@elytrasec/engine 0.4.2 → 0.4.4

package/dist/index.js

@@ -3028,12 +3028,48 @@ var securityRules = [
     title: "Potential command injection",
     description: "Shell command built with string concatenation or template literals. Attacker-controlled input may escape the intended command.",
     suggestion: "Use execFile() with an argument array or a library like execa that avoids shell interpretation.",
-    pattern: /(?:exec|execSync|spawn|spawnSync|system)\s*\(\s*(?:`[^`]*\$\{|['"][^'"]*['"]\s*\+)/,
+    // Catches:
+    //   JS:  exec(`ls ${dir}`), execSync("cmd " + x), spawn("...", ...)
+    //   Py:  os.system(f"ping {host}"), os.popen("cmd " + x), subprocess.call("..." + x, shell=True)
+    pattern: /(?:exec|execSync|spawn|spawnSync|system|popen|run|call|check_output|getoutput)\s*\(\s*(?:`[^`]*\$\{|[fF]"(?:[^"\\]|\\.)*\{|[fF]'(?:[^'\\]|\\.)*\{|"(?:[^"\\]|\\.)*"\s*\+|'(?:[^'\\]|\\.)*'\s*\+)/,
     severity: "critical",
     category: "security",
     confidence: "medium",
     languages: [...JS_TS, ...PY]
   },
+  {
+    id: "cp-sec-python-eval",
+    title: "Python eval() / exec() with dynamic input",
+    description: "Python `eval()` or `exec()` executes arbitrary code from a string. Reachable via `request.args`, `request.form`, or any user-controlled variable, this is direct RCE.",
+    suggestion: "Avoid eval/exec entirely. For arithmetic, use `ast.literal_eval`. For dispatch, use an explicit allow-list dict.",
+    pattern: /\b(?:eval|exec)\s*\(\s*(?:request\.|input\s*\(|sys\.argv|os\.environ|[\w.]+\.(?:args|form|query|params|json|body))/,
+    severity: "critical",
+    category: "security",
+    confidence: "high",
+    languages: PY
+  },
+  {
+    id: "cp-sec-python-eval-loose",
+    title: "Python eval() / exec() call",
+    description: "Python's `eval()` and `exec()` evaluate arbitrary code. Even when input looks trusted, these are common code-injection vectors.",
+    suggestion: "Replace with `ast.literal_eval` (for data literals) or an explicit allow-list. If you must use eval, scope the globals/locals dict to empty.",
+    pattern: /\b(?:eval|exec)\s*\(\s*(?!{|\[|'\)|"\)|None|globals|locals)/,
+    severity: "high",
+    category: "security",
+    confidence: "low",
+    languages: PY
+  },
+  {
+    id: "cp-sec-go-path-traversal",
+    title: "Go file read with unsanitized user input (path traversal)",
+    description: "`ioutil.ReadFile` / `os.ReadFile` / `os.Open` constructed via concatenation with HTTP request data is path-traversal-vulnerable. Attackers pass `../../etc/passwd`.",
+    suggestion: "Use `filepath.Clean` and verify the resolved path starts with the expected base directory. Better: maintain an allow-list of accepted file IDs.",
+    pattern: /(?:ioutil\.ReadFile|os\.ReadFile|os\.Open(?:File)?)\s*\([^)]*(?:\+\s*\w+\s*\)|r\.URL\.Query|r\.FormValue|mux\.Vars)/,
+    severity: "high",
+    category: "security",
+    confidence: "medium",
+    languages: [".go"]
+  },
   {
     id: "cp-sec-open-redirect",
     title: "Potential open redirect",
@@ -3477,8 +3513,11 @@ var solidityRules2 = [
     title: "Chainlink latestRoundData without staleness check",
     description: "Using latestRoundData() without checking updatedAt for staleness can return outdated prices.",
     suggestion: "Check that `updatedAt` is recent: `require(block.timestamp - updatedAt < STALENESS_THRESHOLD)`.",
-    pattern: /latestRoundData\s*\(/,
-    multilinePattern: /latestRoundData\s*\([\s\S]{0,500}(?!updatedAt)/g,
+    // Removed single-line pattern: it fired on EVERY interface declaration of latestRoundData().
+    // Only the multilinePattern below should fire — it scopes to actual usage with no staleness check.
+    // Match real usage (destructured assignment), suppress when staleness/sequencer/heartbeat
+    // checks are visible in the next ~1500 chars. Skip pure interface declarations.
+    multilinePattern: /\(\s*[^)]*\)\s*=\s*[^;]*\.latestRoundData\s*\(\s*\)(?![\s\S]{0,1500}?(?:updatedAt|staleness|MAX_DELAY|STALENESS|grace|GRACE|timestamp\s*-\s*updatedAt|block\.timestamp\s*-\s*\w+|sequencer|isSequencerUp|MAX_HEARTBEAT|HEARTBEAT|maxAge))/,
     severity: "high",
     category: "security",
     confidence: "medium",
@@ -4666,7 +4705,11 @@ var eip7702Rules = [
     // initializer modifier, ERC1967/UUPS proxy patterns, or 'once' guard.
     // Broader suppression: ERC-4337/7579 accounts use _setOwner pattern, OZ uses initializer modifier,
     // proxies use ERC1967, V4 PoolManager.initialize is permissionless-by-design with noDelegateCall.
-    multilinePattern: /function\s+initialize\s*\([^)]*\)\s*(?:external|public)[^{;]*\{(?![\s\S]{0,800}?(?:initializer|reinitializer|_disableInitializers|require\s*\([^)]*!\s*initialized|require\s*\([^)]*owner\s*==\s*address\s*\(\s*0|noDelegateCall|onlyOwner|onlyEntryPoint|onlyProxy|ERC1967|UUPS|_setOwner|_initialize|EntryPoint|UserOperation|getStorage|StorageSlot))/,
+    // Suppress when function declaration line itself contains a guard modifier
+    // (initializer, onlyOwner, onlyProxy, noDelegateCall, payable initializer, etc.) — these
+    // come BEFORE the opening { so the prior lookahead-after-brace missed them.
+    // Then suppress when proxy/4337/UUPS/admin patterns appear in body.
+    multilinePattern: /function\s+initialize\s*\([^)]*\)\s*(?:external|public)\s+(?!.*(?:initializer|reinitializer|onlyOwner|onlyProxy|onlyEntryPoint|noDelegateCall|onlyRole))[^{;]*\{(?![\s\S]{0,800}?(?:initializer|reinitializer|_disableInitializers|require\s*\([^)]*!\s*initialized|require\s*\([^)]*owner\s*==\s*address\s*\(\s*0|noDelegateCall|onlyOwner|onlyEntryPoint|onlyProxy|ERC1967|UUPS|_setOwner|_initialize|_setImplementation|_changeAdmin|EntryPoint|UserOperation|getStorage|StorageSlot|IMPLEMENTATION_SLOT|ADMIN_SLOT|require\s*\([^)]*==\s*address\s*\(\s*0\s*\)|_logic\s*\.\s*delegatecall))/,
     severity: "high",
     category: "solidity",
     confidence: "low",
@@ -4836,8 +4879,12 @@ var hackReplayRules = [
     title: "zkSync hack pattern \u2014 admin-only sweep/drain/rescue function",
     description: "An admin-gated function with a name like sweep*, drain*, rescue*, emergencyWithdraw*, forceMint*, adminMint* is the exact category of function the zkSync airdrop attacker exploited (April 2025, $5M loss). Even with a timelock check inside, these functions are high-value targets \u2014 a compromised admin key bypasses everything. The pattern is reviewed manually because a same-line regex cannot verify whether a timelock guard is enforced.",
     suggestion: "Audit this function carefully: (a) is it gated by a TimelockController contract address check, not just an onlyOwner modifier? (b) is the action bounded (max amount per call, per epoch)? (c) is there an N-of-M multisig requirement at the modifier level? If any answer is no, add it before mainnet.",
-    pattern: /function\s+(?:sweep[A-Za-z]*|drain[A-Za-z]*|rescue[A-Za-z]*|emergencyWithdraw[A-Za-z]*|forceMint[A-Za-z]*|adminMint[A-Za-z]*)\s*\([^)]*\)\s*(?:external|public)/,
-    severity: "high",
+    // Suppress when function has a multi-element lock (onlyRescuer with named slot),
+    // onlyPoolAdmin pattern (Aave), or other named-role modifiers that imply auditing-already-done.
+    // Real catch is "onlyOwner" plain — anonymous single-role drain.
+    multilinePattern: /function\s+(?:sweep[A-Za-z]*|drain[A-Za-z]*|rescue[A-Za-z]*|emergencyWithdraw[A-Za-z]*|forceMint[A-Za-z]*|adminMint[A-Za-z]*)\s*\([^)]*\)\s*(?:external|public)(?!.*(?:onlyRescuer|onlyPoolAdmin|onlyEmergencyAdmin|onlyRiskAdmin|onlyAclAdmin|onlyRoleAdmin|onlyConfigurator|hasRole))[^{;]*\{/,
+    // Downgraded from high to medium: this is a "review needed" finding, not "definitely vulnerable"
+    severity: "medium",
     category: "hack-replay",
     confidence: "medium",
     languages: SOL
@@ -4873,9 +4920,8 @@ var hackReplayRules = [
     // patterns that use proper auth/delay even if "timelock" keyword isn't right next to execute().
     // Suppress: ERC-4337/7579 account abstraction execute(mode, data), OZ Governor, AccessManager,
     // anything with auth modifiers. Real Beanstalk-shape is execute(proposalId) on a governance contract.
-    // Suppress: interface signatures (ending in ;), OZ Governor/IGovernor, AccessManager, account
-    // abstraction execute() patterns, anything with proper auth. Requires actual function BODY.
-    multilinePattern: /function\s+(?:execute(?:Proposal)?|propose(?:AndExecute)?)\s*\([^)]*\)\s*(?:external|public)(?:\s+payable)?(?:\s+returns)?[^{;]*\{(?![\s\S]{0,1500}?(?:timelock|Timelock|TimelockController|queued|block\.timestamp\s*[><]=?\s*\w+\s*\+|onlyRole|onlyGovernance|onlyEntryPoint|onlyEntryPointOrSelf|_checkAuthorized|_authorizeUpgrade|AccessControl|AccessManager|Governor|IGovernor|hasRole|getMinDelay|delay\s*\(|_executeOperations|hashOperation|isOperationReady|EntryPoint|ERC7579|ERC4337|ERC7821|IAccount|_validateUserOp|UserOperation|state\s*\(\s*proposalId|_castVote|votingDelay))/,
+    // Expanded suppression: ERC-2771 meta-tx forwarders, ERC-6551 token-bound accounts.
+    multilinePattern: /function\s+(?:execute(?:Proposal)?|propose(?:AndExecute)?)\s*\([^)]*\)\s*(?:external|public)(?:\s+payable)?(?:\s+returns)?[^{;]*\{(?![\s\S]{0,1500}?(?:timelock|Timelock|TimelockController|queued|block\.timestamp\s*[><]=?\s*\w+\s*\+|onlyRole|onlyGovernance|onlyEntryPoint|onlyEntryPointOrSelf|_checkAuthorized|_authorizeUpgrade|AccessControl|AccessManager|Governor|IGovernor|hasRole|getMinDelay|delay\s*\(|_executeOperations|hashOperation|isOperationReady|EntryPoint|ERC7579|ERC4337|ERC7821|ERC2771|ERC6551|Forwarder|ForwardRequest|MetaTx|TokenBoundAccount|_verify|IAccount|_validateUserOp|UserOperation|state\s*\(\s*proposalId|_castVote|votingDelay))/,
     severity: "critical",
     category: "hack-replay",
     confidence: "low",
@@ -4946,7 +4992,11 @@ var hackReplayRules = [
     // Suppress legitimate EIP-712 / Permit / typed-data signature flows (OZ ECDSA, EIP-2612 permits,
     // ERC-4337 user-op validation) which use ecrecover correctly. Only fire on bridge/oracle-shaped
     // contexts where signer-set verification matters.
-    multilinePattern: /(?:ecrecover|ECDSA\.recover|\.recover)\s*\([\s\S]{0,400}?\)(?![\s\S]{0,800}?(?:guardianSet|validatorSet|currentSetHash|setHash|_hashTypedDataV4|EIP712|DOMAIN_SEPARATOR|PERMIT_TYPEHASH|DELEGATION_TYPEHASH|ERC1271|isValidSignature|nonces\s*\[|require\s*\([^)]*==\s*expected))/,
+    // EIP-712 / permit / typed-data patterns can appear BEFORE or AFTER ecrecover. Use a
+    // wrapping check: require the recover call to be in a CONTEXT that contains typed-data
+    // keywords within ~1000 chars on either side. We approximate by lookahead-only with a
+    // bigger window AND lookbehind-by-context (check if file declares typed-data structures).
+    multilinePattern: /(?:ecrecover|ECDSA\.recover|\w+\.recover)\s*\([\s\S]{0,400}?\)(?![\s\S]{0,1500}?(?:guardianSet|validatorSet|currentSetHash|setHash|_hashTypedDataV4|EIP712|EIP_712|DOMAIN_SEPARATOR|PERMIT_TYPEHASH|DELEGATION_TYPEHASH|ERC1271|isValidSignature|_?nonces\s*\[|_approve|_approveDelegation|_useCheckedNonce|_useNonce|require\s*\([^)]*==\s*expected))/,
     severity: "high",
     category: "hack-replay",
     confidence: "low",
@@ -5465,6 +5515,7 @@ function scanFile(relPath, content, rules, changedRanges) {
     if (!rule.multilinePattern) continue;
     if (rule.id === "cp-clean-callback-hell" && isTestFile(relPath)) continue;
     if (rule.id === "cp-sec-command-injection" && isScriptDir(relPath)) continue;
+    if (rule.id === "cp-hack-wormhole-unchecked-signature-set" && /\b(?:EIP712|DOMAIN_SEPARATOR|_hashTypedDataV4|PERMIT_TYPEHASH|DELEGATION_TYPEHASH|ERC1271|EIP712Upgradeable)\b/.test(content)) continue;
     rule.multilinePattern.lastIndex = 0;
     const isGlobal = rule.multilinePattern.flags.includes("g");
     let match;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elytrasec/engine",
-  "version": "0.4.2",
+  "version": "0.4.4",
   "description": "Core analysis engine for Elytra \u2014 173 detection rules including 12 famous-hack patterns and 11 rug-surface checks, static + AI scanning, scoring.",
   "license": "MIT",
   "author": "ElytraSec <hello@elytrasec.io>",