:
   fact:
     kind: security.ssrf

package/rules/typescript/ts.security.unsafe-dirname-path-concat.rule.yaml CHANGED Viewed

@@ -14,10 +14,13 @@ metadata:
     - kind: owasp
       title: File Upload Cheat Sheet
       url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+  aliases:
+    - JS-0262
   tags:
     - security
     - filesystem
     - rules-catalog
+    - public-directory-parity
   stability: stable
   appliesTo: block
 scope:

package/rules/typescript/ts.security.unsanitized-http-response.rule.yaml CHANGED Viewed

@@ -2,8 +2,8 @@ apiVersion: critiq.dev/v1alpha1
 kind: Rule
 metadata:
   id: ts.security.unsanitized-http-response
-  title: Avoid unsafe raw HTTP response output
-  summary: Raw response writers should not echo request data into HTML-capable responses without trusted escaping or sanitization.
+  title: Avoid raw response output driven by request input
+  summary: Raw response sinks should not echo request data without escaping or sanitization. JSON.stringify and JSON responses are excluded — their output is not executable markup.
   rationale: Directly reflecting request data into HTML-capable response sinks creates reflected XSS and content injection risk.
   detection:
     kind: pattern
@@ -25,6 +25,17 @@ scope:
   languages:
     - typescript
     - javascript
+  paths:
+    exclude:
+      - "**/sandbox/**"
+      - "**/tests/setup/**"
+      - "**/tests/smoke/**"
+      - "**/e2e/**"
+      - "**/*.test.*"
+      - "**/*.spec.*"
+      - "**/__tests__/**"
+      - "**/test/**"
+      - "**/tests/**"
 match:
   fact:
     kind: security.unsanitized-http-response
@@ -32,7 +43,7 @@ match:
 emit:
   finding:
     category: security.output-encoding
-    severity: high
+    severity: medium
     confidence: 0.88
     tags:
       - security

package/rules/typescript/ts.security.user-controlled-regexp.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.user-controlled-regexp
+  title: Avoid user-controlled regular expression patterns
+  summary: Regular expression construction should not consume request-derived pattern strings without validation.
+  rationale: Attacker-controlled regex patterns can trigger catastrophic backtracking and block the Node.js event loop.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-1333
+      title: Inefficient Regular Expression Complexity
+    - kind: owasp
+      title: Denial of Service Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html
+  tags:
+    - security
+    - redos
+    - input-validation
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+  paths:
+    exclude:
+      - "**/build/**"
+      - "**/scripts/**"
+      - "**/docs/**"
+      - "**/vendor/**"
+      - "**/lib/**"
+match:
+  fact:
+    kind: security.user-controlled-regexp
+    bind: issue
+emit:
+  finding:
+    category: security.input-validation
+    severity: medium
+    confidence: 0.84
+    tags:
+      - security
+      - redos
+      - input-validation
+  message:
+    title: Validate regex pattern before `${captures.issue.text}`
+    summary: "`${captures.issue.text}` builds a regular expression from request-controlled input."
+  remediation:
+    summary: Use fixed or allowlisted regex patterns, or validate and bound user-supplied patterns before compiling them.

package/rules/typescript/ts.testing.no-flaky-timer-test.rule.yaml CHANGED Viewed

@@ -2,9 +2,9 @@ apiVersion: critiq.dev/v1alpha1
 kind: Rule
 metadata:
   id: ts.testing.no-flaky-timer-test
-  title: Prefer fake timers in unit tests
-  summary: Real timers, sleeps, or wall-clock reads in unit tests are flaky unless fake timers are enabled for the file.
-  rationale: Wall-clock based tests race CI load and parallelization; fake timers keep behavior deterministic.
+  title: Avoid timer-dependent assertions in unit tests
+  summary: Unit tests using real timers (setTimeout/setInterval with delays >50ms) without fake timers may produce flaky results under CI load.
+  rationale: Wall-clock-based tests race CI load and parallelization; fake timers keep behavior deterministic. Performance measurement (performance.now, Date.now) and sub-50ms micro-delays for event-loop yielding are exempt.
   tags:
     - testing
     - quality
@@ -27,12 +27,12 @@ emit:
   finding:
     category: quality.testing
     severity: low
-    confidence: 0.68
+    confidence: 0.55
     tags:
       - testing
       - timers
   message:
-    title: Stabilize timer usage in `${captures.issue.text}`
-    summary: "`${captures.issue.text}` uses real timers or wall-clock reads without `jest.useFakeTimers` / `vi.useFakeTimers` in the same file."
+    title: Timer-dependent assertion without fake timers in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses real timers with a delay >50ms without `jest.useFakeTimers` / `vi.useFakeTimers` in the same file. Micro-delays (<=50ms) and performance clocks (performance.now, Date.now) are not flagged."
   remediation:
-    summary: Enable fake timers for the suite, inject a clock abstraction, or move timing assertions behind a test double.
+    summary: Enable fake timers for the suite, inject a clock abstraction, or move timing-dependent assertions behind a test double. If the delay is intentional for testing a timeout path, consider using jest.advanceTimersByTime instead of real waits.

package/rules/typescript/ts.testing.no-legacy-test-waiter.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.testing.no-legacy-test-waiter
+  title: Avoid legacy test waiters
+  summary: Deprecated test waiting APIs like wait(), waitForElement(), and waitForDomChange() should be replaced with waitFor().
+  rationale: These APIs were removed in React Testing Library v13+ and create brittle, timing-dependent tests. The modern waitFor() API provides a more reliable and consistent approach to waiting for asynchronous DOM changes.
+  aliases:
+    - JS-0794
+  tags:
+    - testing
+    - quality
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: testing.legacy-waiter
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: high
+    confidence: 0.82
+    tags:
+      - testing
+      - migration
+  message:
+    title: Replace legacy test waiter with waitFor
+    summary: "${captures.issue.text} uses a deprecated testing-library waiter API. Use waitFor() instead."
+  remediation:
+    summary: Replace wait(), waitForElement(), or waitForDomChange() calls with waitFor() from the same testing-library package.

package/rules/typescript/ts.testing.no-network-call-in-unit-test.rule.yaml CHANGED Viewed

@@ -18,7 +18,13 @@ scope:
   paths:
     exclude:
       - "**/e2e/**"
+      - "**/browser/**"
+      - "**/smoke/**"
+      - "**/sandbox/**"
+      - "**/setup/**"
       - "**/*.integration.test.*"
+      - "**/*.browser.test.*"
+      - "**/*.smoke.test.*"
 match:
   fact:
     kind: testing.real-network-in-unit-test
@@ -26,7 +32,7 @@ match:
 emit:
   finding:
     category: quality.testing
-    severity: medium
+    severity: low
     confidence: 0.74
     tags:
       - testing

package/rules/typescript/ts.testing.no-skipped-test-without-ticket.rule.yaml CHANGED Viewed

@@ -28,7 +28,7 @@ emit:
       - testing
       - coverage
   message:
-    title: Add a ticket or suppression note for `${captures.issue.text}`
-    summary: "`${captures.issue.text}` skips a test without an adjacent issue key, GitHub issue URL, or TODO(expires) style note."
+    title: Skipped test lacks adequate justification — add a reason, ticket, or comment
+    summary: "`${captures.issue.text}` skips a test without a descriptive name, explicit reason string, ticket reference, or explanatory comment."
   remediation:
-    summary: Link the skip to a tracker id, add a short expiry note, or replace the skip with a focused assertion.
+    summary: Add a descriptive test name, explicit reason string, ticket reference, or explanatory comment to document why this test is skipped.

package/rules/typescript/ts.testing.useless-assertion.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.testing.useless-assertion
+  title: Useless assertion testing a constant value
+  summary: Assertions that compare a static primitive literal against itself will never fail.
+  rationale: "`expect(true).toBe(true)` or similar tautological assertions always pass regardless of code behavior. They indicate leftover debug code or a mistaken test."
+  aliases:
+    - JS-W1039
+  tags:
+    - testing
+    - correctness
+    - rules-catalog
+    - public-directory-parity
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: testing.useless-assertion
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.95
+    tags:
+      - testing
+      - quality
+  message:
+    title: Useless assertion
+    summary: "`${captures.issue.text}` is a tautological assertion that always passes."
+  remediation:
+    summary: Replace the assertion with a meaningful check against actual runtime values, or remove dead test code.

package/rules/typescript/ts.vue.emits-validator-return-boolean.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.vue.emits-validator-return-boolean
+  title: Emits validators must return a boolean
+  summary: "Emit event validators are expected to return a boolean value indicating whether the event payload is valid."
+  rationale: Vue emits validators, like prop validators, are expected to return a boolean. Returning non-boolean values or omitting the return statement can lead to unexpected behavior. Validators that return nothing or return non-boolean values make the emit always appear valid.
+  aliases:
+    - JS-0660
+  tags:
+    - vue
+    - correctness
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: framework.vue.emits-validator-return
+    bind: issue
+emit:
+  finding:
+    category: correctness.ui
+    severity: high
+    confidence: 0.75
+    tags:
+      - vue
+      - correctness
+  message:
+    title: Return boolean from emits validator
+    summary: "${captures.issue.text} has an emits validator that does not return a boolean. Add a boolean return statement."
+  remediation:
+    summary: "Ensure each emits validator function returns a boolean value. For example: `emits: { submit: (payload) => { return typeof payload === 'string'; } }`."