@snovon/solast 0.2.0

package/dist/detectors/lack-of-input-validation-reentrancy.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class LackOfInputValidationReentrancyDetector {
+    readonly id = "lack-of-input-validation-reentrancy";
+    readonly patternKey = "lack-of-input-validation-reentrancy";
+    readonly supportedAstKinds: ("parser" | "solc")[];
+    scanAst(ast: any, file: string, sourceText?: string): ScanResult[];
+}

package/dist/detectors/lack-of-input-validation-reentrancy.js

@@ -0,0 +1,637 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LackOfInputValidationReentrancyDetector = void 0;
+const RULE_ID = 'lack-of-input-validation-reentrancy';
+const PATTERN = 'lack-of-input-validation-reentrancy/unvalidated-callback-target';
+const PROVENANCE = 'x-20231216-gooddollar-lack-of-input-validation-reentrancy';
+const ACCESS_CONTROL_MODIFIERS = new Set([
+    'onlyowner',
+    'onlyowners',
+    'onlyrole',
+    'onlyadmin',
+    'onlyauthorized',
+    'authorized',
+    'auth',
+    'onlyoperator',
+    'onlyoperators',
+    'onlyprotocol',
+    'onlygovernance',
+    'onlygovernor',
+    'onlyguardian',
+    'onlymanager',
+    'onlysigner',
+    'onlytrusted',
+    'onlydeployer',
+    'onlytimelock',
+]);
+const NONREENTRANT_MODIFIERS = new Set([
+    'nonreentrant',
+    'nonreentrantview',
+    'nonreentrantreadonly',
+    'nonreentrantbefore',
+    'nonreentrantafter',
+    'reentrancyguard',
+    'lock',
+    'mutex',
+]);
+const ALLOWLIST_MAPPING_RE = /(approve|allow|trust|valid|whitelist|registered|known|enabled|authoriz)/i;
+class LackOfInputValidationReentrancyDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser', 'solc'];
+    scanAst(ast, file, sourceText) {
+        if (!ast || typeof ast !== 'object')
+            return [];
+        const findings = [];
+        const lineOffsets = buildLineOffsets(sourceText);
+        const seen = new Set();
+        for (const contract of collectContracts(ast)) {
+            if (isInterfaceLike(contract))
+                continue;
+            const contractName = getName(contract) || '<anonymous>';
+            for (const fn of getContractFunctions(contract)) {
+                if (!isExternallyCallable(fn))
+                    continue;
+                if (hasAccessControlModifier(fn))
+                    continue;
+                if (hasNonReentrantModifier(fn))
+                    continue;
+                const body = getFunctionBody(fn);
+                if (!body)
+                    continue;
+                const tainted = new Set();
+                for (const p of getParameters(fn)) {
+                    const n = String(p?.name || '');
+                    if (n)
+                        tainted.add(n);
+                }
+                if (tainted.size === 0)
+                    continue;
+                propagateAliases(body, tainted);
+                const validated = new Set();
+                const sinkRef = { node: null };
+                walkStmtsInOrder(body, tainted, validated, sinkRef);
+                if (!sinkRef.node)
+                    continue;
+                if (!hasPostCallStateWrite(body, sinkRef.node))
+                    continue;
+                const fnName = functionDisplayName(fn);
+                const key = `${contractName}:${fnName}`;
+                if (seen.has(key))
+                    continue;
+                seen.add(key);
+                const fnLoc = getLoc(fn, lineOffsets) || { line: 0, column: 0 };
+                const sinkLoc = getLoc(sinkRef.node, lineOffsets) || fnLoc;
+                findings.push({
+                    file,
+                    contract: contractName,
+                    'function': fnName,
+                    line: fnLoc.line,
+                    endLine: sinkLoc.line || fnLoc.line,
+                    column: fnLoc.column,
+                    pattern: PATTERN,
+                    confidence: 'high',
+                    ruleId: RULE_ID,
+                    severity: 'error',
+                    message: `Lack of input validation reentrancy in '${contractName}.${fnName}': caller-supplied callback target is invoked without prior allowlist validation, reentrancy guard, or access control.`,
+                    rationale: 'Mirrors the 2023-12-16 GoodDollar exploit shape: an externally callable function dispatches an external callback to a caller-supplied address before any allowlist validation, with no nonReentrant or access-control modifier — the attacker passes their own contract address and reenters mid-callback.',
+                    suggestedFix: 'Validate every caller-supplied callback target against a trusted allowlist before the external call, add a nonReentrant guard, or restrict the path with access control. Also ensure all dependent accounting is finalized before the external interaction (CEI).',
+                    contractName,
+                    functionName: fnName,
+                    sourceLocation: { line: fnLoc.line, column: fnLoc.column },
+                    findingId: '',
+                    contractHash: '',
+                    provenance: PROVENANCE,
+                    source: PROVENANCE,
+                });
+            }
+        }
+        return findings;
+    }
+}
+exports.LackOfInputValidationReentrancyDetector = LackOfInputValidationReentrancyDetector;
+function propagateAliases(body, tainted) {
+    let changed = true;
+    while (changed) {
+        changed = false;
+        walk(body, node => {
+            if (isNode(node, 'VariableDeclarationStatement')) {
+                const init = node.initialValue ?? node.initialvalue;
+                if (!init || !isDirectAccessExpr(init))
+                    return;
+                const path = collectAccessPath(init);
+                if (!path)
+                    return;
+                const root = pathRoot(path);
+                if (!tainted.has(root))
+                    return;
+                for (const decl of getVariableDeclarations(node)) {
+                    const dname = String(decl?.name || '');
+                    if (dname && !tainted.has(dname)) {
+                        tainted.add(dname);
+                        changed = true;
+                    }
+                }
+                return;
+            }
+            if (isAssignmentNode(node)) {
+                const right = getBinaryRight(node);
+                if (!right || !isDirectAccessExpr(right))
+                    return;
+                const path = collectAccessPath(right);
+                if (!path)
+                    return;
+                const root = pathRoot(path);
+                if (!tainted.has(root))
+                    return;
+                for (const name of collectAssignTargets(getBinaryLeft(node))) {
+                    if (!tainted.has(name)) {
+                        tainted.add(name);
+                        changed = true;
+                    }
+                }
+            }
+        });
+    }
+}
+function walkStmtsInOrder(body, tainted, validated, sinkRef) {
+    if (sinkRef.node)
+        return;
+    if (!body || typeof body !== 'object')
+        return;
+    const stmts = getBlockStatements(body);
+    if (stmts.length === 0)
+        return;
+    for (const stmt of stmts) {
+        if (sinkRef.node)
+            return;
+        processStmtInOrder(stmt, tainted, validated, sinkRef);
+    }
+}
+function processStmtInOrder(stmt, tainted, validated, sinkRef) {
+    if (sinkRef.node)
+        return;
+    if (!stmt || typeof stmt !== 'object')
+        return;
+    if (isRequireOrAssertStmt(stmt)) {
+        for (const path of collectAllowlistValidatedPaths(stmt, tainted)) {
+            validated.add(path);
+        }
+        return;
+    }
+    if (isNode(stmt, 'IfStatement')) {
+        const trueBody = stmt.trueBody ?? stmt.trueStatement ?? null;
+        const falseBody = stmt.falseBody ?? stmt.falseStatement ?? null;
+        if (trueBody)
+            descendBranch(trueBody, tainted, validated, sinkRef);
+        if (sinkRef.node)
+            return;
+        if (falseBody)
+            descendBranch(falseBody, tainted, validated, sinkRef);
+        return;
+    }
+    if (isNode(stmt, 'ForStatement')) {
+        const inner = stmt.body;
+        if (inner)
+            descendBranch(inner, tainted, validated, sinkRef);
+        return;
+    }
+    if (isNode(stmt, 'WhileStatement') || isNode(stmt, 'DoWhileStatement')) {
+        const inner = stmt.body;
+        if (inner)
+            descendBranch(inner, tainted, validated, sinkRef);
+        return;
+    }
+    if (isNode(stmt, 'Block') || isNode(stmt, 'UncheckedBlock')) {
+        walkStmtsInOrder(stmt, tainted, validated, sinkRef);
+        return;
+    }
+    if (isNode(stmt, 'TryStatement')) {
+        const externalCall = stmt.externalCall;
+        if (externalCall)
+            checkSinkInExpr(externalCall, tainted, validated, sinkRef);
+        if (sinkRef.node)
+            return;
+        const innerBody = stmt.body;
+        if (innerBody)
+            descendBranch(innerBody, tainted, validated, sinkRef);
+        if (sinkRef.node)
+            return;
+        for (const clause of stmt.clauses || []) {
+            const clauseBlock = clause?.block || clause?.body;
+            if (clauseBlock)
+                descendBranch(clauseBlock, tainted, validated, sinkRef);
+            if (sinkRef.node)
+                return;
+        }
+        return;
+    }
+    checkSinkInExpr(stmt, tainted, validated, sinkRef);
+}
+function descendBranch(node, tainted, validated, sinkRef) {
+    if (sinkRef.node)
+        return;
+    if (!node || typeof node !== 'object')
+        return;
+    if (getBlockStatements(node).length > 0) {
+        walkStmtsInOrder(node, tainted, validated, sinkRef);
+        return;
+    }
+    processStmtInOrder(node, tainted, validated, sinkRef);
+}
+function checkSinkInExpr(node, tainted, validated, sinkRef) {
+    if (sinkRef.node)
+        return;
+    walkAny(node, n => {
+        if (sinkRef.node)
+            return true;
+        if (!isFunctionCall(n))
+            return false;
+        const target = getCallbackTargetExpression(n);
+        if (!target)
+            return false;
+        const path = collectAccessPath(target);
+        if (!path)
+            return false;
+        const root = pathRoot(path);
+        if (!tainted.has(root))
+            return false;
+        if (validated.has(path) || validated.has(root))
+            return false;
+        sinkRef.node = n;
+        return true;
+    });
+}
+function getCallbackTargetExpression(call) {
+    let callee = call?.expression;
+    if (isNode(callee, 'NameValueExpression'))
+        callee = callee.expression;
+    if (isNode(callee, 'FunctionCallOptions'))
+        callee = callee.expression;
+    if (!isNode(callee, 'MemberAccess'))
+        return null;
+    const memberName = String(callee.memberName || '');
+    const inner = callee.expression;
+    if (memberName === 'call' || memberName === 'delegatecall' || memberName === 'staticcall') {
+        return inner || null;
+    }
+    if (isFunctionCall(inner)) {
+        const args = getCallArguments(inner);
+        if (args.length === 1) {
+            const typeExpr = inner.expression;
+            if (isNode(typeExpr, 'Identifier') ||
+                isNode(typeExpr, 'ElementaryTypeName') ||
+                isNode(typeExpr, 'ElementaryTypeNameExpression')) {
+                return args[0] || null;
+            }
+        }
+    }
+    return null;
+}
+function isRequireOrAssertStmt(stmt) {
+    if (!isNode(stmt, 'ExpressionStatement'))
+        return false;
+    const expr = stmt.expression;
+    if (!isFunctionCall(expr))
+        return false;
+    const callee = expr.expression;
+    if (!isNode(callee, 'Identifier'))
+        return false;
+    const name = String(callee.name || '').toLowerCase();
+    return name === 'require' || name === 'assert';
+}
+function collectAllowlistValidatedPaths(stmt, tainted) {
+    const out = new Set();
+    if (!isNode(stmt, 'ExpressionStatement'))
+        return out;
+    const expr = stmt.expression;
+    if (!isFunctionCall(expr))
+        return out;
+    const args = getCallArguments(expr);
+    if (args.length === 0)
+        return out;
+    const cond = args[0];
+    walkAny(cond, n => {
+        if (!isNode(n, 'IndexAccess'))
+            return false;
+        const base = n.base ?? n.baseExpression;
+        if (!isNode(base, 'Identifier'))
+            return false;
+        const mappingName = String(base.name || '');
+        if (!ALLOWLIST_MAPPING_RE.test(mappingName))
+            return false;
+        const idx = n.index ?? n.indexExpression;
+        if (!idx)
+            return false;
+        const path = collectAccessPath(idx);
+        if (!path)
+            return false;
+        const root = pathRoot(path);
+        if (!tainted.has(root))
+            return false;
+        if (path.endsWith('.length'))
+            return false;
+        out.add(path);
+        return false;
+    });
+    return out;
+}
+function hasPostCallStateWrite(body, sink) {
+    const sinkStart = getStartOffset(sink);
+    if (sinkStart === null)
+        return true;
+    let result = false;
+    walk(body, n => {
+        if (result)
+            return;
+        if (!isAssignmentLike(n))
+            return;
+        const lhs = getBinaryLeft(n);
+        if (!lhs)
+            return;
+        if (!isNode(lhs, 'IndexAccess') && !isNode(lhs, 'MemberAccess'))
+            return;
+        const start = getStartOffset(n);
+        if (start === null)
+            return;
+        if (start > sinkStart)
+            result = true;
+    });
+    return result;
+}
+function isAssignmentLike(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (isNode(node, 'Assignment'))
+        return true;
+    if (!isNode(node, 'BinaryOperation'))
+        return false;
+    const op = String(node.operator || '');
+    return op === '=' || op === '+=' || op === '-=' || op === '*=' || op === '/=' ||
+        op === '%=' || op === '&=' || op === '|=' || op === '^=' || op === '<<=' || op === '>>=';
+}
+function getStartOffset(node) {
+    if (!node || typeof node !== 'object')
+        return null;
+    if (Array.isArray(node.range) && Number.isFinite(node.range[0]))
+        return Number(node.range[0]);
+    if (typeof node.src === 'string') {
+        const offset = Number(String(node.src).split(':')[0]);
+        if (Number.isFinite(offset) && offset >= 0)
+            return offset;
+    }
+    return null;
+}
+function isDirectAccessExpr(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    return (isNode(node, 'Identifier') ||
+        isNode(node, 'MemberAccess') ||
+        isNode(node, 'IndexAccess'));
+}
+function pathRoot(path) {
+    return path.split(/[.\[]/)[0];
+}
+function collectAccessPath(node) {
+    if (!node || typeof node !== 'object')
+        return null;
+    if (isNode(node, 'Identifier'))
+        return node.name ? String(node.name) : null;
+    if (isNode(node, 'MemberAccess')) {
+        const base = collectAccessPath(node.expression);
+        if (!base || !node.memberName)
+            return null;
+        return `${base}.${String(node.memberName)}`;
+    }
+    if (isNode(node, 'IndexAccess')) {
+        const base = collectAccessPath(node.base ?? node.baseExpression);
+        if (!base)
+            return null;
+        return `${base}[]`;
+    }
+    return null;
+}
+function getVariableDeclarations(stmt) {
+    if (Array.isArray(stmt?.variables))
+        return stmt.variables;
+    if (Array.isArray(stmt?.declarations))
+        return stmt.declarations;
+    return [];
+}
+function collectAssignTargets(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    if (isNode(node, 'Identifier'))
+        return node.name ? [String(node.name)] : [];
+    if (isNode(node, 'TupleExpression')) {
+        return (node.components || node.elements || []).flatMap((c) => collectAssignTargets(c));
+    }
+    return [];
+}
+function isAssignmentNode(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (isNode(node, 'Assignment'))
+        return true;
+    if (!isNode(node, 'BinaryOperation'))
+        return false;
+    const op = String(node.operator || '');
+    return op === '=';
+}
+function getBinaryLeft(node) {
+    return node?.left ?? node?.leftExpression ?? node?.leftHandSide;
+}
+function getBinaryRight(node) {
+    return node?.right ?? node?.rightExpression ?? node?.rightHandSide;
+}
+function hasAccessControlModifier(fn) {
+    for (const m of fn?.modifiers || []) {
+        const name = getModifierName(m).toLowerCase();
+        if (ACCESS_CONTROL_MODIFIERS.has(name))
+            return true;
+    }
+    return false;
+}
+function hasNonReentrantModifier(fn) {
+    for (const m of fn?.modifiers || []) {
+        const name = getModifierName(m).toLowerCase();
+        if (NONREENTRANT_MODIFIERS.has(name))
+            return true;
+    }
+    return false;
+}
+function getModifierName(modifier) {
+    if (!modifier)
+        return '';
+    if (typeof modifier === 'string')
+        return modifier;
+    if (typeof modifier.name === 'string')
+        return modifier.name;
+    if (modifier.name && typeof modifier.name === 'object') {
+        if (typeof modifier.name.name === 'string')
+            return modifier.name.name;
+        if (typeof modifier.name.namePath === 'string')
+            return modifier.name.namePath;
+    }
+    if (modifier.modifierName) {
+        const inner = modifier.modifierName;
+        if (typeof inner === 'string')
+            return inner;
+        if (inner && typeof inner.name === 'string')
+            return inner.name;
+    }
+    return '';
+}
+function isExternallyCallable(fn) {
+    if (!fn)
+        return false;
+    if (fn.isConstructor === true)
+        return false;
+    const kind = String(fn.kind || fn.functionKind || '').toLowerCase();
+    if (kind === 'constructor')
+        return false;
+    if (fn.isFallback === true || fn.isReceiveEther === true)
+        return false;
+    const visibility = String(fn.visibility || '').toLowerCase();
+    return visibility === 'public' || visibility === 'external';
+}
+function isInterfaceLike(contract) {
+    const kind = String(contract?.kind || contract?.contractKind || '').toLowerCase();
+    return kind === 'interface' || kind === 'library';
+}
+function getFunctionBody(fn) {
+    return fn?.body || null;
+}
+function getBlockStatements(body) {
+    if (!body || typeof body !== 'object')
+        return [];
+    if (Array.isArray(body.statements))
+        return body.statements;
+    return [];
+}
+function getParameters(fn) {
+    if (Array.isArray(fn?.parameters))
+        return fn.parameters;
+    if (Array.isArray(fn?.parameters?.parameters))
+        return fn.parameters.parameters;
+    return [];
+}
+function getCallArguments(node) {
+    return Array.isArray(node?.arguments) ? node.arguments : [];
+}
+function isFunctionCall(n) {
+    return isNode(n, 'FunctionCall');
+}
+function isNode(node, kind) {
+    return node?.type === kind || node?.nodeType === kind;
+}
+function getName(node) {
+    return typeof node?.name === 'string' ? node.name : '';
+}
+function functionDisplayName(fn) {
+    return getName(fn) || '<anonymous>';
+}
+function getContractFunctions(contract) {
+    return getContractMembers(contract).filter(c => isNode(c, 'FunctionDefinition'));
+}
+function getContractMembers(contract) {
+    if (!contract || typeof contract !== 'object')
+        return [];
+    if (Array.isArray(contract.subNodes))
+        return contract.subNodes;
+    if (Array.isArray(contract.nodes))
+        return contract.nodes;
+    return [];
+}
+function collectContracts(ast) {
+    const out = [];
+    walkContracts(ast, n => out.push(n));
+    return out;
+}
+function walkContracts(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (isNode(node, 'ContractDefinition')) {
+        visit(node);
+        return;
+    }
+    for (const child of childrenOf(node))
+        walkContracts(child, visit);
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const child of childrenOf(node))
+        walk(child, visit);
+}
+function walkAny(node, predicate) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (predicate(node))
+        return true;
+    for (const child of childrenOf(node)) {
+        if (walkAny(child, predicate))
+            return true;
+    }
+    return false;
+}
+function childrenOf(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const out = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'src' || key === 'range' || key === 'typeDescriptions' || key === 'id')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    out.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+function buildLineOffsets(sourceText) {
+    if (sourceText === undefined)
+        return undefined;
+    const offsets = [0];
+    let byteOffset = 0;
+    for (const ch of sourceText) {
+        byteOffset += Buffer.byteLength(ch, 'utf8');
+        if (ch === '\n')
+            offsets.push(byteOffset);
+    }
+    return offsets;
+}
+function getLoc(node, lineOffsets) {
+    if (node?.loc?.start)
+        return { line: node.loc.start.line || 0, column: node.loc.start.column || 0 };
+    if (!node?.src || !lineOffsets)
+        return undefined;
+    const [offsetRaw] = String(node.src).split(':');
+    const offset = Number(offsetRaw);
+    if (!Number.isFinite(offset) || offset < 0)
+        return undefined;
+    return byteOffsetToLineColumn(offset, lineOffsets);
+}
+function byteOffsetToLineColumn(byteOffset, lineOffsets) {
+    let low = 0;
+    let high = lineOffsets.length - 1;
+    let lineIdx = 0;
+    while (low <= high) {
+        const mid = Math.floor((low + high) / 2);
+        if (lineOffsets[mid] <= byteOffset) {
+            lineIdx = mid;
+            low = mid + 1;
+        }
+        else {
+            high = mid - 1;
+        }
+    }
+    return { line: lineIdx + 1, column: byteOffset - lineOffsets[lineIdx] };
+}
+//# sourceMappingURL=lack-of-input-validation-reentrancy.js.map

package/dist/detectors/lack-of-slippage-control.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class LackOfSlippageControlDetector {
+    readonly id = "lack-of-slippage-control";
+    readonly patternKey = "lack-of-slippage-control";
+    readonly supportedAstKinds: ("parser" | "solc")[];
+    scanAst(ast: any, file: string, sourceText?: string): ScanResult[];
+}