@snovon/solast 0.2.0

package/dist/detectors/insufficient-access-control-trusted-param.d.ts

@@ -0,0 +1,39 @@
+import type { ScanResult } from '../index';
+export declare class InsufficientAccessControlTrustedParamDetector {
+    readonly id = "insufficient-access-control-trusted-param";
+    readonly patternKey = "insufficient-access-control-trusted-param";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "high";
+    };
+    private currentFile;
+    private currentContract;
+    private currentFunction;
+    private currentFunctionName;
+    private stateVariables;
+    private modifierBodies;
+    private targetParams;
+    private validatedParams;
+    private localAliases;
+    private functionProtected;
+    private emittedForFunction;
+    private findings;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(_node: any): void;
+    ['ContractDefinition:exit'](node: any): void;
+    FunctionDefinition(node: any): void;
+    FunctionDefinition_post(_node: any): void;
+    ['FunctionDefinition:exit'](node: any): void;
+    VariableDeclarationStatement(node: any): void;
+    FunctionCall(node: any): void;
+    private hasStructuralModifierGuard;
+    private recordGuardOrValidation;
+    private resolveCallTargetParam;
+    private resolveTrustedParam;
+    private makeFinding;
+}

package/dist/detectors/insufficient-access-control-trusted-param.js

@@ -0,0 +1,356 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.InsufficientAccessControlTrustedParamDetector = void 0;
+const ast_1 = require("./_common/ast");
+const access_control_1 = require("./_common/access-control");
+const RULE_ID = 'insufficient-access-control-trusted-param';
+const PRIVILEGED_NAME_KEYWORDS = Object.freeze([
+    ...access_control_1.DEFAULT_PRIVILEGED_KEYWORDS,
+    'auth',
+    'authority',
+    'authorized',
+    'manager',
+    'migrator',
+    'migration',
+]);
+class InsufficientAccessControlTrustedParamDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'Migration-style function dereferences a caller-supplied trusted contract parameter before authorization or allowlist validation.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'high',
+    };
+    currentFile = '';
+    currentContract = '';
+    currentFunction = null;
+    currentFunctionName = '';
+    stateVariables = new Set();
+    modifierBodies = new Map();
+    targetParams = new Set();
+    validatedParams = new Set();
+    localAliases = new Map();
+    functionProtected = false;
+    emittedForFunction = false;
+    findings = [];
+    setFile(file) {
+        this.currentFile = file;
+        this.currentContract = '';
+        this.currentFunction = null;
+        this.currentFunctionName = '';
+        this.stateVariables.clear();
+        this.modifierBodies.clear();
+        this.targetParams.clear();
+        this.validatedParams.clear();
+        this.localAliases.clear();
+        this.functionProtected = false;
+        this.emittedForFunction = false;
+        this.findings = [];
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        if (node?.kind === 'interface' || node?.kind === 'library') {
+            this.currentContract = '';
+            this.stateVariables.clear();
+            this.modifierBodies.clear();
+            return;
+        }
+        this.currentContract = String(node?.name || '');
+        this.stateVariables = collectStateVariables(node);
+        this.modifierBodies = collectModifierBodies(node);
+    }
+    ContractDefinition_post(_node) {
+        this.currentContract = '';
+        this.stateVariables.clear();
+        this.modifierBodies.clear();
+    }
+    ['ContractDefinition:exit'](node) {
+        this.ContractDefinition_post(node);
+    }
+    FunctionDefinition(node) {
+        this.currentFunction = null;
+        this.currentFunctionName = '';
+        this.targetParams.clear();
+        this.validatedParams.clear();
+        this.localAliases.clear();
+        this.functionProtected = false;
+        this.emittedForFunction = false;
+        if (!this.currentContract || !node?.body)
+            return;
+        if (!isExternallyCallable(node))
+            return;
+        const functionName = String(node.name || '');
+        if (!isMigrationIntentName(functionName))
+            return;
+        const params = collectTrustedTargetParams(node);
+        if (params.size === 0)
+            return;
+        this.currentFunction = node;
+        this.currentFunctionName = functionName;
+        this.targetParams = params;
+        this.functionProtected = (0, access_control_1.hasRecognisedAccessControlModifier)(node) || this.hasStructuralModifierGuard(node);
+    }
+    FunctionDefinition_post(_node) {
+        this.currentFunction = null;
+        this.currentFunctionName = '';
+        this.targetParams.clear();
+        this.validatedParams.clear();
+        this.localAliases.clear();
+        this.functionProtected = false;
+        this.emittedForFunction = false;
+    }
+    ['FunctionDefinition:exit'](node) {
+        this.FunctionDefinition_post(node);
+    }
+    VariableDeclarationStatement(node) {
+        if (!this.currentFunction)
+            return;
+        const declarations = node.declarations || node.variables || [];
+        if (declarations.length !== 1 || !node.initialValue)
+            return;
+        const declName = String(declarations[0]?.name || '');
+        if (!declName)
+            return;
+        const paramName = this.resolveTrustedParam(node.initialValue);
+        if (paramName)
+            this.localAliases.set(declName, paramName);
+    }
+    FunctionCall(node) {
+        if (!this.currentFunction)
+            return;
+        const calleeName = (0, access_control_1.getCalleeNameDefault)(node).toLowerCase();
+        if (calleeName === 'require' || calleeName === 'assert') {
+            this.recordGuardOrValidation(node);
+            return;
+        }
+        if (this.functionProtected || this.emittedForFunction)
+            return;
+        const targetParam = this.resolveCallTargetParam(node);
+        if (!targetParam || this.validatedParams.has(targetParam))
+            return;
+        this.findings.push(this.makeFinding(node, targetParam));
+        this.emittedForFunction = true;
+    }
+    hasStructuralModifierGuard(fn) {
+        for (const modifier of fn?.modifiers || []) {
+            const name = extractModifierName(modifier);
+            const body = name ? this.modifierBodies.get(name) : null;
+            if (!body)
+                continue;
+            if (blockContainsAccessControlGuard(body))
+                return true;
+        }
+        return false;
+    }
+    recordGuardOrValidation(call) {
+        const predicate = call?.arguments?.[0];
+        if (!predicate)
+            return;
+        if ((0, access_control_1.requireExpressesAccessControl)(predicate, isPrivilegedName)) {
+            this.functionProtected = true;
+            return;
+        }
+        for (const param of this.targetParams) {
+            if (predicateValidatesParam(predicate, param, this.stateVariables)) {
+                this.validatedParams.add(param);
+            }
+        }
+    }
+    resolveCallTargetParam(call) {
+        const expr = unwrapNameValueExpression(call?.expression);
+        if (!(0, ast_1.isNode)(expr, 'MemberAccess'))
+            return null;
+        return this.resolveTrustedParam(expr.expression);
+    }
+    resolveTrustedParam(expr) {
+        let current = unwrapTypeConversion(expr);
+        if ((0, ast_1.isNode)(current, 'Identifier')) {
+            const name = String(current.name || '');
+            if (this.targetParams.has(name))
+                return name;
+            return this.localAliases.get(name) || null;
+        }
+        return null;
+    }
+    makeFinding(node, targetParam) {
+        const loc = (0, ast_1.assertLoc)(node, this.currentFunction);
+        return {
+            file: this.currentFile,
+            contract: this.currentContract,
+            'function': this.currentFunctionName,
+            line: loc.line,
+            endLine: loc.endLine,
+            column: loc.column,
+            pattern: RULE_ID,
+            confidence: 'medium',
+            category: 'vulnerability',
+            ruleId: RULE_ID,
+            severity: 'high',
+            message: `Insufficient access control in '${this.currentContract}.${this.currentFunctionName}': ` +
+                `caller-supplied trusted target '${targetParam}' is dereferenced before access-control or allowlist validation.`,
+            rationale: 'TempleDAO-style migration flows trust an address supplied by the caller as an old staking/token contract. ' +
+                'Without an authorization guard or pre-call allowlist/equality check, an attacker can point the migration at a malicious contract.',
+            suggestedFix: `Restrict '${this.currentFunctionName}' with a recognized access-control guard or require '${targetParam}' ` +
+                'to match a trusted storage address or allowlist entry before the external call.',
+            contractName: this.currentContract,
+            functionName: this.currentFunctionName,
+            sourceLocation: { line: loc.line, column: loc.column },
+            findingId: '',
+            contractHash: '',
+        };
+    }
+}
+exports.InsufficientAccessControlTrustedParamDetector = InsufficientAccessControlTrustedParamDetector;
+function isExternallyCallable(fn) {
+    const visibility = String(fn?.visibility || '').toLowerCase();
+    return visibility === 'public' || visibility === 'external';
+}
+function isMigrationIntentName(name) {
+    const lower = name.toLowerCase();
+    return lower.includes('migrat') || lower.includes('rescue') || lower.includes('recover');
+}
+function collectTrustedTargetParams(fn) {
+    const params = new Set();
+    for (const param of fn?.parameters || []) {
+        const name = String(param?.name || '');
+        if (!name)
+            continue;
+        if (isTrustedTargetType(param?.typeName))
+            params.add(name);
+    }
+    return params;
+}
+function isTrustedTargetType(typeName) {
+    if (!typeName)
+        return false;
+    if ((0, ast_1.isNode)(typeName, 'ElementaryTypeName')) {
+        return String(typeName.name || '').toLowerCase() === 'address';
+    }
+    if ((0, ast_1.isNode)(typeName, 'UserDefinedTypeName'))
+        return true;
+    return false;
+}
+function collectStateVariables(contractNode) {
+    const names = new Set();
+    for (const child of contractNode?.subNodes || contractNode?.nodes || []) {
+        if (!(0, ast_1.isNode)(child, 'StateVariableDeclaration'))
+            continue;
+        for (const variable of child.variables || []) {
+            const name = String(variable?.name || '');
+            if (name)
+                names.add(name);
+        }
+    }
+    return names;
+}
+function collectModifierBodies(contractNode) {
+    const bodies = new Map();
+    for (const child of contractNode?.subNodes || contractNode?.nodes || []) {
+        if (!(0, ast_1.isNode)(child, 'ModifierDefinition'))
+            continue;
+        const name = String(child.name || '');
+        if (name && child.body)
+            bodies.set(name, child.body);
+    }
+    return bodies;
+}
+function blockContainsAccessControlGuard(block) {
+    for (const stmt of block?.statements || []) {
+        const expr = (0, ast_1.isNode)(stmt, 'ExpressionStatement') ? stmt.expression : stmt;
+        if (!(0, ast_1.isNode)(expr, 'FunctionCall'))
+            continue;
+        const callee = (0, access_control_1.getCalleeNameDefault)(expr).toLowerCase();
+        if (callee !== 'require' && callee !== 'assert')
+            continue;
+        const predicate = expr.arguments?.[0];
+        if (predicate && (0, access_control_1.requireExpressesAccessControl)(predicate, isPrivilegedName))
+            return true;
+    }
+    return false;
+}
+function predicateValidatesParam(expr, param, stateVariables) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if ((0, ast_1.isNode)(expr, 'BinaryOperation')) {
+        const operator = String(expr.operator || '');
+        const left = expr.left || expr.leftExpression;
+        const right = expr.right || expr.rightExpression;
+        if (operator === '&&' || operator === '||') {
+            return predicateValidatesParam(left, param, stateVariables) || predicateValidatesParam(right, param, stateVariables);
+        }
+        if (operator === '==' || operator === '===') {
+            return isParamReference(left, param) && isTrustedStorageReference(right, stateVariables)
+                || isParamReference(right, param) && isTrustedStorageReference(left, stateVariables);
+        }
+    }
+    if ((0, ast_1.isNode)(expr, 'IndexAccess')) {
+        const base = expr.base || expr.baseExpression;
+        const index = expr.index || expr.indexExpression;
+        return isParamReference(index, param) && isTrustedStorageReference(base, stateVariables);
+    }
+    if ((0, ast_1.isNode)(expr, 'FunctionCall')) {
+        return (expr.arguments || []).some((arg) => predicateValidatesParam(arg, param, stateVariables));
+    }
+    if ((0, ast_1.isNode)(expr, 'TupleExpression')) {
+        return (expr.components || []).some((child) => predicateValidatesParam(child, param, stateVariables));
+    }
+    return false;
+}
+function isParamReference(expr, param) {
+    return (0, ast_1.isNode)(expr, 'Identifier') && String(expr.name || '') === param;
+}
+function isTrustedStorageReference(expr, stateVariables) {
+    const root = referenceRoot(expr);
+    return !!root && stateVariables.has(root);
+}
+function referenceRoot(expr) {
+    if (!expr)
+        return '';
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return String(expr.name || '');
+    if ((0, ast_1.isNode)(expr, 'MemberAccess'))
+        return referenceRoot(expr.expression);
+    if ((0, ast_1.isNode)(expr, 'IndexAccess'))
+        return referenceRoot(expr.base || expr.baseExpression);
+    return '';
+}
+function unwrapTypeConversion(expr) {
+    let current = unwrapNameValueExpression(expr);
+    while ((0, ast_1.isNode)(current, 'FunctionCall')) {
+        const args = current.arguments || [];
+        const callee = unwrapNameValueExpression(current.expression);
+        if (args.length !== 1)
+            break;
+        if (!(0, ast_1.isNode)(callee, 'Identifier') && !(0, ast_1.isNode)(callee, 'ElementaryTypeNameExpression'))
+            break;
+        current = unwrapNameValueExpression(args[0]);
+    }
+    return current;
+}
+function unwrapNameValueExpression(expr) {
+    return (0, ast_1.isNode)(expr, 'NameValueExpression') ? expr.expression : expr;
+}
+function extractModifierName(modifier) {
+    if (!modifier)
+        return '';
+    if (typeof modifier === 'string')
+        return modifier;
+    if (typeof modifier.name === 'string')
+        return modifier.name;
+    if (modifier.name && typeof modifier.name.name === 'string')
+        return modifier.name.name;
+    if (modifier.modifierName && typeof modifier.modifierName.name === 'string')
+        return modifier.modifierName.name;
+    return '';
+}
+function isPrivilegedName(name) {
+    return (0, access_control_1.isPrivilegedIdentifier)(name, {
+        keywords: PRIVILEGED_NAME_KEYWORDS,
+        mode: 'word-boundary',
+    });
+}
+//# sourceMappingURL=insufficient-access-control-trusted-param.js.map

package/dist/detectors/insufficient-dvn-threshold.d.ts

@@ -0,0 +1,32 @@
+import type { ScanResult } from '../index';
+export declare class InsufficientDvnThresholdDetector {
+    readonly id = "insufficient-dvn-threshold";
+    readonly patternKey = "insufficient-dvn-threshold";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "high";
+        help: string;
+    };
+    private currentFile;
+    private currentContract;
+    private findings;
+    private stateConstants;
+    private ulnStructFields;
+    private fn;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(_node: any): void;
+    ['ContractDefinition:exit'](node: any): void;
+    StateVariableDeclaration(node: any): void;
+    StructDefinition(node: any): void;
+    FunctionDefinition(node: any): void;
+    FunctionDefinition_post(_node: any): void;
+    ['FunctionDefinition:exit'](node: any): void;
+    VariableDeclarationStatement(node: any): void;
+    ExpressionStatement(node: any): void;
+    FunctionCall(node: any): void;
+}