@snovon/solast 0.2.0

package/dist/detectors/inheritance-override.js

@@ -0,0 +1,320 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.InheritanceOverrideDetector = void 0;
+exports.canonicalizeType = canonicalizeType;
+const contracts_1 = require("../semantic/contracts");
+const RULE_ID = 'inheritance-override';
+function canonicalizeElementaryType(name) {
+    if (name === 'uint')
+        return 'uint256';
+    if (name === 'int')
+        return 'int256';
+    if (name === 'byte')
+        return 'bytes1';
+    return name;
+}
+function splitTopLevelMapping(inner) {
+    let depth = 0;
+    for (let i = 0; i < inner.length - 1; i++) {
+        const ch = inner[i];
+        if (ch === '(')
+            depth++;
+        if (ch === ')')
+            depth--;
+        if (depth === 0 && inner[i] === '=' && inner[i + 1] === '>') {
+            return [inner.slice(0, i), inner.slice(i + 2)];
+        }
+    }
+    return null;
+}
+function canonicalizeTypeString(typeName) {
+    let value = typeName.trim();
+    const arraySuffixes = [];
+    while (true) {
+        const match = value.match(/^(.*)(\[[^\]]*\])$/);
+        if (!match)
+            break;
+        value = match[1].trim();
+        arraySuffixes.unshift(match[2].replace(/\s+/g, ''));
+    }
+    let canonical;
+    if (value.startsWith('mapping(') && value.endsWith(')')) {
+        const split = splitTopLevelMapping(value.slice('mapping('.length, -1));
+        canonical = split
+            ? `mapping(${canonicalizeType(split[0])}=>${canonicalizeType(split[1])})`
+            : value;
+    }
+    else {
+        canonical = canonicalizeElementaryType(value);
+    }
+    return `${canonical}${arraySuffixes.join('')}`;
+}
+function typeLengthToString(length) {
+    if (!length)
+        return '';
+    if (typeof length.number === 'string')
+        return length.number;
+    if (typeof length.name === 'string')
+        return length.name;
+    return '';
+}
+function canonicalizeType(typeName) {
+    if (!typeName)
+        return '';
+    if (typeof typeName === 'string')
+        return canonicalizeTypeString(typeName);
+    if (typeName.type === 'ElementaryTypeName')
+        return canonicalizeElementaryType(typeName.name);
+    if (typeName.type === 'UserDefinedTypeName')
+        return typeName.namePath;
+    if (typeName.type === 'ArrayTypeName')
+        return `${canonicalizeType(typeName.baseTypeName)}[${typeLengthToString(typeName.length)}]`;
+    if (typeName.type === 'Mapping')
+        return `mapping(${canonicalizeType(typeName.keyType)}=>${canonicalizeType(typeName.valueType)})`;
+    return '';
+}
+function getParamSignature(fnNode) {
+    const params = Array.isArray(fnNode.parameters)
+        ? fnNode.parameters
+        : fnNode.parameters && Array.isArray(fnNode.parameters.parameters)
+            ? fnNode.parameters.parameters
+            : [];
+    return params.map((p) => canonicalizeType(p.typeName)).join(',');
+}
+function getReturnType(fnNode) {
+    const params = Array.isArray(fnNode.returnParameters)
+        ? fnNode.returnParameters
+        : fnNode.returnParameters && Array.isArray(fnNode.returnParameters.parameters)
+            ? fnNode.returnParameters.parameters
+            : [];
+    return params.map((p) => canonicalizeType(p.typeName)).join(',');
+}
+function compareVersions(a, b) {
+    for (let i = 0; i < 3; i++) {
+        if (a[i] !== b[i])
+            return a[i] > b[i] ? 1 : -1;
+    }
+    return 0;
+}
+function incrementPatch(version) {
+    return [version[0], version[1], version[2] + 1];
+}
+function parseVersion(major, minor, patch) {
+    return [parseInt(major, 10), parseInt(minor, 10), patch == null ? 0 : parseInt(patch, 10)];
+}
+function pragmaMinVersionAtLeast(pragmaValue, target) {
+    if (!pragmaValue)
+        return false;
+    const normalized = pragmaValue
+        .replace(/^v(?=\d)/i, '')
+        .replace(/\+commit\.[a-f0-9]+/ig, '')
+        .trim();
+    if (!normalized)
+        return false;
+    const branches = normalized.split('||');
+    for (const branch of branches) {
+        const tokens = branch.trim().split(/\s+/).filter(Boolean);
+        if (tokens.length === 0)
+            return false;
+        let lowerBound = null;
+        let upperBound = null;
+        for (const token of tokens) {
+            const match = token.match(/^([\^~]|>=|>|<=|<|=)?\s*(\d+)\.(\d+)(?:\.(\d+))?$/);
+            if (!match)
+                return false;
+            const op = match[1] || '=';
+            const version = parseVersion(match[2], match[3], match[4]);
+            if (op === '<' || op === '<=') {
+                if (!upperBound || compareVersions(version, upperBound) < 0)
+                    upperBound = version;
+                continue;
+            }
+            const candidate = op === '>' ? incrementPatch(version) : version;
+            if (!lowerBound || compareVersions(candidate, lowerBound) > 0)
+                lowerBound = candidate;
+        }
+        if (!lowerBound || compareVersions(lowerBound, target) < 0)
+            return false;
+        if (upperBound && compareVersions(upperBound, target) < 0)
+            return false;
+    }
+    return true;
+}
+/**
+ * The `override` (and `virtual`) keywords were introduced in Solidity 0.6.0.
+ * Contracts constrained to 0.5.x or earlier cannot carry an `override` marker,
+ * so override-keyword findings against them are guaranteed false positives.
+ *
+ * Returns `true` only when the file pragma is clearly and fully constrained to
+ * `>=0.6.0`. Anything ambiguous — a missing pragma, an unrecognized token, or a
+ * range that can resolve below 0.6.0 — returns `false` so override-keyword
+ * checks are conservatively suppressed.
+ */
+function overrideKeywordAvailable(pragmaValue) {
+    return pragmaMinVersionAtLeast(pragmaValue, [0, 6, 0]);
+}
+function interfaceOverrideOptional(pragmaValue) {
+    return pragmaMinVersionAtLeast(pragmaValue, [0, 8, 8]);
+}
+function hasSuperCall(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (node.type === 'MemberAccess' && node.expression && node.expression.type === 'Identifier' && node.expression.name === 'super') {
+        return true;
+    }
+    for (const key of Object.keys(node)) {
+        const val = node[key];
+        if (Array.isArray(val)) {
+            if (val.some(hasSuperCall))
+                return true;
+        }
+        else if (typeof val === 'object') {
+            if (hasSuperCall(val))
+                return true;
+        }
+    }
+    return false;
+}
+class InheritanceOverrideDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'Inherited Solidity function is overridden without an override marker, narrows the inherited ABI contract, or drops a required super call.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'high',
+    };
+    file = '';
+    semantic;
+    findings = [];
+    pragmaValue;
+    setFile(file) {
+        this.file = file;
+        this.findings = [];
+        this.pragmaValue = undefined;
+    }
+    PragmaDirective(node) {
+        if (node && node.name === 'solidity' && node.value != null) {
+            this.pragmaValue = String(node.value);
+        }
+    }
+    setSemanticModel(model) {
+        this.semantic = model;
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        if (!this.semantic || !this.file)
+            return;
+        const contractId = (0, contracts_1.makeContractId)(this.file, node.name || '');
+        const contractInfo = this.semantic.contracts.get(contractId);
+        if (!contractInfo || contractInfo.bases.some((b) => !b.resolved))
+            return;
+        const linear = this.semantic.linearize(contractId);
+        if (!linear)
+            return;
+        const parentIds = linear.mro.slice(1);
+        for (const sub of node.subNodes || []) {
+            if (!sub || typeof sub !== 'object' || sub.type !== 'FunctionDefinition')
+                continue;
+            const isFallback = !!sub.isFallback;
+            const isReceiveEther = !!sub.isReceiveEther;
+            const fnName = sub.name;
+            if (isFallback || isReceiveEther || !fnName)
+                continue;
+            const sig = getParamSignature(sub);
+            const isOverride = !!sub.override;
+            const childMut = sub.stateMutability || 'nonpayable';
+            const childVis = sub.visibility || 'default';
+            const childRet = getReturnType(sub);
+            const matchingBases = [];
+            for (const pid of parentIds) {
+                const pContract = this.semantic.contracts.get(pid);
+                if (!pContract)
+                    continue;
+                for (const pFn of pContract.functions) {
+                    if (pFn.visibility === 'private')
+                        continue;
+                    if (pFn.name === fnName && getParamSignature(pFn.node) === sig) {
+                        matchingBases.push(pFn);
+                    }
+                }
+            }
+            // `override`/`unmatched-override` only make sense when the `override`
+            // keyword exists in the targeted Solidity version (0.6.0+). For pre-0.6
+            // (or ambiguous/missing) pragmas, suppress those keyword checks to avoid
+            // false positives on historical contracts.
+            const keywordChecksApply = overrideKeywordAvailable(this.pragmaValue);
+            if (matchingBases.length === 0) {
+                if (isOverride && keywordChecksApply) {
+                    this.addFinding('inheritance-override/unmatched-override', node.name, fnName, sub.loc);
+                }
+            }
+            else {
+                if (!isOverride) {
+                    if (keywordChecksApply && this.requiresExplicitOverride(matchingBases)) {
+                        this.addFinding('inheritance-override/missing-override', node.name, fnName, sub.loc);
+                    }
+                }
+                else {
+                    let visNarrowed = false;
+                    let mutWeakened = false;
+                    let retNarrowed = false;
+                    let parentRequiresSuper = false;
+                    for (const base of matchingBases) {
+                        const baseVis = base.visibility || 'default';
+                        const score = { public: 3, default: 3, external: 2, internal: 1, private: 0 };
+                        if ((score[childVis] || 0) < (score[baseVis] || 0)) {
+                            visNarrowed = true;
+                        }
+                        const baseMut = base.mutability || 'nonpayable';
+                        if ((baseMut === 'pure' || baseMut === 'view') && (childMut !== 'pure' && childMut !== 'view')) {
+                            mutWeakened = true;
+                        }
+                        if (getReturnType(base.node) !== childRet) {
+                            retNarrowed = true;
+                        }
+                        if (hasSuperCall(base.node)) {
+                            parentRequiresSuper = true;
+                        }
+                    }
+                    if (visNarrowed)
+                        this.addFinding('inheritance-override/visibility-narrowing', node.name, fnName, sub.loc);
+                    if (mutWeakened)
+                        this.addFinding('inheritance-override/mutability-weakening', node.name, fnName, sub.loc);
+                    if (retNarrowed)
+                        this.addFinding('inheritance-override/return-type-narrowing', node.name, fnName, sub.loc);
+                    if (parentRequiresSuper && !hasSuperCall(sub)) {
+                        this.addFinding('inheritance-override/missing-super-call', node.name, fnName, sub.loc);
+                    }
+                }
+            }
+        }
+    }
+    requiresExplicitOverride(matchingBases) {
+        if (matchingBases.length !== 1)
+            return true;
+        if (!interfaceOverrideOptional(this.pragmaValue))
+            return true;
+        const baseContract = this.semantic?.contracts.get(matchingBases[0].contractId);
+        return baseContract?.kind !== 'interface';
+    }
+    addFinding(pattern, contract, fnName, loc) {
+        this.findings.push({
+            file: this.file,
+            line: loc?.start?.line || 1,
+            ruleId: RULE_ID,
+            severity: 'high',
+            message: `Violation of inheritance-override: ${pattern}`,
+            pattern,
+            contract,
+            'function': fnName,
+            findingId: '',
+            contractHash: '',
+        });
+    }
+}
+exports.InheritanceOverrideDetector = InheritanceOverrideDetector;
+//# sourceMappingURL=inheritance-override.js.map

package/dist/detectors/initialization-access-control.d.ts

@@ -0,0 +1,8 @@
+import type { ScanResult } from '../index';
+import type { DetectorContext } from './types';
+export declare class InitializationAccessControlDetector {
+    readonly id = "initialization-access-control";
+    readonly patternKey = "initialization-access-control";
+    readonly supportedAstKinds: "parser"[];
+    scanAst(ast: any, file: string, sourceText?: string, ctxArg?: DetectorContext): ScanResult[];
+}