@snovon/solast 0.2.0

package/dist/detectors/finance-access-control-price-oracle-man.js

@@ -0,0 +1,640 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FinanceAccessControlPriceOracleManDetector = void 0;
+const RULE_ID = 'finance-access-control-price-oracle-man';
+const PROVENANCE = 'x-20220415-rikkei-finance-access-control-price-oracle-man';
+const ASSIGNMENT_OPS = new Set(['=', '+=', '-=', '*=', '/=', '%=']);
+const ACCESS_CONTROL_MODIFIERS = [
+    'onlyowner',
+    'onlyadmin',
+    'onlyrole',
+    'onlygovernance',
+    'onlygovernor',
+    'onlyguardian',
+    'onlyoperator',
+    'onlymanager',
+    'onlyauthorized',
+    'requiresauth',
+    'auth',
+];
+const ROLE_CHECKS = new Set([
+    'hasrole',
+    'onlyrole',
+    'checkrole',
+    '_checkrole',
+    'requirerole',
+    'isauthorized',
+    'requireauth',
+    'authorize',
+]);
+const PRICE_TERMS = /(price|oracle|reserve|exchangerate|rate|ratio|factor|valuation|quote|index|collateralfactor)/i;
+const FINANCE_TERMS = /(borrow|redeem|liquidat|collateral|liquidity|amountout|swap|quote|value|valuation|maxborrow|account|mint|withdraw|repay|debt)/i;
+const PRICE_GETTER_PATTERNS = /^(getunderlyingprice|getprice|getassetprice|getoracleprice|assetprice|oracleprice|price|peek|latestrounddata|latestanswer|latestprice|read|consult|quote|getquote)$/i;
+class FinanceAccessControlPriceOracleManDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser', 'solc'];
+    scanAst(ast, file, sourceText) {
+        if (!ast || typeof ast !== 'object')
+            return [];
+        const lineOffsets = buildLineOffsets(sourceText);
+        const findings = [];
+        for (const contract of getContracts(ast)) {
+            if (isInterfaceLike(contract))
+                continue;
+            const ctx = {
+                name: getName(contract) || '<anonymous>',
+                node: contract,
+                stateVars: collectStateVariables(contract),
+                functions: collectFunctions(contract),
+                modifierBodies: collectModifierBodies(contract),
+                financeStateRoots: new Set(),
+                priceGetterStateRoots: new Set(),
+                helperWriteCache: new Map(),
+            };
+            ctx.financeStateRoots = collectFinanceStateRoots(ctx);
+            ctx.priceGetterStateRoots = collectPriceGetterStateRoots(ctx);
+            if (ctx.financeStateRoots.size === 0 && ctx.priceGetterStateRoots.size === 0)
+                continue;
+            for (const fn of ctx.functions.values()) {
+                if (!isExternallyCallable(fn.node))
+                    continue;
+                const writes = this.collectReachablePriceWrites(fn, ctx, new Set());
+                const exploitableWrites = writes.filter(write => (ctx.financeStateRoots.has(write.stateRoot) || ctx.priceGetterStateRoots.has(write.stateRoot)) &&
+                    hasPriceMutationSurface(fn, write));
+                if (exploitableWrites.length === 0)
+                    continue;
+                if (hasAccessControlGuard(fn.node, ctx, exploitableWrites))
+                    continue;
+                const loc = getLoc(exploitableWrites[0].node, lineOffsets) || getLoc(fn.node, lineOffsets) || { line: 0, column: 0 };
+                findings.push({
+                    file,
+                    contract: ctx.name,
+                    'function': fn.name,
+                    line: loc.line,
+                    endLine: loc.line,
+                    column: loc.column,
+                    pattern: RULE_ID,
+                    confidence: 'high',
+                    category: 'vulnerability',
+                    ruleId: RULE_ID,
+                    severity: 'high',
+                    message: `Finance access-control oracle manipulation in '${ctx.name}.${fn.name}': externally reachable ` +
+                        `price-affecting state mutation feeds downstream finance valuation without a recognized owner or role guard.`,
+                    rationale: 'Mirrors the 2022-04-15 Rikkei Finance pattern: an unprivileged caller can update price, reserve, ' +
+                        'exchange-rate, ratio, or collateral-factor state that is later consumed by borrow, redeem, swap, ' +
+                        'liquidation, collateral, or accounting math.',
+                    suggestedFix: 'Restrict oracle and price-affecting mutators with onlyOwner/onlyRole or an equivalent inline ' +
+                        'msg.sender/role authorization check before the state write or internal helper call.',
+                    contractName: ctx.name,
+                    functionName: fn.name,
+                    sourceLocation: { line: loc.line, column: loc.column },
+                    stateMutationNode: exploitableWrites[0].node,
+                    affectedVariables: [...new Set(exploitableWrites.map(write => write.pricePath))].join(', '),
+                    findingId: '',
+                    contractHash: '',
+                    provenance: PROVENANCE,
+                    source: PROVENANCE,
+                });
+            }
+        }
+        return findings;
+    }
+    collectReachablePriceWrites(fn, ctx, stack) {
+        if (stack.has(fn.name))
+            return [];
+        stack.add(fn.name);
+        const writes = [];
+        walkNode(fn.body, node => {
+            const write = getPriceStateWrite(node, ctx.stateVars);
+            if (write) {
+                writes.push(write);
+                return;
+            }
+            const callee = getDirectCallName(node);
+            if (!callee)
+                return;
+            const helper = ctx.functions.get(callee);
+            if (!helper || isExternallyCallable(helper.node))
+                return;
+            for (const helperWrite of this.collectInternalHelperWrites(helper, ctx, stack)) {
+                writes.push({ ...helperWrite, node });
+            }
+        });
+        stack.delete(fn.name);
+        return dedupeWrites(writes);
+    }
+    collectInternalHelperWrites(fn, ctx, stack) {
+        const cached = ctx.helperWriteCache.get(fn.name);
+        if (cached)
+            return cached;
+        const writes = this.collectReachablePriceWrites(fn, ctx, stack);
+        ctx.helperWriteCache.set(fn.name, writes);
+        return writes;
+    }
+}
+exports.FinanceAccessControlPriceOracleManDetector = FinanceAccessControlPriceOracleManDetector;
+function collectFinanceStateRoots(ctx) {
+    const roots = new Set();
+    for (const fn of ctx.functions.values()) {
+        if (!fn.body)
+            continue;
+        const fnName = fn.name.toLowerCase();
+        let functionLooksFinancial = FINANCE_TERMS.test(fnName);
+        walkNode(fn.body, node => {
+            if (functionLooksFinancial)
+                return;
+            if (kindOf(node) === 'FunctionCall') {
+                const call = getCallName(callExpression(node)).toLowerCase();
+                if (FINANCE_TERMS.test(call))
+                    functionLooksFinancial = true;
+            }
+        });
+        if (!functionLooksFinancial)
+            continue;
+        walkNode(fn.body, node => {
+            if (!isArithmeticOrComparison(node))
+                return;
+            const refs = collectStateRefs(node, ctx.stateVars).filter(ref => PRICE_TERMS.test(ref.path));
+            for (const ref of refs)
+                roots.add(ref.root);
+        });
+    }
+    return roots;
+}
+function collectPriceGetterStateRoots(ctx) {
+    const roots = new Set();
+    for (const fn of ctx.functions.values()) {
+        if (!fn.body || !isPriceGetterFunction(fn))
+            continue;
+        const refs = collectStateRefs(fn.body, ctx.stateVars).filter(ref => PRICE_TERMS.test(ref.path));
+        for (const ref of refs)
+            roots.add(ref.root);
+    }
+    return roots;
+}
+function isPriceGetterFunction(fn) {
+    if (!isExternallyCallable(fn.node))
+        return false;
+    const name = normalizeName(fn.name);
+    return PRICE_GETTER_PATTERNS.test(name) ||
+        /^get.*(?:price|quote|oracle|rate)$/.test(name) ||
+        /^(?:latest|current).*(?:price|answer|rounddata|rate)$/.test(name);
+}
+function getPriceStateWrite(node, stateVars) {
+    if (!isAssignment(node))
+        return null;
+    const left = assignmentLeft(node);
+    const ref = getStateRef(left, stateVars);
+    if (!ref || !PRICE_TERMS.test(ref.path))
+        return null;
+    return { stateRoot: ref.root, pricePath: ref.path, node };
+}
+function hasAccessControlGuard(fn, ctx, writes) {
+    for (const mod of getModifiers(fn)) {
+        const name = normalizeName(getModifierName(mod));
+        if (ACCESS_CONTROL_MODIFIERS.some(guard => name === guard || name.includes(guard)))
+            return true;
+        const body = ctx.modifierBodies.get(getModifierName(mod));
+        if (body && containsAuthCheck(body))
+            return true;
+    }
+    const firstWrite = writes[0]?.node;
+    if (!firstWrite)
+        return false;
+    return hasInlineGuardBeforeNode(getBody(fn), firstWrite);
+}
+function hasPriceMutationSurface(fn, write) {
+    const fnName = fn.name.toLowerCase();
+    if (/(set|update|poke|post|push|sync|refresh|change|configure|config)/.test(fnName) && PRICE_TERMS.test(fnName)) {
+        return true;
+    }
+    if (PRICE_TERMS.test(fnName) && /(set|update|poke|post|push|sync|refresh|change|configure|config)/.test(fnName)) {
+        return true;
+    }
+    if (collectParameterNames(fn.node).some(name => PRICE_TERMS.test(name)))
+        return true;
+    return /(set|update)/.test(fnName) && PRICE_TERMS.test(write.pricePath);
+}
+function hasInlineGuardBeforeNode(body, targetNode) {
+    let guarded = false;
+    let reachedTarget = false;
+    const visitStatement = (stmt) => {
+        if (!stmt || reachedTarget)
+            return;
+        if (containsSameNode(stmt, targetNode)) {
+            reachedTarget = true;
+            return;
+        }
+        if (isAuthGuardStatement(stmt)) {
+            guarded = true;
+        }
+    };
+    for (const stmt of getStatements(body)) {
+        visitStatement(stmt);
+        if (reachedTarget)
+            break;
+    }
+    return reachedTarget && guarded;
+}
+function isAuthGuardStatement(stmt) {
+    const kind = kindOf(stmt);
+    if (kind === 'ExpressionStatement') {
+        const expr = expressionOf(stmt);
+        if (isRequireOrAssertWithAuth(expr))
+            return true;
+    }
+    if (kind === 'IfStatement') {
+        const condition = getField(stmt, 'condition');
+        if (condition && expressionHasAuth(condition) && containsRevert(getField(stmt, 'trueBody')))
+            return true;
+    }
+    return false;
+}
+function isRequireOrAssertWithAuth(expr) {
+    if (kindOf(expr) !== 'FunctionCall')
+        return false;
+    const callee = getCallName(callExpression(expr)).toLowerCase();
+    if (callee !== 'require' && callee !== 'assert')
+        return false;
+    return callArguments(expr).some(expressionHasAuth);
+}
+function expressionHasAuth(expr) {
+    let found = false;
+    walkNode(expr, node => {
+        if (found)
+            return;
+        if (isMsgSenderAuthorityEquality(node)) {
+            found = true;
+            return;
+        }
+        if (kindOf(node) === 'FunctionCall') {
+            const callee = normalizeName(getCallName(callExpression(node)));
+            if (ROLE_CHECKS.has(callee) || [...ROLE_CHECKS].some(name => callee.endsWith(`.${name}`))) {
+                found = true;
+            }
+        }
+    });
+    return found;
+}
+function isMsgSenderAuthorityEquality(node) {
+    if (kindOf(node) !== 'BinaryOperation')
+        return false;
+    const op = getOperator(node);
+    if (op !== '==' && op !== '===')
+        return false;
+    const left = binaryLeft(node);
+    const right = binaryRight(node);
+    if (isMsgSender(left))
+        return isAuthorityLike(right);
+    if (isMsgSender(right))
+        return isAuthorityLike(left);
+    return false;
+}
+function isAuthorityLike(node) {
+    const path = expressionPath(node).toLowerCase();
+    return /(owner|admin|govern|guardian|operator|manager|authority|authorized|role)/.test(path);
+}
+function containsAuthCheck(node) {
+    let found = false;
+    walkNode(node, child => {
+        if (!found && (isRequireOrAssertWithAuth(child) || expressionHasAuth(child)))
+            found = true;
+    });
+    return found;
+}
+function containsRevert(node) {
+    let found = false;
+    walkNode(node, child => {
+        if (kindOf(child) === 'FunctionCall' && getCallName(callExpression(child)).toLowerCase() === 'revert') {
+            found = true;
+        }
+    });
+    return found;
+}
+function collectStateVariables(contract) {
+    const vars = new Set();
+    for (const member of getContractMembers(contract)) {
+        if (kindOf(member) === 'StateVariableDeclaration') {
+            for (const variable of getField(member, 'variables') || []) {
+                if (getName(variable))
+                    vars.add(getName(variable));
+            }
+        }
+        else if (kindOf(member) === 'VariableDeclaration' && member.stateVariable) {
+            if (getName(member))
+                vars.add(getName(member));
+        }
+    }
+    return vars;
+}
+function collectFunctions(contract) {
+    const functions = new Map();
+    for (const member of getContractMembers(contract)) {
+        if (kindOf(member) !== 'FunctionDefinition')
+            continue;
+        const name = getName(member);
+        const body = getBody(member);
+        if (!name || !body)
+            continue;
+        functions.set(name, {
+            name,
+            node: member,
+            body,
+            visibility: String(getField(member, 'visibility') || '').toLowerCase(),
+        });
+    }
+    return functions;
+}
+function collectModifierBodies(contract) {
+    const bodies = new Map();
+    for (const member of getContractMembers(contract)) {
+        if (kindOf(member) !== 'ModifierDefinition')
+            continue;
+        const name = getName(member);
+        if (name && getBody(member))
+            bodies.set(name, getBody(member));
+    }
+    return bodies;
+}
+function collectParameterNames(fn) {
+    const names = [];
+    const parserParams = getField(fn, 'parameters');
+    if (Array.isArray(parserParams)) {
+        for (const param of parserParams) {
+            const name = getName(param);
+            if (name)
+                names.push(name);
+        }
+    }
+    else if (parserParams && Array.isArray(parserParams.parameters)) {
+        for (const param of parserParams.parameters) {
+            const name = getName(param);
+            if (name)
+                names.push(name);
+        }
+    }
+    return names;
+}
+function collectStateRefs(node, stateVars) {
+    const refs = [];
+    walkNode(node, child => {
+        const ref = getStateRef(child, stateVars);
+        if (ref)
+            refs.push(ref);
+    });
+    return refs;
+}
+function getStateRef(expr, stateVars) {
+    if (!expr || typeof expr !== 'object')
+        return null;
+    const kind = kindOf(expr);
+    if (kind === 'Identifier') {
+        const name = getName(expr);
+        return stateVars.has(name) ? { root: name, path: name } : null;
+    }
+    if (kind === 'IndexAccess') {
+        return getStateRef(indexBase(expr), stateVars);
+    }
+    if (kind === 'MemberAccess') {
+        const base = getStateRef(memberExpression(expr), stateVars);
+        if (!base)
+            return null;
+        return { root: base.root, path: `${base.path}.${String(getField(expr, 'memberName') || '')}` };
+    }
+    return null;
+}
+function isExternallyCallable(fn) {
+    const visibility = String(getField(fn, 'visibility') || '').toLowerCase();
+    return visibility === 'external' || visibility === 'public' || visibility === '';
+}
+function isInterfaceLike(contract) {
+    const kind = String(getField(contract, 'kind') || getField(contract, 'contractKind') || '').toLowerCase();
+    return kind === 'interface' || kind === 'library';
+}
+function isAssignment(node) {
+    const kind = kindOf(node);
+    if (kind === 'Assignment')
+        return true;
+    return kind === 'BinaryOperation' && ASSIGNMENT_OPS.has(getOperator(node));
+}
+function isArithmeticOrComparison(node) {
+    if (kindOf(node) !== 'BinaryOperation')
+        return false;
+    return /^(?:[+\-*/%]|[<>]=?|==|!=)$/.test(getOperator(node));
+}
+function getDirectCallName(node) {
+    if (kindOf(node) !== 'FunctionCall')
+        return '';
+    const expr = callExpression(node);
+    return kindOf(expr) === 'Identifier' ? getName(expr) : '';
+}
+function getCallName(expr) {
+    if (!expr)
+        return '';
+    const kind = kindOf(expr);
+    if (kind === 'Identifier')
+        return getName(expr);
+    if (kind === 'MemberAccess') {
+        const prefix = getCallName(memberExpression(expr));
+        const member = String(getField(expr, 'memberName') || '');
+        return prefix ? `${prefix}.${member}` : member;
+    }
+    if (kind === 'FunctionCallOptions')
+        return getCallName(getField(expr, 'expression'));
+    if (kind === 'NameValueExpression')
+        return getCallName(getField(expr, 'expression'));
+    return getName(expr);
+}
+function expressionPath(expr) {
+    if (!expr || typeof expr !== 'object')
+        return '';
+    const kind = kindOf(expr);
+    if (kind === 'Identifier')
+        return getName(expr);
+    if (kind === 'MemberAccess') {
+        const prefix = expressionPath(memberExpression(expr));
+        const member = String(getField(expr, 'memberName') || '');
+        return prefix ? `${prefix}.${member}` : member;
+    }
+    if (kind === 'IndexAccess')
+        return expressionPath(indexBase(expr));
+    return getName(expr);
+}
+function isMsgSender(node) {
+    return kindOf(node) === 'MemberAccess' &&
+        String(getField(node, 'memberName') || '') === 'sender' &&
+        kindOf(memberExpression(node)) === 'Identifier' &&
+        getName(memberExpression(node)) === 'msg';
+}
+function dedupeWrites(writes) {
+    const out = [];
+    const seen = new Set();
+    for (const write of writes) {
+        const key = `${write.stateRoot}:${write.pricePath}`;
+        if (seen.has(key))
+            continue;
+        seen.add(key);
+        out.push(write);
+    }
+    return out;
+}
+function getContracts(ast) {
+    return getChildren(ast).filter(child => kindOf(child) === 'ContractDefinition');
+}
+function getContractMembers(contract) {
+    return getChildren(contract);
+}
+function getChildren(node) {
+    return getField(node, 'children') || getField(node, 'nodes') || getField(node, 'subNodes') || [];
+}
+function getStatements(node) {
+    return getField(node, 'statements') || [];
+}
+function getModifiers(fn) {
+    return getField(fn, 'modifiers') || [];
+}
+function getModifierName(mod) {
+    return getName(getField(mod, 'name')) || getName(mod) || String(getField(mod, 'modifierName')?.name || '');
+}
+function getBody(fn) {
+    return getField(fn, 'body');
+}
+function expressionOf(node) {
+    return getField(node, 'expression');
+}
+function callExpression(node) {
+    return getField(node, 'expression');
+}
+function callArguments(node) {
+    return getField(node, 'arguments') || [];
+}
+function assignmentLeft(node) {
+    return getField(node, 'left') || getField(node, 'leftHandSide');
+}
+function binaryLeft(node) {
+    return getField(node, 'left') || getField(node, 'leftExpression');
+}
+function binaryRight(node) {
+    return getField(node, 'right') || getField(node, 'rightExpression');
+}
+function indexBase(node) {
+    return getField(node, 'base') || getField(node, 'baseExpression');
+}
+function memberExpression(node) {
+    return getField(node, 'expression');
+}
+function getOperator(node) {
+    return String(getField(node, 'operator') || '');
+}
+function getName(node) {
+    if (!node)
+        return '';
+    if (typeof node === 'string')
+        return node;
+    if (typeof node.name === 'string')
+        return node.name;
+    if (node.name && typeof node.name === 'object')
+        return getName(node.name);
+    if (typeof node.namePath === 'string')
+        return node.namePath;
+    return '';
+}
+function kindOf(node) {
+    return String(node?.type || node?.nodeType || '');
+}
+function getField(node, key) {
+    return node ? node[key] : undefined;
+}
+function normalizeName(name) {
+    return String(name || '').toLowerCase().replace(/[^a-z0-9.]/g, '');
+}
+function walkNode(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const child of childNodes(node)) {
+        walkNode(child, visit);
+    }
+}
+function childNodes(node) {
+    const children = [];
+    for (const key of [
+        'children',
+        'nodes',
+        'subNodes',
+        'statements',
+        'body',
+        'trueBody',
+        'falseBody',
+        'expression',
+        'left',
+        'right',
+        'leftExpression',
+        'rightExpression',
+        'leftHandSide',
+        'rightHandSide',
+        'base',
+        'baseExpression',
+        'index',
+        'indexExpression',
+        'initialValue',
+        'arguments',
+        'components',
+        'subExpression',
+        'condition',
+        'returnExpression',
+    ]) {
+        const value = node[key];
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    children.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            children.push(value);
+        }
+    }
+    return children;
+}
+function containsSameNode(haystack, needle) {
+    let found = false;
+    walkNode(haystack, node => {
+        if (node === needle)
+            found = true;
+    });
+    return found;
+}
+function buildLineOffsets(sourceText) {
+    if (sourceText === undefined)
+        return undefined;
+    const offsets = [0];
+    let byteOffset = 0;
+    for (const char of sourceText) {
+        byteOffset += Buffer.byteLength(char, 'utf8');
+        if (char === '\n')
+            offsets.push(byteOffset);
+    }
+    return offsets;
+}
+function getLoc(node, lineOffsets) {
+    const loc = node?.loc?.start;
+    if (loc && typeof loc.line === 'number')
+        return { line: loc.line, column: loc.column || 0 };
+    const src = String(node?.src || '');
+    if (!src || !lineOffsets)
+        return null;
+    const offset = Number(src.split(':')[0]);
+    if (!Number.isFinite(offset) || offset < 0)
+        return null;
+    let lineIndex = 0;
+    for (let i = 0; i < lineOffsets.length; i++) {
+        if (lineOffsets[i] <= offset)
+            lineIndex = i;
+        else
+            break;
+    }
+    return { line: lineIndex + 1, column: offset - lineOffsets[lineIndex] };
+}
+//# sourceMappingURL=finance-access-control-price-oracle-man.js.map

package/dist/detectors/finance-bridge-address0safetransferfrom.d.ts

@@ -0,0 +1,8 @@
+import type { ScanResult } from '../index';
+export declare class FinanceBridgeAddress0SafeTransferFromDetector {
+    readonly id = "finance-bridge-address0safetransferfrom";
+    readonly patternKey = "finance-bridge-address0safetransferfrom";
+    readonly supportedAstKinds: "parser"[];
+    scanAst(ast: any, file: string, sourceText?: string): ScanResult[];
+    private analyzeFunction;
+}