@snovon/solast 0.2.0

package/dist/detectors/erc6909-operator-scope.d.ts

@@ -0,0 +1,49 @@
+import type { ScanResult } from '../index';
+export declare class Erc6909OperatorScopeDetector {
+    readonly id = "erc6909-operator-scope";
+    readonly patternKey = "erc6909-operator-scope";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "medium";
+        help: string;
+    };
+    private currentFile;
+    private findings;
+    private sourceHasErc6909Signal;
+    private contractContexts;
+    private currentContractName;
+    private currentContract;
+    private currentFunction;
+    private currentFunctionName;
+    private externalSourceArrays;
+    private emptyOnlyGuards;
+    private nonEmptyGuards;
+    private upperBoundGuards;
+    private ifEmptyBranches;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    SourceUnit(node: any): void;
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(_node: any): void;
+    ['ContractDefinition:exit'](node: any): void;
+    FunctionDefinition(node: any): void;
+    FunctionDefinition_post(_node: any): void;
+    ['FunctionDefinition:exit'](node: any): void;
+    IfStatement(node: any): void;
+    IfStatement_post(_node: any): void;
+    ['IfStatement:exit'](node: any): void;
+    VariableDeclarationStatement(node: any): void;
+    FunctionCall(node: any): void;
+    private collectSourceSignals;
+    private isErc6909Context;
+    private scopeIssue;
+    private recordLengthGuard;
+    private recordTerminatingBranchLengthGuard;
+    private hasBoundedGuard;
+    private isInsideEmptyBranch;
+    private makeFinding;
+    private resetFunctionState;
+}

package/dist/detectors/erc6909-operator-scope.js

@@ -0,0 +1,494 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Erc6909OperatorScopeDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'erc6909-operator-scope';
+const PATTERN_EMPTY = `${RULE_ID}/empty-token-id-scope`;
+const PATTERN_UNBOUNDED = `${RULE_ID}/unbounded-token-id-scope`;
+const ERC6909_INTERFACE_ID = '0xe68c0d87';
+class Erc6909OperatorScopeDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'ERC-6909 batch approvals should bound operator token-id scope.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'medium',
+        help: 'Pass a non-empty, intentionally bounded uint256[] token-id scope to ERC-6909 batch approve calls; avoid empty scopes, all-token sentinels, and unconstrained external scope sources.',
+    };
+    currentFile = '';
+    findings = [];
+    sourceHasErc6909Signal = false;
+    contractContexts = new Map();
+    currentContractName = '';
+    currentContract = null;
+    currentFunction = null;
+    currentFunctionName = '';
+    externalSourceArrays = new Set();
+    emptyOnlyGuards = new Set();
+    nonEmptyGuards = new Set();
+    upperBoundGuards = new Set();
+    ifEmptyBranches = [];
+    setFile(file) {
+        this.currentFile = file;
+        this.findings = [];
+        this.sourceHasErc6909Signal = false;
+        this.contractContexts = new Map();
+        this.currentContractName = '';
+        this.currentContract = null;
+        this.currentFunction = null;
+        this.currentFunctionName = '';
+        this.resetFunctionState();
+    }
+    getFindings() {
+        return this.findings;
+    }
+    SourceUnit(node) {
+        this.collectSourceSignals(node);
+    }
+    ContractDefinition(node) {
+        if (node?.kind === 'interface' || node?.kind === 'library') {
+            this.currentContractName = '';
+            this.currentContract = null;
+            return;
+        }
+        this.currentContractName = String(node?.name || '<anonymous>');
+        this.currentContract = node;
+    }
+    ContractDefinition_post(_node) {
+        this.currentContractName = '';
+        this.currentContract = null;
+    }
+    ['ContractDefinition:exit'](node) {
+        this.ContractDefinition_post(node);
+    }
+    FunctionDefinition(node) {
+        this.currentFunction = node?.body ? node : null;
+        this.currentFunctionName = node?.body ? String(node.name || (node.isConstructor ? '<constructor>' : '<anonymous>')) : '';
+        this.resetFunctionState();
+    }
+    FunctionDefinition_post(_node) {
+        this.currentFunction = null;
+        this.currentFunctionName = '';
+        this.resetFunctionState();
+    }
+    ['FunctionDefinition:exit'](node) {
+        this.FunctionDefinition_post(node);
+    }
+    IfStatement(node) {
+        this.recordTerminatingBranchLengthGuard(node);
+        const variable = lengthComparedToZero(node?.condition, '==');
+        if (!variable)
+            return;
+        this.ifEmptyBranches.push({
+            variable,
+            trueRange: nodeRange(node?.trueBody),
+        });
+    }
+    IfStatement_post(_node) {
+        this.ifEmptyBranches.pop();
+    }
+    ['IfStatement:exit'](node) {
+        this.IfStatement_post(node);
+    }
+    VariableDeclarationStatement(node) {
+        if (!this.currentFunction)
+            return;
+        const variable = firstDeclaredVariable(node);
+        const name = declarationName(variable);
+        if (!name)
+            return;
+        if (isUintArrayType(variable?.typeName)) {
+            if (isExternalCallReturn(node.initialValue))
+                this.externalSourceArrays.add(name);
+        }
+    }
+    FunctionCall(node) {
+        if (!this.currentFunction || !this.currentContract)
+            return;
+        if (isRequireCall(node)) {
+            this.recordLengthGuard(node.arguments?.[0]);
+        }
+        if (!isApproveCall(node))
+            return;
+        const tokenIdsArg = tokenIdsArgument(node);
+        if (!tokenIdsArg)
+            return;
+        if (!this.isErc6909Context(node))
+            return;
+        const issue = this.scopeIssue(tokenIdsArg, node);
+        if (!issue)
+            return;
+        this.findings.push(this.makeFinding(node, issue));
+    }
+    collectSourceSignals(sourceUnit) {
+        const batchInterfaces = new Set();
+        for (const child of sourceUnit?.children || []) {
+            if (!(0, ast_1.isNode)(child, 'ContractDefinition'))
+                continue;
+            if (String(child.name || '').toLowerCase().includes('6909')) {
+                batchInterfaces.add(String(child.name));
+                this.sourceHasErc6909Signal = true;
+            }
+            if (hasBatchApproveSurface(child)) {
+                if (child.kind === 'interface') {
+                    batchInterfaces.add(String(child.name || ''));
+                    this.sourceHasErc6909Signal = true;
+                }
+                else {
+                    this.sourceHasErc6909Signal = true;
+                }
+            }
+        }
+        for (const child of sourceUnit?.children || []) {
+            if (!(0, ast_1.isNode)(child, 'ContractDefinition'))
+                continue;
+            const ctx = {
+                supportsErc6909: declaresErc6909InterfaceId(child),
+                hasBatchApproveSurface: hasBatchApproveSurface(child),
+                erc6909Variables: new Set(),
+                arrayVariables: new Set(),
+                allTokensSentinels: new Set(),
+            };
+            if (ctx.supportsErc6909)
+                this.sourceHasErc6909Signal = true;
+            for (const sub of child.subNodes || []) {
+                if (!(0, ast_1.isNode)(sub, 'StateVariableDeclaration'))
+                    continue;
+                for (const variable of sub.variables || []) {
+                    const name = declarationName(variable);
+                    if (!name)
+                        continue;
+                    if (isUintArrayType(variable.typeName)) {
+                        ctx.arrayVariables.add(name);
+                        if (isAllTokensName(name))
+                            ctx.allTokensSentinels.add(name);
+                    }
+                    const typeName = userDefinedTypeName(variable.typeName);
+                    if (typeName && (batchInterfaces.has(typeName) || typeName.toLowerCase().includes('6909'))) {
+                        ctx.erc6909Variables.add(name);
+                        this.sourceHasErc6909Signal = true;
+                    }
+                }
+            }
+            this.contractContexts.set(String(child.name || '<anonymous>'), ctx);
+        }
+    }
+    isErc6909Context(call) {
+        if (!this.sourceHasErc6909Signal)
+            return false;
+        const ctx = this.contractContexts.get(this.currentContractName);
+        if (!ctx)
+            return false;
+        if (ctx.supportsErc6909 || ctx.hasBatchApproveSurface)
+            return true;
+        const target = memberTargetName(call.expression);
+        return Boolean(target && ctx.erc6909Variables.has(target));
+    }
+    scopeIssue(arg, call) {
+        if (isEmptyArrayLiteral(arg)) {
+            return {
+                pattern: PATTERN_EMPTY,
+                message: 'ERC-6909 batch approve uses an empty token-id scope, granting the operator without an explicit bounded token-type set.',
+            };
+        }
+        if (isTypeUint256Max(arg)) {
+            return {
+                pattern: PATTERN_UNBOUNDED,
+                message: 'ERC-6909 batch approve uses type(uint256).max as a token-id scope sentinel; pass a bounded non-empty token-id array instead.',
+            };
+        }
+        const identifier = identifierName(arg);
+        if (!identifier)
+            return null;
+        const ctx = this.contractContexts.get(this.currentContractName);
+        if (isAllTokensName(identifier) || ctx?.allTokensSentinels.has(identifier)) {
+            return {
+                pattern: PATTERN_UNBOUNDED,
+                message: `ERC-6909 batch approve forwards '${identifier}' as an all-token scope sentinel; pass only the intended token-type IDs.`,
+            };
+        }
+        if (this.emptyOnlyGuards.has(identifier) || this.isInsideEmptyBranch(identifier, call)) {
+            return {
+                pattern: PATTERN_EMPTY,
+                message: `ERC-6909 batch approve is dominated by a ${identifier}.length == 0 condition, so the operator receives an empty token-id scope.`,
+            };
+        }
+        if (this.externalSourceArrays.has(identifier) && !this.hasBoundedGuard(identifier)) {
+            return {
+                pattern: PATTERN_UNBOUNDED,
+                message: `ERC-6909 batch approve forwards token IDs from unconstrained external call result '${identifier}'. Bound the array before approval.`,
+            };
+        }
+        return null;
+    }
+    recordLengthGuard(expr) {
+        const emptyOnly = lengthComparedToZero(expr, '==');
+        if (emptyOnly)
+            this.emptyOnlyGuards.add(emptyOnly);
+        const nonEmpty = nonEmptyLengthGuard(expr);
+        if (nonEmpty)
+            this.nonEmptyGuards.add(nonEmpty);
+        const upperBound = upperBoundLengthGuard(expr);
+        if (upperBound)
+            this.upperBoundGuards.add(upperBound);
+    }
+    recordTerminatingBranchLengthGuard(node) {
+        if (branchTerminates(node?.trueBody)) {
+            const nonEmpty = nonEmptyLengthRevertGuard(node.condition);
+            if (nonEmpty)
+                this.nonEmptyGuards.add(nonEmpty);
+            const upperBound = upperBoundLengthRevertGuard(node.condition);
+            if (upperBound)
+                this.upperBoundGuards.add(upperBound);
+        }
+        if (branchTerminates(node?.falseBody)) {
+            const nonEmpty = nonEmptyLengthGuard(node.condition);
+            if (nonEmpty)
+                this.nonEmptyGuards.add(nonEmpty);
+            const upperBound = upperBoundLengthGuard(node.condition);
+            if (upperBound)
+                this.upperBoundGuards.add(upperBound);
+        }
+    }
+    hasBoundedGuard(variable) {
+        return this.nonEmptyGuards.has(variable) && this.upperBoundGuards.has(variable);
+    }
+    isInsideEmptyBranch(variable, node) {
+        const range = nodeRange(node);
+        if (!range)
+            return false;
+        return this.ifEmptyBranches.some(branch => branch.variable === variable &&
+            branch.trueRange !== null &&
+            range[0] >= branch.trueRange[0] &&
+            range[1] <= branch.trueRange[1]);
+    }
+    makeFinding(node, issue) {
+        const loc = (0, ast_1.assertLoc)(node, this.currentFunction);
+        return {
+            file: this.currentFile,
+            contract: this.currentContractName || '<anonymous>',
+            'function': this.currentFunctionName || '<anonymous>',
+            line: loc.line,
+            column: loc.column,
+            ruleId: RULE_ID,
+            pattern: issue.pattern,
+            severity: 'medium',
+            confidence: 'medium',
+            category: 'vulnerability',
+            message: issue.message,
+            findingId: '',
+            contractHash: '',
+        };
+    }
+    resetFunctionState() {
+        this.externalSourceArrays = new Set();
+        this.emptyOnlyGuards = new Set();
+        this.nonEmptyGuards = new Set();
+        this.upperBoundGuards = new Set();
+        this.ifEmptyBranches = [];
+    }
+}
+exports.Erc6909OperatorScopeDetector = Erc6909OperatorScopeDetector;
+function hasBatchApproveSurface(contract) {
+    return (contract?.subNodes || []).some((sub) => (0, ast_1.isNode)(sub, 'FunctionDefinition') &&
+        sub.name === 'approve' &&
+        isApproveParameters(sub.parameters));
+}
+function isApproveParameters(params) {
+    if (!Array.isArray(params) || params.length !== 2)
+        return false;
+    return isAddressType(params[0]?.typeName) && isUintArrayType(params[1]?.typeName);
+}
+function declaresErc6909InterfaceId(contract) {
+    for (const sub of contract?.subNodes || []) {
+        if (!(0, ast_1.isNode)(sub, 'FunctionDefinition') || sub.name !== 'supportsInterface')
+            continue;
+        if (containsHexLiteral(sub.body, ERC6909_INTERFACE_ID))
+            return true;
+    }
+    return false;
+}
+function containsHexLiteral(node, value) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if ((0, ast_1.isNode)(node, 'NumberLiteral') && String(node.number || '').toLowerCase() === value)
+        return true;
+    for (const key of Object.keys(node)) {
+        const child = node[key];
+        if (Array.isArray(child)) {
+            if (child.some(item => containsHexLiteral(item, value)))
+                return true;
+        }
+        else if (child && typeof child === 'object' && containsHexLiteral(child, value)) {
+            return true;
+        }
+    }
+    return false;
+}
+function isApproveCall(node) {
+    const expr = node?.expression;
+    return ((0, ast_1.isNode)(expr, 'MemberAccess') && expr.memberName === 'approve') ||
+        ((0, ast_1.isNode)(expr, 'Identifier') && expr.name === 'approve');
+}
+function tokenIdsArgument(node) {
+    const names = Array.isArray(node?.names) ? node.names : [];
+    const namedIndex = names.findIndex((name) => name === 'tokenIds' || name === '_tokenIds');
+    if (namedIndex >= 0)
+        return node.arguments?.[namedIndex] || null;
+    if ((node?.arguments || []).length !== 2)
+        return null;
+    return node.arguments[1] || null;
+}
+function isRequireCall(node) {
+    const expr = node?.expression;
+    return (0, ast_1.isNode)(expr, 'Identifier') && expr.name === 'require';
+}
+function firstDeclaredVariable(node) {
+    const vars = node?.variables;
+    return Array.isArray(vars) && vars.length > 0 ? vars[0] : null;
+}
+function declarationName(node) {
+    return String(node?.name || node?.identifier?.name || '');
+}
+function isUintArrayType(typeName) {
+    if (!(0, ast_1.isNode)(typeName, 'ArrayTypeName'))
+        return false;
+    return isUintType(typeName.baseTypeName);
+}
+function isUintType(typeName) {
+    if (!(0, ast_1.isNode)(typeName, 'ElementaryTypeName'))
+        return false;
+    const name = String(typeName.name || '').toLowerCase();
+    return name === 'uint' || name === 'uint256';
+}
+function isAddressType(typeName) {
+    return (0, ast_1.isNode)(typeName, 'ElementaryTypeName') && String(typeName.name || '').toLowerCase() === 'address';
+}
+function userDefinedTypeName(typeName) {
+    if (!(0, ast_1.isNode)(typeName, 'UserDefinedTypeName'))
+        return '';
+    return String(typeName.namePath || typeName.name || '');
+}
+function isEmptyArrayLiteral(node) {
+    return (0, ast_1.isNode)(node, 'TupleExpression') && node.isArray === true && (node.components || []).length === 0;
+}
+function identifierName(node) {
+    return (0, ast_1.isNode)(node, 'Identifier') ? String(node.name || '') : '';
+}
+function isAllTokensName(name) {
+    return name === 'ALL_TOKENS' || name === '_ALL_TOKENS';
+}
+function memberTargetName(expr) {
+    if (!(0, ast_1.isNode)(expr, 'MemberAccess'))
+        return '';
+    return identifierName(expr.expression);
+}
+function isExternalCallReturn(node) {
+    if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+        return false;
+    const expr = node.expression;
+    if (!(0, ast_1.isNode)(expr, 'MemberAccess'))
+        return false;
+    const target = identifierName(expr.expression);
+    return target !== '' && target !== 'this' && target !== 'super';
+}
+function lengthComparedToZero(expr, operator) {
+    if (!(0, ast_1.isNode)(expr, 'BinaryOperation') || expr.operator !== operator)
+        return '';
+    const leftLen = lengthMemberName(expr.left);
+    if (leftLen && isZeroLiteral(expr.right))
+        return leftLen;
+    const rightLen = lengthMemberName(expr.right);
+    if (rightLen && isZeroLiteral(expr.left))
+        return rightLen;
+    return '';
+}
+function nonEmptyLengthGuard(expr) {
+    if ((0, ast_1.isNode)(expr, 'BinaryOperation')) {
+        const leftLen = lengthMemberName(expr.left);
+        if (leftLen && isZeroLiteral(expr.right) && (expr.operator === '!=' || expr.operator === '>' || expr.operator === '>=')) {
+            return leftLen;
+        }
+        const rightLen = lengthMemberName(expr.right);
+        if (rightLen && isZeroLiteral(expr.left) && (expr.operator === '!=' || expr.operator === '<' || expr.operator === '<=')) {
+            return rightLen;
+        }
+    }
+    return '';
+}
+function upperBoundLengthGuard(expr) {
+    if (!(0, ast_1.isNode)(expr, 'BinaryOperation'))
+        return '';
+    const leftLen = lengthMemberName(expr.left);
+    if (leftLen && isPositiveIntegerLiteral(expr.right) && (expr.operator === '<=' || expr.operator === '<'))
+        return leftLen;
+    const rightLen = lengthMemberName(expr.right);
+    if (rightLen && isPositiveIntegerLiteral(expr.left) && (expr.operator === '>=' || expr.operator === '>'))
+        return rightLen;
+    return '';
+}
+function nonEmptyLengthRevertGuard(expr) {
+    return lengthComparedToZero(expr, '==');
+}
+function upperBoundLengthRevertGuard(expr) {
+    if (!(0, ast_1.isNode)(expr, 'BinaryOperation'))
+        return '';
+    const leftLen = lengthMemberName(expr.left);
+    if (leftLen && isPositiveIntegerLiteral(expr.right) && (expr.operator === '>' || expr.operator === '>='))
+        return leftLen;
+    const rightLen = lengthMemberName(expr.right);
+    if (rightLen && isPositiveIntegerLiteral(expr.left) && (expr.operator === '<' || expr.operator === '<='))
+        return rightLen;
+    return '';
+}
+function branchTerminates(node) {
+    if (!node)
+        return false;
+    if ((0, ast_1.isNode)(node, 'RevertStatement') || (0, ast_1.isNode)(node, 'ThrowStatement') || (0, ast_1.isNode)(node, 'ReturnStatement'))
+        return true;
+    if ((0, ast_1.isNode)(node, 'Block')) {
+        const statements = node.statements || [];
+        return statements.length > 0 && branchTerminates(statements[statements.length - 1]);
+    }
+    return false;
+}
+function lengthMemberName(node) {
+    if (!(0, ast_1.isNode)(node, 'MemberAccess') || node.memberName !== 'length')
+        return '';
+    return identifierName(node.expression);
+}
+function isZeroLiteral(node) {
+    return numericLiteralValue(node) === 0;
+}
+function isPositiveIntegerLiteral(node) {
+    const value = numericLiteralValue(node);
+    return value !== null && value > 0;
+}
+function numericLiteralValue(node) {
+    if (!(0, ast_1.isNode)(node, 'NumberLiteral'))
+        return null;
+    const text = String(node.number || '');
+    if (!/^\d+$/.test(text))
+        return null;
+    return Number(text);
+}
+function isTypeUint256Max(node) {
+    if (!(0, ast_1.isNode)(node, 'MemberAccess') || node.memberName !== 'max')
+        return false;
+    const call = node.expression;
+    if (!(0, ast_1.isNode)(call, 'FunctionCall'))
+        return false;
+    if (!(0, ast_1.isNode)(call.expression, 'Identifier') || call.expression.name !== 'type')
+        return false;
+    const arg = call.arguments?.[0];
+    return isUintType(arg);
+}
+function nodeRange(node) {
+    const range = node?.range;
+    return Array.isArray(range) && range.length >= 2 && typeof range[0] === 'number' && typeof range[1] === 'number'
+        ? [range[0], range[1]]
+        : null;
+}
+//# sourceMappingURL=erc6909-operator-scope.js.map

package/dist/detectors/erc721-unchecked-transfer.d.ts

@@ -0,0 +1,38 @@
+import type { ScanResult } from '../index';
+export declare class Erc721UncheckedTransferDetector {
+    readonly id = "erc721-unchecked-transfer";
+    readonly patternKey = "erc721-unchecked-transfer";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "medium";
+        help: string;
+    };
+    private currentFile;
+    private currentContract;
+    private contractTypes;
+    private interfaces;
+    private fn;
+    private findings;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(_node: any): void;
+    ['ContractDefinition:exit'](node: any): void;
+    FunctionDefinition(node: any): void;
+    FunctionDefinition_post(_node: any): void;
+    ['FunctionDefinition:exit'](node: any): void;
+    VariableDeclarationStatement(node: any): void;
+    ExpressionStatement(node: any): void;
+    FunctionCall(node: any): void;
+    IfStatement(node: any): void;
+    ReturnStatement(node: any): void;
+    private collectInterface;
+    private asUncheckedDirectCall;
+    private asErc721LowLevelCall;
+    private receiverInterfaceName;
+    private interfaceMethodReturnsBool;
+    private makeFinding;
+}