@critiq/rules 0.3.0 → 0.4.0

package/rules/rust/rust.security.differently-sized-slice-conversion.rule.yaml

@@ -0,0 +1,61 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.differently-sized-slice-conversion
+  title: Conversion between differently sized raw slices
+  summary: >-
+    Casting between raw slices of different element sizes can produce out-of-bounds
+    access and memory corruption.
+  rationale: >-
+    Converting a `*const [T1]` to `*const [T2]` where `T1` and `T2` have different
+    sizes changes how memory is interpreted. When the target type is smaller, reads
+    extend beyond the original allocation; when it is larger, reads underflow.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-704
+      title: Incorrect Type Conversion or Cast
+    - kind: url
+      title: CWE-704
+      url: https://cwe.mitre.org/data/definitions/704.html
+  tags:
+    - security
+    - rust
+    - unsafe-code
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+  aliases:
+    - RS-S1013
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.differently-sized-slice-conversion
+    bind: issue
+emit:
+  finding:
+    category: security.unsafe-code
+    severity: high
+    confidence: 0.80
+    tags:
+      - security
+      - rust
+      - unsafe-code
+  message:
+    title: Differently sized slice conversion in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` casts between slices of different element sizes."
+  remediation:
+    summary: >-
+      Avoid casting between slices of different element sizes. If conversion
+      is necessary, use safe methods like `copy_from_slice` or cast element by
+      element with explicit bounds checking.

package/rules/rust/rust.security.global-write-permission.rule.yaml

@@ -0,0 +1,61 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.global-write-permission
+  title: Setting global write permission on file
+  summary: >-
+    Using world-writable permissions (0o777, 0o666) on files or directories allows
+    any user to modify them, creating a security risk.
+  rationale: >-
+    World-writable permissions allow any user on the system to modify the file or
+    directory, which can lead to privilege escalation, data tampering, or
+    unauthorized access.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-732
+      title: Incorrect Permission Assignment for Critical Resource
+    - kind: url
+      title: CWE-732
+      url: https://cwe.mitre.org/data/definitions/732.html
+  tags:
+    - security
+    - rust
+    - permissions
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+  aliases:
+    - RS-S1016
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.global-write-permission
+    bind: issue
+emit:
+  finding:
+    category: security.permissions
+    severity: critical
+    confidence: 0.90
+    tags:
+      - security
+      - rust
+      - permissions
+  message:
+    title: Global write permission set in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` sets world-writable permissions on a file or directory."
+  remediation:
+    summary: >-
+      Avoid world-writable permissions. Use restrictive masks like `0o600` for
+      files or `0o700` for directories. Only grant the minimum permissions
+      necessary for intended users or groups.

package/rules/rust/rust.security.insecure-temp-file.rule.yaml

@@ -24,6 +24,8 @@ metadata:
     - rules-catalog
   stability: experimental
   appliesTo: block
+  aliases:
+    - RS-S1003
 scope:
   languages:
     - rust

package/rules/rust/rust.security.invisible-unicode.rule.yaml

@@ -0,0 +1,60 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.invisible-unicode
+  title: Invisible Unicode character detected
+  summary: >-
+    Invisible Unicode characters such as zero-width spaces, bidi markers, and
+    BOM characters can be used for Trojan Source attacks.
+  rationale: >-
+    Invisible or control Unicode characters can alter the logic of source code
+    without being visible during code review. These include zero-width spaces,
+    bidi overrides, and other invisible formatting characters.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-1007
+      title: Inadequate Encoding for Output
+    - kind: url
+      title: Trojan Source (CVE-2021-42574)
+      url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42574
+  tags:
+    - security
+    - rust
+    - code-injection
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+  aliases:
+    - RS-S1010
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.invisible-unicode
+    bind: issue
+emit:
+  finding:
+    category: security.code-injection
+    severity: high
+    confidence: 0.90
+    tags:
+      - security
+      - rust
+      - code-injection
+  message:
+    title: Invisible Unicode character detected in `${captures.issue.text}`
+    summary: "An invisible Unicode character was found in the source code."
+  remediation:
+    summary: >-
+      Remove invisible Unicode characters from source files. Use a linter
+      or character filter to prevent these characters from being committed.

package/rules/rust/rust.security.manual-error-type-id.rule.yaml

@@ -0,0 +1,59 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.manual-error-type-id
+  title: Avoid overriding `Error::type_id` manually
+  summary: >-
+    Implementing `fn type_id` inside `impl Error for` blocks leaks internal type
+    details and breaks trait object safety guarantees.
+  rationale: >-
+    Manual `type_id` overrides violate the intended abstraction of the `Error`
+    trait and are associated with CVEs such as CVE-2019-12083.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-200
+      title: Exposure of Sensitive Information to an Unauthorized Actor
+    - kind: url
+      title: CVE-2019-12083
+      url: https://nvd.nist.gov/vuln/detail/CVE-2019-12083
+  tags:
+    - security
+    - rust
+    - error-handling
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+  aliases:
+    - RS-S1001
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.manual-error-type-id
+    bind: issue
+emit:
+  finding:
+    category: security.unsafe-implementation
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - error-handling
+  message:
+    title: Remove manual `fn type_id` override in Error impl near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` manually overrides Error::type_id."
+  remediation:
+    summary: >-
+      Remove the `fn type_id` override from the `Error` implementation. Rely on
+      the trait's default implementation instead.

package/rules/rust/rust.security.missing-regex-anchor.rule.yaml

@@ -0,0 +1,61 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.missing-regex-anchor
+  title: Anchor regex patterns with `^` or `(?`
+  summary: >-
+    Regex patterns compiled with `Regex::new` should be anchored to avoid
+    unintended substring matches, which can lead to security bypasses.
+  rationale: >-
+    Unanchored regex patterns may match unintended substrings, enabling input
+    validation bypass (CWE-20, CWE-918).
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: cwe
+      id: CWE-918
+      title: Server-Side Request Forgery (SSRF)
+  tags:
+    - security
+    - rust
+    - regex
+    - input-validation
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+  aliases:
+    - RS-S1008
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.missing-regex-anchor
+    bind: issue
+emit:
+  finding:
+    category: security.input-validation
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - regex
+      - input-validation
+  message:
+    title: Anchor regex pattern with `^` or `(?` near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses an unanchored regex pattern."
+  remediation:
+    summary: >-
+      Add a `^` anchor at the start of the regex pattern, or use `(?...)` for
+      flags followed by `^` to ensure the pattern matches from the beginning.

package/rules/rust/rust.security.misused-bitwise-xor.rule.yaml

@@ -0,0 +1,54 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.misused-bitwise-xor
+  title: Use `pow()` instead of bitwise XOR for exponentiation
+  summary: >-
+    Bitwise XOR (`^`) should not be used for exponentiation. `X ^ Y` performs
+    bitwise XOR, not `X` to the power of `Y`.
+  rationale: >-
+    Using `^` for exponentiation is a common logic error. Rust uses `^` for
+    bitwise XOR; exponentiation should use `.pow()`.
+  detection:
+    kind: pattern
+  tags:
+    - security
+    - rust
+    - logic
+    - bug-risk
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+  aliases:
+    - RS-S1007
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.misused-bitwise-xor
+    bind: issue
+emit:
+  finding:
+    category: bug-risk.logic
+    severity: medium
+    confidence: 0.75
+    tags:
+      - security
+      - rust
+      - logic
+      - bug-risk
+  message:
+    title: Replace bitwise XOR with `.pow()` near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` looks like a mistaken exponentiation attempt."
+  remediation:
+    summary: >-
+      If you meant exponentiation, use `N.pow(Y)` instead of `N ^ Y`. If you
+      intended bitwise XOR, consider whether the operands are correct.

package/rules/rust/rust.security.open-redirect.rule.yaml

@@ -0,0 +1,64 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.open-redirect
+  title: Open redirect from possibly tainted source
+  summary: >-
+    URLs returned from redirect helpers that include user-controlled input may
+    enable open redirect attacks, bypassing domain validation.
+  rationale: >-
+    An open redirect vulnerability occurs when user input flows into a redirect
+    destination without validation, allowing attackers to craft URLs that redirect
+    users to malicious sites.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-601
+      title: URL Redirection to Untrusted Site (Open Redirect)
+    - kind: url
+      title: CWE-601
+      url: https://cwe.mitre.org/data/definitions/601.html
+    - kind: owasp
+      title: OWASP Open Redirect
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - url-redirection
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+  aliases:
+    - RS-S1009
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+      - "**/benches/**"
+match:
+  fact:
+    kind: rust.security.open-redirect
+    bind: issue
+emit:
+  finding:
+    category: security.url-redirection
+    severity: high
+    confidence: 0.80
+    tags:
+      - security
+      - rust
+      - url-redirection
+  message:
+    title: Open redirect detected in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` may redirect users to an attacker-controlled destination."
+  remediation:
+    summary: >-
+      Validate and sanitize user-controlled redirect targets. Use a whitelist of
+      allowed destinations or apply URL validation before returning a redirect response.

package/rules/rust/rust.security.potentially-vulnerable-regex.rule.yaml

@@ -0,0 +1,61 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.potentially-vulnerable-regex
+  title: Potentially vulnerable regex crate version usage
+  summary: >-
+    Usage of `regex::Regex::new` with patterns containing nested quantifiers may
+    be susceptible to ReDoS attacks when using a vulnerable crate version.
+  rationale: >-
+    Regular expressions with nested quantifiers such as `(a+)+` can exhibit
+    catastrophic backtracking, leading to denial of service. Additionally, the
+    `regex` crate version should be checked for known CVEs.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-1333
+      title: Inefficient Regular Expression Complexity (ReDoS)
+    - kind: url
+      title: CWE-1333
+      url: https://cwe.mitre.org/data/definitions/1333.html
+  tags:
+    - security
+    - rust
+    - denial-of-service
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+  aliases:
+    - RS-S1015
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.potentially-vulnerable-regex
+    bind: issue
+emit:
+  finding:
+    category: security.denial-of-service
+    severity: high
+    confidence: 0.70
+    tags:
+      - security
+      - rust
+      - denial-of-service
+  message:
+    title: Potentially vulnerable regex pattern in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` may use a regex with nested quantifiers or a vulnerable crate version."
+  remediation:
+    summary: >-
+      Avoid nested quantifiers like `(a+)+` in regex patterns. Update the `regex` crate
+      to the latest version to mitigate known vulnerabilities. Consider using `regex::RegexSet`
+      or simpler patterns to reduce backtracking risk.

package/rules/rust/rust.security.raw-slice-to-ptr.rule.yaml

@@ -0,0 +1,60 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.raw-slice-to-ptr
+  title: Raw pointer obtained from slice reference
+  summary: >-
+    Creating a raw pointer from a slice reference using `as *const` or `as *mut`
+    can lead to dangling pointers if the slice reference lifetime is not respected.
+  rationale: >-
+    Converting a slice reference `&[..]` to a raw pointer bypasses Rust's
+    reference lifetime tracking. The resulting pointer may dangle if the
+    original slice is dropped before the pointer is used.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-119
+      title: Improper Restriction of Operations within the Bounds of a Memory Buffer
+    - kind: url
+      title: CWE-119
+      url: https://cwe.mitre.org/data/definitions/119.html
+  tags:
+    - security
+    - rust
+    - unsafe-code
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+  aliases:
+    - RS-S1012
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.raw-slice-to-ptr
+    bind: issue
+emit:
+  finding:
+    category: security.unsafe-code
+    severity: high
+    confidence: 0.82
+    tags:
+      - security
+      - rust
+      - unsafe-code
+  message:
+    title: Raw pointer from slice reference in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` obtains a raw pointer from a slice reference."
+  remediation:
+    summary: >-
+      Use `.as_ptr()` or `.as_mut_ptr()` on the slice instead of casting
+      `&slice[..]` with `as`. Ensure the original slice outlives the pointer.

package/rules/rust/rust.security.unsafe-remove-dir-all.rule.yaml

@@ -0,0 +1,62 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.unsafe-remove-dir-all
+  title: Avoid `std::fs::remove_dir_all` without TOCTOU mitigations
+  summary: >-
+    `remove_dir_all` is vulnerable to TOCTOU (time-of-check-time-of-use) races
+    when the directory tree contains symbolic links.
+  rationale: >-
+    `std::fs::remove_dir_all` follows symlinks, enabling arbitrary file deletion
+    via directory traversal during removal (CWE-367).
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-367
+      title: Time-of-check Time-of-use (TOCTOU) Race Condition
+    - kind: url
+      title: CWE-367 TOCTOU
+      url: https://cwe.mitre.org/data/definitions/367.html
+  tags:
+    - security
+    - rust
+    - filesystem
+    - race-condition
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+  aliases:
+    - RS-S1002
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.unsafe-remove-dir-all
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: high
+    confidence: 0.80
+    tags:
+      - security
+      - rust
+      - filesystem
+      - race-condition
+  message:
+    title: Guard `remove_dir_all` against symlink races near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` removes a directory tree without TOCTOU protection."
+  remediation:
+    summary: >-
+      Prefer `std::fs::remove_dir_all` only on trusted paths, or use an
+      alternative that handles symlinks explicitly (e.g. the `remove_dir_all`
+      crate with `#[cfg(not(target_os = "linux"))]` guards).

package/rules/rust/rust.security.weak-crypto-import.rule.yaml

@@ -23,6 +23,8 @@ metadata:
     - rules-catalog
   stability: experimental
   appliesTo: block
+  aliases:
+    - RS-S1004
 scope:
   languages:
     - rust

package/rules/rust/rust.security.weak-rsa-key-size.rule.yaml

@@ -24,6 +24,8 @@ metadata:
     - rules-catalog
   stability: experimental
   appliesTo: block
+  aliases:
+    - RS-S1005
 scope:
   languages:
     - rust

package/rules/rust/rust.testing.ignore-without-ticket-reference.rule.yaml

@@ -2,9 +2,12 @@ apiVersion: critiq.dev/v1alpha1
 kind: Rule
 metadata:
   id: rust.testing.ignore-without-ticket-reference
-  title: "Rust #[ignore] tests should cite a ticket"
-  summary: Ignored tests without a nearby tracker comment are easy to lose.
-  rationale: Ignored tests should carry reviewable intent like skips in other ecosystems.
+  title: "Add a ticket reference to ignored Rust tests"
+  summary: "`#[ignore]` without a nearby ticket reference or reason makes the test easy to forget."
+  rationale: >
+    Ignored tests accumulate when their ignore reason is undocumented. A ticket
+    reference or suppression comment tells future maintainers why the test is
+    skipped and when it should be re-enabled.
   tags:
     - testing
     - rust
@@ -14,6 +17,11 @@ metadata:
 scope:
   languages:
     - rust
+  paths:
+    exclude:
+      - "**/compiler/*/tests/**"
+      - "**/src/tools/*/tests/**"
+      - "**/tests/ui/**"
 match:
   fact:
     kind: rust.testing.ignore-without-ticket-reference
@@ -27,7 +35,5 @@ emit:
       - testing
       - rust
   message:
-    title: Add a ticket comment near `${captures.issue.text}`
-    summary: "`#[ignore]` is present without a nearby issue key or accepted suppression comment."
-  remediation:
-    summary: Document the ignore with a tracker id or remove the attribute when the test is ready.
+    title: "Ignored test lacks a ticket reference"
+    summary: "`#[ignore]` was found without a nearby issue tracker id (e.g., `#123`, `JIRA-77`), suppression comment (`TODO(expires: YYYY-MM-DD)`), or same-line reason comment."