Rules registry
The registry is generated from @critiq/rules metadata so rule counts, filters, and detail pages stay tied to the OSS catalog.
# Summary
112 rules
39 categories
4 presets
4 severities
The OSS catalog is built for deterministic code review. These rules aim to catch the kinds of issues that slip through normal review and turn into production incidents: security flaws, correctness bugs, performance regressions, and maintainability problems with real operational cost.
Critiq keeps the catalog intentionally high-signal. The rules are explicit, explainable, and fixture-backed, and they report findings with concrete evidence instead of vague heuristics or style-only noise.
# Registry
Showing 112 of 112 generated rules.
| Rule | Description | Category | Severity | Languages | Presets |
|---|---|---|---|---|---|
| Add a JWT revocation hook | Express JWT middleware should check revocation state when bearer tokens can be invalidated early. | SECURITY | medium | javascript, typescript | recommended, security, strict |
| Always-true or always-false condition | Flow-control conditions should not resolve to a constant boolean value. | CORRECTNESS | medium | javascript, typescript | recommended, strict |
| Apply Helmet to Express apps | Express apps should use Helmet or equivalent header hardening middleware. | SECURITY | medium | javascript, typescript | security, strict |
| Authorization enforced only on frontend | Backend routes should enforce authorization directly instead of relying on frontend gating alone. | SECURITY | high | javascript, typescript | experimental |
| Avoid `Math.random()` in core code | Core code should not depend on nondeterministic random generation. | MAINTAINABILITY | medium | typescript | strict |
| Avoid ad hoc HTML sanitization | Hand-rolled HTML escaping and sanitization should be replaced with vetted sanitizers or safe rendering paths. | SECURITY | medium | javascript, typescript | security, strict |
| Avoid attacker-controlled filesystem read paths | Direct filesystem read APIs should not consume request- or upload-controlled filenames. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Avoid binding to all interfaces | Network-facing services should not explicitly bind to every interface unless public exposure is intentional and protected. | SECURITY | medium | javascript, typescript | recommended, security, strict |
| Avoid browser token storage | Access and session tokens should not be stored in long-lived browser storage. | SECURITY | medium | javascript, typescript | recommended, security, strict |
| Avoid cascaded fetches inside React effects | React effects should not serialize independent fetches that can run in parallel or move server-side. | PERFORMANCE | medium | javascript, typescript | strict |
| Avoid console.error | Route error logs through the project logger. | MAINTAINABILITY | medium | typescript | recommended, strict |
| Avoid console.log | Use the project logger instead of console.log. | MAINTAINABILITY | low | typescript | recommended, strict |
| Avoid direct `process.env` access outside config | Keep environment variable access inside config modules. | MAINTAINABILITY | medium | typescript | strict |
| Avoid exposed directory listings | Directory listing middleware should not be enabled on public paths without a deliberate review. | SECURITY | medium | javascript, typescript | recommended, security, strict |
| Avoid hardcoded auth secrets | JWT, session, and strategy secrets should not be embedded directly in source code. | SECURITY | critical | javascript, typescript | recommended, security, strict |
| Avoid leaking sensitive or diagnostic state | Logs, stdout or stderr, and direct response sinks should not expose sensitive fields or internal diagnostic detail. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Avoid legacy Argon2 password hash modes | Password hashing should not use `argon2i` or `argon2d` when safer modern modes are available. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Avoid permissive Express session cookie scope | Express session cookies should not explicitly opt into cross-site or wildcard-style scope. | SECURITY | medium | javascript, typescript | security, strict |
| Avoid permissive file modes | Files that can carry user or security data should not be created with world-accessible modes. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Avoid predictable token generation | Tokens, reset links, and session secrets should be generated from cryptographically strong randomness. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Avoid raw HTML with request input | Request-derived values should not be interpolated into raw HTML strings. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Avoid raw or interpolated SQL | Database query sinks must not receive request-driven or dynamically interpolated SQL text. | SECURITY | high | go, java, javascript, php, python, ruby, rust, typescript | recommended, security, strict |
| Avoid request-controlled format strings | Logging and formatting helpers should not take request input as the format string itself. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Avoid request-driven DynamoDB queries | DynamoDB query and scan inputs should not be built directly from request input. | SECURITY | critical | javascript, typescript | recommended, security, strict |
| Avoid request-driven model queries | Express handlers should not pass raw request objects into NoSQL filters, query helpers, or aggregation pipelines. | SECURITY | critical | javascript, typescript | recommended, security, strict |
| Avoid sensitive data in logs and telemetry | Sensitive fields should not be sent to logging, tracing, or analytics sinks. | SECURITY | high | go, java, javascript, php, python, ruby, rust, typescript | security, strict |
| Avoid sensitive data in thrown errors | Exceptions and rejection payloads should not include raw secrets or personal data. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Avoid server/client boundary leaks in Next.js | Server components should not use browser-only APIs or client-only hooks without an explicit client boundary. | CORRECTNESS | high | javascript, typescript | strict |
| Avoid unsafe `dangerouslySetInnerHTML` | React `dangerouslySetInnerHTML` should only render fixed or explicitly sanitized HTML. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Avoid unsafe `innerHTML` assignment | `innerHTML` assignments should only use fixed or explicitly sanitized HTML. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Avoid unsafe DOM HTML insertion sinks | `outerHTML`, `document.write*`, and `insertAdjacentHTML` should only receive fixed or explicitly sanitized HTML. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Avoid unsafe raw HTTP response output | Raw response writers should not echo request data into HTML-capable responses without trusted escaping or sanitization. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Avoid weak cipher algorithms and modes | Cryptographic ciphers should use modern authenticated modes and approved algorithms. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Avoid weak hash algorithms | Cryptographic hashing should use modern, collision-resistant algorithms. | SECURITY | high | go, java, javascript, php, python, ruby, rust, typescript | recommended, security, strict |
| Avoid weak key-generation strength | Key-generation helpers should use current minimum strengths for RSA, AES, and HMAC keys. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Avoid wildcard `postMessage` targets | `postMessage` calls should not use `*` as the target origin when they carry application data. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Avoid writing sensitive data to files | Data exports and local file writes should not persist raw secrets or personal fields. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Blocking call inside async flow | Async functions should not call synchronous blocking APIs on the hot path. | CORRECTNESS | medium | javascript, typescript | recommended, strict |
| Command execution using untrusted input | Process execution helpers must not receive request-controlled executables or shell-interpreted arguments. | SECURITY | critical | go, java, javascript, php, python, ruby, rust, typescript | recommended, security, strict |
| Constrain `res.render()` trust boundaries | Express view names should not cross into server-side rendering from untrusted input. | SECURITY | medium | javascript, typescript | security, strict |
| Constrain `res.sendFile` to a trusted root | `res.sendFile()` should not resolve filenames or options from request input without a trusted root. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Constrain local file generation paths | Local file writes should not derive their destination path from request or upload input. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Constrain module-loading trust boundaries | `require()` and dynamic `import()` should not resolve modules from untrusted input. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Deep nesting reducing readability | Deeply nested control flow should be flattened where practical. | QUALITY | low | javascript, typescript | strict |
| Do not allow every origin in CORS policy | CORS should not fall back to wildcard or implicit allow-all origin settings. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Do not derive anti-framing headers from request input | Framing and CSP headers should not be set from request-controlled values. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Do not expose debug routes or middleware in production | Debug handlers, stack-showing middleware, and diagnostic endpoints should stay behind explicit development-only guards. | SECURITY | medium | javascript, typescript | recommended, security, strict |
| Do not persist upload filenames directly | Upload handlers should not store attacker-controlled filenames without generating or validating a safe local name. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Do not reflect request origin into CORS policy | `Access-Control-Allow-Origin` should not be set from request-controlled input. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Duplicate code block | Large duplicated function bodies across files make behavior harder to maintain safely. | QUALITY | low | javascript, typescript | strict |
| Errors swallowed silently | Catch blocks must log, reject, or rethrow failures instead of dropping them silently. | QUALITY | medium | javascript, typescript | recommended, strict |
| Eval or dynamic code execution | Eval-like helpers, `vm` execution APIs, and string-evaluated timers should not execute dynamic code. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Function too large or too complex | Oversized or overly complex functions should be split into smaller units. | QUALITY | low | javascript, typescript | strict |
| Hardcoded API keys or credentials | Source files should not embed credential-like string literals. | SECURITY | critical | go, java, javascript, php, python, ruby, rust, typescript | recommended, security, strict |
| Hardcoded configuration values | Config-like values should usually come from configuration sources rather than source literals. | QUALITY | low | javascript, typescript | recommended, strict |
| Harden auth-bearing cookies | Auth and session cookies should set HttpOnly, Secure, and SameSite. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Implicit undefined return in function | Functions that return a value on some paths must not fall through implicitly. | CORRECTNESS | medium | javascript, typescript | recommended, strict |
| Incorrect boolean logic (AND/OR misuse) | Comparison chains on the same value must use the boolean operator that matches the intended logic. | CORRECTNESS | medium | javascript, typescript | recommended, strict |
| Inefficient data structure usage | Linear membership checks or key projections should be reviewed for more suitable lookup structures. | PERFORMANCE | medium | javascript, typescript | recommended, strict |
| Insecure HTTP transport | Outbound transport should not use plain HTTP for sensitive requests. | SECURITY | high | go, java, javascript, php, python, ruby, rust, typescript | recommended, security, strict |
| Keep Handlebars escaping enabled at template trust boundaries | Server-side Handlebars compilation should not disable HTML escaping with `noEscape: true`. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Large payload processing without streaming | Whole-payload reads of likely large content should be reviewed for streaming alternatives. | PERFORMANCE | medium | javascript, typescript | strict |
| Logic change without corresponding test updates | Diffs that change critical logic should usually update the matching tests in the same change. | QUALITY | medium | javascript, typescript | strict |
| Magic numbers or magic strings | Non-trivial literals in logic should be named to explain their meaning. | QUALITY | low | javascript, typescript | strict |
| Missing authorization before sensitive action | Sensitive backend actions should be guarded by an authorization or permission check. | SECURITY | high | javascript, typescript | security, strict |
| Missing await on async call | Async functions should not drop direct async calls without awaiting them. | CORRECTNESS | high | javascript, typescript | recommended, strict |
| Missing batching of operations | Repeated one-by-one operations inside loops should prefer available batch-style helpers. | PERFORMANCE | medium | javascript, typescript | strict |
| Missing default case in switch or conditional dispatch | Dispatch constructs should include an explicit default or final else path. | CORRECTNESS | medium | javascript, typescript | recommended, strict |
| Missing error context or logging | Catch blocks should include the caught error when they log or rethrow. | QUALITY | low | javascript, typescript | strict |
| Missing ownership validation | Resource identifiers from request input should be checked against the caller before sensitive actions run. | SECURITY | high | javascript, typescript | security, strict |
| Missing request timeout or retry protection | External calls should define timeout, cancellation, or retry behavior before they enter security-sensitive flows. | SECURITY | medium | javascript, typescript | security, strict |
| Missing tests for critical logic | Critical auth, payment, or similar business logic should have a matching test file. | QUALITY | medium | javascript, typescript | strict |
| Missing timeout on external call | External HTTP calls should declare timeout or cancellation behavior. | CORRECTNESS | high | javascript, typescript | recommended, security, strict |
| Nested loops in hot path (O(n²) risk) | Nested loops in the same function should be reviewed for quadratic work on larger inputs. | PERFORMANCE | medium | javascript, typescript | strict |
| Nested property access without existence check | Deep property chains derived from external input should verify intermediate values before access. | CORRECTNESS | medium | javascript, typescript | recommended, strict |
| Off-by-one error in loop boundaries | Index-based loops should not skip the first element or iterate one step past the collection boundary. | CORRECTNESS | medium | javascript, typescript | recommended, strict |
| Open redirect via request-controlled target | Redirect and navigation sinks should not use request-controlled destinations without validation. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Optional value used without fallback | Optional values should be normalized before arithmetic, concatenation, or other direct use. | CORRECTNESS | medium | javascript, typescript | recommended, strict |
| Override Express cookie defaults | Express session cookie settings should not omit explicit lifetime, scope, and transport attributes. | SECURITY | medium | javascript, typescript | security, strict |
| Override Express session defaults | Express session middleware should not rely on default session naming and configuration. | SECURITY | medium | javascript, typescript | security, strict |
| Path traversal via user input | File access calls must not use request-controlled paths directly. | SECURITY | high | go, java, javascript, php, python, ruby, rust, typescript | recommended, security, strict |
| Possible null or undefined dereference | Nullable values should be guarded before property access or invocation. | CORRECTNESS | high | javascript, typescript | recommended, strict |
| Potential memory leak from unbounded growth | Shared collections that only grow should be reviewed for eviction or lifecycle boundaries. | PERFORMANCE | high | javascript, typescript | strict |
| Protect deserialization trust boundaries | Deserializers should not consume untrusted payloads directly across a trust boundary. | SECURITY | high | go, java, javascript, php, python, ruby, rust, typescript | recommended, security, strict |
| Race condition on shared state | Async functions that mutate shared state after an await boundary should be reviewed for races. | CORRECTNESS | high | javascript, typescript | experimental |
| Reduce Express fingerprinting | Express apps should disable `x-powered-by` or equivalent fingerprinting headers. | SECURITY | medium | javascript, typescript | security, strict |
| Remove `debugger;` | Remove debugger statements before committing source files. | MAINTAINABILITY | medium | typescript | recommended, strict |
| Remove sensitive claims from JWT payloads | JWT payloads should avoid embedding PII or secrets unless absolutely required. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Repeated expensive computation | Repeating the same expensive computation in one block should usually be cached. | PERFORMANCE | medium | javascript, typescript | recommended, strict |
| Repeated IO call inside loop | Database or network calls inside loops can multiply latency and load. | PERFORMANCE | high | javascript, typescript | recommended, strict |
| Require modern TLS minimum versions | Transport clients should not explicitly allow SSLv3, TLS 1.0, or TLS 1.1. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Review Datadog RUM user interaction capture | Datadog Browser RUM should not enable broad user interaction capture without a privacy review. | SECURITY | medium | javascript, typescript | security, strict |
| Sensitive data egress to third-party processors | Sensitive values should not be sent to external processors or outbound SDKs without minimization or redaction. | SECURITY | high | javascript, typescript | security, strict |
| Sequential async calls that could run in parallel | Independent awaited calls in the same block should not serialize unnecessarily. | PERFORMANCE | medium | javascript, typescript | recommended, strict |
| Serve static assets before session middleware | Static assets should be mounted before session middleware when they do not need session state. | SECURITY | medium | javascript, typescript | security, strict |
| Server-side request forgery | Outbound requests should not use attacker-controlled targets or private hosts. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Set `HttpOnly` on Express session cookies | Express session and cookie-session configs should not disable the `HttpOnly` flag. | SECURITY | medium | javascript, typescript | recommended, security, strict |
| Set `Secure` on Express session cookies | Express session and cookie-session configs should not disable the `Secure` flag. | SECURITY | medium | javascript, typescript | recommended, security, strict |
| Tight coupling between modules | Direct import cycles between modules increase coupling and make change boundaries harder to maintain. | QUALITY | medium | javascript, typescript | strict |
| TLS verification disabled | Transport clients should not disable certificate verification. | SECURITY | high | go, java, javascript, php, python, ruby, rust, typescript | recommended, security, strict |
| Token or session not validated | Session and token values from external input should be verified before authentication or identity use. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Unchecked map or dictionary key access | Lookups should verify key presence before reading from maps or keyed objects. | CORRECTNESS | medium | javascript, typescript | recommended, strict |
| Unhandled promise rejection or async error | Promise chains started in a function should terminate with explicit rejection handling. | CORRECTNESS | high | javascript, typescript | recommended, security, strict |
| Unnecessarily retained large object | Large payloads assigned into shared state should be reviewed for shorter lifetimes. | PERFORMANCE | medium | javascript, typescript | experimental |
| Unnecessary re-renders from state misuse | React state setters invoked directly during render should be reviewed for rerender loops. | PERFORMANCE | medium | javascript, typescript | experimental |
| Unreachable code after return or throw | Statements after terminal exits should be removed or moved before the exit. | CORRECTNESS | low | javascript, typescript | recommended, strict |
| Use authenticated encryption for secrets and tokens | Session, cookie, and token encryption should provide integrity protection in the same helper. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Use constant-time secret comparison | Secrets and tokens should not be compared with ordinary equality operators. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Use enough entropy for secrets and tokens | Secret-bearing tokens and secrets should use at least 16 bytes of cryptographic entropy. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Use secure WebSocket transport | WebSocket clients should not connect over cleartext `ws://` when sensitive application data is involved. | SECURITY | high | javascript, typescript | recommended, security, strict |
| Validate untrusted input before parser construction | Untrusted input should be validated before it is used to construct sensitive parsers or runtime objects. | SECURITY | medium | javascript, typescript | security, strict |
| Verify `message` event origins | `message` handlers should validate `event.origin` before trusting cross-window data. | SECURITY | high | javascript, typescript | recommended, security, strict |