@snovon/solast 0.2.0

package/dist/detectors/incorrect-input-validation.js

@@ -0,0 +1,312 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.IncorrectInputValidationDetector = void 0;
+const access_control_1 = require("./_common/access-control");
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'incorrect-input-validation';
+const PATTERN = `${RULE_ID}/unguarded-parameter-sensitive-sink`;
+const PRIVILEGED_KEYWORDS = Object.freeze([
+    ...access_control_1.DEFAULT_PRIVILEGED_KEYWORDS,
+    'auth',
+    'authority',
+    'authorized',
+    'allowlist',
+    'whitelist',
+]);
+class IncorrectInputValidationDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'Caller-controlled value-moving parameters reach a sensitive sink before validation.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'high',
+        help: 'Validate caller-supplied recipients, transfer amounts, and low-level call targets before using them in fund-moving calls, or restrict the function with recognized access control.',
+    };
+    currentFile = '';
+    findings = [];
+    currentContract = '';
+    setFile(file) {
+        this.currentFile = file;
+        this.findings = [];
+        this.currentContract = '';
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        if (!(0, ast_1.isNode)(node, 'ContractDefinition') || node?.kind === 'interface' || node?.kind === 'library') {
+            this.currentContract = '';
+            return;
+        }
+        this.currentContract = String(node?.name || '<anonymous>');
+    }
+    ContractDefinition_post(_node) {
+        this.currentContract = '';
+    }
+    ['ContractDefinition:exit'](node) {
+        this.ContractDefinition_post(node);
+    }
+    FunctionDefinition(node) {
+        if (!this.currentContract)
+            return;
+        if (!node?.body)
+            return;
+        if (!isExternallyCallable(node))
+            return;
+        if (isReadOnly(node))
+            return;
+        if ((0, access_control_1.hasRecognisedAccessControlModifier)(node))
+            return;
+        const params = collectNamedParameters(node);
+        if (params.size === 0)
+            return;
+        const state = {
+            params,
+            validated: new Set(),
+            accessControlled: false,
+        };
+        for (const statement of node.body.statements || []) {
+            applyPreSinkGuards(statement, state);
+            if (state.accessControlled)
+                return;
+            const sink = findSensitiveSink(statement, params);
+            if (!sink)
+                continue;
+            const missing = [...sink.requiredParams].filter((name) => !state.validated.has(name));
+            if (missing.length === 0)
+                continue;
+            this.emitFinding(node, sink, missing);
+            return;
+        }
+    }
+    emitFinding(fnNode, sink, missing) {
+        const loc = (0, ast_1.assertLoc)(fnNode, sink.node);
+        const sinkLoc = (0, ast_1.assertLoc)(sink.node, fnNode);
+        const functionName = String(fnNode?.name || '<anonymous>');
+        const missingList = missing.sort().join(', ');
+        this.findings.push({
+            file: this.currentFile,
+            contract: this.currentContract,
+            'function': functionName,
+            line: loc.line,
+            endLine: sinkLoc.endLine,
+            column: loc.column,
+            ruleId: RULE_ID,
+            pattern: PATTERN,
+            severity: 'high',
+            confidence: 'medium',
+            category: 'input-validation',
+            message: `Function '${this.currentContract}.${functionName}' forwards caller-controlled parameter(s) ` +
+                `${missingList} to ${sink.kind} before validating them.`,
+            rationale: 'Mirrors the Hexotic incorrect-input-validation shape: externally supplied recipients, amounts, or low-level call targets reach a fund-moving sink before a bounds, nonzero, allowlist, or access-control check.',
+            suggestedFix: 'Validate every caller-controlled recipient, amount, and low-level call target before the sink, or gate rescue-style operations with recognized access control.',
+            findingId: '',
+            contractHash: '',
+            contractName: this.currentContract,
+            functionName,
+            sourceLocation: { line: loc.line, column: loc.column },
+        });
+    }
+}
+exports.IncorrectInputValidationDetector = IncorrectInputValidationDetector;
+function isExternallyCallable(fn) {
+    const visibility = String(fn?.visibility || '').toLowerCase();
+    return visibility === 'external' || visibility === 'public' || visibility === 'default';
+}
+function isReadOnly(fn) {
+    const stateMutability = String(fn?.stateMutability || '').toLowerCase();
+    return stateMutability === 'view' || stateMutability === 'pure';
+}
+function collectNamedParameters(fn) {
+    const params = new Set();
+    for (const param of fn?.parameters || []) {
+        const name = String(param?.name || '');
+        if (name)
+            params.add(name);
+    }
+    return params;
+}
+function applyPreSinkGuards(statement, state) {
+    const condition = guardCondition(statement);
+    if (!condition)
+        return;
+    if ((0, access_control_1.requireExpressesAccessControl)(condition, isGuardPrivilegedName)) {
+        state.accessControlled = true;
+        return;
+    }
+    if (findSensitiveSink(condition, state.params))
+        return;
+    for (const name of collectReferencedParams(condition, state.params)) {
+        state.validated.add(name);
+    }
+}
+function guardCondition(statement) {
+    if (!statement || typeof statement !== 'object')
+        return null;
+    if ((0, ast_1.isNode)(statement, 'ExpressionStatement')) {
+        const expr = statement.expression;
+        if (isRequireLikeCall(expr))
+            return (expr.arguments || [])[0] || null;
+    }
+    if ((0, ast_1.isNode)(statement, 'IfStatement') && branchAlwaysReverts(statement.trueBody || statement.trueStatement)) {
+        return statement.condition || null;
+    }
+    return null;
+}
+function isRequireLikeCall(expr) {
+    if (!(0, ast_1.isNode)(expr, 'FunctionCall'))
+        return false;
+    const callee = unwrapCallExpression(expr.expression);
+    return (0, ast_1.isNode)(callee, 'Identifier') && ['require', 'assert'].includes(String(callee.name || ''));
+}
+function branchAlwaysReverts(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if ((0, ast_1.isNode)(node, 'RevertStatement'))
+        return true;
+    if ((0, ast_1.isNode)(node, 'ExpressionStatement') && isRevertCall(node.expression))
+        return true;
+    if ((0, ast_1.isNode)(node, 'Block')) {
+        const statements = node.statements || [];
+        return statements.length > 0 && branchAlwaysReverts(statements[0]);
+    }
+    return false;
+}
+function isRevertCall(expr) {
+    if (!(0, ast_1.isNode)(expr, 'FunctionCall'))
+        return false;
+    const callee = unwrapCallExpression(expr.expression);
+    if ((0, ast_1.isNode)(callee, 'Identifier') && String(callee.name || '') === 'revert')
+        return true;
+    return (0, ast_1.isNode)(callee, 'MemberAccess') && String(callee.memberName || '') === 'revert';
+}
+function findSensitiveSink(statement, params) {
+    let found = null;
+    walk(statement, (node) => {
+        if (found || !(0, ast_1.isNode)(node, 'FunctionCall'))
+            return;
+        const sink = classifySink(node, params);
+        if (sink && sink.requiredParams.size > 0)
+            found = sink;
+    });
+    return found;
+}
+function classifySink(call, params) {
+    const callee = unwrapCallExpression(call.expression);
+    if (!(0, ast_1.isNode)(callee, 'MemberAccess'))
+        return null;
+    const member = String(callee.memberName || '');
+    const args = call.arguments || [];
+    if (member === 'transfer' && args.length >= 2) {
+        return sinkFromArgs(call, 'token transfer', params, [args[0], args[1]]);
+    }
+    if (member === 'transferFrom' && args.length >= 3) {
+        return sinkFromArgs(call, 'token transferFrom', params, [args[0], args[1], args[2]]);
+    }
+    if (member === 'safeTransfer' && args.length >= 2) {
+        return sinkFromArgs(call, 'safe token transfer', params, [args[0], args[1]]);
+    }
+    if (member === 'safeTransferFrom' && args.length >= 3) {
+        return sinkFromArgs(call, 'safe token transferFrom', params, [args[0], args[1], args[2]]);
+    }
+    if (member === 'call') {
+        const required = new Set();
+        for (const name of collectReferencedParams(callee.expression, params))
+            required.add(name);
+        const valueExpr = callValueExpression(call);
+        for (const name of collectReferencedParams(valueExpr, params))
+            required.add(name);
+        return { node: call, kind: 'low-level call', requiredParams: required };
+    }
+    if ((member === 'send' || member === 'transfer') && args.length === 1) {
+        return sinkFromArgs(call, `ETH ${member}`, params, [callee.expression, args[0]]);
+    }
+    return null;
+}
+function sinkFromArgs(call, kind, params, expressions) {
+    const requiredParams = new Set();
+    for (const expr of expressions) {
+        for (const name of collectReferencedParams(expr, params))
+            requiredParams.add(name);
+    }
+    return { node: call, kind, requiredParams };
+}
+function callValueExpression(call) {
+    let expr = call?.expression;
+    while (expr && ((0, ast_1.isNode)(expr, 'NameValueExpression') || (0, ast_1.isNode)(expr, 'FunctionCallOptions'))) {
+        const direct = namedArgumentValue(expr, 'value');
+        if (direct)
+            return direct;
+        expr = expr.expression;
+    }
+    return null;
+}
+function namedArgumentValue(node, wanted) {
+    const argsObj = node?.arguments;
+    if (argsObj && !Array.isArray(argsObj) && typeof argsObj === 'object') {
+        if (wanted in argsObj)
+            return argsObj[wanted];
+        const names = argsObj.names || argsObj.identifiers || [];
+        const args = argsObj.arguments || [];
+        for (let i = 0; i < args.length; i += 1) {
+            if (nodeName(names[i]).toLowerCase() === wanted)
+                return args[i];
+        }
+    }
+    const names = node?.names || [];
+    const options = node?.options || [];
+    for (let i = 0; i < options.length; i += 1) {
+        const option = options[i];
+        if ((0, ast_1.isNode)(option, 'NamedArgument') && String(option.name || '').toLowerCase() === wanted)
+            return option.expression;
+        if (nodeName(names[i]).toLowerCase() === wanted)
+            return option?.expression || option;
+    }
+    return null;
+}
+function nodeName(node) {
+    if (typeof node === 'string')
+        return node;
+    return String(node?.name || node?.memberName || '');
+}
+function unwrapCallExpression(expr) {
+    let current = expr;
+    while (current && ((0, ast_1.isNode)(current, 'NameValueExpression') || (0, ast_1.isNode)(current, 'FunctionCallOptions'))) {
+        current = current.expression;
+    }
+    return current;
+}
+function collectReferencedParams(expr, params) {
+    const names = new Set();
+    walk(expr, (node) => {
+        if ((0, ast_1.isNode)(node, 'Identifier')) {
+            const name = String(node.name || '');
+            if (params.has(name))
+                names.add(name);
+        }
+    });
+    return names;
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const key of Object.keys(node)) {
+        if (key === 'loc' || key === 'range' || key === 'src')
+            continue;
+        const value = node[key];
+        if (Array.isArray(value)) {
+            for (const item of value)
+                walk(item, visit);
+        }
+        else if (value && typeof value === 'object') {
+            walk(value, visit);
+        }
+    }
+}
+function isGuardPrivilegedName(name) {
+    return (0, access_control_1.isPrivilegedIdentifier)(name, { keywords: PRIVILEGED_KEYWORDS, mode: 'word-boundary' });
+}
+//# sourceMappingURL=incorrect-input-validation.js.map

package/dist/detectors/incorrect-signature-verification.d.ts

@@ -0,0 +1,26 @@
+import type { ScanResult } from '../index';
+export declare class IncorrectSignatureVerificationDetector {
+    readonly id = "incorrect-signature-verification";
+    readonly patternKey = "incorrect-signature-verification";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "high";
+        help: string;
+    };
+    private currentFile;
+    private currentContract;
+    private currentContractKind;
+    private currentContractStateNames;
+    private currentContractHasAccessControlInheritance;
+    private findings;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    'ContractDefinition:exit'(_node: any): void;
+    ContractDefinition_post(node: any): void;
+    FunctionDefinition(node: any): void;
+    private makeFinding;
+}