@snovon/solast 0.2.0

package/dist/detectors/incorrect-signature-verification.js

@@ -0,0 +1,530 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.IncorrectSignatureVerificationDetector = void 0;
+const ast_1 = require("./_common/ast");
+const access_control_1 = require("./_common/access-control");
+const RULE_ID = 'incorrect-signature-verification';
+const ACCESS_CONTROL_PARENT_TOKENS = new Set([
+    'ownable',
+    'owned',
+    'accesscontrol',
+    'accesscontrolled',
+    'authority',
+    'auth',
+    'roles',
+    'governance',
+    'governable',
+]);
+const TRUSTED_BARE_TOKENS = new Set([
+    'owner',
+    'admin',
+    'governor',
+    'guardian',
+    'operator',
+    'authority',
+    'authorizer',
+    'trusted',
+]);
+const TRUSTED_SET_TOKENS = new Set([
+    'owner',
+    'admin',
+    'role',
+    'signer',
+    'trusted',
+    'operator',
+    'authority',
+    'authorizer',
+]);
+const REPLAY_TOKENS = new Set([
+    'used',
+    'processed',
+    'consumed',
+    'nonce',
+    'nonces',
+    'replay',
+]);
+class IncorrectSignatureVerificationDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'Raw ecrecover flows must bind the signer and consume a replay marker.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'high',
+        help: 'Flags state-changing raw ecrecover authorization or proof flows that do not compare the recovered signer against a trusted signer/role set, or do not both check and write a replay marker.',
+    };
+    currentFile = '';
+    currentContract = '';
+    currentContractKind = '';
+    currentContractStateNames = new Set();
+    currentContractHasAccessControlInheritance = false;
+    findings = [];
+    setFile(file) {
+        this.currentFile = file;
+        this.currentContract = '';
+        this.currentContractKind = '';
+        this.currentContractStateNames = new Set();
+        this.currentContractHasAccessControlInheritance = false;
+        this.findings = [];
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        this.currentContract = node?.name || '';
+        this.currentContractKind = node?.kind || '';
+        this.currentContractStateNames = collectStateVariableNames(node);
+        this.currentContractHasAccessControlInheritance = hasAccessControlInheritance(node);
+    }
+    'ContractDefinition:exit'(_node) {
+        this.currentContract = '';
+        this.currentContractKind = '';
+        this.currentContractStateNames = new Set();
+        this.currentContractHasAccessControlInheritance = false;
+    }
+    ContractDefinition_post(node) {
+        this['ContractDefinition:exit'](node);
+    }
+    FunctionDefinition(node) {
+        if (this.currentContractKind === 'interface' || this.currentContractKind === 'library')
+            return;
+        if (!isStateChangingExternalFunction(node))
+            return;
+        const facts = collectFunctionFacts(node, this.currentContractStateNames, this.currentContractHasAccessControlInheritance);
+        if (facts.rawRecoverCalls.length === 0)
+            return;
+        if (!facts.hasTrustedBinding && (0, access_control_1.hasRecognisedAccessControlModifier)(node)) {
+            facts.hasTrustedBinding = true;
+        }
+        if (!facts.hasTrustedBinding) {
+            this.findings.push(this.makeFinding(facts, 'missing-trusted-signer-binding', facts.rawRecoverCalls[0]));
+            return;
+        }
+        if (!hasReplayProtection(facts)) {
+            this.findings.push(this.makeFinding(facts, 'missing-replay-protection', facts.rawRecoverCalls[0]));
+        }
+    }
+    makeFinding(facts, mode, node) {
+        const loc = (0, ast_1.assertLoc)(node, facts.node);
+        return {
+            file: this.currentFile,
+            contract: this.currentContract,
+            'function': facts.name,
+            line: loc.line,
+            endLine: loc.endLine,
+            column: loc.column,
+            endColumn: loc.endColumn,
+            ruleId: RULE_ID,
+            pattern: `${RULE_ID}/${mode}`,
+            severity: 'high',
+            confidence: 'medium',
+            category: 'vulnerability',
+            message: messageFor(mode, facts.name),
+            rationale: rationaleFor(mode),
+            suggestedFix: 'Compare the recovered signer against an owner/role/signer-set authority and require a replay marker before writing it consumed.',
+            contractName: this.currentContract,
+            functionName: facts.name,
+            sourceLocation: { line: loc.line, column: loc.column },
+            findingId: '',
+            contractHash: '',
+        };
+    }
+}
+exports.IncorrectSignatureVerificationDetector = IncorrectSignatureVerificationDetector;
+function collectFunctionFacts(fn, contractStateNames, contractHasAccessControlInheritance) {
+    const facts = {
+        name: fn.isConstructor ? '<constructor>' : (fn.name || '<anonymous>'),
+        node: fn,
+        rawRecoverCalls: [],
+        recoveredVars: new Set(),
+        localInitializers: new Map(),
+        hasTrustedBinding: false,
+        replayGuardRoots: new Map(),
+        replayWriteRoots: new Map(),
+        paramNames: collectParameterNames(fn),
+        localNames: new Set(),
+        contractStateNames,
+        contractHasAccessControlInheritance,
+    };
+    walk(fn.body, (current) => {
+        if ((0, ast_1.isNode)(current, 'VariableDeclarationStatement')) {
+            for (const variable of current.variables || []) {
+                if (variable?.name)
+                    facts.localNames.add(variable.name);
+            }
+        }
+        if ((0, ast_1.isNode)(current, 'VariableDeclarationStatement') && current.initialValue) {
+            for (const variable of current.variables || []) {
+                if (variable?.name)
+                    facts.localInitializers.set(variable.name, current.initialValue);
+                if (variable?.name && containsRawEcrecover(current.initialValue, facts.localInitializers)) {
+                    facts.recoveredVars.add(variable.name);
+                }
+            }
+        }
+        if ((0, ast_1.isNode)(current, 'ExpressionStatement') && isAssignment(current.expression)) {
+            const leftName = identifierName(current.expression.left);
+            if (leftName && current.expression.right) {
+                facts.localInitializers.set(leftName, current.expression.right);
+                if (containsRawEcrecover(current.expression.right, facts.localInitializers)) {
+                    facts.recoveredVars.add(leftName);
+                }
+            }
+        }
+        if (isRawEcrecoverCall(current))
+            facts.rawRecoverCalls.push(current);
+        if (isGuardCall(current)) {
+            const condition = current.arguments?.[0];
+            if (hasTrustedBinding(condition, facts))
+                facts.hasTrustedBinding = true;
+            collectReplayGuardRoots(condition, facts);
+        }
+        if ((0, ast_1.isNode)(current, 'IfStatement')) {
+            if (hasTrustedBinding(current.condition, facts))
+                facts.hasTrustedBinding = true;
+            collectReplayGuardRoots(current.condition, facts);
+        }
+        collectReplayWrites(current, facts);
+    });
+    return facts;
+}
+function collectParameterNames(fn) {
+    const names = new Set();
+    for (const param of fn?.parameters || []) {
+        if (param?.name)
+            names.add(String(param.name));
+    }
+    return names;
+}
+function collectStateVariableNames(contract) {
+    const names = new Set();
+    for (const member of contract?.subNodes || []) {
+        if ((0, ast_1.isNode)(member, 'StateVariableDeclaration')) {
+            for (const variable of member.variables || []) {
+                if (variable?.name)
+                    names.add(String(variable.name));
+            }
+        }
+    }
+    return names;
+}
+function hasAccessControlInheritance(contract) {
+    for (const base of contract?.baseContracts || []) {
+        const name = baseContractName(base);
+        if (!name)
+            continue;
+        for (const token of (0, access_control_1.splitIdentifierTokens)(name)) {
+            if (ACCESS_CONTROL_PARENT_TOKENS.has(token))
+                return true;
+        }
+    }
+    return false;
+}
+function baseContractName(base) {
+    if (!base || typeof base !== 'object')
+        return '';
+    const baseName = base.baseName || base;
+    if (typeof baseName?.namePath === 'string')
+        return baseName.namePath;
+    if (typeof baseName?.name === 'string')
+        return baseName.name;
+    if (typeof baseName?.name?.name === 'string')
+        return baseName.name.name;
+    return '';
+}
+function isStateChangingExternalFunction(node) {
+    if (!node?.body)
+        return false;
+    const visibility = String(node.visibility || '').toLowerCase();
+    if (visibility !== 'public' && visibility !== 'external')
+        return false;
+    const mutability = String(node.stateMutability || '').toLowerCase();
+    return mutability !== 'view' && mutability !== 'pure';
+}
+function hasReplayProtection(facts) {
+    for (const [root, guardLine] of facts.replayGuardRoots) {
+        const writeLine = facts.replayWriteRoots.get(root);
+        if (writeLine !== undefined && writeLine >= guardLine)
+            return true;
+    }
+    return false;
+}
+function hasTrustedBinding(expr, facts) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if ((0, access_control_1.isHasRoleStyleCall)(expr, access_control_1.getCalleeNameDefault)) {
+        return (expr.arguments || []).some((arg) => expressionIsRecovered(arg, facts));
+    }
+    if ((0, ast_1.isNode)(expr, 'BinaryOperation')) {
+        const op = String(expr.operator || '');
+        if (op === '==' || op === '===' || op === '!=') {
+            const left = expr.left || expr.leftExpression;
+            const right = expr.right || expr.rightExpression;
+            if (expressionIsRecovered(left, facts) && isTrustedReference(right, facts))
+                return true;
+            if (expressionIsRecovered(right, facts) && isTrustedReference(left, facts))
+                return true;
+        }
+    }
+    if (isTrustedSignerSetLookup(expr, facts))
+        return true;
+    if ((0, ast_1.isNode)(expr, 'UnaryOperation') && expr.operator === '!') {
+        return hasTrustedBinding(expr.subExpression, facts);
+    }
+    if ((0, ast_1.isNode)(expr, 'TupleExpression')) {
+        return (expr.components || []).some((component) => hasTrustedBinding(component, facts));
+    }
+    if ((0, ast_1.isNode)(expr, 'BinaryOperation') && (expr.operator === '&&' || expr.operator === '||')) {
+        return hasTrustedBinding(expr.left || expr.leftExpression, facts)
+            || hasTrustedBinding(expr.right || expr.rightExpression, facts);
+    }
+    for (const child of childNodes(expr)) {
+        if (hasTrustedBinding(child, facts))
+            return true;
+    }
+    return false;
+}
+function isTrustedReference(expr, facts) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    const baseName = baseVariableName(expr);
+    if (baseName && (facts.paramNames.has(baseName) || facts.localNames.has(baseName)))
+        return false;
+    if (isAddressZero(expr))
+        return false;
+    if (expressionIsRecovered(expr, facts))
+        return false;
+    if (isTrustedSignerSetLookup(expr, facts))
+        return true;
+    if ((0, ast_1.isNode)(expr, 'Identifier')) {
+        const name = String(expr.name || '');
+        if (!hasAnyToken(name, TRUSTED_BARE_TOKENS))
+            return false;
+        // Allow only when the bare name resolves to contract-level
+        // authority: a state variable declared on the contract, or an
+        // inherited access-control parent (Ownable, AccessControl, ...).
+        if (facts.contractStateNames.has(name))
+            return true;
+        if (facts.contractHasAccessControlInheritance)
+            return true;
+        return false;
+    }
+    if ((0, ast_1.isNode)(expr, 'MemberAccess')) {
+        return hasAnyToken(expr.memberName, TRUSTED_BARE_TOKENS)
+            || isTrustedReference(expr.expression, facts);
+    }
+    if ((0, ast_1.isNode)(expr, 'FunctionCall')) {
+        if (isAddressZero(expr))
+            return false;
+        return isTrustedReference(expr.expression, facts);
+    }
+    return false;
+}
+function isTrustedSignerSetLookup(expr, facts) {
+    if (!(0, ast_1.isNode)(expr, 'IndexAccess'))
+        return false;
+    const baseName = baseVariableName(expr);
+    if (baseName && (facts.paramNames.has(baseName) || facts.localNames.has(baseName)))
+        return false;
+    const base = expr.base || expr.baseExpression;
+    const index = expr.index || expr.indexExpression;
+    return expressionIsRecovered(index, facts) && hasAnyToken(rootReferenceName(base), TRUSTED_SET_TOKENS);
+}
+function expressionIsRecovered(expr, facts) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if (isRawEcrecoverCall(expr))
+        return true;
+    if ((0, ast_1.isNode)(expr, 'Identifier')) {
+        if (facts.recoveredVars.has(expr.name))
+            return true;
+        const resolved = resolveLocal(expr, facts.localInitializers, new Set());
+        return resolved !== expr && expressionIsRecovered(resolved, facts);
+    }
+    return containsRawEcrecover(expr, facts.localInitializers);
+}
+function collectReplayGuardRoots(expr, facts) {
+    walk(expr, (current) => {
+        if (!(0, ast_1.isNode)(current, 'IndexAccess'))
+            return;
+        const root = replayRootName(current);
+        if (!root)
+            return;
+        const line = locLine(current, facts.node);
+        const existing = facts.replayGuardRoots.get(root);
+        if (existing === undefined || line < existing)
+            facts.replayGuardRoots.set(root, line);
+    });
+}
+function collectReplayWrites(node, facts) {
+    if ((0, ast_1.isNode)(node, 'BinaryOperation') && isAssignmentOperator(node.operator)) {
+        const root = replayRootName(node.left || node.leftExpression);
+        if (root)
+            facts.replayWriteRoots.set(root, locLine(node, facts.node));
+    }
+    if ((0, ast_1.isNode)(node, 'UnaryOperation') && (node.operator === '++' || node.operator === '--' || node.operator === 'delete')) {
+        const root = replayRootName(node.subExpression);
+        if (root)
+            facts.replayWriteRoots.set(root, locLine(node, facts.node));
+    }
+}
+function replayRootName(expr) {
+    if (!(0, ast_1.isNode)(expr, 'IndexAccess'))
+        return '';
+    const root = rootReferenceName(expr.base || expr.baseExpression);
+    if (!hasAnyToken(root, REPLAY_TOKENS))
+        return '';
+    return root;
+}
+function containsRawEcrecover(expr, localInitializers, seen = new Set()) {
+    let found = false;
+    walk(expr, (current) => {
+        if (found)
+            return;
+        if (isRawEcrecoverCall(current)) {
+            found = true;
+            return;
+        }
+        if ((0, ast_1.isNode)(current, 'Identifier')) {
+            // Share `seen` across the resolveLocal call and the recursive
+            // containsRawEcrecover call so that a self-referencing local
+            // (e.g. `total = total.add(amounts[i])`) cannot loop forever.
+            const name = String(current.name || '');
+            if (!name || seen.has(name))
+                return;
+            const resolved = resolveLocal(current, localInitializers, seen);
+            if (resolved !== current && containsRawEcrecover(resolved, localInitializers, seen))
+                found = true;
+        }
+    });
+    return found;
+}
+function isRawEcrecoverCall(node) {
+    return (0, ast_1.isNode)(node, 'FunctionCall')
+        && (0, ast_1.isNode)(node.expression, 'Identifier')
+        && String(node.expression.name || '') === 'ecrecover';
+}
+function isGuardCall(node) {
+    if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+        return false;
+    const name = directCallName(node.expression);
+    return name === 'require' || name === 'assert';
+}
+function directCallName(expr) {
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return String(expr.name || '');
+    if ((0, ast_1.isNode)(expr, 'MemberAccess'))
+        return String(expr.memberName || '');
+    return '';
+}
+function isAssignment(expr) {
+    return (0, ast_1.isNode)(expr, 'BinaryOperation') && isAssignmentOperator(expr.operator);
+}
+function isAssignmentOperator(op) {
+    return ['=', '+=', '-=', '*=', '/=', '%=', '|=', '&=', '^=', '<<=', '>>='].includes(String(op || ''));
+}
+function identifierName(expr) {
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return String(expr.name || '');
+    return '';
+}
+function rootReferenceName(expr) {
+    if (!expr || typeof expr !== 'object')
+        return '';
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return String(expr.name || '');
+    if ((0, ast_1.isNode)(expr, 'MemberAccess'))
+        return String(expr.memberName || '') || rootReferenceName(expr.expression);
+    if ((0, ast_1.isNode)(expr, 'IndexAccess'))
+        return rootReferenceName(expr.base || expr.baseExpression);
+    if ((0, ast_1.isNode)(expr, 'FunctionCall'))
+        return rootReferenceName(expr.expression);
+    return '';
+}
+function baseVariableName(expr) {
+    if (!expr || typeof expr !== 'object')
+        return null;
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return String(expr.name || '') || null;
+    if ((0, ast_1.isNode)(expr, 'MemberAccess')) {
+        if ((0, ast_1.isNode)(expr.expression, 'Identifier') && startsWithUppercase(expr.expression.name))
+            return null;
+        return baseVariableName(expr.expression);
+    }
+    if ((0, ast_1.isNode)(expr, 'IndexAccess'))
+        return baseVariableName(expr.base || expr.baseExpression);
+    if ((0, ast_1.isNode)(expr, 'FunctionCall'))
+        return baseVariableName(expr.expression);
+    return null;
+}
+function startsWithUppercase(value) {
+    const name = String(value || '');
+    return /^[A-Z]/.test(name);
+}
+function resolveLocal(expr, localInitializers, seen) {
+    let current = expr;
+    while ((0, ast_1.isNode)(current, 'Identifier')) {
+        const name = String(current.name || '');
+        if (!name || seen.has(name))
+            return current;
+        seen.add(name);
+        const next = localInitializers.get(name);
+        if (!next)
+            return current;
+        current = next;
+    }
+    return current;
+}
+function isAddressZero(expr) {
+    if (!(0, ast_1.isNode)(expr, 'FunctionCall'))
+        return false;
+    if (directCallName(expr.expression) !== 'address')
+        return false;
+    const arg = expr.arguments?.[0];
+    return (0, ast_1.isNode)(arg, 'NumberLiteral') && String(arg.number || '') === '0';
+}
+function hasAnyToken(name, tokens) {
+    return (0, access_control_1.splitIdentifierTokens)(String(name || '')).some((token) => tokens.has(token));
+}
+function locLine(node, fallback) {
+    return (0, ast_1.assertLoc)(node, fallback).line;
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const child of childNodes(node)) {
+        walk(child, visit);
+    }
+}
+function childNodes(node) {
+    const children = [];
+    for (const [key, value] of Object.entries(node || {})) {
+        if (key === 'loc' || key === 'range' || key === 'src')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    children.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            children.push(value);
+        }
+    }
+    return children;
+}
+function messageFor(mode, fnName) {
+    if (mode === 'missing-trusted-signer-binding') {
+        return `Incorrect signature verification in '${fnName}': ecrecover result is not bound to a trusted signer, owner, or role set.`;
+    }
+    return `Incorrect signature verification in '${fnName}': signature/proof gate lacks a checked-and-written replay marker.`;
+}
+function rationaleFor(mode) {
+    if (mode === 'missing-trusted-signer-binding') {
+        return 'A nonzero recovered address only proves that some key signed the digest; it must be compared against a trusted signer authority.';
+    }
+    return 'A signature or proof that is not guarded by a consumed hash/nonce marker can be reused after one valid execution.';
+}
+//# sourceMappingURL=incorrect-signature-verification.js.map

package/dist/detectors/infinite-loop.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from "../index";
+export declare class InfiniteLoopDetector {
+    readonly id = "infinite-loop";
+    readonly patternKey = "infinite-loop";
+    readonly supportedAstKinds: "parser"[];
+    scanAst(ast: any, file: string): ScanResult[];
+}