@snovon/solast 0.2.0

package/dist/detectors/lack-of-calldata-validation.js

@@ -0,0 +1,914 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LackOfCalldataValidationDetector = void 0;
+const dataflow_1 = require("./_common/dataflow");
+const RULE_ID = 'lack-of-calldata-validation';
+const PATTERN = 'lack-of-calldata-validation/socketgateway-unvalidated-call';
+class LackOfCalldataValidationDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser', 'solc'];
+    currentFile = '';
+    sourceText;
+    findings = [];
+    setFile(file) {
+        this.currentFile = file;
+        this.findings = [];
+    }
+    setSourceText(sourceText) {
+        this.sourceText = sourceText;
+    }
+    getFindings() {
+        return this.findings;
+    }
+    SourceUnit(ast) {
+        if (ast?.nodeType === 'SourceUnit') {
+            this.findings.push(...this.runAst(ast, this.currentFile, this.sourceText));
+        }
+    }
+    ContractDefinition(node) {
+        if (node?.type !== 'ContractDefinition')
+            return;
+        this.findings.push(...this.runAst(node, this.currentFile, this.sourceText));
+    }
+    scanAst(ast, file, sourceText) {
+        return this.runAst(ast, file, sourceText);
+    }
+    runAst(ast, file, sourceText) {
+        if (!ast || typeof ast !== 'object')
+            return [];
+        const findings = [];
+        const lineOffsets = buildLineOffsets(sourceText);
+        const seen = new Set();
+        walkContracts(ast, contractNode => {
+            const contractName = getName(contractNode) || '<anonymous>';
+            const zeroAddressNames = collectZeroAddressConstants(contractNode);
+            const summaries = getContractFunctions(contractNode).map(fn => ({
+                node: fn,
+                name: getName(fn) || '<anonymous>',
+                parameters: getParameters(fn),
+                externallyCallable: isExternallyCallable(fn),
+                guarded: hasRecognizedGuardModifier(fn),
+            }));
+            const propagated = collectPropagatedParamTaint(summaries);
+            for (const summary of summaries) {
+                const body = getFunctionBody(summary.node);
+                if (!body)
+                    continue;
+                const seededIndexes = new Set();
+                if (summary.externallyCallable && !summary.guarded) {
+                    summary.parameters.forEach((_param, index) => seededIndexes.add(index));
+                }
+                for (const index of propagated.get(summary.name) || [])
+                    seededIndexes.add(index);
+                if (seededIndexes.size === 0 || summary.guarded)
+                    continue;
+                const tainted = new Set();
+                summary.parameters.forEach((param, index) => {
+                    if (seededIndexes.has(index) && param?.name)
+                        tainted.add(String(param.name));
+                });
+                if (tainted.size === 0)
+                    continue;
+                const state = {
+                    tainted,
+                    targetValidated: new Set(),
+                    selectorValidated: new Set(),
+                    authorityGuarded: false,
+                };
+                const sink = analyzeBlockStatements(getBlockStatements(body), state, zeroAddressNames);
+                if (!sink)
+                    continue;
+                const loc = getLoc(sink, lineOffsets);
+                const line = loc?.line || 0;
+                const column = loc?.column || 0;
+                const key = `${file}:${contractName}:${summary.name}:${RULE_ID}`;
+                if (seen.has(key))
+                    continue;
+                seen.add(key);
+                findings.push({
+                    file,
+                    contract: contractName,
+                    'function': summary.name,
+                    line,
+                    endLine: line,
+                    column,
+                    pattern: PATTERN,
+                    confidence: 'medium',
+                    ruleId: RULE_ID,
+                    severity: 'warning',
+                    message: `Lack of calldata validation in '${contractName}.${summary.name}': caller-controlled target and calldata reach a low-level call without a selector validation plus target boundary before the call.`,
+                    rationale: 'Mirrors the SocketGateway exploit shape: swap calldata supplied by the caller is forwarded to a token/router target before constraining the selector and target, enabling arbitrary token actions through the route.',
+                    suggestedFix: 'Validate both the low-level call target and calldata selector before the call, route through typed interfaces, or restrict the executor with trusted access control.',
+                    contractName,
+                    functionName: summary.name,
+                    sourceLocation: { line, column },
+                    findingId: '',
+                    contractHash: '',
+                });
+            }
+        });
+        return findings;
+    }
+}
+exports.LackOfCalldataValidationDetector = LackOfCalldataValidationDetector;
+function collectPropagatedParamTaint(functions) {
+    const internalNames = new Set(functions.filter(fn => !fn.externallyCallable).map(fn => fn.name));
+    const propagated = new Map();
+    if (internalNames.size === 0)
+        return propagated;
+    // Outer fixed point: walk every function each pass, propagate taint
+    // through internal calls, repeat until no new (callee, arg-index)
+    // pairs are added.
+    (0, dataflow_1.runFixedPoint)(() => {
+        let changed = false;
+        for (const fn of functions) {
+            const tainted = new Set();
+            if (fn.externallyCallable && !fn.guarded) {
+                fn.parameters.forEach(param => { if (param?.name)
+                    tainted.add(String(param.name)); });
+            }
+            for (const index of propagated.get(fn.name) || []) {
+                const name = fn.parameters[index]?.name;
+                if (name)
+                    tainted.add(String(name));
+            }
+            if (tainted.size === 0)
+                continue;
+            // Inner fixed point: within a single function body, propagate
+            // taint through assignments and `var x = tainted_expr` declarations
+            // until the local tainted set stops growing.
+            (0, dataflow_1.runFixedPoint)(() => {
+                const before = tainted.size;
+                walk(fn.node.body, node => {
+                    if (isAssignmentNode(node) && referencesTainted(getBinaryRight(node), tainted)) {
+                        for (const name of collectAssignTargets(getBinaryLeft(node)))
+                            tainted.add(name);
+                    }
+                    if (isNode(node, 'VariableDeclarationStatement') && referencesTainted(node.initialValue, tainted)) {
+                        for (const decl of getVariableDeclarations(node)) {
+                            if (decl?.name)
+                                tainted.add(String(decl.name));
+                        }
+                    }
+                });
+                return tainted.size !== before;
+            }, { maxPasses: 8, name: 'lack-of-calldata-validation/intra-function-taint' });
+            walk(fn.node.body, node => {
+                if (!isNode(node, 'FunctionCall'))
+                    return;
+                const callee = getCalleeName(node);
+                if (!internalNames.has(callee))
+                    return;
+                const indexes = propagated.get(callee) || new Set();
+                getArguments(node).forEach((arg, index) => {
+                    if (referencesTainted(arg, tainted) && !indexes.has(index)) {
+                        indexes.add(index);
+                        changed = true;
+                    }
+                });
+                if (indexes.size > 0)
+                    propagated.set(callee, indexes);
+            });
+        }
+        return changed;
+    }, { maxPasses: 12, name: 'lack-of-calldata-validation/inter-procedural-taint' });
+    return propagated;
+}
+function collectAssignmentTaint(stmt, tainted) {
+    (0, dataflow_1.runFixedPoint)(() => {
+        const before = tainted.size;
+        walk(stmt, node => {
+            if (isAssignmentNode(node) && referencesTainted(getBinaryRight(node), tainted)) {
+                for (const name of collectAssignTargets(getBinaryLeft(node)))
+                    tainted.add(name);
+            }
+            if (isNode(node, 'VariableDeclarationStatement') && referencesTainted(node.initialValue, tainted)) {
+                for (const decl of getVariableDeclarations(node)) {
+                    if (decl?.name)
+                        tainted.add(String(decl.name));
+                }
+            }
+        });
+        return tainted.size !== before;
+    }, { maxPasses: 4, name: 'lack-of-calldata-validation/local-assignment-taint' });
+}
+function collectValidation(stmt, tainted, targetValidated, selectorValidated, zeroAddressNames) {
+    if (!isRequireOrAssertStatement(stmt))
+        return;
+    const condition = getArguments(stmt.expression)[0];
+    if (!condition)
+        return;
+    collectConditionValidations(condition, tainted, targetValidated, selectorValidated, zeroAddressNames);
+}
+function collectConditionValidations(condition, tainted, targetValidated, selectorValidated, zeroAddressNames) {
+    for (const name of collectTargetBoundedIdentifiers(condition, tainted, zeroAddressNames))
+        targetValidated.add(name);
+    for (const name of collectSelectorCheckedData(condition))
+        selectorValidated.add(name);
+}
+function analyzeBlockStatements(stmts, state, zeroAddressNames) {
+    for (const stmt of stmts) {
+        const sink = analyzeStatement(stmt, state, zeroAddressNames);
+        if (sink)
+            return sink;
+    }
+    return null;
+}
+function analyzeStatement(stmt, state, zeroAddressNames) {
+    if (!stmt || typeof stmt !== 'object')
+        return null;
+    collectAssignmentTaint(stmt, state.tainted);
+    if (!state.authorityGuarded && isAuthorityMsgSenderGuard(stmt, state.tainted)) {
+        state.authorityGuarded = true;
+        return null;
+    }
+    if (state.authorityGuarded)
+        return null;
+    if (isNode(stmt, 'IfStatement')) {
+        return analyzeIfStatement(stmt, state, zeroAddressNames);
+    }
+    if (isNode(stmt, 'Block') || isNode(stmt, 'UncheckedBlock')) {
+        return analyzeBlockStatements(getBlockStatements(stmt), state, zeroAddressNames);
+    }
+    if (isNode(stmt, 'ForStatement') || isNode(stmt, 'WhileStatement') || isNode(stmt, 'DoWhileStatement')) {
+        const body = stmt.body ?? stmt.statement;
+        if (body) {
+            const loopState = cloneAnalysisState(state);
+            const loopSink = analyzeBranchBody(body, loopState, zeroAddressNames);
+            if (loopSink)
+                return loopSink;
+            // Loop body may not execute; only propagate taint conservatively.
+            for (const t of loopState.tainted)
+                state.tainted.add(t);
+        }
+        return null;
+    }
+    if (isNode(stmt, 'TryStatement')) {
+        return analyzeTryStatement(stmt, state, zeroAddressNames);
+    }
+    collectValidation(stmt, state.tainted, state.targetValidated, state.selectorValidated, zeroAddressNames);
+    return findUnvalidatedCallSink(stmt, state.tainted, state.targetValidated, state.selectorValidated);
+}
+function analyzeIfStatement(stmt, state, zeroAddressNames) {
+    const condition = stmt.condition ?? stmt.conditionExpression;
+    const trueState = cloneAnalysisState(state);
+    if (condition) {
+        collectConditionValidations(condition, trueState.tainted, trueState.targetValidated, trueState.selectorValidated, zeroAddressNames);
+    }
+    const trueBody = stmt.trueBody ?? stmt.trueStatement;
+    if (trueBody) {
+        const trueSink = analyzeBranchBody(trueBody, trueState, zeroAddressNames);
+        if (trueSink)
+            return trueSink;
+    }
+    const falseBody = stmt.falseBody ?? stmt.falseStatement;
+    const falseState = cloneAnalysisState(state);
+    if (falseBody) {
+        const falseSink = analyzeBranchBody(falseBody, falseState, zeroAddressNames);
+        if (falseSink)
+            return falseSink;
+    }
+    mergeBranchStates(state, [trueState, falseState]);
+    return null;
+}
+function analyzeTryStatement(stmt, state, zeroAddressNames) {
+    const branchStates = [];
+    const tryBody = stmt.body;
+    if (tryBody) {
+        const tryState = cloneAnalysisState(state);
+        const trySink = analyzeBranchBody(tryBody, tryState, zeroAddressNames);
+        if (trySink)
+            return trySink;
+        branchStates.push(tryState);
+    }
+    const clauses = stmt.clauses || stmt.catchClauses || [];
+    for (const clause of clauses) {
+        const clauseBody = clause?.block || clause?.body;
+        if (!clauseBody)
+            continue;
+        const clauseState = cloneAnalysisState(state);
+        const clauseSink = analyzeBranchBody(clauseBody, clauseState, zeroAddressNames);
+        if (clauseSink)
+            return clauseSink;
+        branchStates.push(clauseState);
+    }
+    if (branchStates.length > 0)
+        mergeBranchStates(state, branchStates);
+    return null;
+}
+function analyzeBranchBody(body, state, zeroAddressNames) {
+    if (!body || typeof body !== 'object')
+        return null;
+    const stmts = getBlockStatements(body);
+    if (stmts.length > 0)
+        return analyzeBlockStatements(stmts, state, zeroAddressNames);
+    return analyzeStatement(body, state, zeroAddressNames);
+}
+function cloneAnalysisState(s) {
+    return {
+        tainted: new Set(s.tainted),
+        targetValidated: new Set(s.targetValidated),
+        selectorValidated: new Set(s.selectorValidated),
+        authorityGuarded: s.authorityGuarded,
+    };
+}
+function mergeBranchStates(target, branches) {
+    if (branches.length === 0)
+        return;
+    // Taint propagates conservatively (union) so later code sees any aliases learned in any branch.
+    for (const b of branches) {
+        for (const t of b.tainted)
+            target.tainted.add(t);
+    }
+    // Validations only persist past the join point if every branch established them.
+    target.targetValidated = intersectSets(branches.map(b => b.targetValidated));
+    target.selectorValidated = intersectSets(branches.map(b => b.selectorValidated));
+    target.authorityGuarded = branches.every(b => b.authorityGuarded);
+}
+function intersectSets(sets) {
+    if (sets.length === 0)
+        return new Set();
+    const [first, ...rest] = sets;
+    const out = new Set();
+    for (const v of first) {
+        if (rest.every(s => s.has(v)))
+            out.add(v);
+    }
+    return out;
+}
+function findUnvalidatedCallSink(stmt, tainted, targetValidated, selectorValidated) {
+    let found = null;
+    walk(stmt, node => {
+        if (found || !isNode(node, 'FunctionCall'))
+            return;
+        const call = lowLevelCall(node);
+        if (!call || (call.member !== 'call' && call.member !== 'delegatecall'))
+            return;
+        const dataArgs = call.args.filter(arg => !isEmptyCallData(arg));
+        if (dataArgs.length === 0)
+            return;
+        const targetTainted = referencesTainted(call.target, tainted);
+        const dataTainted = dataArgs.some(arg => referencesTainted(arg, tainted));
+        if (!targetTainted || !dataTainted)
+            return;
+        const targetRoot = rootIdentifier(call.target);
+        const targetChecked = !!targetRoot && targetValidated.has(targetRoot);
+        const dataChecked = dataArgs.some(arg => {
+            const root = rootIdentifier(arg);
+            return !!root && selectorValidated.has(root);
+        });
+        if (targetChecked && dataChecked)
+            return;
+        found = node;
+    });
+    return found;
+}
+function lowLevelCall(expr) {
+    if (!isNode(expr, 'FunctionCall'))
+        return null;
+    const args = getArguments(expr);
+    let callee = expr.expression;
+    if (isNode(callee, 'NameValueExpression') || isNode(callee, 'FunctionCallOptions')) {
+        callee = callee.expression;
+    }
+    if (!isNode(callee, 'MemberAccess'))
+        return null;
+    const member = String(callee.memberName || '').toLowerCase();
+    if (member !== 'call' && member !== 'delegatecall' && member !== 'staticcall')
+        return null;
+    return { member, target: callee.expression, args };
+}
+function collectTargetBoundedIdentifiers(expr, tainted, zeroAddressNames) {
+    const out = new Set();
+    walk(expr, node => {
+        for (const name of allowlistMembershipTargetRoots(node, tainted))
+            out.add(name);
+        if (!isBinaryOpNode(node))
+            return;
+        const op = String(node.operator || '');
+        if (op !== '==' && op !== '===')
+            return;
+        collectTrustedBoundaryComparison(getBinaryLeft(node), getBinaryRight(node), tainted, zeroAddressNames, out);
+        collectTrustedBoundaryComparison(getBinaryRight(node), getBinaryLeft(node), tainted, zeroAddressNames, out);
+    });
+    return out;
+}
+function collectTrustedBoundaryComparison(candidate, boundary, tainted, zeroAddressNames, out) {
+    const root = rootIdentifier(candidate);
+    if (!root || !tainted.has(root))
+        return;
+    if (isTrustedTargetBoundary(boundary, tainted, zeroAddressNames))
+        out.add(root);
+}
+function isTrustedTargetBoundary(expr, tainted, zeroAddressNames) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if (isZeroAddressExpression(expr))
+        return false;
+    const path = accessPath(expr);
+    if (path && zeroAddressNames.has(path.split('.')[0]))
+        return false;
+    if (referencesTainted(expr, tainted))
+        return false;
+    if (isNonzeroAddressLiteralExpression(expr))
+        return true;
+    if (path && !isMsgSender(expr))
+        return true;
+    return false;
+}
+function allowlistMembershipTargetRoots(expr, tainted) {
+    const out = new Set();
+    const index = isNode(expr, 'IndexAccess') ? getIndexExpression(expr) : null;
+    const base = isNode(expr, 'IndexAccess') ? accessPath(expr.base || expr.baseExpression) : null;
+    if (index && base && nameLooksLikeAllowlistMapping(base)) {
+        const root = rootIdentifier(index);
+        if (root && tainted.has(root))
+            out.add(root);
+    }
+    return out;
+}
+// Tokens that, when they appear as a complete word inside the base
+// identifier of an `IndexAccess`, count as "this looks like an
+// allowlist mapping." Reviewed in the audit (review finding E2): the
+// previous broad substring regex matched mid-word patterns like
+// `routerInternal`, `targetingMode`, `destinationConfig`, which are
+// not allowlists, suppressing legitimate findings on functions that
+// happen to use those identifiers.
+const ALLOWLIST_TOKENS = new Set([
+    'allow', 'allowed', 'allows', 'allowlist', 'allowlisted',
+    'approved', 'approvelist', 'approvelisted',
+    'trusted', 'trustlist', 'trustlisted', 'whitelist', 'whitelisted',
+    'permitted', 'permit',
+    'authorized', 'authorised',
+    // Structural-name tokens: they're allowed as a word, but unlike the
+    // old substring regex they never match mid-identifier. So
+    // `targetAllowlist` matches via `targetallowlist` AND `target`, and
+    // `targetingMode` matches NEITHER (the token is `targeting`, not
+    // `target`). Without these tokens fixtures that name their
+    // allowlist mapping `targets` or `routes` would regress; see the
+    // regression fixture for both shapes.
+    'target', 'targets', 'route', 'routes', 'router', 'routers',
+    'destination', 'destinations',
+]);
+function nameLooksLikeAllowlistMapping(name) {
+    // Split dotted access paths (e.g. `cfg.targets`) by segment, mirroring
+    // the authority-path handling in `isTrustedAuthorityExpression`. Without
+    // this, a member base like `cfg.targets[target]` arrives here as
+    // `cfg.targets`, which `tokenizeIdentifier` would emit as the single
+    // token `cfg.targets` — never matching the structural `targets` token.
+    for (const segment of name.split('.')) {
+        for (const token of tokenizeIdentifier(segment)) {
+            if (ALLOWLIST_TOKENS.has(token))
+                return true;
+        }
+    }
+    return false;
+}
+function collectSelectorCheckedData(expr) {
+    const out = new Set();
+    walk(expr, node => {
+        if (!isBinaryOpNode(node))
+            return;
+        const op = String(node.operator || '');
+        if (op !== '==' && op !== '!=' && op !== '===' && op !== '!==')
+            return;
+        for (const side of [getBinaryLeft(node), getBinaryRight(node)]) {
+            const checked = selectorDataRoot(side);
+            if (checked)
+                out.add(checked);
+        }
+    });
+    return out;
+}
+function selectorDataRoot(expr) {
+    if (!expr || typeof expr !== 'object')
+        return null;
+    if (isNode(expr, 'FunctionCall') && getCalleeName(expr) === 'bytes4') {
+        return rootIdentifier(getArguments(expr)[0]);
+    }
+    return null;
+}
+function collectZeroAddressConstants(contractNode) {
+    const out = new Set();
+    walk(contractNode, node => {
+        if (!isNode(node, 'VariableDeclaration') || !node.name)
+            return;
+        const initialValue = node.initialValue || node.value;
+        if (isZeroAddressExpression(initialValue))
+            out.add(String(node.name));
+    });
+    return out;
+}
+function isZeroAddressExpression(expr) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if (isNode(expr, 'FunctionCall') && getCalleeName(expr).toLowerCase() === 'address') {
+        return getArguments(expr).some(isZeroLiteral);
+    }
+    return isZeroLiteral(expr);
+}
+function isNonzeroAddressLiteralExpression(expr) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if (isNode(expr, 'FunctionCall') && getCalleeName(expr).toLowerCase() === 'address') {
+        return getArguments(expr).some(arg => isNumberishLiteral(arg) && !isZeroLiteral(arg));
+    }
+    return isNumberishLiteral(expr) && !isZeroLiteral(expr);
+}
+function isZeroLiteral(expr) {
+    if (!isNumberishLiteral(expr))
+        return false;
+    const value = literalValue(expr).toLowerCase();
+    return value === '0' || value === '0x0' || /^0x0+$/.test(value);
+}
+function isNumberishLiteral(expr) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if (isNode(expr, 'NumberLiteral') || isNode(expr, 'HexNumber') || isNode(expr, 'HexLiteral'))
+        return true;
+    if (!isNode(expr, 'Literal'))
+        return false;
+    const value = literalValue(expr);
+    return /^0x[0-9a-f]+$/i.test(value) || /^[0-9]+$/.test(value);
+}
+function literalValue(expr) {
+    return String(expr?.number ?? expr?.hexValue ?? expr?.value ?? '');
+}
+function isRequireOrAssertStatement(stmt) {
+    if (!isNode(stmt, 'ExpressionStatement'))
+        return false;
+    const expr = stmt.expression;
+    if (!isNode(expr, 'FunctionCall'))
+        return false;
+    const callee = getCalleeName(expr);
+    return callee === 'require' || callee === 'assert';
+}
+function isAuthorityMsgSenderGuard(stmt, tainted) {
+    if (!isRequireOrAssertStatement(stmt))
+        return false;
+    const condition = getArguments(stmt.expression)[0];
+    return isMsgSenderAuthorityEquality(condition, tainted);
+}
+function isMsgSenderAuthorityEquality(expr, tainted) {
+    if (!expr || typeof expr !== 'object' || !isBinaryOpNode(expr))
+        return false;
+    const op = String(expr.operator || '');
+    if (op !== '==' && op !== '===')
+        return false;
+    const left = getBinaryLeft(expr);
+    const right = getBinaryRight(expr);
+    if (isMsgSender(left) && isTrustedAuthorityExpression(right, tainted))
+        return true;
+    if (isMsgSender(right) && isTrustedAuthorityExpression(left, tainted))
+        return true;
+    return false;
+}
+function isMsgSender(node) {
+    if (isNode(node, 'MemberAccess') &&
+        String(node.memberName || '') === 'sender' &&
+        isNode(node.expression, 'Identifier') &&
+        node.expression.name === 'msg')
+        return true;
+    if (isNode(node, 'FunctionCall')) {
+        const callee = node.expression;
+        return isNode(callee, 'Identifier') && callee.name === '_msgSender' && getArguments(node).length === 0;
+    }
+    return false;
+}
+// Authority-keyword tokens that, when matched as a complete word in an
+// access path, count as a "trusted authority expression." Tokenised for
+// the same reason as ALLOWLIST_TOKENS above (review finding E2): the
+// previous substring regex `(owner|admin|authori|...)` matched
+// `enrolled`, `unauthorized`, `roleplay`, etc. mid-identifier and over-
+// suppressed the detector.
+const AUTHORITY_TOKENS = new Set([
+    'owner', 'owners',
+    'admin', 'admins',
+    'authority', 'authorised', 'authorized',
+    'governance', 'governor', 'governors',
+    'treasury',
+    'multisig',
+    'timelock',
+    'accesscontrol',
+    'custodian',
+    'guardian', 'guardians',
+    'council',
+    'operator', 'operators',
+    'trustee', 'trustees',
+    'role', 'roles',
+]);
+function segmentMatchesAuthorityKeyword(segment) {
+    const normalized = segment.replace(/^_+/, '').toLowerCase();
+    if (AUTHORITY_TOKENS.has(normalized))
+        return true;
+    const tokens = tokenizeIdentifier(segment);
+    for (const token of tokens) {
+        if (AUTHORITY_TOKENS.has(token))
+            return true;
+    }
+    const compoundAuthorityTokens = new Set(['multisig', 'timelock', 'accesscontrol']);
+    const suffixTokens = new Set(['wallet', 'controller', 'manager', 'admin', 'owner', 'guard', 'role']);
+    for (let i = 0; i < tokens.length; i++) {
+        const compound = tokens[i] + tokens[i + 1];
+        if (compoundAuthorityTokens.has(compound)) {
+            const next = tokens[i + 2];
+            if (!next || suffixTokens.has(next))
+                return true;
+        }
+    }
+    return false;
+}
+function isTrustedAuthorityExpression(expr, tainted) {
+    const path = accessPath(expr);
+    if (!path)
+        return false;
+    const root = path.split('.')[0];
+    if (tainted.has(root))
+        return false;
+    for (const segment of path.split('.')) {
+        if (segmentMatchesAuthorityKeyword(segment))
+            return true;
+    }
+    return false;
+}
+/**
+ * Split an identifier into lowercase tokens by camelCase / PascalCase
+ * boundaries and underscores, dropping any leading underscores
+ * (Solidity's idiomatic private-field marker).
+ *
+ *   '_allowedTargets'     → ['allowed', 'targets']
+ *   'router_internal'     → ['router', 'internal']
+ *   'isAllowedRouter'     → ['is', 'allowed', 'router']
+ *   'targetingMode'       → ['targeting', 'mode']  (NOT 'target')
+ *   'unauthorizedAccess'  → ['unauthorized', 'access']
+ *
+ * Used by both ALLOWLIST_TOKENS and AUTHORITY_TOKENS lookups so a
+ * substring like `auth` inside `unauthorizedAccess` doesn't masquerade
+ * as a trusted-authority match. Pure function — safe to memoise if
+ * profiling ever calls for it.
+ */
+function tokenizeIdentifier(name) {
+    const stripped = name.replace(/^_+/, '');
+    const tokens = [];
+    for (const part of stripped.split(/_+/)) {
+        if (!part)
+            continue;
+        for (const camel of part.split(/(?=[A-Z])/)) {
+            if (camel)
+                tokens.push(camel.toLowerCase());
+        }
+    }
+    return tokens;
+}
+function hasRecognizedGuardModifier(fn) {
+    for (const modifier of fn.modifiers || []) {
+        const name = getModifierName(modifier).toLowerCase();
+        if (name === 'onlyowner' || name === 'onlyrole' || name === 'onlyadmin' ||
+            name === 'authorized' || name === 'onlyauthorized' || name.startsWith('only'))
+            return true;
+    }
+    return false;
+}
+function getModifierName(modifier) {
+    if (!modifier)
+        return '';
+    if (typeof modifier === 'string')
+        return modifier;
+    if (modifier.modifierName) {
+        const inner = modifier.modifierName;
+        if (typeof inner === 'string')
+            return inner;
+        if (inner.name)
+            return String(inner.name);
+    }
+    if (modifier.name) {
+        if (typeof modifier.name === 'string')
+            return modifier.name;
+        if (modifier.name.name)
+            return String(modifier.name.name);
+        if (modifier.name.namePath)
+            return String(modifier.name.namePath);
+    }
+    return '';
+}
+function getContractFunctions(contractNode) {
+    return childrenOf(contractNode).filter(child => isNode(child, 'FunctionDefinition'));
+}
+function getParameters(fn) {
+    if (Array.isArray(fn?.parameters))
+        return fn.parameters;
+    if (Array.isArray(fn?.parameters?.parameters))
+        return fn.parameters.parameters;
+    return [];
+}
+function getFunctionBody(node) {
+    return node?.body || null;
+}
+function getBlockStatements(body) {
+    if (!body || typeof body !== 'object')
+        return [];
+    return Array.isArray(body.statements) ? body.statements : [];
+}
+function isExternallyCallable(node) {
+    const kind = String(node.kind || node.functionKind || '').toLowerCase();
+    if (kind === 'constructor' || node.isConstructor)
+        return false;
+    const visibility = String(node.visibility || '').toLowerCase();
+    return visibility === 'public' || visibility === 'external' || kind === 'fallback' || kind === 'receive';
+}
+function referencesTainted(node, tainted) {
+    return walkAny(node, n => isNode(n, 'Identifier') && tainted.has(String(n.name || '')));
+}
+function collectAssignTargets(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    if (isNode(node, 'Identifier'))
+        return node.name ? [String(node.name)] : [];
+    if (isNode(node, 'TupleExpression')) {
+        return getArguments(node).flatMap((component) => collectAssignTargets(component));
+    }
+    return [];
+}
+function getVariableDeclarations(node) {
+    if (Array.isArray(node?.variables))
+        return node.variables;
+    if (Array.isArray(node?.declarations))
+        return node.declarations;
+    return [];
+}
+function isAssignmentNode(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (isNode(node, 'Assignment'))
+        return true;
+    if (!isNode(node, 'BinaryOperation'))
+        return false;
+    return String(node.operator || '').endsWith('=');
+}
+function isBinaryOpNode(node) {
+    return isNode(node, 'BinaryOperation') || isNode(node, 'Assignment');
+}
+function getBinaryLeft(node) {
+    return node?.left ?? node?.leftExpression ?? node?.leftHandSide;
+}
+function getBinaryRight(node) {
+    return node?.right ?? node?.rightExpression ?? node?.rightHandSide;
+}
+function getCalleeName(call) {
+    const expr = call?.expression;
+    if (!expr)
+        return '';
+    if (isNode(expr, 'Identifier'))
+        return expr.name || '';
+    if (isNode(expr, 'MemberAccess')) {
+        const prefix = expressionName(expr.expression);
+        return prefix ? `${prefix}.${expr.memberName || ''}` : expr.memberName || '';
+    }
+    if (isNode(expr, 'ElementaryTypeName'))
+        return expr.name || '';
+    if (isNode(expr, 'ElementaryTypeNameExpression'))
+        return expr.typeName?.name || '';
+    return '';
+}
+function expressionName(expr) {
+    if (!expr || typeof expr !== 'object')
+        return '';
+    if (isNode(expr, 'Identifier'))
+        return expr.name || '';
+    if (isNode(expr, 'MemberAccess')) {
+        const prefix = expressionName(expr.expression);
+        return prefix ? `${prefix}.${expr.memberName || ''}` : expr.memberName || '';
+    }
+    return '';
+}
+function rootIdentifier(expr) {
+    if (!expr || typeof expr !== 'object')
+        return null;
+    if (isNode(expr, 'Identifier'))
+        return expr.name || null;
+    if (isNode(expr, 'MemberAccess'))
+        return rootIdentifier(expr.expression);
+    if (isNode(expr, 'IndexAccess') || isNode(expr, 'IndexRangeAccess')) {
+        return rootIdentifier(expr.base || expr.baseExpression);
+    }
+    if (isNode(expr, 'FunctionCall'))
+        return rootIdentifier(getArguments(expr)[0]);
+    return null;
+}
+function getIndexExpression(expr) {
+    return expr?.index ?? expr?.indexExpression;
+}
+function accessPath(expr) {
+    if (!expr || typeof expr !== 'object')
+        return null;
+    if (isNode(expr, 'Identifier'))
+        return expr.name ? String(expr.name) : null;
+    if (isNode(expr, 'MemberAccess')) {
+        const base = accessPath(expr.expression);
+        return base && expr.memberName ? `${base}.${expr.memberName}` : null;
+    }
+    return null;
+}
+function isLiteral(expr) {
+    return isNode(expr, 'NumberLiteral') || isNode(expr, 'StringLiteral') ||
+        isNode(expr, 'BooleanLiteral') || isNode(expr, 'HexLiteral') ||
+        isNode(expr, 'Literal');
+}
+function isEmptyCallData(expr) {
+    return !expr ||
+        (isNode(expr, 'StringLiteral') && String(expr.value || '') === '') ||
+        (isNode(expr, 'HexLiteral') && String(expr.value || '') === '') ||
+        (isNode(expr, 'Literal') && String(expr.value || '') === '' &&
+            /string|hexstring/i.test(String(expr.kind || expr.typeDescriptions?.typeString || '')));
+}
+function getArguments(node) {
+    if (Array.isArray(node?.arguments))
+        return node.arguments;
+    if (Array.isArray(node?.arguments?.arguments))
+        return node.arguments.arguments;
+    if (Array.isArray(node?.components))
+        return node.components;
+    return [];
+}
+function getName(node) {
+    return node?.name || '';
+}
+function isNode(node, kind) {
+    return node?.type === kind || node?.nodeType === kind;
+}
+function walkContracts(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (isNode(node, 'ContractDefinition'))
+        visit(node);
+    for (const child of childrenOf(node))
+        walkContracts(child, visit);
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const child of childrenOf(node))
+        walk(child, visit);
+}
+function walkAny(node, predicate) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (predicate(node))
+        return true;
+    for (const child of childrenOf(node)) {
+        if (walkAny(child, predicate))
+            return true;
+    }
+    return false;
+}
+function childrenOf(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const children = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'src' || key === 'range' || key === 'typeDescriptions' || key === 'id')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    children.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            children.push(value);
+        }
+    }
+    return children;
+}
+function buildLineOffsets(sourceText) {
+    if (sourceText === undefined)
+        return undefined;
+    const lineOffsets = [0];
+    let byteOffset = 0;
+    for (const char of sourceText) {
+        byteOffset += Buffer.byteLength(char, 'utf8');
+        if (char === '\n')
+            lineOffsets.push(byteOffset);
+    }
+    return lineOffsets;
+}
+function getLoc(node, lineOffsets) {
+    if (node?.loc?.start)
+        return node.loc.start;
+    if (!node?.src || !lineOffsets)
+        return undefined;
+    const offset = Number(String(node.src).split(':')[0]);
+    if (!Number.isFinite(offset) || offset < 0)
+        return undefined;
+    let lineIndex = 0;
+    for (let i = 0; i < lineOffsets.length; i++) {
+        if (lineOffsets[i] <= offset)
+            lineIndex = i;
+        else
+            break;
+    }
+    return { line: lineIndex + 1, column: offset - lineOffsets[lineIndex] };
+}
+//# sourceMappingURL=lack-of-calldata-validation.js.map