getdoorman 1.0.0

package/src/rules/security/rust.js

@@ -0,0 +1,693 @@
+/**
+ * Rust Security Rules (SEC-RS-001 through SEC-RS-040)
+ *
+ * Each rule scans Rust source files for security vulnerabilities.
+ */
+
+const isRust = (f) => f.endsWith('.rs');
+
+const SKIP_PATH = /[/\\](test|tests|__tests__|__mocks__|mocks|fixtures|__fixtures__|spec|__snapshots__|node_modules|vendor|dist|build|target)[/\\]/i;
+const COMMENT_LINE = /^\s*(\/\/|\/\*|\*)/;
+
+function scanLines(content, regex, file, rule) {
+  const findings = [];
+  const lines = content.split('\n');
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (COMMENT_LINE.test(line)) continue;
+    if (regex.test(line)) {
+      findings.push({
+        ruleId: rule.id,
+        category: rule.category,
+        severity: rule.severity,
+        title: rule.title,
+        description: rule.description,
+        confidence: rule.confidence,
+        file,
+        line: i + 1,
+        fix: rule.fix || null,
+      });
+    }
+  }
+  return findings;
+}
+
+function checkRust(rule, files, ...patterns) {
+  const findings = [];
+  for (const [path, content] of files) {
+    if (SKIP_PATH.test(path)) continue;
+    if (isRust(path)) {
+      for (const p of patterns) {
+        findings.push(...scanLines(content, p, path, rule));
+      }
+    }
+  }
+  return findings;
+}
+
+const rules = [
+  // SEC-RS-001: Unsafe block usage
+  {
+    id: 'SEC-RS-001',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Unsafe Block Without Safety Comment',
+    description: 'Unsafe blocks bypass Rust memory safety guarantees and require careful justification.',
+    fix: { suggestion: 'Document safety invariants with a // SAFETY: comment. Minimize unsafe scope.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /unsafe\s*\{/,
+      );
+    },
+  },
+
+  // SEC-RS-002: Unsafe function declaration
+  {
+    id: 'SEC-RS-002',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Unsafe Function Declaration',
+    description: 'Unsafe functions require callers to uphold safety invariants that the compiler cannot verify.',
+    fix: { suggestion: 'Document safety requirements with # Safety in doc comments. Consider a safe wrapper.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /unsafe\s+fn\s+/,
+      );
+    },
+  },
+
+  // SEC-RS-003: unwrap() on user input
+  {
+    id: 'SEC-RS-003',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'unwrap() Can Panic in Production',
+    description: 'Calling unwrap() on Result/Option from user input can cause panics and denial of service.',
+    fix: { suggestion: 'Use match, if let, unwrap_or, unwrap_or_else, or the ? operator instead of unwrap().' },
+    check({ files }) {
+      return checkRust(this, files,
+        /\.unwrap\s*\(\s*\)/,
+      );
+    },
+  },
+
+  // SEC-RS-004: expect() on user input
+  {
+    id: 'SEC-RS-004',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'expect() Can Panic in Production',
+    description: 'Calling expect() on Result/Option from external input can cause panics.',
+    fix: { suggestion: 'Use proper error handling with match or the ? operator instead of expect().' },
+    check({ files }) {
+      return checkRust(this, files,
+        /\.expect\s*\(\s*["']/,
+      );
+    },
+  },
+
+  // SEC-RS-005: SQL injection with format!
+  {
+    id: 'SEC-RS-005',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SQL Injection via format! in Query',
+    description: 'Using format! to build SQL queries allows injection attacks.',
+    fix: { suggestion: 'Use parameterized queries with $1 placeholders or the query builder API.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /(?:query|execute)\s*\(\s*&?format!\s*\(/,
+      );
+    },
+  },
+
+  // SEC-RS-006: SQL injection with string concatenation
+  {
+    id: 'SEC-RS-006',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SQL Injection via String Concatenation',
+    description: 'Building SQL queries with string concatenation allows injection.',
+    fix: { suggestion: 'Use parameterized queries provided by your database driver.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /(?:query|execute)\s*\(\s*&?\s*\(?\s*(?:["']SELECT|["']INSERT|["']UPDATE|["']DELETE).*\+/i,
+      );
+    },
+  },
+
+  // SEC-RS-007: Command injection via Command::new
+  {
+    id: 'SEC-RS-007',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Command Injection via Command::new',
+    description: 'Passing user-controlled input to Command::new or .arg() can lead to command injection.',
+    fix: { suggestion: 'Validate and sanitize user input. Avoid passing user input directly to system commands.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /Command::new\s*\(\s*&?\s*(?:input|user|req|param|query|body|arg)/,
+      );
+    },
+  },
+
+  // SEC-RS-008: Command injection via shell
+  {
+    id: 'SEC-RS-008',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Command Injection via Shell Execution',
+    description: 'Using Command::new("sh") or Command::new("bash") with -c flag and user input enables injection.',
+    fix: { suggestion: 'Use Command::new with the program directly and pass arguments via .arg().' },
+    check({ files }) {
+      return checkRust(this, files,
+        /Command::new\s*\(\s*["'](?:sh|bash|\/bin\/(?:ba)?sh)["']\s*\)/,
+      );
+    },
+  },
+
+  // SEC-RS-009: Path traversal with unchecked paths
+  {
+    id: 'SEC-RS-009',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Path Traversal: Unchecked User Path',
+    description: 'Using user-supplied paths without validation may allow directory traversal.',
+    fix: { suggestion: 'Canonicalize paths and verify they start with the expected base directory.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /(?:Path::new|PathBuf::from)\s*\(\s*&?\s*(?:input|user|req|param|query|body)/,
+      );
+    },
+  },
+
+  // SEC-RS-010: Path traversal via std::fs with user input
+  {
+    id: 'SEC-RS-010',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Path Traversal via File Operations',
+    description: 'File operations with user-controlled paths can read or write arbitrary files.',
+    fix: { suggestion: 'Validate paths with canonicalize() and check the prefix matches expected directory.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /(?:fs::read|fs::write|fs::remove|File::open|File::create)\s*\(\s*&?\s*(?:input|user|req|param|query|body)/,
+      );
+    },
+  },
+
+  // SEC-RS-011: Hardcoded secret
+  {
+    id: 'SEC-RS-011',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Hardcoded Secret',
+    description: 'Secrets hardcoded in source code can be extracted from binaries.',
+    fix: { suggestion: 'Use environment variables or a secrets manager for credentials.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /(?:password|secret|api_key|token|credential)\s*(?:=|:)\s*["'][^"']{4,}["']/i,
+      );
+    },
+  },
+
+  // SEC-RS-012: Hardcoded connection string
+  {
+    id: 'SEC-RS-012',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Hardcoded Database Connection String',
+    description: 'Database connection strings with credentials hardcoded in source code.',
+    fix: { suggestion: 'Use environment variables for database connection strings.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /["'](?:postgres|mysql|mongodb|redis):\/\/\w+:\w+@/,
+      );
+    },
+  },
+
+  // SEC-RS-013: Insecure random - rand::thread_rng for crypto
+  {
+    id: 'SEC-RS-013',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Insecure Random Number Generator',
+    description: 'Using rand::thread_rng or rand::random for security-sensitive operations is insecure.',
+    fix: { suggestion: 'Use rand::rngs::OsRng or ring::rand::SystemRandom for cryptographic operations.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /rand::(?:thread_rng|random)\s*\(\s*\)/,
+      );
+    },
+  },
+
+  // SEC-RS-014: Insecure random - SmallRng
+  {
+    id: 'SEC-RS-014',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'SmallRng Not Suitable for Security',
+    description: 'SmallRng is designed for performance, not cryptographic security.',
+    fix: { suggestion: 'Use OsRng for security-sensitive random number generation.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /SmallRng::from_entropy|SmallRng::seed_from/,
+      );
+    },
+  },
+
+  // SEC-RS-015: Missing TLS certificate validation
+  {
+    id: 'SEC-RS-015',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'TLS Certificate Validation Disabled',
+    description: 'Disabling TLS certificate validation allows man-in-the-middle attacks.',
+    fix: { suggestion: 'Enable certificate validation. Use proper CA certificates.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /danger_accept_invalid_certs\s*\(\s*true\s*\)/,
+      );
+    },
+  },
+
+  // SEC-RS-016: Missing hostname validation
+  {
+    id: 'SEC-RS-016',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'TLS Hostname Validation Disabled',
+    description: 'Disabling hostname validation in TLS allows certificate substitution attacks.',
+    fix: { suggestion: 'Enable hostname verification for TLS connections.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /danger_accept_invalid_hostnames\s*\(\s*true\s*\)/,
+      );
+    },
+  },
+
+  // SEC-RS-017: Regex DoS
+  {
+    id: 'SEC-RS-017',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Regex DoS: Potentially Catastrophic Backtracking',
+    description: 'Complex regex patterns with nested quantifiers can cause catastrophic backtracking on crafted input.',
+    fix: { suggestion: 'Use the regex crate (RE2-based, linear time) instead of regex with backtracking. Avoid nested quantifiers.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /Regex::new\s*\(\s*["'].*(?:\.\*){2,}/,
+        /Regex::new\s*\(\s*["'].*(?:\+\+|\*\*|\?\?)/,
+      );
+    },
+  },
+
+  // SEC-RS-018: transmute usage
+  {
+    id: 'SEC-RS-018',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Unsafe transmute Usage',
+    description: 'std::mem::transmute can cause undefined behavior if types are not layout-compatible.',
+    fix: { suggestion: 'Use safe alternatives like From/Into traits, TryFrom, or bytemuck.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /(?:mem::)?transmute\s*[:<(]/,
+      );
+    },
+  },
+
+  // SEC-RS-019: transmute_copy usage
+  {
+    id: 'SEC-RS-019',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Unsafe transmute_copy Usage',
+    description: 'transmute_copy can read uninitialized memory and cause undefined behavior.',
+    fix: { suggestion: 'Use safe conversion methods instead of transmute_copy.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /transmute_copy\s*[:<(]/,
+      );
+    },
+  },
+
+  // SEC-RS-020: Raw pointer dereference
+  {
+    id: 'SEC-RS-020',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Raw Pointer Dereference',
+    description: 'Dereferencing raw pointers (*const T, *mut T) is unsafe and can cause undefined behavior.',
+    fix: { suggestion: 'Use references (&T, &mut T) instead of raw pointers when possible.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /\*(?:const|mut)\s+\w+/,
+      );
+    },
+  },
+
+  // SEC-RS-021: from_raw_parts without bounds checking
+  {
+    id: 'SEC-RS-021',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'from_raw_parts Without Bounds Checking',
+    description: 'slice::from_raw_parts creates a slice from a raw pointer without verifying bounds, risking buffer overflows.',
+    fix: { suggestion: 'Verify that the pointer is valid and the length does not exceed the allocated memory.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /from_raw_parts(?:_mut)?\s*\(/,
+      );
+    },
+  },
+
+  // SEC-RS-022: Missing CSRF in Actix
+  {
+    id: 'SEC-RS-022',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'Missing CSRF Protection in Actix Web',
+    description: 'POST/PUT/DELETE routes without CSRF protection are vulnerable to cross-site request forgery.',
+    fix: { suggestion: 'Add CSRF middleware or token validation for state-changing routes.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /\.route\s*\(\s*["'][^"']+["']\s*,\s*web::(?:post|put|delete|patch)\s*\(\s*\)/,
+      );
+    },
+  },
+
+  // SEC-RS-023: Missing CSRF in Axum
+  {
+    id: 'SEC-RS-023',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'Missing CSRF Protection in Axum',
+    description: 'POST/PUT/DELETE routes in Axum without CSRF middleware are vulnerable.',
+    fix: { suggestion: 'Add CSRF protection middleware for state-changing endpoints.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /\.(?:post|put|delete|patch)\s*\(\s*["'][^"']+["']/,
+      );
+    },
+  },
+
+  // SEC-RS-024: Insecure deserialization with serde
+  {
+    id: 'SEC-RS-024',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'Potentially Insecure Deserialization',
+    description: 'Deserializing untrusted data without validation can lead to logic bugs or resource exhaustion.',
+    fix: { suggestion: 'Validate deserialized data. Use #[serde(deny_unknown_fields)] and size limits.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /serde_json::from_str\s*\(\s*&?\s*(?:input|body|request|payload|data)/,
+      );
+    },
+  },
+
+  // SEC-RS-025: Insecure deserialization with bincode
+  {
+    id: 'SEC-RS-025',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Insecure Deserialization with bincode',
+    description: 'Deserializing untrusted binary data with bincode can cause resource exhaustion or crashes.',
+    fix: { suggestion: 'Use bincode::Options with size limits. Validate input before deserialization.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /bincode::deserialize\s*\(/,
+      );
+    },
+  },
+
+  // SEC-RS-026: Missing rate limiting
+  {
+    id: 'SEC-RS-026',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Missing Rate Limiting on HTTP Endpoint',
+    description: 'HTTP endpoints without rate limiting are vulnerable to brute force and DoS attacks.',
+    fix: { suggestion: 'Add rate limiting middleware using actix-limitation, tower::limit, or governor.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /async\s+fn\s+\w+\s*\([^)]*(?:HttpRequest|Request|Json|Path|Query)/,
+      );
+    },
+  },
+
+  // SEC-RS-027: Panic in async context
+  {
+    id: 'SEC-RS-027',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Panic in Async Context',
+    description: 'Panicking in async code can abort the entire runtime, causing denial of service.',
+    fix: { suggestion: 'Use Result types and proper error handling instead of panic! in async functions.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /async\s+fn\s+[\s\S]*panic!\s*\(/,
+        /async\s+fn[\s\S]*todo!\s*\(/,
+      );
+    },
+  },
+
+  // SEC-RS-028: Missing input validation in Actix handler
+  {
+    id: 'SEC-RS-028',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Missing Input Validation in Actix Handler',
+    description: 'Actix web handlers accepting user input without validation may process malformed data.',
+    fix: { suggestion: 'Use actix-web-validator or implement the Validate trait on input structs.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /web::(?:Json|Path|Query)<[^>]+>\s*\)/,
+      );
+    },
+  },
+
+  // SEC-RS-029: Missing input validation in Axum handler
+  {
+    id: 'SEC-RS-029',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Missing Input Validation in Axum Handler',
+    description: 'Axum handlers accepting extractors without validation may process malformed data.',
+    fix: { suggestion: 'Use axum-extra validated extractors or implement custom validation.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /(?:Json|Path|Query)<[^>]+>\s*\)\s*->/,
+      );
+    },
+  },
+
+  // SEC-RS-030: CORS wildcard
+  {
+    id: 'SEC-RS-030',
+    category: 'security',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'CORS Wildcard Origin',
+    description: 'Allowing all origins for CORS enables any website to make cross-origin requests.',
+    fix: { suggestion: 'Specify allowed origins explicitly instead of using permissive().' },
+    check({ files }) {
+      return checkRust(this, files,
+        /Cors::(?:permissive|default)\s*\(\s*\)/,
+        /\.allow_any_origin\s*\(\s*\)/,
+      );
+    },
+  },
+
+  // SEC-RS-031: SSRF via reqwest
+  {
+    id: 'SEC-RS-031',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'SSRF via User-Controlled URL in reqwest',
+    description: 'Passing user-controlled URLs to reqwest enables Server-Side Request Forgery.',
+    fix: { suggestion: 'Validate and whitelist allowed URLs/hosts before making HTTP requests.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /(?:reqwest|Client)::(?:get|post|put|delete)\s*\(\s*&?\s*(?:input|user|url|param|query|body)/,
+      );
+    },
+  },
+
+  // SEC-RS-032: Hardcoded private key
+  {
+    id: 'SEC-RS-032',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Hardcoded Private Key',
+    description: 'Private keys embedded in source code can be extracted and used to impersonate the service.',
+    fix: { suggestion: 'Load private keys from files or environment variables at runtime.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/,
+      );
+    },
+  },
+
+  // SEC-RS-033: Log sensitive data
+  {
+    id: 'SEC-RS-033',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Sensitive Data in Log Output',
+    description: 'Logging passwords, tokens, or keys can expose sensitive data.',
+    fix: { suggestion: 'Redact sensitive fields before logging.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /(?:log::(?:info|debug|warn|error|trace)|(?:info|debug|warn|error|trace)!)\s*\(.*(?:password|token|secret|key|credential)/i,
+      );
+    },
+  },
+
+  // SEC-RS-034: Unvalidated redirect
+  {
+    id: 'SEC-RS-034',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Open Redirect',
+    description: 'Redirecting to user-supplied URLs without validation enables phishing.',
+    fix: { suggestion: 'Validate redirect URLs against an allowlist of trusted domains.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /(?:Redirect|redirect)\s*::\s*(?:to|temporary|permanent)\s*\(\s*&?\s*(?:input|user|url|param|query)/,
+      );
+    },
+  },
+
+  // SEC-RS-035: Memory leak via Box::into_raw
+  {
+    id: 'SEC-RS-035',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Potential Memory Leak via Box::into_raw',
+    description: 'Box::into_raw transfers ownership to a raw pointer. Failing to reconstruct the Box leaks memory.',
+    fix: { suggestion: 'Ensure Box::from_raw is called to reclaim the memory.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /Box::into_raw\s*\(/,
+      );
+    },
+  },
+
+  // SEC-RS-036: Weak crypto - MD5
+  {
+    id: 'SEC-RS-036',
+    category: 'security',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'Weak Cryptographic Hash: MD5',
+    description: 'MD5 is cryptographically broken and must not be used for security purposes.',
+    fix: { suggestion: 'Use SHA-256 or SHA-3 via the sha2 or sha3 crate.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /(?:Md5|md5)::(?:new|digest|compute)\s*\(/,
+      );
+    },
+  },
+
+  // SEC-RS-037: Weak crypto - SHA1
+  {
+    id: 'SEC-RS-037',
+    category: 'security',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'Weak Cryptographic Hash: SHA1',
+    description: 'SHA1 has known collision attacks and should not be used for security.',
+    fix: { suggestion: 'Use SHA-256 or SHA-3 instead of SHA1.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /(?:Sha1|sha1)::(?:new|digest|compute)\s*\(/,
+      );
+    },
+  },
+
+  // SEC-RS-038: Cookie without secure flag
+  {
+    id: 'SEC-RS-038',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Cookie Without Secure Flag',
+    description: 'Cookies without the Secure flag may be sent over unencrypted HTTP.',
+    fix: { suggestion: 'Set .secure(true) on cookies.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /Cookie::build\s*\([^)]*\)(?:(?!\.secure\s*\(\s*true)[\s\S])*\.finish/,
+      );
+    },
+  },
+
+  // SEC-RS-039: Integer overflow in release mode
+  {
+    id: 'SEC-RS-039',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Potential Integer Overflow',
+    description: 'Integer overflow wraps in release mode. Use checked arithmetic for security-critical calculations.',
+    fix: { suggestion: 'Use checked_add, checked_mul, saturating_add, or wrapping_add for explicit overflow handling.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /as\s+(?:u8|u16|i8|i16|u32|i32)\s*[;)]/,
+      );
+    },
+  },
+
+  // SEC-RS-040: Unprotected shared state
+  {
+    id: 'SEC-RS-040',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'Shared Mutable State Without Synchronization',
+    description: 'Using Rc<RefCell<>> in multi-threaded context causes undefined behavior. Use Arc<Mutex<>>.',
+    fix: { suggestion: 'Use Arc<Mutex<T>> or Arc<RwLock<T>> for shared state in concurrent code.' },
+    check({ files }) {
+      return checkRust(this, files,
+        /Rc\s*<\s*RefCell\s*</,
+      );
+    },
+  },
+];
+
+export default rules;