@snovon/solast 0.2.0

package/dist/detectors/erc1155-batch-missing-per-id-approval.js

@@ -0,0 +1,343 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Erc1155BatchMissingPerIdApprovalDetector = void 0;
+const ast_1 = require("./_common/ast");
+const access_control_1 = require("./_common/access-control");
+const RULE_ID = 'erc1155-batch-missing-per-id-approval';
+const PATTERN = `${RULE_ID}/missing-per-id-approval`;
+const ASSIGNMENT_OPERATORS = new Set(['=', '+=', '-=', '*=', '/=', '%=', '&=', '|=', '^=']);
+class Erc1155BatchMissingPerIdApprovalDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'ERC-1155 safeBatchTransferFrom mutates batch balances without blanket approval, admin authorization, or a per-ID approval check scoped to each loop iteration.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'high',
+        help: 'Check safeBatchTransferFrom implementations for isApprovedForAll, recognised access-control guards, or require predicates inside the batch loop that authorize the current ids[i] value rather than a constant first ID.',
+    };
+    currentFile = '';
+    currentContract = '<unknown>';
+    currentContractKind = 'contract';
+    findings = [];
+    setFile(file) {
+        this.currentFile = file;
+        this.currentContract = '<unknown>';
+        this.currentContractKind = 'contract';
+        this.findings = [];
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        if (!(0, ast_1.isNode)(node, 'ContractDefinition'))
+            return;
+        this.currentContract = node.name || '<anonymous>';
+        this.currentContractKind = String(node.kind || 'contract').toLowerCase();
+    }
+    ContractDefinition_post(_node) {
+        this.currentContract = '<unknown>';
+        this.currentContractKind = 'contract';
+    }
+    ['ContractDefinition:exit'](node) {
+        this.ContractDefinition_post(node);
+    }
+    FunctionDefinition(node) {
+        if (!(0, ast_1.isNode)(node, 'FunctionDefinition'))
+            return;
+        if (this.currentContractKind === 'interface' || this.currentContractKind === 'library')
+            return;
+        if (!node.body)
+            return;
+        if (!isStandardSafeBatchTransferFrom(node))
+            return;
+        const visibility = String(node.visibility || '').toLowerCase();
+        if (visibility !== 'public' && visibility !== 'external')
+            return;
+        if ((0, access_control_1.hasRecognisedAccessControlModifier)(node))
+            return;
+        if (bodyCallsSuperSafeBatchTransferFrom(node.body))
+            return;
+        const fromParamName = getFromParamName(node);
+        const analysis = analyzeSafeBatchBody(node.body, fromParamName);
+        if (!analysis.hasBatchMutation)
+            return;
+        if (analysis.hasBlanketApproval)
+            return;
+        if (analysis.hasInlineAccessControl)
+            return;
+        if (analysis.hasPerIdApproval)
+            return;
+        const loc = (0, ast_1.assertLoc)(node, node);
+        this.findings.push({
+            file: this.currentFile,
+            ruleId: RULE_ID,
+            pattern: PATTERN,
+            severity: 'high',
+            confidence: 'medium',
+            category: 'access-control',
+            contract: this.currentContract,
+            contractName: this.currentContract,
+            function: 'safeBatchTransferFrom',
+            functionName: 'safeBatchTransferFrom',
+            line: loc.line,
+            endLine: loc.endLine,
+            column: loc.column,
+            endColumn: loc.endColumn,
+            sourceLocation: { line: loc.line, column: loc.column },
+            findingId: '',
+            contractHash: '',
+            message: 'ERC-1155 safeBatchTransferFrom mutates batch balances without a blanket operator check, admin guard, or per-ID approval check scoped to each ids[i] element.',
+        });
+    }
+}
+exports.Erc1155BatchMissingPerIdApprovalDetector = Erc1155BatchMissingPerIdApprovalDetector;
+function isStandardSafeBatchTransferFrom(fn) {
+    if (String(fn?.name || '') !== 'safeBatchTransferFrom')
+        return false;
+    const params = fn.parameters || [];
+    if (!Array.isArray(params) || params.length !== 5)
+        return false;
+    return isElementary(params[0]?.typeName, 'address')
+        && isElementary(params[1]?.typeName, 'address')
+        && isUint256Array(params[2]?.typeName)
+        && isUint256Array(params[3]?.typeName)
+        && isElementary(params[4]?.typeName, 'bytes');
+}
+function isElementary(typeName, name) {
+    return (0, ast_1.isNode)(typeName, 'ElementaryTypeName') && String(typeName.name || '').toLowerCase() === name;
+}
+function isUint256Array(typeName) {
+    return (0, ast_1.isNode)(typeName, 'ArrayTypeName')
+        && typeName.length == null
+        && isElementary(typeName.baseTypeName, 'uint256');
+}
+function getFromParamName(fn) {
+    const params = fn.parameters || [];
+    if (Array.isArray(params) && params.length > 0) {
+        return String(params[0].name || 'from');
+    }
+    return 'from';
+}
+function analyzeSafeBatchBody(body, fromParamName) {
+    const loops = findIdsLoops(body);
+    let hasBatchMutation = false;
+    let hasPerIdApproval = false;
+    for (const loop of loops) {
+        if (loopMutatesCurrentId(loop))
+            hasBatchMutation = true;
+        if (loopHasPerIdApproval(loop))
+            hasPerIdApproval = true;
+    }
+    return {
+        hasBatchMutation,
+        hasBlanketApproval: bodyHasBlanketApproval(body, fromParamName),
+        hasInlineAccessControl: bodyHasInlineAccessControl(body),
+        hasPerIdApproval,
+    };
+}
+function bodyHasBlanketApproval(body, fromParamName) {
+    let found = false;
+    walk(body, node => {
+        if (found)
+            return;
+        if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+            return;
+        const name = callName(node).toLowerCase();
+        if (name !== 'require' && name !== 'assert')
+            return;
+        const condition = Array.isArray(node.arguments) ? node.arguments[0] : undefined;
+        if (!condition)
+            return;
+        walk(condition, child => {
+            if (found)
+                return;
+            if (!(0, ast_1.isNode)(child, 'FunctionCall'))
+                return;
+            if (callName(child).toLowerCase() !== 'isapprovedforall')
+                return;
+            const args = child.arguments || [];
+            if (!Array.isArray(args) || args.length !== 2)
+                return;
+            if (!isFromParam(args[0], fromParamName))
+                return;
+            if (!(0, access_control_1.isCallerIdentityExpression)(args[1]))
+                return;
+            found = true;
+        });
+    });
+    return found;
+}
+function isFromParam(node, fromParamName) {
+    return (0, ast_1.isNode)(node, 'Identifier') && node.name === fromParamName;
+}
+function bodyHasInlineAccessControl(body) {
+    let found = false;
+    walk(body, node => {
+        if (found || !(0, ast_1.isNode)(node, 'FunctionCall'))
+            return;
+        const name = callName(node).toLowerCase();
+        if (name !== 'require' && name !== 'assert')
+            return;
+        const condition = Array.isArray(node.arguments) ? node.arguments[0] : undefined;
+        if ((0, access_control_1.requireExpressesAccessControl)(condition, name => (0, access_control_1.isPrivilegedIdentifier)(name)))
+            found = true;
+    });
+    return found;
+}
+function bodyCallsSuperSafeBatchTransferFrom(body) {
+    let found = false;
+    walk(body, node => {
+        if (found || !(0, ast_1.isNode)(node, 'FunctionCall'))
+            return;
+        const expr = node.expression;
+        if (!(0, ast_1.isNode)(expr, 'MemberAccess') || expr.memberName !== 'safeBatchTransferFrom')
+            return;
+        const base = expr.expression;
+        if ((0, ast_1.isNode)(base, 'Identifier') && base.name === 'super')
+            found = true;
+    });
+    return found;
+}
+function findIdsLoops(body) {
+    const loops = [];
+    walk(body, node => {
+        if (!(0, ast_1.isNode)(node, 'ForStatement'))
+            return;
+        const indexName = forLoopIndexOverIds(node);
+        if (indexName)
+            loops.push({ node, indexName });
+    });
+    return loops;
+}
+function forLoopIndexOverIds(node) {
+    const condition = node.conditionExpression;
+    if (!(0, ast_1.isNode)(condition, 'BinaryOperation'))
+        return '';
+    const left = condition.left;
+    const right = condition.right;
+    if (isIdentifier(left) && isIdsLength(right))
+        return left.name;
+    if (isIdentifier(right) && isIdsLength(left))
+        return right.name;
+    return '';
+}
+function loopMutatesCurrentId(loop) {
+    let found = false;
+    walk(loopBody(loop.node), node => {
+        if (found)
+            return;
+        if ((0, ast_1.isNode)(node, 'BinaryOperation') && ASSIGNMENT_OPERATORS.has(String(node.operator || ''))) {
+            if (containsCurrentId(node.left, loop.indexName, new Set()))
+                found = true;
+        }
+        if ((0, ast_1.isNode)(node, 'UnaryOperation') && ['++', '--', 'delete'].includes(String(node.operator || ''))) {
+            if (containsCurrentId(node.subExpression, loop.indexName, new Set()))
+                found = true;
+        }
+    });
+    return found;
+}
+function loopHasPerIdApproval(loop) {
+    const aliases = collectLoopIdAliases(loop);
+    let found = false;
+    walk(loopBody(loop.node), node => {
+        if (found || !(0, ast_1.isNode)(node, 'FunctionCall'))
+            return;
+        const name = callName(node).toLowerCase();
+        if (name !== 'require' && name !== 'assert')
+            return;
+        const condition = Array.isArray(node.arguments) ? node.arguments[0] : undefined;
+        if (!conditionMentionsCaller(condition))
+            return;
+        if (containsCurrentId(condition, loop.indexName, aliases))
+            found = true;
+    });
+    return found;
+}
+function collectLoopIdAliases(loop) {
+    const aliases = new Set();
+    walk(loopBody(loop.node), node => {
+        if (!(0, ast_1.isNode)(node, 'VariableDeclarationStatement'))
+            return;
+        const vars = node.variables || [];
+        if (!Array.isArray(vars) || vars.length !== 1)
+            return;
+        const variable = vars[0];
+        if (!variable?.name || aliases.has(variable.name))
+            return;
+        const value = node.initialValue;
+        if (isIdsAtLoopIndex(value, loop.indexName) || (isIdentifier(value) && aliases.has(value.name))) {
+            aliases.add(variable.name);
+        }
+    });
+    return aliases;
+}
+function containsCurrentId(node, loopIndex, aliases) {
+    let found = false;
+    walk(node, child => {
+        if (found)
+            return;
+        if (isIdsAtLoopIndex(child, loopIndex))
+            found = true;
+        if (isIdentifier(child) && aliases.has(child.name))
+            found = true;
+    });
+    return found;
+}
+function conditionMentionsCaller(node) {
+    let found = false;
+    walk(node, child => {
+        if (found)
+            return;
+        if ((0, access_control_1.isCallerIdentityExpression)(child))
+            found = true;
+    });
+    return found;
+}
+function isIdsAtLoopIndex(node, loopIndex) {
+    if (!(0, ast_1.isNode)(node, 'IndexAccess'))
+        return false;
+    return isIdentifier(node.base, 'ids') && isIdentifier(node.index, loopIndex);
+}
+function isIdsLength(node) {
+    return (0, ast_1.isNode)(node, 'MemberAccess')
+        && String(node.memberName || '') === 'length'
+        && isIdentifier(node.expression, 'ids');
+}
+function loopBody(loop) {
+    return loop?.body || loop?.trueBody || loop;
+}
+function isIdentifier(node, name) {
+    if (!(0, ast_1.isNode)(node, 'Identifier'))
+        return false;
+    if (name === undefined)
+        return typeof node.name === 'string' && node.name.length > 0;
+    return node.name === name;
+}
+function callName(call) {
+    const expr = call?.expression;
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return expr.name || '';
+    if ((0, ast_1.isNode)(expr, 'MemberAccess'))
+        return expr.memberName || '';
+    return '';
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'range')
+            continue;
+        if (Array.isArray(value)) {
+            for (const child of value)
+                walk(child, visit);
+        }
+        else if (value && typeof value === 'object') {
+            walk(value, visit);
+        }
+    }
+}
+//# sourceMappingURL=erc1155-batch-missing-per-id-approval.js.map

package/dist/detectors/erc1155-reentrancy.d.ts

@@ -0,0 +1,31 @@
+import type { ScanResult } from '../index';
+import type { DetectorContext } from './types';
+export declare class Erc1155ReentrancyDetector {
+    readonly id = "erc1155-reentrancy";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "medium";
+        help: string;
+    };
+    private findings;
+    private currentContractName;
+    private currentFile;
+    private stateVariableTypes;
+    private localVariableTypes;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any, ctx?: DetectorContext): void;
+    FunctionDefinition(node: any, ctx?: DetectorContext): void;
+    private hasReentrancyGuard;
+    private bodyContainsExternalCall;
+    private isExternalCallExpression;
+    private collectStateVariableTypes;
+    private collectLocalVariableTypes;
+    private recordVariableType;
+    private typeNameToString;
+    private isExternallyTypedIdentifier;
+    private walk;
+}

package/dist/detectors/erc1155-reentrancy.js

@@ -0,0 +1,217 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Erc1155ReentrancyDetector = void 0;
+const ast_1 = require("./_common/ast");
+const access_control_1 = require("./_common/access-control");
+const RULE_ID = 'erc1155-reentrancy';
+class Erc1155ReentrancyDetector {
+    id = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'Unguarded ERC-1155 receiver hook may allow reentrancy.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'medium',
+        help: 'ERC-1155 receiver hooks (`onERC1155Received`, `onERC1155BatchReceived`) are invoked during `safeTransferFrom` and `safeBatchTransferFrom` calls before the token transfer is completely finalized in some implementations. If the receiver hook makes external calls without a reentrancy guard, it creates a reentrancy vector.',
+    };
+    findings = [];
+    currentContractName = null;
+    currentFile = '';
+    stateVariableTypes = new Map();
+    localVariableTypes = new Map();
+    setFile(file) {
+        this.currentFile = file;
+        this.findings = [];
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node, ctx) {
+        if (node.kind === 'interface' || node.kind === 'library') {
+            this.currentContractName = null;
+            this.stateVariableTypes.clear();
+        }
+        else {
+            this.currentContractName = node.name;
+            this.stateVariableTypes = this.collectStateVariableTypes(node);
+        }
+    }
+    FunctionDefinition(node, ctx) {
+        if (!this.currentContractName)
+            return;
+        if (!node.body)
+            return; // Ignore bodyless declarations (interfaces/abstracts)
+        const name = node.name;
+        if (name !== 'onERC1155Received' && name !== 'onERC1155BatchReceived')
+            return;
+        const params = Array.isArray(node.parameters) ? node.parameters : (node.parameters?.parameters || []);
+        if (params.length !== 5)
+            return;
+        if (this.hasReentrancyGuard(node))
+            return;
+        const hasAccessControl = (0, access_control_1.hasRecognisedAccessControlModifier)(node);
+        this.localVariableTypes = this.collectLocalVariableTypes(node);
+        if (this.bodyContainsExternalCall(node.body)) {
+            const message = hasAccessControl
+                ? `Unguarded ERC-1155 receiver hook: '${this.currentContractName}.${name}' performs an external interaction without a reentrancy guard. Access control modifiers do not prevent same-actor reentrancy in callbacks.`
+                : `Unguarded ERC-1155 receiver hook: '${this.currentContractName}.${name}' performs an external interaction without a reentrancy guard.`;
+            this.findings.push({
+                ruleId: RULE_ID,
+                severity: 'medium',
+                message,
+                file: this.currentFile,
+                line: (0, ast_1.assertLoc)(node).line,
+                column: (0, ast_1.assertLoc)(node).column,
+                contract: this.currentContractName,
+                function: name,
+            });
+        }
+        this.localVariableTypes.clear();
+    }
+    hasReentrancyGuard(fn) {
+        const modifiers = fn?.modifiers || [];
+        for (const mod of modifiers) {
+            const name = String(mod?.name || '');
+            const lower = name.toLowerCase();
+            if (lower.includes('reentran') || lower.includes('mutex') || lower.includes('lock')) {
+                return true;
+            }
+        }
+        return false;
+    }
+    bodyContainsExternalCall(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (node.type === 'FunctionCall' && this.isExternalCallExpression(node)) {
+            return true;
+        }
+        if (Array.isArray(node)) {
+            for (const child of node) {
+                if (this.bodyContainsExternalCall(child))
+                    return true;
+            }
+        }
+        else {
+            for (const key of Object.keys(node)) {
+                if (key === 'loc' || key === 'type' || key === 'range')
+                    continue;
+                if (this.bodyContainsExternalCall(node[key]))
+                    return true;
+            }
+        }
+        return false;
+    }
+    isExternalCallExpression(call) {
+        let callee = call?.expression;
+        if (callee?.type === 'NameValueExpression')
+            callee = callee.expression;
+        if (callee?.type === 'MemberAccess') {
+            const member = String(callee.memberName || '').toLowerCase();
+            if (['call', 'delegatecall', 'staticcall', 'send', 'transfer'].includes(member)) {
+                return true;
+            }
+            const baseExpr = callee.expression;
+            if (baseExpr?.type === 'Identifier') {
+                const baseName = baseExpr.name;
+                const safeBuiltins = new Set(['this', 'super', 'abi', 'block', 'tx', 'msg', 'type', 'require', 'assert', 'revert', 'gasleft']);
+                if (safeBuiltins.has(baseName))
+                    return false;
+                return this.isExternallyTypedIdentifier(baseName);
+            }
+            if (baseExpr?.type === 'FunctionCall') {
+                // e.g., IHook(target).notify(...)
+                return true;
+            }
+            if (baseExpr?.type === 'MemberAccess') {
+                // e.g., msg.sender.call(...)
+                return true;
+            }
+            if (baseExpr?.type === 'IndexAccess') {
+                // e.g., targets[i].notify(...)
+                return true;
+            }
+        }
+        return false;
+    }
+    collectStateVariableTypes(contractNode) {
+        const types = new Map();
+        const subNodes = Array.isArray(contractNode?.subNodes) ? contractNode.subNodes : [];
+        for (const subNode of subNodes) {
+            if (subNode?.type !== 'StateVariableDeclaration')
+                continue;
+            const variables = Array.isArray(subNode.variables) ? subNode.variables : [];
+            for (const variable of variables) {
+                this.recordVariableType(types, variable);
+            }
+        }
+        return types;
+    }
+    collectLocalVariableTypes(node) {
+        const types = new Map();
+        this.walk(node?.body, (child) => {
+            if (child?.type === 'VariableDeclaration')
+                this.recordVariableType(types, child);
+            if (child?.type === 'VariableDeclarationStatement') {
+                const variables = Array.isArray(child.variables) ? child.variables : [];
+                for (const variable of variables)
+                    this.recordVariableType(types, variable);
+            }
+        });
+        return types;
+    }
+    recordVariableType(types, variable) {
+        const name = String(variable?.name || '');
+        if (!name)
+            return;
+        const typeName = this.typeNameToString(variable?.typeName);
+        if (typeName)
+            types.set(name, typeName);
+    }
+    typeNameToString(typeName) {
+        if (!typeName || typeof typeName !== 'object')
+            return '';
+        if (typeof typeName.name === 'string')
+            return typeName.name;
+        if (typeof typeName.namePath === 'string')
+            return typeName.namePath;
+        if (typeof typeName.typeDescriptions?.typeString === 'string')
+            return typeName.typeDescriptions.typeString;
+        if (typeName.type === 'ArrayTypeName')
+            return 'array';
+        if (typeName.type === 'Mapping')
+            return 'mapping';
+        if (typeName.baseTypeName)
+            return this.typeNameToString(typeName.baseTypeName);
+        if (typeName.keyType || typeName.valueType)
+            return 'mapping';
+        return '';
+    }
+    isExternallyTypedIdentifier(name) {
+        const typeName = this.localVariableTypes.get(name) || this.stateVariableTypes.get(name) || '';
+        if (!typeName)
+            return false;
+        const lower = typeName.toLowerCase();
+        if (lower === 'address' || lower.startsWith('address '))
+            return true;
+        if (lower === 'address payable' || lower.includes('contract ') || lower.includes('interface '))
+            return true;
+        return /^[A-Z]/.test(typeName);
+    }
+    walk(node, visit) {
+        if (!node || typeof node !== 'object')
+            return;
+        visit(node);
+        if (Array.isArray(node)) {
+            for (const child of node)
+                this.walk(child, visit);
+            return;
+        }
+        for (const key of Object.keys(node)) {
+            if (key === 'loc' || key === 'type' || key === 'range')
+                continue;
+            this.walk(node[key], visit);
+        }
+    }
+}
+exports.Erc1155ReentrancyDetector = Erc1155ReentrancyDetector;
+//# sourceMappingURL=erc1155-reentrancy.js.map

package/dist/detectors/erc1271-stub-implementation.d.ts

@@ -0,0 +1,21 @@
+import type { ScanResult } from '../index';
+export declare class Erc1271StubImplementationDetector {
+    readonly id = "erc1271-stub-implementation";
+    readonly patternKey = "erc1271-stub-implementation";
+    readonly supportedAstKinds: "parser"[];
+    scanAst(ast: any, file: string): ScanResult[];
+    private matchesEip1271;
+    private elementaryTypeName;
+    private bodyCallsSignaturePrimitive;
+    private bodyReturnsMagicValue;
+    private bodyReturnsZeroSelector;
+    private expressionContainsMagicValue;
+    private isMagicNumberLiteral;
+    private expressionIsBytes4Zero;
+    private isBytes4Cast;
+    private isZeroLiteral;
+    private findDescendant;
+    private childNodes;
+    private makeFinding;
+    private locOf;
+}