@snovon/solast 0.2.0

package/dist/detectors/_common/source-text.js

@@ -0,0 +1,82 @@
+"use strict";
+/**
+ * Source-text helpers for detectors that need to look at raw Solidity text.
+ *
+ * Several detectors fall back to source-text inspection when the AST shape
+ * varies between parsers or when a structural predicate would be too
+ * expensive. The risk of source-text matching is well-known: regexes that
+ * see commented-out code or string literals will match content that would
+ * never execute. `stripCommentsAndStrings` neutralizes both. New detectors
+ * should prefer AST predicates; this helper exists for the legacy paths.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.stripCommentsAndStrings = stripCommentsAndStrings;
+// Replace line comments, block comments, and string literals (both
+// double- and single-quoted) with whitespace-equivalent placeholders.
+// Newlines and overall length are preserved so byte offsets and line
+// numbers stay aligned with the original source.
+//
+// Implementation note: the regex variants used by detectors before this
+// helper existed sometimes stripped comments only, leaving string
+// literals (`"transferFrom("`, `"msg.sender"`) free to fool the
+// matcher. This version scans linearly, tracking comment/string state,
+// so quote-escapes and embedded slashes inside strings are handled.
+function stripCommentsAndStrings(input) {
+    if (!input)
+        return input;
+    const out = [];
+    let i = 0;
+    const n = input.length;
+    while (i < n) {
+        const ch = input[i];
+        const next = i + 1 < n ? input[i + 1] : '';
+        if (ch === '/' && next === '/') {
+            // Line comment — replace until newline (preserve the newline so
+            // line numbers in downstream byte-offset math stay correct).
+            while (i < n && input[i] !== '\n') {
+                out.push(input[i] === '\n' ? '\n' : ' ');
+                i++;
+            }
+            continue;
+        }
+        if (ch === '/' && next === '*') {
+            out.push('  ');
+            i += 2;
+            while (i < n) {
+                if (input[i] === '*' && i + 1 < n && input[i + 1] === '/') {
+                    out.push('  ');
+                    i += 2;
+                    break;
+                }
+                out.push(input[i] === '\n' ? '\n' : ' ');
+                i++;
+            }
+            continue;
+        }
+        if (ch === '"' || ch === "'") {
+            const quote = ch;
+            out.push(quote);
+            i++;
+            while (i < n && input[i] !== quote) {
+                if (input[i] === '\\' && i + 1 < n) {
+                    out.push(input[i] === '\n' ? '\n' : ' ');
+                    i++;
+                    out.push(input[i] === '\n' ? '\n' : ' ');
+                    i++;
+                    continue;
+                }
+                out.push(input[i] === '\n' ? '\n' : ' ');
+                i++;
+            }
+            if (i < n) {
+                out.push(quote);
+                i++;
+            }
+            continue;
+        }
+        out.push(ch);
+        i++;
+    }
+    return out.join('');
+}
+//# sourceMappingURL=source-text.js.map

package/dist/detectors/_common/weighted-pool-invariant.d.ts

@@ -0,0 +1,21 @@
+export type WeightedPoolInvariantDialect = 'balancer-v1' | 'balancer-v2' | 'beethoven-x' | 'raw-weighted-arithmetic';
+export type WeightedPoolInvariantSignal = {
+    dialect: WeightedPoolInvariantDialect;
+    operation: string;
+};
+/**
+ * Recognize Balancer-style weighted-pool invariant math call vocabulary across
+ * the common V1 BNum, V2 FixedPoint, and Beethoven X LogExpMath dialects.
+ * This helper intentionally identifies math shape only; callers must still
+ * require their own exploit context such as a same-function flash loan and
+ * pool operation before emitting a finding.
+ */
+export declare function weightedPoolInvariantSignalFromCall(node: any): WeightedPoolInvariantSignal | null;
+export declare function hasWeightedPoolInvariantShape(signals: Iterable<WeightedPoolInvariantSignal>): boolean;
+/**
+ * Best-effort raw weighted arithmetic recognizer for `balance * weight / 1e18`
+ * style code. It is only meant to be consulted when the compiler profile says
+ * arithmetic can wrap (pre-0.8 or an `unchecked` block), preventing ordinary
+ * checked 0.8 math from becoming a stronger signal by itself.
+ */
+export declare function rawWeightedArithmeticSignal(node: any): WeightedPoolInvariantSignal | null;

package/dist/detectors/_common/weighted-pool-invariant.js

@@ -0,0 +1,105 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.weightedPoolInvariantSignalFromCall = weightedPoolInvariantSignalFromCall;
+exports.hasWeightedPoolInvariantShape = hasWeightedPoolInvariantShape;
+exports.rawWeightedArithmeticSignal = rawWeightedArithmeticSignal;
+const ast_1 = require("./ast");
+const BALANCER_V1_METHODS = new Set(['bmul', 'bdiv', 'bpow']);
+const BALANCER_V2_METHODS = new Set(['muldown', 'divdown', 'powdown']);
+/**
+ * Recognize Balancer-style weighted-pool invariant math call vocabulary across
+ * the common V1 BNum, V2 FixedPoint, and Beethoven X LogExpMath dialects.
+ * This helper intentionally identifies math shape only; callers must still
+ * require their own exploit context such as a same-function flash loan and
+ * pool operation before emitting a finding.
+ */
+function weightedPoolInvariantSignalFromCall(node) {
+    if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+        return null;
+    const callee = unwrapCallOptions(node.expression);
+    if (!(0, ast_1.isNode)(callee, 'MemberAccess'))
+        return null;
+    const memberName = String(callee.memberName || '').toLowerCase();
+    if (BALANCER_V1_METHODS.has(memberName)) {
+        return { dialect: 'balancer-v1', operation: memberName };
+    }
+    if (BALANCER_V2_METHODS.has(memberName)) {
+        return { dialect: 'balancer-v2', operation: memberName };
+    }
+    if (memberName === 'pow' && baseExpressionName(callee).toLowerCase() === 'logexpmath') {
+        return { dialect: 'beethoven-x', operation: 'logexpmath.pow' };
+    }
+    return null;
+}
+function hasWeightedPoolInvariantShape(signals) {
+    const operations = new Set();
+    const dialects = new Set();
+    for (const signal of signals) {
+        operations.add(signal.operation);
+        dialects.add(signal.dialect);
+    }
+    if (operations.has('bpow') || operations.has('bdiv'))
+        return true;
+    if (operations.has('powdown'))
+        return true;
+    if (operations.has('logexpmath.pow') && (operations.has('muldown') || operations.has('bmul')))
+        return true;
+    if (dialects.has('raw-weighted-arithmetic'))
+        return true;
+    return false;
+}
+/**
+ * Best-effort raw weighted arithmetic recognizer for `balance * weight / 1e18`
+ * style code. It is only meant to be consulted when the compiler profile says
+ * arithmetic can wrap (pre-0.8 or an `unchecked` block), preventing ordinary
+ * checked 0.8 math from becoming a stronger signal by itself.
+ */
+function rawWeightedArithmeticSignal(node) {
+    if (!(0, ast_1.isNode)(node, 'BinaryOperation'))
+        return null;
+    const op = String(node.operator || '');
+    if (op !== '*' && op !== '/')
+        return null;
+    const text = expressionText(node).toLowerCase();
+    if (!/\b(b\d*|balances?|balance|amount|reserve|token)\b/.test(text))
+        return null;
+    if (!/\b(w\d*|weights?|weight)\b/.test(text))
+        return null;
+    return { dialect: 'raw-weighted-arithmetic', operation: op };
+}
+function unwrapCallOptions(expr) {
+    if (!expr)
+        return expr;
+    if ((0, ast_1.isNode)(expr, 'FunctionCallOptions') || (0, ast_1.isNode)(expr, 'NameValueExpression')) {
+        return unwrapCallOptions(expr.expression ?? expr);
+    }
+    return expr;
+}
+function baseExpressionName(memberAccess) {
+    const expr = memberAccess?.expression;
+    if (!expr)
+        return '';
+    if (typeof expr.name === 'string')
+        return expr.name;
+    if ((0, ast_1.isNode)(expr, 'Identifier') && typeof expr.name === 'string')
+        return expr.name;
+    return '';
+}
+function expressionText(node) {
+    if (!node || typeof node !== 'object')
+        return '';
+    if (typeof node.name === 'string')
+        return node.name;
+    if (typeof node.memberName === 'string')
+        return `${expressionText(node.expression)}.${node.memberName}`;
+    if (typeof node.number === 'string')
+        return node.number;
+    if ((0, ast_1.isNode)(node, 'IndexAccess'))
+        return `${expressionText(node.base)}[${expressionText(node.index)}]`;
+    if ((0, ast_1.isNode)(node, 'BinaryOperation'))
+        return `${expressionText(node.left)} ${node.operator || ''} ${expressionText(node.right)}`;
+    if ((0, ast_1.isNode)(node, 'TupleExpression'))
+        return (node.components || []).map(expressionText).join(',');
+    return '';
+}
+//# sourceMappingURL=weighted-pool-invariant.js.map

package/dist/detectors/aave-v2-reentrancy.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class AaveV2ReentrancyDetector {
+    readonly id = "aave-v2-reentrancy";
+    readonly patternKey = "aave-v2-reentrancy";
+    readonly supportedAstKinds: "parser"[];
+    scanAst(ast: any, file: string): ScanResult[];
+}

package/dist/detectors/aave-v2-reentrancy.js

@@ -0,0 +1,286 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AaveV2ReentrancyDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'aave-v2-reentrancy';
+const PATTERN = `${RULE_ID}/missing-reentrancy-guard`;
+const FLASHLOAN_ENTRYPOINTS = new Set(['flashloan', 'flashloansimple']);
+const FLASHLOAN_CALLBACKS = new Set(['executeoperation']);
+const FLASHLOAN_BASES = new Set(['iflashloanreceiver', 'flashloanreceiverbase']);
+const GUARD_MODIFIERS = new Set(['nonreentrant', 'noreentrancy', 'lock']);
+const ASSIGN_OPS = new Set([
+    '=', '+=', '-=', '*=', '/=', '%=',
+    '&=', '|=', '^=', '<<=', '>>=', '>>>=',
+]);
+const UNARY_MUTATORS = new Set(['++', '--', 'delete']);
+function isNode(node, type) {
+    return node?.type === type;
+}
+function collectContracts(ast) {
+    const contracts = [];
+    for (const child of ast?.children || []) {
+        if (isNode(child, 'ContractDefinition'))
+            contracts.push(child);
+    }
+    return contracts;
+}
+function contractMembers(contract) {
+    return Array.isArray(contract?.subNodes) ? contract.subNodes : [];
+}
+function contractFunctions(contract) {
+    return contractMembers(contract).filter(node => isNode(node, 'FunctionDefinition'));
+}
+function isInterfaceLike(contract) {
+    const kind = String(contract?.kind || '').toLowerCase();
+    return kind === 'interface' || kind === 'library';
+}
+function functionName(fn) {
+    return String(fn?.name || '');
+}
+function lowerFunctionName(fn) {
+    return functionName(fn).toLowerCase();
+}
+function isExternallyCallable(fn) {
+    const visibility = String(fn?.visibility || '').toLowerCase();
+    return visibility === 'external' || visibility === 'public';
+}
+function isSkippedFunction(fn) {
+    if (!fn || !fn.body)
+        return true;
+    if (fn.isConstructor === true || fn.kind === 'constructor')
+        return true;
+    const mutability = String(fn.stateMutability || '').toLowerCase();
+    return mutability === 'view' || mutability === 'pure';
+}
+function modifierName(modifier) {
+    if (!modifier)
+        return '';
+    if (typeof modifier === 'string')
+        return modifier;
+    if (typeof modifier.name === 'string')
+        return modifier.name;
+    if (typeof modifier.modifierName?.name === 'string')
+        return modifier.modifierName.name;
+    if (typeof modifier.modifierName?.namePath === 'string')
+        return modifier.modifierName.namePath.split('.').pop() || '';
+    return '';
+}
+function hasReentrancyGuard(fn) {
+    for (const modifier of fn?.modifiers || []) {
+        const name = modifierName(modifier).toLowerCase();
+        if (GUARD_MODIFIERS.has(name))
+            return true;
+    }
+    return false;
+}
+function baseContractName(base) {
+    const raw = String(base?.baseName?.namePath || base?.baseName?.name || '');
+    return raw.split('.').pop() || '';
+}
+function inheritsFlashloanBase(contract) {
+    for (const base of contract?.baseContracts || []) {
+        if (FLASHLOAN_BASES.has(baseContractName(base).toLowerCase()))
+            return true;
+    }
+    return false;
+}
+function hasFlashloanSurface(contract) {
+    if (inheritsFlashloanBase(contract))
+        return true;
+    for (const fn of contractFunctions(contract)) {
+        const name = lowerFunctionName(fn);
+        if (FLASHLOAN_ENTRYPOINTS.has(name) || FLASHLOAN_CALLBACKS.has(name))
+            return true;
+    }
+    return false;
+}
+function collectStateVariables(contract) {
+    const stateVars = new Set();
+    for (const member of contractMembers(contract)) {
+        if (!isNode(member, 'StateVariableDeclaration'))
+            continue;
+        for (const variable of member.variables || []) {
+            if (variable?.name)
+                stateVars.add(String(variable.name));
+        }
+    }
+    return stateVars;
+}
+function collectLocals(fn) {
+    const locals = new Set();
+    for (const param of fn?.parameters || []) {
+        if (param?.name)
+            locals.add(String(param.name));
+    }
+    for (const param of fn?.returnParameters || []) {
+        if (param?.name)
+            locals.add(String(param.name));
+    }
+    harvestLocalDeclarations(fn?.body, locals);
+    return locals;
+}
+function harvestLocalDeclarations(node, locals) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (isNode(node, 'VariableDeclarationStatement')) {
+        for (const variable of node.variables || []) {
+            if (variable?.name)
+                locals.add(String(variable.name));
+        }
+    }
+    for (const child of childNodes(node))
+        harvestLocalDeclarations(child, locals);
+}
+function refersToState(expr, stateVars, locals, aliases) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if (isNode(expr, 'Identifier')) {
+        const name = String(expr.name || '');
+        if (aliases.has(name))
+            return true;
+        return stateVars.has(name) && !locals.has(name);
+    }
+    if (isNode(expr, 'IndexAccess'))
+        return refersToState(expr.base, stateVars, locals, aliases);
+    if (isNode(expr, 'MemberAccess'))
+        return refersToState(expr.expression, stateVars, locals, aliases);
+    if (isNode(expr, 'TupleExpression')) {
+        return (expr.components || []).some((component) => refersToState(component, stateVars, locals, aliases));
+    }
+    return false;
+}
+function harvestStorageAliasCandidates(node, candidates) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (isNode(node, 'VariableDeclarationStatement')) {
+        for (const variable of node.variables || []) {
+            if (!variable?.name)
+                continue;
+            const location = String(variable.storageLocation || '').toLowerCase();
+            if (location !== 'storage')
+                continue;
+            candidates.push({ name: String(variable.name), init: node.initialValue });
+        }
+    }
+    for (const child of childNodes(node))
+        harvestStorageAliasCandidates(child, candidates);
+}
+function collectStorageAliases(fn, stateVars, locals) {
+    const aliases = new Set();
+    const candidates = [];
+    harvestStorageAliasCandidates(fn?.body, candidates);
+    if (candidates.length === 0)
+        return aliases;
+    let changed = true;
+    while (changed) {
+        changed = false;
+        for (const candidate of candidates) {
+            if (aliases.has(candidate.name))
+                continue;
+            if (!candidate.init)
+                continue;
+            if (refersToState(candidate.init, stateVars, locals, aliases)) {
+                aliases.add(candidate.name);
+                changed = true;
+            }
+        }
+    }
+    return aliases;
+}
+function findStateMutation(node, stateVars, locals, aliases) {
+    if (!node || typeof node !== 'object')
+        return null;
+    if (isNode(node, 'BinaryOperation') && ASSIGN_OPS.has(String(node.operator))) {
+        if (refersToState(node.left, stateVars, locals, aliases))
+            return node;
+    }
+    if (isNode(node, 'UnaryOperation') && UNARY_MUTATORS.has(String(node.operator))) {
+        if (refersToState(node.subExpression, stateVars, locals, aliases))
+            return node;
+    }
+    for (const child of childNodes(node)) {
+        const mutation = findStateMutation(child, stateVars, locals, aliases);
+        if (mutation)
+            return mutation;
+    }
+    return null;
+}
+function childNodes(node) {
+    const out = [];
+    for (const [key, value] of Object.entries(node || {})) {
+        if (key === 'loc' || key === 'range' || key === 'typeName')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    out.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+function locOf(node) {
+    const { line, column } = (0, ast_1.assertLoc)(node);
+    return { line, column };
+}
+class AaveV2ReentrancyDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    scanAst(ast, file) {
+        if (!ast || typeof ast !== 'object')
+            return [];
+        const findings = [];
+        for (const contract of collectContracts(ast)) {
+            if (isInterfaceLike(contract))
+                continue;
+            if (!hasFlashloanSurface(contract))
+                continue;
+            const stateVars = collectStateVariables(contract);
+            if (stateVars.size === 0)
+                continue;
+            const contractName = String(contract.name || '');
+            for (const fn of contractFunctions(contract)) {
+                if (!isExternallyCallable(fn))
+                    continue;
+                if (isSkippedFunction(fn))
+                    continue;
+                if (hasReentrancyGuard(fn))
+                    continue;
+                const locals = collectLocals(fn);
+                const aliases = collectStorageAliases(fn, stateVars, locals);
+                const mutation = findStateMutation(fn.body, stateVars, locals, aliases);
+                if (!mutation)
+                    continue;
+                const name = functionName(fn);
+                const loc = locOf(fn);
+                findings.push({
+                    file,
+                    contract: contractName,
+                    'function': name,
+                    line: loc.line,
+                    column: loc.column,
+                    pattern: PATTERN,
+                    confidence: 'high',
+                    category: 'vulnerability',
+                    ruleId: RULE_ID,
+                    severity: 'high',
+                    message: `Aave V2-style reentrancy exposure in '${contractName}.${name}': externally callable state mutation on a flash-loan-shaped contract lacks a recognized reentrancy guard.`,
+                    rationale: 'The contract exposes a flashLoan/flashLoanSimple entrypoint, an executeOperation callback, or a recognized flashloan receiver base, and this public/external function mutates protocol or accounting state without nonReentrant, noReentrancy, or lock.',
+                    suggestedFix: 'Wrap the externally callable mutator or callback with a recognized reentrancy guard and keep accounting updates ordered before callback-driven external interactions where possible.',
+                    contractName,
+                    functionName: name,
+                    sourceLocation: { line: loc.line, column: loc.column },
+                    findingId: '',
+                    contractHash: '',
+                });
+            }
+        }
+        return findings;
+    }
+}
+exports.AaveV2ReentrancyDetector = AaveV2ReentrancyDetector;
+//# sourceMappingURL=aave-v2-reentrancy.js.map

package/dist/detectors/access-control.d.ts

@@ -0,0 +1,103 @@
+/**
+ * Access-control detector (rule id `access-control`). Extracted from
+ * `src/index.ts` per roadmap item 1.1 slice 5/N. Public API surface
+ * is unchanged — `src/index.ts` re-exports `AccessControlDetector`
+ * so `createDefaultDetectorRegistry` and downstream consumers
+ * continue to see it at the same path.
+ *
+ * The detector flags externally callable privileged operations that
+ * lack a recognised access-control guard (modifier, msg.sender owner
+ * check, role-based check, etc.). See
+ * `docs/detectors/access-control.md` for the user-facing contract.
+ *
+ * Privileged-name recognition currently uses an inline regex
+ * (`/owner|admin|role|.../i`) — roadmap item 1.2 will centralise this
+ * predicate in `_common/access-control.ts:isPrivilegedIdentifier`.
+ * That refactor is intentionally a separate slice; this slice is
+ * mechanical extraction only.
+ */
+import type { ScanResult } from '../index';
+import type { SemanticModel } from '../semantic/model';
+export declare class AccessControlDetector {
+    readonly id = "access-control";
+    readonly patternKey = "access-control";
+    readonly supportedAstKinds: ("parser" | "solc")[];
+    findings: ScanResult[];
+    currentFile: string;
+    private currentContract;
+    private currentContractNode;
+    private currentFunction;
+    private currentFunctionNode;
+    private currentFunctionExternal;
+    private currentFunctionGuarded;
+    private guardSeenBeforeFirstPrivilegedOp;
+    private guardSeenBeforeFirstPrivilegedOpStack;
+    private currentPrivilegedOperation;
+    private currentPrivilegedOperationHadPriorInlineGuard;
+    private stateVariablesByContract;
+    private functionNodesByContract;
+    private privilegedFunctionSummaryCache;
+    private activePrivilegedFunctionSummaries;
+    private localVariables;
+    private semantic;
+    setFile(file: string): void;
+    setSemanticModel(model: SemanticModel | undefined): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(node: any): void;
+    StateVariableDeclaration(node: any): void;
+    FunctionDefinition(node: any): void;
+    FunctionDefinition_post(_node: any): void;
+    private walkInheritedFunctions;
+    private emitInheritedFinding;
+    private emitCurrentFinding;
+    VariableDeclarationStatement(node: any): void;
+    ExpressionStatement(node: any): void;
+    private resetFunctionState;
+    enterNestedStatementBody(): void;
+    exitNestedStatementBody(): void;
+    private analyzeNestedParserNode;
+    private analyzeParserNode;
+    private getCurrentStateVariables;
+    private registerContractFunctions;
+    private getContractMembers;
+    private mergeInheritedStateVariables;
+    private getBaseContractNames;
+    private isExternallyCallable;
+    private getFunctionKind;
+    private hasRecognizedGuardModifier;
+    private isRecognizedGuardName;
+    private containsRecognizedInlineGuard;
+    private isRecognizedInlineGuard;
+    private isAuthPredicate;
+    private isMsgSenderEqualityLeaf;
+    private isAuthorizationTarget;
+    private isHasRoleCallLeaf;
+    private isRenounceRoleSelfCheckLeaf;
+    private isAccountReference;
+    private isMsgSender;
+    private recordPrivilegedOperation;
+    private describePrivilegedOperation;
+    private findPrivilegedCall;
+    private findPrivilegedAssignmentRoot;
+    private containsPrivilegedOperation;
+    private isPrivilegedOperation;
+    private isSameContractPrivilegedHelperCall;
+    private isAuthorityHelperPropagationCandidate;
+    private isAuthoritySetupOrManagementName;
+    private functionMutatesPrivilegedState;
+    private containsPrivilegedOperationInSubtree;
+    private collectFunctionLocalVariables;
+    private collectLocalVariableDeclarations;
+    private isAssignmentOperator;
+    private isPrivilegedStateReference;
+    private getReferenceRoot;
+    private isPrivilegedName;
+    private isPrivilegedFundTransferFunction;
+    private isValueTransfer;
+    private nameValueExpressionHasValue;
+    private memberName;
+    private getCallName;
+    private getNodeName;
+    private childNodes;
+}