npm - @critiq/rules - Versions diffs - 0.3.0 → 0.4.0 - Mend

@critiq/rules 0.3.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (735) hide show

package/rules/python/py.security.insecure-ssl-version.rule.yaml ADDED Viewed

@@ -0,0 +1,53 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.insecure-ssl-version
+  aliases:
+    - BAN-B507
+  title: Avoid insecure SSL/TLS protocol versions
+  summary: SSLv2, SSLv3, and TLSv1 are known to be vulnerable to protocol-level attacks
+  rationale: SSLv2, SSLv3, and early TLS versions have known vulnerabilities including POODLE, BEAST, and downgrade attacks. Only TLS 1.2 and TLS 1.3 should be used.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+  tags:
+    - security
+    - python
+    - transport
+    - ssl
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.insecure-ssl-version
+    bind: issue
+emit:
+  finding:
+    category: security.transport
+    severity: high
+    confidence: 0.95
+    tags:
+      - security
+      - python
+      - transport
+      - ssl
+  message:
+    title: Upgrade SSL/TLS version in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses an insecure or deprecated SSL/TLS protocol version."
+  remediation:
+    summary: Use TLS 1.2 or higher (e.g. `ssl.PROTOCOL_TLSv1_2` or `ssl.PROTOCOL_TLS`). Prefer letting the library negotiate the highest available version.

package/rules/python/py.security.insecure-urllib-method.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.insecure-urllib-method
+  aliases:
+    - BAN-B309
+  title: Avoid insecure urllib URL fetching methods
+  summary: urllib.urlopen() and urlretrieve() do not validate TLS certificates by default
+  rationale: urllib functions like `urlopen()` and `urlretrieve()` do not perform proper TLS certificate validation by default, making HTTPS connections vulnerable to man-in-the-middle attacks.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+  tags:
+    - security
+    - python
+    - transport
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.insecure-urllib-method
+    bind: issue
+emit:
+  finding:
+    category: security.transport
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - python
+      - transport
+  message:
+    title: Replace urllib with requests in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses urllib functions with insecure defaults."
+  remediation:
+    summary: Use the `requests` library which performs TLS certificate validation by default. For urllib, explicitly configure an SSL context with certificate verification enabled.

package/rules/python/py.security.insecure-xml-parser.rule.yaml ADDED Viewed

@@ -0,0 +1,53 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.insecure-xml-parser
+  aliases:
+    - BAN-B409
+  title: Avoid insecure XML parsers
+  summary: Standard library XML parsers are vulnerable to XXE and entity expansion attacks
+  rationale: Python's standard library XML parsers (xml.etree, xml.dom, xml.sax) process external entities and DTDs by default, enabling XML External Entity (XXE) and billion laughs attacks.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-611
+      title: Improper Restriction of XML External Entity Reference
+  tags:
+    - security
+    - python
+    - injection
+    - xml
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.insecure-xml-parser
+    bind: issue
+emit:
+  finding:
+    category: security.injection
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - python
+      - injection
+      - xml
+  message:
+    title: Replace insecure XML parser in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses a standard library XML parser vulnerable to XXE."
+  remediation:
+    summary: Use `defusedxml` (e.g. `from defusedxml.ElementTree import parse`) which disables external entity processing by default.

package/rules/python/py.security.mako-insecure-templates.rule.yaml ADDED Viewed

@@ -0,0 +1,53 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.mako-insecure-templates
+  aliases:
+    - BAN-B702
+  title: Avoid insecure Mako template configuration
+  summary: Mako templates with empty default_filters or disable_unicode=True are vulnerable to XSS
+  rationale: Mako templates configured without output filters (`default_filters=[]`) or with unicode escaping disabled (`disable_unicode=True`) render user-controlled data as raw HTML, enabling cross-site scripting (XSS) attacks.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Improper Neutralization of Input During Web Page Generation
+  tags:
+    - security
+    - python
+    - injection
+    - xss
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.mako-insecure-templates
+    bind: issue
+emit:
+  finding:
+    category: security.injection
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - python
+      - injection
+      - xss
+  message:
+    title: Add output filters to Mako template in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` configures a Mako template with insecure default filters."
+  remediation:
+    summary: Set `default_filters=['h']` to enable HTML escaping by default, or specify an explicit safe filter list per template.

package/rules/python/py.security.path-traversal-user-input.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.path-traversal-user-input
+  title: Avoid user-controlled filesystem path segments in Python
+  summary: Python path construction and file delivery helpers should not consume request- or route-derived segments without validation.
+  rationale: Building paths from external input enables traversal outside trusted storage roots before reads, writes, or downloads occur.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-22
+      title: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
+    - kind: owasp
+      title: Path Traversal
+      url: https://owasp.org/www-community/attacks/Path_Traversal
+  tags:
+    - security
+    - filesystem
+    - path-traversal
+    - python
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    exclude:
+      - "**/build/**"
+      - "**/scripts/**"
+      - "**/docs/**"
+match:
+  fact:
+    kind: python.security.path-traversal-user-input
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - filesystem
+      - path-traversal
+      - python
+  message:
+    title: Validate user input used by `${captures.issue.text}`
+    summary: "`${captures.issue.text}` builds a filesystem path from external input without an evident trusted-root validation step."
+  remediation:
+    summary: Resolve paths under a fixed base directory and validate or allowlist user-supplied segments before joining, opening, or sending files.

package/rules/python/py.security.request-path-file-read.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.request-path-file-read
+  aliases:
+    - BAN-B108
+  title: Avoid reading files using request-controlled paths
+  summary: Python file read operations should not consume request-controlled path segments.
+  rationale: Attacker-controlled file paths can traverse directories and read arbitrary files outside the intended root.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-22
+      title: Improper Limitation of a Pathname to a Restricted Directory
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+  tags:
+    - security
+    - python
+    - filesystem
+    - path-traversal
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: security.request-path-file-read
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: high
+    confidence: 0.90
+    tags:
+      - security
+      - python
+      - filesystem
+      - path-traversal
+  message:
+    title: Avoid request-controlled file path in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` reads a file using a request-controlled path, enabling path traversal."
+  remediation:
+    summary: Validate and sanitize user-supplied path segments. Use a allowlisted file map or restrict traversal outside the intended root directory.

package/rules/python/py.security.sensitive-logging.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.sensitive-logging
+  aliases:
+    - BAN-W101
+  title: Prevent sensitive data in Python log statements
+  summary: Python log statements should not include tokens, secrets, or personal data that could leak in log output.
+  rationale: Logs are often persisted and may have broader access than the source itself. Leaking secrets or personal data in logs violates compliance and security policies.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-532
+      title: Insertion of Sensitive Information into Log File
+  tags:
+    - security
+    - python
+    - logging
+    - rules-catalog
+  stability: stable
+  appliesTo: function
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: security.sensitive-data-in-logs-and-telemetry
+    bind: issue
+emit:
+  finding:
+    category: security.data
+    severity: medium
+    confidence: 0.85
+    tags:
+      - security
+      - python
+      - logging
+  message:
+    title: Sensitive data logged in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` may write sensitive data to logs."
+  remediation:
+    summary: Redact or remove secrets, tokens, and personal identifiers from log statements.

package/rules/python/py.security.sql-interpolation.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.sql-interpolation
+  aliases:
+    - BAN-B608
+  title: Avoid SQL query string interpolation
+  summary: Python SQL queries should not be built via f-string or string-formatting with user input.
+  rationale: String interpolation concatenates user data directly into SQL, enabling injection attacks that bypass parameterized safeguards.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-89
+      title: Improper Neutralization of Special Elements used in an SQL Command
+    - kind: owasp
+      title: SQL Injection Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
+  tags:
+    - security
+    - python
+    - injection
+    - sql
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: security.sql-interpolation
+    bind: issue
+emit:
+  finding:
+    category: security.injection
+    severity: critical
+    confidence: 0.90
+    tags:
+      - security
+      - python
+      - injection
+      - sql
+  message:
+    title: Use parameterized query instead of `${captures.issue.text}`
+    summary: "`${captures.issue.text}` builds a SQL query via string interpolation with user input."
+  remediation:
+    summary: Use parameterized queries with placeholders and bound arguments instead of f-string or format-based SQL construction.

package/rules/python/py.security.ssh-host-key-validation.rule.yaml ADDED Viewed

@@ -0,0 +1,53 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.ssh-host-key-validation
+  aliases:
+    - BAN-B507
+  title: Ensure SSH host key validation is enabled
+  summary: AutoAddPolicy disables SSH host key verification, enabling MITM attacks
+  rationale: Using `AutoAddPolicy` or `WarningPolicy` for SSH host key checking bypasses host key verification, allowing man-in-the-middle attackers to intercept SSH connections without detection.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-295
+      title: Improper Certificate Validation
+  tags:
+    - security
+    - python
+    - transport
+    - ssh
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.ssh-host-key-validation
+    bind: issue
+emit:
+  finding:
+    category: security.transport
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - python
+      - transport
+      - ssh
+  message:
+    title: Enable host key verification in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses a host key policy that disables verification."
+  remediation:
+    summary: Use `RejectPolicy` or implement a custom host key verification callback. Only use `AutoAddPolicy` for first-connection trust-on-first-use (TOFU) with user confirmation.

package/rules/python/py.security.telnet-usage.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.telnet-usage
+  aliases:
+    - BAN-B312
+  title: Avoid Telnet protocol usage
+  summary: Telnet sends credentials and data in cleartext
+  rationale: Telnet transmits all data including credentials in plaintext across the network, making it trivial for attackers to intercept sensitive information via network sniffing.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+  tags:
+    - security
+    - python
+    - transport
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.telnet-usage
+    bind: issue
+emit:
+  finding:
+    category: security.transport
+    severity: high
+    confidence: 0.95
+    tags:
+      - security
+      - python
+      - transport
+  message:
+    title: Replace Telnet with SSH in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` imports or uses the insecure Telnet protocol."
+  remediation:
+    summary: Use SSH-based libraries like `paramiko` for encrypted remote shell access instead of Telnet.

package/rules/python/py.security.tls-verification-disabled.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.tls-verification-disabled
+  aliases:
+    - BAN-B501
+  title: Do not disable TLS certificate verification
+  summary: Python HTTPS clients should not set `verify=False`, which disables server certificate validation.
+  rationale: Disabling TLS verification exposes connections to man-in-the-middle attacks by accepting any certificate presented by the server.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-295
+      title: Improper Certificate Validation
+    - kind: owasp
+      title: Certificate Pinning Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Pinning_Cheat_Sheet.html
+  tags:
+    - security
+    - python
+    - transport
+    - tls
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: security.tls-verification-disabled
+    bind: issue
+emit:
+  finding:
+    category: security.transport
+    severity: high
+    confidence: 0.95
+    tags:
+      - security
+      - python
+      - transport
+      - tls
+  message:
+    title: Enable TLS verification in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` disables TLS certificate verification with `verify=False`."
+  remediation:
+    summary: Remove `verify=False` or set `verify=True`. For internal dev environments, configure a trusted internal CA rather than disabling verification.

package/rules/python/py.security.unsafe-deserialization.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.unsafe-deserialization
+  aliases:
+    - BAN-B301
+  title: Avoid unsafe deserialization with pickle
+  summary: Python deserialization of untrusted data via `pickle` can enable arbitrary code execution.
+  rationale: pickle.loads on attacker-controlled input can execute arbitrary Python code, leading to full remote code execution.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-502
+      title: Deserialization of Untrusted Data
+    - kind: owasp
+      title: Deserialization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
+  tags:
+    - security
+    - python
+    - deserialization
+    - injection
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: security.unsafe-deserialization
+    bind: issue
+emit:
+  finding:
+    category: security.deserialization
+    severity: high
+    confidence: 0.92
+    tags:
+      - security
+      - python
+      - deserialization
+      - injection
+  message:
+    title: Replace unsafe deserialization in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` deserializes untrusted data via `pickle`, which can execute arbitrary code."
+  remediation:
+    summary: Use `json` or another safe serialization format for user-controlled input. Never unpickle untrusted data.

package/rules/python/py.security.weak-crypto-key.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.weak-crypto-key
+  aliases:
+    - BAN-B505
+  title: Avoid weak cryptographic key sizes
+  summary: RSA/DSA keys below 3072 bits are insufficient for modern security
+  rationale: RSA and DSA keys smaller than 3072 bits can be factored with sufficient computational resources. NIST recommends at least 2048 bits for legacy compatibility and 3072 bits for new deployments.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-326
+      title: Inadequate Encryption Strength
+  tags:
+    - security
+    - python
+    - crypto
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.weak-crypto-key
+    bind: issue
+emit:
+  finding:
+    category: security.crypto
+    severity: high
+    confidence: 0.95
+    tags:
+      - security
+      - python
+      - crypto
+  message:
+    title: Increase key size in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` generates a cryptographic key with insufficient bit length."
+  remediation:
+    summary: Use at least 3072-bit RSA/DSA keys (e.g. `RSA.generate(4096)`) for production deployments.