pi-lens 2.2.9 → 3.0.0

package/rules/tree-sitter-queries/python/eval-exec.yml

@@ -0,0 +1,50 @@
+# Eval/Exec Usage
+# Detects eval() and exec() which are security risks
+id: eval-exec
+name: Eval/Exec Usage
+severity: error
+category: security
+language: python
+
+message: "{{FUNC}}() detected — security risk, code injection vulnerability"
+
+description: |
+  eval() and exec() execute arbitrary Python code and are major
+  security vulnerabilities when used with untrusted input.
+  
+  ✅ ALTERNATIVES:
+  - ast.literal_eval() for parsing literals
+  - json.loads() for JSON
+  - Proper parsing libraries for complex needs
+
+query: |
+  (call
+    function: (identifier) @FUNC
+    (#match? @FUNC "^(eval|exec)$")
+    arguments: (argument_list) @ARGS)
+
+metavars:
+  - FUNC
+  - ARGS
+
+tags:
+  - security
+  - xss
+  - injection
+
+examples:
+  bad: |
+    user_input = "os.system('rm -rf /')"
+    eval(user_input)  # DANGEROUS!
+  
+  good: |
+    import ast
+    import json
+    
+    # For literals: use ast.literal_eval
+    data = ast.literal_eval("[1, 2, 3]")
+    
+    # For JSON: use json.loads
+    data = json.loads(json_string)
+
+has_fix: false

package/rules/tree-sitter-queries/python/is-vs-equals.yml

@@ -0,0 +1,60 @@
+# Is vs Equals for Literals
+# Detects 'is' used with string/int literals (should use '==')
+id: is-vs-equals
+name: Is vs Equals for Literals
+severity: warning
+category: reliability
+language: python
+
+message: "Using 'is' with literal — use '==' for value comparison"
+
+description: |
+  'is' checks identity (same object in memory), not equality.
+  For strings and small ints, Python may intern them, making
+  'is' appear to work, but it's unreliable and wrong.
+  
+  ✅ FIX: Use '==' for value comparison
+  
+  ```python
+  if name == "admin":  # GOOD - value comparison
+  if count == 0:  # GOOD - value comparison
+  ```
+
+query: |
+  (comparison_operator
+    (identifier)
+    ("is")
+    (string) @LITERAL)
+  (comparison_operator
+    (identifier)
+    ("is not")
+    (string) @LITERAL)
+  (comparison_operator
+    (identifier)
+    ("is")
+    (integer) @LITERAL)
+  (comparison_operator
+    (identifier)
+    ("is not")
+    (integer) @LITERAL)
+
+metavars:
+  - LITERAL
+
+tags:
+  - reliability
+  - common-mistake
+  - python-specific
+
+examples:
+  bad: |
+    if name is "admin":  # BAD - identity check
+    if count is 0:  # BAD - may work by accident
+  
+  good: |
+    if name == "admin":  # GOOD
+    if count == 0:  # GOOD
+    if obj is None:  # OK - None is a singleton
+
+has_fix: true
+fix_action: replace_is_with_equals

package/rules/tree-sitter-queries/python/mutable-default-arg.yml

@@ -0,0 +1,57 @@
+# Mutable Default Argument
+# Detects mutable defaults in function arguments (common Python pitfall)
+id: mutable-default-arg
+name: Mutable Default Argument
+severity: error
+category: reliability
+language: python
+
+message: "Mutable default argument — list/dict/set as default value"
+
+description: |
+  Mutable default arguments are evaluated once at function definition time,
+  not each call. This causes unexpected shared state between calls.
+  
+  ✅ FIX: Use None as default, create mutable inside function
+  
+  ```python
+  def process(items=None):  # GOOD
+      if items is None:
+          items = []
+      items.append(item)
+  ```
+
+query: |
+  (function_definition
+    (parameters
+      (default_parameter
+        (identifier) @PARAM
+        [(list) (dictionary) (set)] @MUTABLE)))
+
+metavars:
+  - PARAM
+  - MUTABLE
+
+tags:
+  - reliability
+  - common-mistake
+  - python-specific
+
+examples:
+  bad: |
+    def add_item(item, items=[]):  # BAD - shared list!
+        items.append(item)
+        return items
+    
+    print(add_item(1))  # [1]
+    print(add_item(2))  # [1, 2] - unexpected!
+  
+  good: |
+    def add_item(item, items=None):  # GOOD
+        if items is None:
+            items = []
+        items.append(item)
+        return items
+
+has_fix: true
+fix_action: convert_to_none_default

package/rules/tree-sitter-queries/python/unreachable-except.yml

@@ -0,0 +1,60 @@
+# Unreachable Except Clause
+# Detects except clauses that can never be reached
+id: unreachable-except
+name: Unreachable Except Clause
+severity: error
+category: reliability
+language: python
+
+message: "Unreachable except clause — earlier except catches all"
+
+description: |
+  When a bare 'except' or 'except Exception' comes before specific
+  exception handlers, those specific handlers are never reached.
+  
+  ✅ FIX: Order from specific to general
+  
+  ```python
+  try:
+      process()
+  except ValueError:  # Specific first
+      handle_value_error()
+  except Exception:  # General last
+      handle_general()
+  ```
+
+query: |
+  (try_statement
+    (except_clause
+      "except") @GENERAL
+    (except_clause
+      "except"
+      (identifier) @SPECIFIC))
+
+metavars:
+  - GENERAL
+  - SPECIFIC
+
+tags:
+  - reliability
+  - dead-code
+  - exceptions
+
+examples:
+  bad: |
+    try:
+        process()
+    except:  # BAD - catches everything
+        handle_all()
+    except ValueError:  # UNREACHABLE!
+        handle_value()
+  
+  good: |
+    try:
+        process()
+    except ValueError:  # GOOD - specific first
+        handle_value()
+    except Exception:  # GOOD - general last
+        handle_general()
+
+has_fix: false

package/rules/tree-sitter-queries/python/wildcard-import.yml

@@ -0,0 +1,46 @@
+# Wildcard Import
+# Detects 'from module import *' which pollutes namespace
+id: wildcard-import
+name: Wildcard Import
+severity: warning
+category: readability
+language: python
+
+message: "Wildcard import — pollutes namespace, hard to track origin"
+
+description: |
+  'from module import *' makes it unclear where names come from
+  and can cause name collisions. Explicit is better than implicit.
+  
+  ✅ FIX: Import specific names or use module prefix
+  
+  ```python
+  from os import path, getenv  # GOOD - explicit
+  import os  # GOOD - namespace preserved
+  os.path.join(...)  # Clear where this comes from
+  ```
+
+query: |
+  (import_from_statement
+    module_name: (dotted_name) @MODULE
+    (wildcard_import) @WILDCARD)
+
+metavars:
+  - MODULE
+  - WILDCARD
+
+tags:
+  - readability
+  - best-practice
+  - imports
+
+examples:
+  bad: |
+    from os import *  # BAD - where does path come from?
+    from numpy import *  # BAD - pollutes namespace
+  
+  good: |
+    from os import path, getenv  # GOOD - explicit
+    import numpy as np  # GOOD - namespace preserved
+
+has_fix: false

package/rules/tree-sitter-queries/tsx/dangerously-set-inner-html.yml

@@ -0,0 +1,63 @@
+# Dangerously Set Inner HTML
+# Detects dangerouslySetInnerHTML usage (XSS risk)
+id: dangerously-set-inner-html
+name: Dangerously Set Inner HTML
+severity: error
+category: security
+language: tsx
+
+message: "dangerouslySetInnerHTML — XSS risk, sanitize user input"
+
+description: |
+  dangerouslySetInnerHTML allows arbitrary HTML injection.
+  This is a major XSS vulnerability if user input is used.
+  
+  ✅ FIX: Sanitize HTML with a library like DOMPurify
+  
+  ```tsx
+  import DOMPurify from 'dompurify';
+  
+  <div dangerouslySetInnerHTML={{ 
+    __html: DOMPurify.sanitize(userInput) 
+  }} />
+  ```
+  
+  Or better, avoid using HTML altogether and use JSX.
+
+query: |
+  (jsx_attribute
+    (property_identifier) @ATTR
+    (#match? @ATTR "dangerouslySetInnerHTML"))
+
+metavars:
+  - ATTR
+
+tags:
+  - security
+  - xss
+  - react
+  - jsx
+
+examples:
+  bad: |
+    function Component({ userInput }) {
+      return <div dangerouslySetInnerHTML={{ __html: userInput }} />;
+    }
+  
+  good: |
+    import DOMPurify from 'dompurify';
+    
+    function Component({ userInput }) {
+      return (
+        <div dangerouslySetInnerHTML={{ 
+          __html: DOMPurify.sanitize(userInput) 
+        }} />
+      );
+    }
+    
+    // Or better:
+    function Component({ content }) {
+      return <div>{content}</div>;  // Just use JSX
+    }
+
+has_fix: false

package/rules/tree-sitter-queries/typescript/await-in-loop.yml

@@ -0,0 +1,56 @@
+# Await in Loop
+# Detects sequential await calls inside loops (performance anti-pattern)
+id: await-in-loop
+name: Await in Loop
+severity: warning
+category: performance
+language: typescript
+
+message: "Await in loop — sequential execution is slow, use Promise.all()"
+
+description: |
+  Using await inside a loop forces sequential execution, making it O(n) time.
+  With Promise.all(), operations run in parallel, making it O(1) time.
+  
+  ✅ FIX: Use Promise.all() for parallel execution
+  
+  ⚠️ EXCEPTION: If order matters or you need to throttle requests, sequential 
+  may be intentional. In that case, add a comment explaining why.
+
+query: |
+  (for_in_statement
+    body: (statement_block
+      (expression_statement
+        (await_expression) @AWAIT)))
+  (for_statement
+    body: (statement_block
+      (expression_statement
+        (await_expression) @AWAIT)))
+  (while_statement
+    body: (statement_block
+      (expression_statement
+        (await_expression) @AWAIT)))
+
+metavars:
+  - AWAIT
+
+tags:
+  - performance
+  - async
+  - optimization
+
+examples:
+  bad: |
+    // Slow: sequential execution
+    for (const id of ids) {
+      await fetchUser(id);  // Wait, wait, wait...
+    }
+  
+  good: |
+    // Fast: parallel execution
+    await Promise.all(
+      ids.map(id => fetchUser(id))  // All at once!
+    )
+
+has_fix: true
+fix_action: convert_to_promise_all

package/rules/tree-sitter-queries/typescript/console-statement.yml

@@ -0,0 +1,47 @@
+# Console Statement
+# Detects console.log and friends (debug leftovers)
+id: console-statement
+name: Console Statement
+severity: warning
+category: debugging
+language: typescript
+
+message: "{{METHOD}} — remove debug statements before committing"
+
+description: |
+  Console statements are for debugging and should not be in production code.
+  
+  ✅ FIX: Remove or use a proper logging library.
+
+query: |
+  (call_expression
+    function: (member_expression
+      object: (identifier) @OBJ (#eq? @OBJ "console")
+      property: (property_identifier) @METHOD)
+    arguments: (arguments) @ARGS)
+
+# Post-filter: Exclude debug function names like "dbg"
+post_filter: not_dbg_method
+
+metavars:
+  - OBJ
+  - METHOD
+  - ARGS
+
+tags:
+  - debugging
+  - code-quality
+
+examples:
+  bad: |
+    console.log("debug info");
+    console.error("error");
+  
+  good: |
+    // Use a logging library
+    import { logger } from './logger';
+    logger.info("info");
+    logger.error("error");
+
+has_fix: true
+fix_action: remove

package/rules/tree-sitter-queries/typescript/debugger.yml

@@ -0,0 +1,47 @@
+# Debugger Statement
+# Detects debugger statements left in code
+id: debugger-statement
+name: Debugger Statement
+severity: warning
+category: debugging
+language: typescript
+
+message: "Debugger statement — remove before committing"
+
+description: |
+  Debugger statements pause execution and should never be committed to production.
+  
+  ✅ FIX: Remove the debugger statement before committing.
+  
+  If you need to debug, use:
+  - console.log() for quick checks
+  - IDE debugger for stepping through
+  - Add breakpoints in dev tools
+
+query: |
+  (debugger_statement) @DEBUGGER
+
+metavars:
+  - DEBUGGER
+
+tags:
+  - debugging
+  - code-quality
+
+examples:
+  bad: |
+    function process() {
+      const x = calculate();
+      debugger;  // ← Remove this!
+      return x;
+    }
+  
+  good: |
+    function process() {
+      const x = calculate();
+      console.log('Debug:', x);  // Or just remove
+      return x;
+    }
+
+has_fix: true
+fix_action: remove

package/rules/tree-sitter-queries/typescript/deep-nesting.yml

@@ -0,0 +1,117 @@
+# Deep Nesting
+# Detects functions with 3+ levels of control structure nesting (if/for/while/try)
+id: deep-nesting
+name: Deep Nesting
+severity: warning
+category: complexity
+language: typescript
+
+message: "Deep nesting (3+ levels) — consider early returns or extract functions"
+
+description: |
+  Deeply nested code (if/for/while/try blocks 3+ levels deep) is hard to read and test.
+  Flatten by using early returns (guard clauses) or extracting nested logic.
+
+query: |
+  [
+    ;; Pattern 1: if inside if inside if
+    (statement_block
+      (if_statement
+        consequence: (statement_block
+          (if_statement
+            consequence: (statement_block
+              (if_statement) @IF_NESTED)))))
+    
+    ;; Pattern 2: for inside if inside if
+    (statement_block
+      (if_statement
+        consequence: (statement_block
+          (if_statement
+            consequence: (statement_block
+              (for_statement) @FOR_NESTED)))))
+    
+    ;; Pattern 3: while inside if inside if
+    (statement_block
+      (if_statement
+        consequence: (statement_block
+          (if_statement
+            consequence: (statement_block
+              (while_statement) @WHILE_NESTED)))))
+    
+    ;; Pattern 4: try inside if inside if
+    (statement_block
+      (if_statement
+        consequence: (statement_block
+          (if_statement
+            consequence: (statement_block
+              (try_statement) @TRY_NESTED)))))
+    
+    ;; Pattern 5: if inside for inside if
+    (statement_block
+      (if_statement
+        consequence: (statement_block
+          (for_statement
+            body: (statement_block
+              (if_statement) @IF_IN_FOR)))))
+    
+    ;; Pattern 6: if inside while inside if
+    (statement_block
+      (if_statement
+        consequence: (statement_block
+          (while_statement
+            body: (statement_block
+              (if_statement) @IF_IN_WHILE)))))
+    
+    ;; Pattern 7: for inside for inside for
+    (statement_block
+      (for_statement
+        body: (statement_block
+          (for_statement
+            body: (statement_block
+              (for_statement) @FOR_NESTED)))))
+  ]
+
+metavars:
+  - IF_NESTED
+  - FOR_NESTED
+  - WHILE_NESTED
+  - TRY_NESTED
+  - IF_IN_FOR
+  - IF_IN_WHILE
+
+tags:
+  - complexity
+  - readability
+  - best-practice
+
+examples:
+  bad: |
+    function process(user) {
+      if (user) {
+        if (user.active) {
+          if (user.permissions) {  // 3 levels deep!
+            return doSomething();
+          }
+        }
+      }
+    }
+    
+    function loop(items) {
+      for (const item of items) {
+        if (item.active) {
+          for (const sub of item.subs) {  // 3 levels
+            process(sub);
+          }
+        }
+      }
+    }
+  
+  good: |
+    function process(user) {
+      if (!user) return null;
+      if (!user.active) return null;
+      if (!user.permissions) return null;
+      return doSomething();
+    }
+
+has_fix: false

package/rules/tree-sitter-queries/typescript/deep-promise-chain.yml

@@ -0,0 +1,73 @@
+# Deep Promise Chain
+# Detects promise chains 4+ levels deep
+id: deep-promise-chain
+name: Deep Promise Chain (4+ levels)
+severity: warning
+category: complexity
+language: typescript
+
+message: "Promise chain {{M1}} → {{M2}} → {{M3}} → {{M4}} — consider async/await"
+
+description: |
+  Deep promise chains (4+ levels) are hard to read and debug.
+  Async/await provides clearer control flow.
+  
+  ✅ FIX: Convert to async/await
+
+query: |
+  (call_expression
+    function: (member_expression
+      object: (call_expression
+        function: (member_expression
+          object: (call_expression
+            function: (member_expression
+              object: (call_expression
+                function: (member_expression
+                  property: (property_identifier) @M1)
+                arguments: (arguments))
+              property: (property_identifier) @M2)
+            arguments: (arguments))
+          property: (property_identifier) @M3)
+        arguments: (arguments))
+      property: (property_identifier) @M4)
+    arguments: (arguments))
+  (#match? @M1 "^(then|catch|finally)$")
+  (#match? @M2 "^(then|catch|finally)$")
+  (#match? @M3 "^(then|catch|finally)$")
+  (#match? @M4 "^(then|catch|finally)$")
+
+metavars:
+  - M1
+  - M2
+  - M3
+  - M4
+
+tags:
+  - complexity
+  - async
+  - readability
+
+examples:
+  bad: |
+    fetch('/api')
+      .then(r => r.json())
+      .catch(e => console.log(e))
+      .then(data => data.items)
+      .then(items => items[0])
+      .then(first => process(first));
+  
+  good: |
+    async function fetchFirstItem() {
+      try {
+        const response = await fetch('/api');
+        const data = await response.json();
+        const items = data.items;
+        const first = items[0];
+        return process(first);
+      } catch (e) {
+        console.log(e);
+      }
+    }
+
+has_fix: true
+fix_action: convert_to_async_await