@snovon/solast 0.2.0

package/dist/detectors/incorrect-access-control.js

@@ -0,0 +1,328 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.IncorrectAccessControlDetector = void 0;
+const ast_1 = require("./_common/ast");
+const access_control_1 = require("./_common/access-control");
+const RULE_ID = 'incorrect-access-control';
+const PROVENANCE = 'issue-603-cgt-20240323-incorrect-access-control';
+const PRIVILEGED_CALLS = new Set(['mint', 'suck']);
+class IncorrectAccessControlDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'Externally callable spell or privileged-control mutator reaches mint/accounting authority without caller authorization.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'critical',
+        help: 'Gate spell-like mint/accounting actions and owner/admin reassignment with onlyOwner/onlyRole or an early inline msg.sender/hasRole authorization check.',
+    };
+    currentFile = '';
+    currentContract = '';
+    executableContract = true;
+    contractStack = [];
+    stateVars = new Set();
+    findings = [];
+    setFile(file) {
+        this.currentFile = file;
+        this.currentContract = '';
+        this.executableContract = true;
+        this.contractStack = [];
+        this.stateVars = new Set();
+        this.findings = [];
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        this.contractStack.push({
+            name: this.currentContract,
+            executable: this.executableContract,
+            stateVars: this.stateVars,
+        });
+        this.currentContract = String(node?.name || '<anonymous>');
+        const kind = String(node?.kind || '').toLowerCase();
+        this.executableContract = kind !== 'interface' && kind !== 'library';
+        this.stateVars = collectStateVariables(node);
+    }
+    ContractDefinition_post(_node) {
+        const previous = this.contractStack.pop();
+        this.currentContract = previous?.name || '';
+        this.executableContract = previous?.executable ?? true;
+        this.stateVars = previous?.stateVars || new Set();
+    }
+    ['ContractDefinition:exit'](node) {
+        this.ContractDefinition_post(node);
+    }
+    FunctionDefinition(node) {
+        if (!this.executableContract || !node?.body)
+            return;
+        if (!isExternallyCallable(node))
+            return;
+        if (isReadOnly(node))
+            return;
+        const state = {
+            node,
+            name: functionDisplayName(node),
+            guarded: (0, access_control_1.hasRecognisedAccessControlModifier)(node),
+            localNames: collectLocalNames(node),
+        };
+        if (state.guarded)
+            return;
+        const sink = firstUnguardedSink(node.body, state, this.stateVars);
+        if (!sink)
+            return;
+        this.findings.push(this.makeFinding(state, sink));
+    }
+    makeFinding(state, sink) {
+        const loc = (0, ast_1.assertLoc)(sink, state.node);
+        const contractName = this.currentContract || '<anonymous>';
+        return {
+            file: this.currentFile,
+            contract: contractName,
+            'function': state.name,
+            line: loc.line,
+            endLine: loc.endLine,
+            column: loc.column,
+            endColumn: loc.endColumn,
+            pattern: RULE_ID,
+            confidence: 'high',
+            category: 'access-control',
+            ruleId: RULE_ID,
+            severity: 'critical',
+            message: `Incorrect access control in '${contractName}.${state.name}': externally callable function reaches ` +
+                'privileged mint/accounting authority or reassigns privileged control without an owner/role guard first.',
+            rationale: 'Mirrors the cgt 2024-03-23 incorrect-access-control shape: any caller can execute a spell-like privileged value path or reassign global control because authorization does not dominate the sink.',
+            suggestedFix: 'Add a recognized onlyOwner/onlyRole-style modifier or an early require(msg.sender == owner) / require(hasRole(role, msg.sender)) check before the privileged operation.',
+            contractName,
+            functionName: state.name,
+            sourceLocation: { line: loc.line, column: loc.column },
+            findingId: '',
+            contractHash: '',
+            provenance: PROVENANCE,
+            source: PROVENANCE,
+        };
+    }
+}
+exports.IncorrectAccessControlDetector = IncorrectAccessControlDetector;
+function firstUnguardedSink(node, state, stateVars) {
+    let sink = null;
+    scanStatement(node, state.guarded);
+    return sink;
+    function scanStatement(current, guarded) {
+        if (sink || !current || typeof current !== 'object')
+            return guarded;
+        if (isBlock(current))
+            return scanStatements(blockStatements(current), guarded);
+        if (isAccessControlGuard(current)) {
+            guarded = true;
+        }
+        if (!guarded && isPrivilegedSink(current, state, stateVars)) {
+            sink = current;
+            return guarded;
+        }
+        if ((0, ast_1.isNode)(current, 'IfStatement'))
+            return scanIfStatement(current, guarded);
+        if (isLoopStatement(current)) {
+            scanStatement(loopBody(current), guarded);
+            return guarded;
+        }
+        for (const child of childrenOf(current)) {
+            if (sink)
+                return guarded;
+            guarded = scanStatement(child, guarded);
+        }
+        return guarded;
+    }
+    function scanStatements(statements, guarded) {
+        for (const statement of statements) {
+            if (sink)
+                return guarded;
+            guarded = scanStatement(statement, guarded);
+        }
+        return guarded;
+    }
+    function scanIfStatement(current, guarded) {
+        const trueGuarded = scanStatement(current.trueBody, guarded);
+        if (sink)
+            return guarded;
+        if (!current.falseBody)
+            return guarded;
+        const falseGuarded = scanStatement(current.falseBody, guarded);
+        if (sink)
+            return guarded;
+        return trueGuarded && falseGuarded;
+    }
+}
+function isAccessControlGuard(node) {
+    if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+        return false;
+    const callee = calleeTail((0, access_control_1.getCalleeNameDefault)(node));
+    if (callee !== 'require' && callee !== 'assert')
+        return false;
+    const condition = Array.isArray(node.arguments) ? node.arguments[0] : null;
+    return (0, access_control_1.requireExpressesAccessControl)(condition, isPrivilegedGuardName, access_control_1.getCalleeNameDefault);
+}
+function isPrivilegedSink(node, state, stateVars) {
+    return isPrivilegedExternalCall(node) || isPrivilegedControlAssignment(node, state, stateVars);
+}
+function isPrivilegedExternalCall(node) {
+    if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+        return false;
+    const name = calleeTail((0, access_control_1.getCalleeNameDefault)(node));
+    return PRIVILEGED_CALLS.has(name);
+}
+function isPrivilegedControlAssignment(node, state, stateVars) {
+    if (!isAssignment(node))
+        return false;
+    const left = assignmentLeft(node);
+    if (!left || !(0, access_control_1.isPrivilegedReference)(left, isPrivilegedName))
+        return false;
+    const root = rootIdentifierName(left);
+    if (root) {
+        if (!stateVars.has(root))
+            return false;
+        if (state.localNames.has(root))
+            return false;
+    }
+    return true;
+}
+function collectStateVariables(contract) {
+    const names = new Set();
+    for (const child of contractMembers(contract)) {
+        if (!(0, ast_1.isNode)(child, 'StateVariableDeclaration'))
+            continue;
+        for (const variable of child.variables || []) {
+            if (typeof variable?.name === 'string')
+                names.add(variable.name);
+        }
+    }
+    return names;
+}
+function collectLocalNames(fn) {
+    const names = new Set();
+    for (const param of parameterList(fn?.parameters)) {
+        if (typeof param?.name === 'string' && param.name)
+            names.add(param.name);
+    }
+    walk(fn?.body, (node) => {
+        if (!(0, ast_1.isNode)(node, 'VariableDeclarationStatement'))
+            return;
+        for (const variable of node.variables || []) {
+            if (typeof variable?.name === 'string' && variable.name)
+                names.add(variable.name);
+        }
+    });
+    return names;
+}
+function isExternallyCallable(fn) {
+    if (fn?.isConstructor === true)
+        return false;
+    const kind = String(fn?.kind || fn?.functionKind || '').toLowerCase();
+    if (kind === 'constructor' || kind === 'receive' || kind === 'fallback')
+        return false;
+    if (fn?.isFallback === true || fn?.isReceiveEther === true)
+        return false;
+    const visibility = String(fn?.visibility || '').toLowerCase();
+    return visibility === 'public' || visibility === 'external';
+}
+function isReadOnly(fn) {
+    const mutability = String(fn?.stateMutability || '').toLowerCase();
+    return mutability === 'view' || mutability === 'pure';
+}
+function isAssignment(node) {
+    if ((0, ast_1.isNode)(node, 'Assignment'))
+        return true;
+    if (!(0, ast_1.isNode)(node, 'BinaryOperation'))
+        return false;
+    return String(node.operator || '') === '=';
+}
+function assignmentLeft(node) {
+    return node?.left ?? node?.leftHandSide;
+}
+function rootIdentifierName(node) {
+    if (!node || typeof node !== 'object')
+        return '';
+    if ((0, ast_1.isNode)(node, 'Identifier'))
+        return String(node.name || '');
+    if ((0, ast_1.isNode)(node, 'MemberAccess'))
+        return rootIdentifierName(node.expression);
+    if ((0, ast_1.isNode)(node, 'IndexAccess'))
+        return rootIdentifierName(node.base || node.baseExpression);
+    return '';
+}
+function isPrivilegedName(name) {
+    return (0, access_control_1.isPrivilegedIdentifier)(name, { mode: 'word-boundary' });
+}
+function isPrivilegedGuardName(name) {
+    return (0, access_control_1.isPrivilegedIdentifier)(name);
+}
+function calleeTail(name) {
+    const normalized = String(name || '').toLowerCase();
+    const parts = normalized.split('.');
+    return parts[parts.length - 1] || normalized;
+}
+function functionDisplayName(fn) {
+    return String(fn?.name || '<anonymous>');
+}
+function parameterList(params) {
+    if (!params)
+        return [];
+    if (Array.isArray(params))
+        return params;
+    if (Array.isArray(params.parameters))
+        return params.parameters;
+    return [];
+}
+function contractMembers(contract) {
+    if (Array.isArray(contract?.subNodes))
+        return contract.subNodes;
+    if (Array.isArray(contract?.nodes))
+        return contract.nodes;
+    return [];
+}
+function isBlock(node) {
+    return (0, ast_1.isNode)(node, 'Block') || (0, ast_1.isNode)(node, 'BlockStatement');
+}
+function blockStatements(node) {
+    if (Array.isArray(node?.statements))
+        return node.statements;
+    if (Array.isArray(node?.body))
+        return node.body;
+    return [];
+}
+function isLoopStatement(node) {
+    return ((0, ast_1.isNode)(node, 'ForStatement') ||
+        (0, ast_1.isNode)(node, 'WhileStatement') ||
+        (0, ast_1.isNode)(node, 'DoWhileStatement') ||
+        (0, ast_1.isNode)(node, 'ForInStatement'));
+}
+function loopBody(node) {
+    return node?.body;
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const child of childrenOf(node))
+        walk(child, visit);
+}
+function childrenOf(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const out = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'range' || key === 'src' || key === 'typeDescriptions' || key === 'id')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value)
+                if (item && typeof item === 'object')
+                    out.push(item);
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+//# sourceMappingURL=incorrect-access-control.js.map

package/dist/detectors/incorrect-burn-accounting.d.ts

@@ -0,0 +1,10 @@
+import type { ScanResult } from '../index';
+export declare class IncorrectBurnAccountingDetector {
+    readonly id = "incorrect-burn-accounting";
+    readonly patternKey = "incorrect-burn-accounting";
+    readonly supportedAstKinds: ("parser" | "solc")[];
+    scanAst(ast: any, file: string, sourceText?: string): ScanResult[];
+    private findUnsafePayout;
+    private buildFinding;
+    private walkContracts;
+}