@snovon/solast 0.2.0

package/dist/detectors/l2-withdrawal-validation.js

@@ -0,0 +1,303 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.L2WithdrawalValidationDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'l2-withdrawal-validation';
+const WITHDRAWAL_FUNCTION = /(?:withdraw|finaliz|execute|relay|bridge|claim|exit|release|unlock)/i;
+const L2_MESSAGE_NAME = /(?:l2|message|msg|hash|root|proof|withdrawal|tx)/i;
+const FINALITY_OR_PROOF_NAME = /(?:finaliz|proven|prove|proof|verified|verify|validat|outputroot|output_root|stateroot|state_root|withdrawalhash|checkpoint|outbox|inbox|portal)/i;
+const RELAY_GUARD_CALL = /^(?:executeTransaction|relayMessage|proveWithdrawalTransaction|finalizeWithdrawalTransaction)$/i;
+const TOKEN_RELEASE_METHODS = new Set(['transfer', 'safetransfer']);
+const NATIVE_RELEASE_METHODS = new Set(['transfer', 'send', 'call']);
+class L2WithdrawalValidationDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    scan(ast, ctx = {}) {
+        return this.scanAst(ast, ctx.file || ctx.filename || '<ast>');
+    }
+    scanAst(ast, file) {
+        if (!ast || typeof ast !== 'object')
+            return [];
+        const findings = [];
+        for (const contract of collectContracts(ast)) {
+            if (isInterfaceLike(contract))
+                continue;
+            const contractName = getName(contract) || '<anonymous>';
+            for (const fn of contractMembers(contract)) {
+                if (!isNode(fn, 'FunctionDefinition'))
+                    continue;
+                if (!fn.body)
+                    continue;
+                if (!isExternallyCallable(fn))
+                    continue;
+                if (!hasL2WithdrawalTrustSignal(fn))
+                    continue;
+                const finding = analyzeFunction(file, contractName, fn);
+                if (finding)
+                    findings.push(finding);
+            }
+        }
+        return findings;
+    }
+}
+exports.L2WithdrawalValidationDetector = L2WithdrawalValidationDetector;
+function analyzeFunction(file, contractName, fn) {
+    const functionName = getName(fn) || '<anonymous>';
+    const guards = {
+        finalityOrProof: hasStrongModifier(fn),
+        messenger: hasStrongModifier(fn),
+        remoteSender: false,
+    };
+    for (const stmt of getStatements(fn.body)) {
+        const sink = findAssetRelease(stmt);
+        if (sink && !hasSufficientGuard(guards)) {
+            return makeFinding(file, contractName, functionName, locOf(sink));
+        }
+        observeGuards(stmt, guards);
+    }
+    return null;
+}
+function hasL2WithdrawalTrustSignal(fn) {
+    const fnName = getName(fn);
+    const params = getParameters(fn);
+    const names = [fnName, ...params.map(getName)].join(' ');
+    if (WITHDRAWAL_FUNCTION.test(fnName) && L2_MESSAGE_NAME.test(names))
+        return true;
+    let sawDecode = false;
+    walk(fn.body, node => {
+        if (sawDecode || !isNode(node, 'FunctionCall'))
+            return;
+        const callee = unwrapCallOptions(node.expression);
+        if (isNode(callee, 'MemberAccess') && expressionText(callee).toLowerCase() === 'abi.decode') {
+            const args = node.arguments || [];
+            if (args.some((arg) => L2_MESSAGE_NAME.test(expressionText(arg))))
+                sawDecode = true;
+        }
+    });
+    return sawDecode && WITHDRAWAL_FUNCTION.test(fnName);
+}
+function findAssetRelease(node) {
+    let found = null;
+    walk(node, current => {
+        if (found || !isNode(current, 'FunctionCall'))
+            return;
+        if (isAssetReleaseCall(current))
+            found = current;
+    });
+    return found;
+}
+function isAssetReleaseCall(call) {
+    const callee = unwrapCallOptions(call.expression);
+    if (!isNode(callee, 'MemberAccess'))
+        return false;
+    const member = String(callee.memberName || '').toLowerCase();
+    if (TOKEN_RELEASE_METHODS.has(member))
+        return true;
+    if (!NATIVE_RELEASE_METHODS.has(member))
+        return false;
+    if (member === 'call')
+        return hasCallValueOption(call.expression);
+    return true;
+}
+function hasCallValueOption(expr) {
+    let cur = expr;
+    while (cur && (isNode(cur, 'NameValueExpression') || isNode(cur, 'FunctionCallOptions'))) {
+        const names = [cur.name, cur.memberName, ...(cur.names || [])].map((n) => String(n || '').toLowerCase());
+        if (names.includes('value'))
+            return true;
+        if (cur.arguments && expressionText(cur).toLowerCase().includes('value'))
+            return true;
+        cur = cur.expression;
+    }
+    return false;
+}
+function observeGuards(node, guards) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (isNode(node, 'FunctionCall')) {
+        const callee = unwrapCallOptions(node.expression);
+        const callName = getCallName(callee);
+        if (RELAY_GUARD_CALL.test(callName))
+            guards.finalityOrProof = true;
+        if (isGuardCall(node)) {
+            const condition = (node.arguments || [])[0];
+            markGuardCondition(condition, guards);
+            return;
+        }
+    }
+    if (isNode(node, 'IfStatement') && branchReverts(node.trueBody)) {
+        markGuardCondition(node.condition, guards);
+        return;
+    }
+    for (const child of childNodes(node))
+        observeGuards(child, guards);
+}
+function markGuardCondition(condition, guards) {
+    const text = expressionText(condition).toLowerCase();
+    if (text.includes('msg.sender') && /(?:messenger|bridge|portal|outbox|inbox|relay|relayer)/i.test(text)) {
+        guards.messenger = true;
+    }
+    if (/(?:xdomainmessagesender|crossdomainsender|l2messagesender|remotesender|crossdomain|xdomain)/i.test(text)) {
+        guards.remoteSender = true;
+    }
+    if (FINALITY_OR_PROOF_NAME.test(text) && !isWeakHashOnlyCheck(text)) {
+        guards.finalityOrProof = true;
+    }
+}
+function isWeakHashOnlyCheck(text) {
+    return /(?:hash|tx|message)/i.test(text)
+        && !/(?:finaliz|proven|prove|proof|verified|verify|validat|outputroot|stateroot|root|checkpoint|outbox|inbox|portal)/i.test(text);
+}
+function hasSufficientGuard(guards) {
+    return guards.finalityOrProof || (guards.messenger && guards.remoteSender);
+}
+function hasStrongModifier(fn) {
+    const modifiers = Array.isArray(fn.modifiers) ? fn.modifiers : [];
+    return modifiers.some((m) => /(?:proven|finaliz|proof|outbox|portal|relay|crossdomain)/i.test(String(m.name || '')));
+}
+function isGuardCall(call) {
+    const callee = unwrapCallOptions(call.expression);
+    const name = getCallName(callee).toLowerCase();
+    return name === 'require' || name === 'assert';
+}
+function branchReverts(branch) {
+    if (!branch)
+        return false;
+    let found = false;
+    walk(branch, node => {
+        if (found || !isNode(node, 'FunctionCall'))
+            return;
+        const callee = unwrapCallOptions(node.expression);
+        if (getCallName(callee).toLowerCase() === 'revert')
+            found = true;
+    });
+    return found;
+}
+function collectContracts(ast) {
+    const out = [];
+    walk(ast, node => {
+        if (isNode(node, 'ContractDefinition'))
+            out.push(node);
+    });
+    return out;
+}
+function contractMembers(contract) {
+    return Array.isArray(contract?.subNodes) ? contract.subNodes : [];
+}
+function isInterfaceLike(contract) {
+    const kind = String(contract?.kind || '').toLowerCase();
+    return kind === 'interface' || kind === 'library';
+}
+function isExternallyCallable(fn) {
+    const visibility = String(fn.visibility || '').toLowerCase();
+    return visibility === 'public' || visibility === 'external' || visibility === '';
+}
+function getParameters(fn) {
+    return fn?.parameters?.parameters || fn?.parameters || [];
+}
+function getStatements(body) {
+    if (!body)
+        return [];
+    if (Array.isArray(body.statements))
+        return body.statements;
+    if (Array.isArray(body.children))
+        return body.children;
+    return [];
+}
+function getCallName(callee) {
+    if (isNode(callee, 'Identifier'))
+        return String(callee.name || '');
+    if (isNode(callee, 'MemberAccess'))
+        return String(callee.memberName || '');
+    return '';
+}
+function locOf(node) {
+    const { line, column } = (0, ast_1.assertLoc)(node);
+    return { line, column };
+}
+function makeFinding(file, contractName, functionName, loc) {
+    return {
+        file,
+        contract: contractName,
+        'function': functionName,
+        line: loc.line,
+        endLine: loc.line,
+        column: loc.column,
+        pattern: RULE_ID,
+        confidence: 'high',
+        ruleId: RULE_ID,
+        severity: 'high',
+        message: `L2-to-L1 withdrawal '${contractName}.${functionName}' releases L1 assets before proving message finality or an equivalent relay guard.`,
+        rationale: 'The function combines L2 withdrawal/message-shaped input with an ETH or ERC20 payout, but no preceding finalized-withdrawal, output/state-root proof, outbox execution, or messenger-plus-remote-sender guard is visible in the same function body.',
+        suggestedFix: 'Verify the withdrawal through the canonical L1 portal/outbox/inbox or output/state-root proof before releasing assets. If using a messenger, require both the authorized messenger and the expected remote L2 bridge sender before payout.',
+        contractName,
+        functionName,
+        sourceLocation: { line: loc.line, column: loc.column },
+        findingId: '',
+        contractHash: '',
+    };
+}
+function unwrapCallOptions(expr) {
+    let cur = expr;
+    while (cur && (isNode(cur, 'NameValueExpression') || isNode(cur, 'FunctionCallOptions'))) {
+        cur = cur.expression;
+    }
+    return cur;
+}
+function expressionText(node) {
+    if (!node || typeof node !== 'object')
+        return '';
+    if (isNode(node, 'Identifier'))
+        return getName(node);
+    if (isNode(node, 'MemberAccess'))
+        return `${expressionText(node.expression)}.${node.memberName || ''}`;
+    if (isNode(node, 'IndexAccess'))
+        return `${expressionText(node.base || node.baseExpression)}[${expressionText(node.index || node.indexExpression)}]`;
+    if (isNode(node, 'FunctionCall'))
+        return `${expressionText(node.expression)}(${arrayOf(node.arguments).map(expressionText).join(',')})`;
+    if (isNode(node, 'FunctionCallOptions') || isNode(node, 'NameValueExpression'))
+        return `${expressionText(node.expression)} value ${arrayOf(node.arguments).map(expressionText).join(' ')}`;
+    if (isNode(node, 'UnaryOperation'))
+        return `${node.operator || ''}${expressionText(node.subExpression)}`;
+    if (isNode(node, 'BinaryOperation'))
+        return `${expressionText(node.left || node.leftExpression)}${node.operator || ''}${expressionText(node.right || node.rightExpression)}`;
+    if (isNode(node, 'Literal') || isNode(node, 'NumberLiteral') || isNode(node, 'StringLiteral') || isNode(node, 'BooleanLiteral'))
+        return String(node.value ?? node.number ?? '');
+    return childNodes(node).map(expressionText).join(' ');
+}
+function arrayOf(value) {
+    return Array.isArray(value) ? value : [];
+}
+function getName(node) {
+    return String(node?.name || '');
+}
+function isNode(node, kind) {
+    return node?.type === kind || node?.nodeType === kind;
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const child of childNodes(node))
+        walk(child, visit);
+}
+function childNodes(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const out = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'range')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value)
+                if (item && typeof item === 'object')
+                    out.push(item);
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+//# sourceMappingURL=l2-withdrawal-validation.js.map

package/dist/detectors/lack-of-access-control.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class LackOfAccessControlDetector {
+    readonly id = "lack-of-access-control";
+    readonly patternKey = "lack-of-access-control";
+    readonly supportedAstKinds: ("parser" | "solc")[];
+    scanAst(ast: any, file: string, sourceText?: string): ScanResult[];
+}