@elytrasec/engine 0.4.3 → 0.4.5

package/dist/index.js

@@ -3028,12 +3028,48 @@ var securityRules = [
     title: "Potential command injection",
     description: "Shell command built with string concatenation or template literals. Attacker-controlled input may escape the intended command.",
     suggestion: "Use execFile() with an argument array or a library like execa that avoids shell interpretation.",
-    pattern: /(?:exec|execSync|spawn|spawnSync|system)\s*\(\s*(?:`[^`]*\$\{|['"][^'"]*['"]\s*\+)/,
+    // Catches:
+    //   JS:  exec(`ls ${dir}`), execSync("cmd " + x), spawn("...", ...)
+    //   Py:  os.system(f"ping {host}"), os.popen("cmd " + x), subprocess.call("..." + x, shell=True)
+    pattern: /(?:exec|execSync|spawn|spawnSync|system|popen|run|call|check_output|getoutput)\s*\(\s*(?:`[^`]*\$\{|[fF]"(?:[^"\\]|\\.)*\{|[fF]'(?:[^'\\]|\\.)*\{|"(?:[^"\\]|\\.)*"\s*\+|'(?:[^'\\]|\\.)*'\s*\+)/,
     severity: "critical",
     category: "security",
     confidence: "medium",
     languages: [...JS_TS, ...PY]
   },
+  {
+    id: "cp-sec-python-eval",
+    title: "Python eval() / exec() with dynamic input",
+    description: "Python `eval()` or `exec()` executes arbitrary code from a string. Reachable via `request.args`, `request.form`, or any user-controlled variable, this is direct RCE.",
+    suggestion: "Avoid eval/exec entirely. For arithmetic, use `ast.literal_eval`. For dispatch, use an explicit allow-list dict.",
+    pattern: /\b(?:eval|exec)\s*\(\s*(?:request\.|input\s*\(|sys\.argv|os\.environ|[\w.]+\.(?:args|form|query|params|json|body))/,
+    severity: "critical",
+    category: "security",
+    confidence: "high",
+    languages: PY
+  },
+  {
+    id: "cp-sec-python-eval-loose",
+    title: "Python eval() / exec() call",
+    description: "Python's `eval()` and `exec()` evaluate arbitrary code. Even when input looks trusted, these are common code-injection vectors.",
+    suggestion: "Replace with `ast.literal_eval` (for data literals) or an explicit allow-list. If you must use eval, scope the globals/locals dict to empty.",
+    pattern: /\b(?:eval|exec)\s*\(\s*(?!{|\[|'\)|"\)|None|globals|locals)/,
+    severity: "high",
+    category: "security",
+    confidence: "low",
+    languages: PY
+  },
+  {
+    id: "cp-sec-go-path-traversal",
+    title: "Go file read with unsanitized user input (path traversal)",
+    description: "`ioutil.ReadFile` / `os.ReadFile` / `os.Open` constructed via concatenation with HTTP request data is path-traversal-vulnerable. Attackers pass `../../etc/passwd`.",
+    suggestion: "Use `filepath.Clean` and verify the resolved path starts with the expected base directory. Better: maintain an allow-list of accepted file IDs.",
+    pattern: /(?:ioutil\.ReadFile|os\.ReadFile|os\.Open(?:File)?)\s*\([^)]*(?:\+\s*\w+\s*\)|r\.URL\.Query|r\.FormValue|mux\.Vars)/,
+    severity: "high",
+    category: "security",
+    confidence: "medium",
+    languages: [".go"]
+  },
   {
     id: "cp-sec-open-redirect",
     title: "Potential open redirect",
@@ -5128,6 +5164,71 @@ var rugSurfaceRules = [
     languages: SOL
   }
 ];
+var modernDeFiRules = [
+  {
+    id: "cp-sol-erc4626-inflation",
+    title: "ERC-4626 vault: missing inflation-attack protection",
+    description: "ERC-4626 deposit/mint computes shares as `assets * totalSupply / totalAssets`. On an empty vault, an attacker who is the first depositor can deposit 1 wei, then DIRECTLY transfer a large amount of underlying to the vault \u2014 inflating the share/asset ratio. Subsequent depositors get rounded to ZERO shares for any deposit smaller than the inflated rate. Cream, Hundred, and many forks lost funds this way.",
+    suggestion: "Use OpenZeppelin's ERC4626 v5+ which adds 1e6 virtual shares/assets (decimal offset). OR: in deposit(), require msg.sender to mint to a dead address first (initial burn of N shares). OR: enforce a minimum total-supply invariant.",
+    multilinePattern: /function\s+(?:deposit|mint)\s*\([^)]*\)\s*(?:external|public)[^{;]*\{[\s\S]{0,1500}?(?:totalSupply|_totalSupply)\s*\([^)]*\)\s*[*/]\s*\w(?![\s\S]{0,800}?(?:_decimalsOffset|virtualShares|VIRTUAL_SHARES|MINIMUM_LIQUIDITY|10\s*\*\*\s*\d|DEAD_SHARES|_burnDead|dead\s*\(|initialBurn))/,
+    severity: "high",
+    category: "solidity",
+    confidence: "medium",
+    languages: SOL
+  },
+  {
+    id: "cp-sol-eip712-missing-chainid",
+    title: "EIP-712 domain separator computed without chainId",
+    description: "An EIP-712 typed-data signature scheme that omits `block.chainid` from the DOMAIN_SEPARATOR allows the same signature to be replayed on a fork or testnet. Several bridge and permit exploits have come from this exact gap.",
+    suggestion: "Always include `block.chainid` in the EIP-712 domain hash, OR inherit from OpenZeppelin's EIP712 which handles it. Recompute the separator when chainid changes (fork detection).",
+    // Catches the domain-separator computation. File-level FP filter in pattern-scanner.ts
+    // suppresses this rule entirely if the file has any chainid reference anywhere.
+    multilinePattern: /(?:DOMAIN_SEPARATOR|_domainSeparator|domainSeparator)\s*=\s*keccak256\s*\(\s*abi\.encode\s*\([\s\S]{20,500}?\)\s*\)/,
+    severity: "high",
+    category: "solidity",
+    confidence: "medium",
+    languages: SOL
+  },
+  {
+    id: "cp-sol-swap-zero-deadline",
+    title: "Swap call with zero or absent deadline (MEV vulnerable)",
+    description: "Calling a Uniswap V2/V3/V4 router swap with deadline = 0, deadline = block.timestamp (no protection), or deadline = type(uint256).max means the transaction can sit in the mempool indefinitely and be sandwiched whenever the price moves against you. Users lose money to MEV bots.",
+    suggestion: "Enforce a real deadline: `deadline = block.timestamp + 15 minutes` at minimum. Pass it from the user, not computed inside the function. Reject calls with deadline > block.timestamp + 1 hour.",
+    // Catches both named-arg (deadline: 0) and positional last-arg = 0 or block.timestamp or type(uint).max.
+    // Multiline + tolerant of nested parens (address(this), etc.). Catches positional last-arg
+    // = 0, block.timestamp, or type(uint).max as the deadline.
+    multilinePattern: /(?:swapExactTokensForTokens|swapTokensForExactTokens|exactInput|exactOutput|swap[A-Z]\w*)\s*\([\s\S]{0,400}?,\s*(?:0|block\.timestamp|type\s*\(\s*uint256\s*\)\s*\.\s*max)\s*\)\s*;/,
+    severity: "medium",
+    category: "solidity",
+    confidence: "low",
+    languages: SOL
+  },
+  {
+    id: "cp-sol-bridge-missing-source-check",
+    title: "Cross-chain receive function: missing source-chain / trusted-remote check",
+    description: "LayerZero `lzReceive`, Axelar `_execute`, Hyperlane `handle`, Wormhole `receiveMessage` and similar cross-chain receivers MUST verify (a) the source chain ID and (b) the trusted-remote sender address. Without these checks ANY contract on any chain can forge a message and trigger the receive logic \u2014 leading to unauthorized mint/withdraw of bridged assets.",
+    suggestion: "Add explicit checks: `require(_srcChainId == trustedSrcChain)` and `require(keccak256(_srcAddress) == keccak256(trustedRemote))`. For LayerZero use `lzApp.setTrustedRemote`. For Axelar verify `sourceChain` + `sourceAddress`.",
+    // Bridge-specific function names; file-level filter in pattern-scanner.ts skips ERC-4337
+    // and similar accounts. Negative lookahead for trusted-remote / source-check in body.
+    multilinePattern: /function\s+(?:lzReceive|nonblockingLzReceive|_nonblockingLzReceive|_handleMessage|receiveMessage|handle)\s*\([^)]*\)\s*(?:external|internal|public)[^{;]*\{(?![\s\S]{0,1500}?(?:trustedRemote|_trustedRemoteLookup|sourceChain\s*==|_srcChainId\s*==|trustedSrcChain|trustedSender|_validateMessageSource|_authorizeSource|onlyEndpoint|onlyMailbox|onlyGateway|interchainSecurityModule))/,
+    severity: "critical",
+    category: "solidity",
+    confidence: "medium",
+    languages: SOL
+  },
+  {
+    id: "cp-sol-permit2-no-deadline-check",
+    title: "Permit signature accepted without deadline / expiry check",
+    description: "EIP-2612 permit() (and similar typed-data signature endpoints) must check that `deadline >= block.timestamp`. Without this, a leaked signature is valid forever. Several memecoin-launchpad bugs of 2024 leaked permits and lost early-mover allocations.",
+    suggestion: 'Add `require(deadline >= block.timestamp, "Permit expired")` at the top of permit-like functions. Reject if deadline is type(uint256).max (suggests caller forgot to set one).',
+    // Also accept assembly-style timestamp/deadline check (Solady pattern: gt(timestamp(), deadline))
+    multilinePattern: /function\s+(?:permit|permitWithSig|permitTransfer|permitTransferFrom)\s*\([^)]*deadline[^)]*\)[^{;]*\{(?![\s\S]{0,1500}?(?:deadline\s*[><]=?\s*block\.timestamp|block\.timestamp\s*[<>]=?\s*deadline|require\s*\([^)]*deadline|gt\s*\(\s*timestamp\s*\(\s*\)\s*,\s*deadline|PermitExpired|ExpiredSignature|EXPIRED))/,
+    severity: "high",
+    category: "solidity",
+    confidence: "medium",
+    languages: SOL
+  }
+];
 var ALL_RULES2 = [
   ...securityRules,
   ...solidityRules2,
@@ -5143,7 +5244,8 @@ var ALL_RULES2 = [
   ...eip7702Rules,
   ...tstoreRules,
   ...uniswapV4Rules,
-  ...hackReplayRules
+  ...hackReplayRules,
+  ...modernDeFiRules
 ];
 
 // src/static/pattern-scanner.ts
@@ -5479,6 +5581,9 @@ function scanFile(relPath, content, rules, changedRanges) {
     if (!rule.multilinePattern) continue;
     if (rule.id === "cp-clean-callback-hell" && isTestFile(relPath)) continue;
     if (rule.id === "cp-sec-command-injection" && isScriptDir(relPath)) continue;
+    if (rule.id === "cp-hack-wormhole-unchecked-signature-set" && /\b(?:EIP712|DOMAIN_SEPARATOR|_hashTypedDataV4|PERMIT_TYPEHASH|DELEGATION_TYPEHASH|ERC1271|EIP712Upgradeable)\b/.test(content)) continue;
+    if (rule.id === "cp-sol-eip712-missing-chainid" && /\b(?:block\.chainid|chainId|chainid)\b/.test(content)) continue;
+    if (rule.id === "cp-sol-bridge-missing-source-check" && /\b(?:EntryPoint|UserOperation|PackedUserOperation|IERC7579|IERC4337|executionCalldata|onlyEntryPoint)\b/.test(content)) continue;
     rule.multilinePattern.lastIndex = 0;
     const isGlobal = rule.multilinePattern.flags.includes("g");
     let match;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@elytrasec/engine",
-  "version": "0.4.3",
-  "description": "Core analysis engine for Elytra \u2014 173 detection rules including 12 famous-hack patterns and 11 rug-surface checks, static + AI scanning, scoring.",
+  "version": "0.4.5",
+  "description": "Core analysis engine for Elytra \u2014 181 detection rules including 12 famous-hack patterns, 11 rug-surface checks, 5 modern-DeFi detectors (ERC-4626 inflation, EIP-712 chainId, bridge source check, permit deadline, MEV swap), static + AI scanning, scoring.",
   "license": "MIT",
   "author": "ElytraSec <hello@elytrasec.io>",
   "homepage": "https://elytrasec.io",