pi-lens 2.2.9 → 3.0.0

package/rules/tree-sitter-queries/typescript/empty-catch.yml

@@ -0,0 +1,64 @@
+# Empty Catch Block
+# Detects catch blocks that silently swallow errors
+id: empty-catch
+name: Empty Catch Block
+severity: error
+category: reliability
+language: typescript
+
+message: "Empty catch block — properly handle or log the error"
+
+description: |
+  Silently swallowing errors makes debugging impossible.
+  
+  ✅ PROPER FIXES (choose one):
+  1. Log the error: console.error(`[context] Failed to X:`, err)
+  2. Rethrow if can't handle: throw err
+  3. Return a safe default: return null / return [] / return defaultValue
+  4. Handle specific errors: if (err.code === 'ENOENT') { ... }
+  5. Propagate to caller: callback(err) / reject(err)
+  
+  ❌ NOT ACCEPTABLE:
+  - void err; (just references variable, does nothing)
+  - /* ignored */ comments without action
+  - console.log without the error object
+
+query: |
+  (catch_clause
+    (identifier) @ERR
+    (statement_block) @BODY)
+
+# Post-filter: Check if body is effectively empty (ignoring comments)
+post_filter: empty_body
+
+# Capture metavariables
+metavars:
+  - ERR      # The error parameter name
+  - BODY     # The catch block body
+
+# Additional metadata
+tags:
+  - security
+  - debugging
+  - reliability
+  - best-practice
+
+# Examples for documentation
+examples:
+  bad: |
+    try {
+      await fetch('/api');
+    } catch (err) {
+      // Empty - BAD!
+    }
+  
+  good: |
+    try {
+      await fetch('/api');
+    } catch (err) {
+      console.error('[API] Fetch failed:', err);
+      throw err; // or return safe default
+    }
+
+# Auto-fix available
+has_fix: false

package/rules/tree-sitter-queries/typescript/eval.yml

@@ -0,0 +1,48 @@
+# Eval Usage
+# Detects eval() calls (security risk)
+id: no-eval
+name: Eval Usage
+severity: error
+category: security
+language: typescript
+
+message: "eval() detected — security risk, never use eval"
+
+description: |
+  eval() executes arbitrary code and is a major security vulnerability.
+  It allows code injection attacks.
+  
+  ✅ ALTERNATIVES:
+  - JSON.parse() for parsing JSON
+  - Function constructor for dynamic functions (still risky)
+  - Template literals for string interpolation
+  - Proper parsing libraries for complex needs
+
+query: |
+  (call_expression
+    function: (identifier) @FUNC
+    (#eq? @FUNC "eval")
+    arguments: (arguments) @ARGS)
+
+metavars:
+  - FUNC
+  - ARGS
+
+tags:
+  - security
+  - xss
+  - owasp
+
+examples:
+  bad: |
+    const userCode = "alert('hacked')";
+    eval(userCode);  // DON'T DO THIS
+  
+  good: |
+    // Use JSON.parse for JSON
+    const data = JSON.parse(jsonString);
+    
+    // Use template literals
+    const message = `Hello, ${name}`;
+
+has_fix: false

package/rules/tree-sitter-queries/typescript/hardcoded-secrets.yml

@@ -0,0 +1,78 @@
+# Hardcoded Secrets
+# Detects hardcoded API keys, passwords, tokens in code
+id: hardcoded-secrets
+name: Hardcoded Secret
+severity: error
+category: security
+language: typescript
+
+message: "Hardcoded {{VARNAME}} — use environment variables"
+
+description: |
+  Hardcoded secrets in source code are a serious security risk.
+  They can be exposed through:
+  - Git history (even if deleted)
+  - Decompiled code
+  - Public repositories
+  
+  ✅ FIX: Use environment variables
+  
+  ```typescript
+  const apiKey = process.env.API_KEY;
+  if (!apiKey) throw new Error('API_KEY not set');
+  ```
+  
+  Then add to .env file (which should be in .gitignore):
+  ```
+  API_KEY=your_secret_here
+  ```
+
+query: |
+  (lexical_declaration
+    (variable_declarator
+      name: (identifier) @VARNAME
+      value: (string) @SECRET))
+  (#match? @VARNAME "^(api_key|apikey|password|secret|token|auth|private_key|access_token)$")
+  (assignment_expression
+    left: (identifier) @VARNAME
+    right: (string) @SECRET)
+  (#match? @VARNAME "^(api_key|apikey|password|secret|token|auth|private_key|access_token)$")
+
+metavars:
+  - VARNAME
+  - SECRET
+
+tags:
+  - security
+  - secrets
+  - best-practice
+  - owasp
+
+examples:
+  bad: |
+    const api_key = "sk-live-abc123xyz789";
+    const password = "hunter2";
+    const SECRET = "my-secret-value";
+  
+  good: |
+    const api_key = process.env.API_KEY;
+    const password = process.env.DATABASE_PASSWORD;
+    const secret = process.env.SECRET_KEY;
+
+has_fix: false
+
+# Additional patterns to match
+patterns:
+  variable_names:
+    - api_key
+    - apikey
+    - apiKey
+    - API_KEY
+    - password
+    - secret
+    - token
+    - auth
+    - private_key
+    - access_token
+    - aws_secret
+    - github_token

package/rules/tree-sitter-queries/typescript/long-parameter-list.yml

@@ -0,0 +1,62 @@
+# Long Parameter List
+# Detects functions with 6+ parameters
+id: long-parameter-list
+name: Long Parameter List
+severity: warning
+category: complexity
+language: typescript
+
+message: "Function has {{PARAM_COUNT}} parameters — use object pattern"
+
+description: |
+  Functions with many parameters are hard to use and maintain.
+  Use an options object instead.
+  
+  ✅ FIX: Convert to options object pattern
+
+query: |
+  (function_declaration
+    name: (identifier) @NAME
+    parameters: (formal_parameters) @PARAMS
+    body: (statement_block) @BODY)
+
+metavars:
+  - NAME
+  - PARAMS
+  - BODY
+
+# Post-filter: count parameters
+post_filter: count_params
+post_filter_params:
+  min_params: 6
+
+tags:
+  - complexity
+  - refactoring
+  - maintainability
+
+examples:
+  bad: |
+    function createUser(
+      firstName, lastName, email, 
+      password, age, role, status
+    ) {
+      // ...
+    }
+  
+  good: |
+    interface CreateUserOptions {
+      firstName: string;
+      lastName: string;
+      email: string;
+      password: string;
+      age: number;
+      role: string;
+      status: string;
+    }
+    
+    function createUser(options: CreateUserOptions) {
+      // ...
+    }
+
+has_fix: false

package/rules/tree-sitter-queries/typescript/mixed-async-styles.yml

@@ -0,0 +1,49 @@
+# Mixed Async Styles
+# Detects mixing async/await with promise chains in the same function
+id: mixed-async-styles
+name: Mixed Async/Await and Promise Chains
+severity: warning
+category: style
+language: typescript
+
+message: "Mixed async/await + promise chains — use consistent async style"
+
+description: |
+  Mixing async/await with .then()/.catch() chains in the same function
+  is confusing and inconsistent. Choose one style per function.
+  
+  ✅ FIXES:
+  1. Convert all to async/await (preferred)
+  2. Convert all to promise chains (if needed for specific control flow)
+
+query: |
+  (function_declaration
+    (async_modifier)
+    body: (statement_block) @BODY)
+
+# Post-filter: Check if body contains both await and .then()
+post_filter: has_mixed_async
+
+metavars:
+  - BODY
+
+tags:
+  - style
+  - async
+  - consistency
+
+examples:
+  bad: |
+    async function getUser() {
+      const response = await fetch('/api/user');
+      return response.json().then(data => data.name); // Mixed!
+    }
+  
+  good: |
+    async function getUser() {
+      const response = await fetch('/api/user');
+      const data = await response.json(); // Consistent async/await
+      return data.name;
+    }
+
+has_fix: false

package/rules/tree-sitter-queries/typescript/nested-ternary.yml

@@ -0,0 +1,45 @@
+# Nested Ternary
+# Detects deeply nested ternary operators (readability issue)
+id: nested-ternary
+name: Nested Ternary
+severity: warning
+category: readability
+language: typescript
+
+message: "Nested ternary — use if/else or early returns for clarity"
+
+description: |
+  Nested ternary operators are hard to read and understand.
+  Prefer if/else statements or early returns.
+  
+  ✅ FIX: Use if/else or switch statement
+
+query: |
+  (ternary_expression
+    consequence: (ternary_expression) @NESTED)
+  (ternary_expression
+    alternative: (ternary_expression) @NESTED)
+
+metavars:
+  - NESTED
+
+tags:
+  - readability
+  - code-quality
+
+examples:
+  bad: |
+    const value = condition1 
+      ? condition2 
+        ? condition3 ? "a" : "b"
+        : "c"
+      : "d";
+  
+  good: |
+    function getValue(c1, c2, c3) {
+      if (!c1) return "d";
+      if (!c2) return "c";
+      return c3 ? "a" : "b";
+    }
+
+has_fix: false

package/rules/ts-slop-rules/.sgconfig.yml

@@ -0,0 +1,4 @@
+# TypeScript/JavaScript slop detection configuration
+# Detects verbose patterns, defensive over-checking, and ceremony
+ruleDirs:
+  - ./rules

package/rules/ts-slop-rules/rules/in-correct-optional-input-type.yml

@@ -0,0 +1,10 @@
+---
+id: ts-incorrect-optional-input-type
+language: TypeScript
+severity: warning
+message: "This input is optional, but the type for it does not include undefined."
+metadata:
+  weight: 4
+  category: security
+rule:
+  pattern: "$FIELD"

package/rules/ts-slop-rules/rules/jwt-no-verify.yml

@@ -0,0 +1,13 @@
+---
+id: ts-jwt-no-verify
+language: TypeScript
+severity: warning
+message: "Unsafe JWT operation — verification is bypassed"
+metadata:
+  weight: 4
+  category: security
+rule:
+  any:
+    - pattern: "jwt.decode($$$, { noVerify: true })"
+    - pattern: "jwt.verify($$$, { ignoreExpiration: true, $$$ })"
+    - pattern: "jwt.verify($$$, { ignoreNotBefore: true, $$$ })"

package/rules/ts-slop-rules/rules/no-architecture-violation.yml

@@ -0,0 +1,10 @@
+---
+id: ts-no-architecture-violation
+language: TypeScript
+severity: warning
+message: "Forbidden import — layer boundary violation: importing from database/model layer"
+metadata:
+  weight: 4
+  category: security
+rule:
+  pattern: "import { $$$ } from \"$PATH\""

package/rules/ts-slop-rules/rules/no-case-declarations.yml

@@ -0,0 +1,10 @@
+---
+id: ts-no-case-declarations
+language: TypeScript
+severity: warning
+message: "Unexpected lexical declaration in case block — wrap in braces to restrict scope"
+metadata:
+  weight: 4
+  category: security
+rule:
+  all:

package/rules/ts-slop-rules/rules/no-dangerously-set-inner-html.yml

@@ -0,0 +1,10 @@
+---
+id: ts-no-dangerously-set-inner-html
+language: TSX
+severity: warning
+message: "dangerouslySetInnerHTML can expose XSS vulnerabilities — sanitize with DOMPurify"
+metadata:
+  weight: 4
+  category: security
+rule:
+  kind: jsx_attribute

package/rules/ts-slop-rules/rules/no-debugger.yml

@@ -0,0 +1,10 @@
+---
+id: ts-no-debugger
+language: TypeScript
+severity: warning
+message: "Unexpected `debugger` statement."
+metadata:
+  weight: 4
+  category: security
+rule:
+  pattern: "debugger"

package/rules/ts-slop-rules/rules/no-dupe-args.yml

@@ -0,0 +1,10 @@
+---
+id: ts-no-dupe-args
+language: TypeScript
+severity: warning
+message: "Duplicate param '$NAME'."
+metadata:
+  weight: 4
+  category: security
+rule:
+  pattern: "$NAME"

package/rules/ts-slop-rules/rules/no-dupe-class-members.yml

@@ -0,0 +1,10 @@
+---
+id: ts-no-dupe-class-members
+language: TypeScript
+severity: warning
+message: "Duplicate class member '$NAME'."
+metadata:
+  weight: 4
+  category: security
+rule:
+  any:

package/rules/ts-slop-rules/rules/no-dupe-keys.yml

@@ -0,0 +1,10 @@
+---
+id: ts-no-dupe-keys
+language: TypeScript
+severity: warning
+message: "Disallow duplicate keys in object literals"
+metadata:
+  weight: 4
+  category: security
+rule:
+  any:

package/rules/ts-slop-rules/rules/no-eval.yml

@@ -0,0 +1,13 @@
+---
+id: ts-no-eval
+language: typescript
+severity: warning
+message: Avoid eval() — it can execute arbitrary code and is a security risk
+metadata:
+  weight: 4
+  category: security
+rule:
+  any:
+    - pattern: "eval($$$ARGS)"
+    - pattern: "window.eval($$$ARGS)"
+    - pattern: "global.eval($$$ARGS)"

package/rules/ts-slop-rules/rules/no-hardcoded-secrets.yml

@@ -0,0 +1,12 @@
+---
+id: ts-no-hardcoded-secrets
+language: TypeScript
+severity: warning
+message: "Hardcoded secret detected — use process.env instead"
+metadata:
+  weight: 4
+  category: security
+rule:
+  any:
+    - pattern: "const $VAR = \"$_\""
+    - pattern: "const $VAR = '$_'"

package/rules/ts-slop-rules/rules/no-implied-eval.yml

@@ -0,0 +1,12 @@
+---
+id: ts-no-implied-eval
+language: TypeScript
+severity: warning
+message: "Avoid implied eval via setTimeout/setInterval with string arguments"
+metadata:
+  weight: 4
+  category: security
+rule:
+  any:
+    - pattern: "setTimeout($$$ARGS)"
+    - pattern: "setInterval($$$ARGS)"

package/rules/ts-slop-rules/rules/no-inner-html.yml

@@ -0,0 +1,13 @@
+---
+id: ts-no-inner-html
+language: TypeScript
+severity: warning
+message: "Avoid innerHTML/outerHTML — use textContent or a sanitizer to prevent XSS"
+metadata:
+  weight: 4
+  category: security
+rule:
+  any:
+    - pattern: "$EL.innerHTML = $$$"
+    - pattern: "$EL.outerHTML = $$$"
+    - pattern: "$EL.insertAdjacentHTML($$$)"

package/rules/ts-slop-rules/rules/no-javascript-url.yml

@@ -0,0 +1,10 @@
+---
+id: ts-no-javascript-url
+language: TypeScript
+severity: warning
+message: "Avoid javascript: URLs — they can execute arbitrary code"
+metadata:
+  weight: 4
+  category: security
+rule:
+  all:

package/rules/ts-slop-rules/rules/no-mutable-default.yml

@@ -0,0 +1,10 @@
+---
+id: ts-no-mutable-default
+language: Python
+severity: warning
+message: "Mutable default argument detected — use None and initialize inside function"
+metadata:
+  weight: 4
+  category: security
+rule:
+  kind: default_parameter

package/rules/ts-slop-rules/rules/no-nested-links.yml

@@ -0,0 +1,12 @@
+---
+id: ts-no-nested-links
+language: TSX
+severity: warning
+message: "Nested <a> tags are invalid HTML and cause unexpected behavior"
+metadata:
+  weight: 4
+  category: security
+rule:
+  all:
+    - has:
+        kind: jsx_element

package/rules/ts-slop-rules/rules/no-new-symbol.yml

@@ -0,0 +1,10 @@
+---
+id: ts-no-new-symbol
+language: TypeScript
+severity: warning
+message: "Symbol cannot be called as a constructor."
+metadata:
+  weight: 4
+  category: security
+rule:
+  pattern: "new Symbol($$$)"

package/rules/ts-slop-rules/rules/no-new-wrappers.yml

@@ -0,0 +1,13 @@
+---
+id: ts-no-new-wrappers
+language: TypeScript
+severity: warning
+message: "Do not use 'new' with wrapper objects — use literal primitives instead"
+metadata:
+  weight: 4
+  category: security
+rule:
+  any:
+    - pattern: "new Boolean($$$ARGS)"
+    - pattern: "new Number($$$ARGS)"
+    - pattern: "new String($$$ARGS)"

package/rules/ts-slop-rules/rules/no-open-redirect.yml

@@ -0,0 +1,16 @@
+---
+id: ts-no-open-redirect
+language: TypeScript
+severity: warning
+message: "Potential open redirect vulnerability — validate redirect URLs"
+metadata:
+  weight: 4
+  category: security
+rule:
+  any:
+    - pattern: "window.location = $URL"
+    - pattern: "window.location.href = $URL"
+    - pattern: "window.open($URL, $$$)"
+    - pattern: "location.href = $URL"
+    - pattern: "res.redirect($URL)"
+    - pattern: "response.redirect($URL)"