@snovon/solast 0.2.0

package/dist/detectors/lack-of-validation-userdata.js

@@ -0,0 +1,583 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LackOfValidationUserdataDetector = void 0;
+const RULE_ID = 'lack-of-validation-userdata';
+class LackOfValidationUserdataDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser', 'solc'];
+    scanAst(ast, file, sourceText) {
+        if (!ast || typeof ast !== 'object')
+            return [];
+        const findings = [];
+        const lineOffsets = buildLineOffsets(sourceText);
+        const seen = new Set();
+        walkContracts(ast, contractNode => {
+            const contractName = getName(contractNode) || '<anonymous>';
+            for (const fn of getContractFunctions(contractNode)) {
+                if (!isExternallyCallable(fn))
+                    continue;
+                if (hasRecognizedGuardModifier(fn))
+                    continue;
+                const body = getFunctionBody(fn);
+                if (!body)
+                    continue;
+                const bytesParams = getBytesParameterNames(fn);
+                if (bytesParams.size === 0)
+                    continue;
+                const tainted = new Set(bytesParams);
+                let sawAbiDecodeOfTainted = false;
+                let sawAuthorityGuard = false;
+                // Walk in source order to track abi.decode and validation order.
+                const validatedFields = new Set();
+                const statements = getBlockStatements(body);
+                const sinks = [];
+                for (const stmt of statements) {
+                    // Track abi.decode(taintedBytes, ...) -> bind result variable as tainted.
+                    collectAbiDecodeAssignments(stmt, tainted, () => { sawAbiDecodeOfTainted = true; });
+                    // Track inline taint propagation through ordinary assignments.
+                    collectAssignmentTaint(stmt, tainted);
+                    // Track explicit field validation: require/if conditions referencing tainted variables.
+                    for (const validated of collectValidatedFields(stmt, tainted)) {
+                        validatedFields.add(validated);
+                    }
+                    // Detect a top-level authority guard like `require(msg.sender == owner)`
+                    // BEFORE evaluating sinks for this statement. Once a guard appears, all
+                    // following statements (including any sinks) are suppressed; sinks that
+                    // appeared earlier in source order are still reported, since a guard
+                    // placed after a sink does not retroactively protect it.
+                    if (!sawAuthorityGuard && isAuthorityMsgSenderGuard(stmt, tainted)) {
+                        sawAuthorityGuard = true;
+                        continue;
+                    }
+                    if (sawAuthorityGuard)
+                        continue;
+                    // Detect sinks in this statement.
+                    for (const sink of findSinksInStatement(stmt, tainted, validatedFields)) {
+                        sinks.push(sink);
+                    }
+                }
+                if (!sawAbiDecodeOfTainted)
+                    continue;
+                if (sinks.length === 0)
+                    continue;
+                for (const sink of sinks) {
+                    const fnName = getName(fn) || '<anonymous>';
+                    const loc = getLoc(sink.node, lineOffsets);
+                    const line = loc?.line || 0;
+                    const column = loc?.column || 0;
+                    const key = `${file}:${line}:${column}:${sink.pattern}`;
+                    if (seen.has(key))
+                        continue;
+                    seen.add(key);
+                    findings.push({
+                        file,
+                        contract: contractName,
+                        'function': fnName,
+                        line,
+                        endLine: line,
+                        column,
+                        pattern: sink.pattern,
+                        confidence: 'medium',
+                        ruleId: RULE_ID,
+                        severity: 'warning',
+                        message: `Lack of validation on user data in '${contractName}.${fnName}': caller-supplied bytes are abi.decode-d into fields that reach a privileged sink without recipient/target validation or access control.`,
+                        rationale: 'Mirrors the 2024-02-01 affinedefi exploit shape: an unguarded function decodes attacker-supplied bytes and forwards the decoded token / recipient / amount to a transfer or low-level call, letting the caller drain pre-approved balances.',
+                        suggestedFix: 'Validate the decoded fields before any transfer or call (allowlist tokens / recipients, gate by msg.sender, or require an expected selector), or restrict the function with onlyOwner / onlyRole / nonReentrant + receiver pinning.',
+                        contractName,
+                        functionName: fnName,
+                        sourceLocation: { line, column },
+                        findingId: '',
+                        contractHash: '',
+                    });
+                }
+            }
+        });
+        return findings;
+    }
+}
+exports.LackOfValidationUserdataDetector = LackOfValidationUserdataDetector;
+function getBytesParameterNames(fn) {
+    const names = new Set();
+    for (const param of getParameters(fn)) {
+        if (!param || typeof param !== 'object')
+            continue;
+        if (!isBytesType(param.typeName))
+            continue;
+        if (param.name)
+            names.add(String(param.name));
+    }
+    return names;
+}
+function getParameters(fn) {
+    if (Array.isArray(fn?.parameters))
+        return fn.parameters;
+    const inner = fn?.parameters?.parameters;
+    if (Array.isArray(inner))
+        return inner;
+    return [];
+}
+function isBytesType(typeName) {
+    if (!typeName || typeof typeName !== 'object')
+        return false;
+    const name = typeName.name || typeName.typeDescriptions?.typeString || '';
+    if (typeof name !== 'string')
+        return false;
+    // Match `bytes` and `bytes calldata` / `bytes memory`. Excludes `bytesNN` (fixed-size).
+    return /^bytes(\s|$)/.test(name) || name === 'bytes';
+}
+function collectAbiDecodeAssignments(stmt, tainted, onMatch) {
+    if (!stmt || typeof stmt !== 'object')
+        return;
+    // VariableDeclarationStatement: parser uses `variables`, solc uses `declarations`.
+    if (isNode(stmt, 'VariableDeclarationStatement')) {
+        const init = stmt.initialValue;
+        if (isAbiDecodeOfTainted(init, tainted)) {
+            onMatch();
+            const decls = (Array.isArray(stmt.variables) && stmt.variables) ||
+                (Array.isArray(stmt.declarations) && stmt.declarations) || [];
+            for (const decl of decls) {
+                if (decl?.name)
+                    tainted.add(String(decl.name));
+            }
+        }
+    }
+    // (a, b) = abi.decode(...) shows up as ExpressionStatement(Assignment).
+    if (isNode(stmt, 'ExpressionStatement')) {
+        const expr = stmt.expression;
+        if (isAssignmentNode(expr) && isAbiDecodeOfTainted(getBinaryRight(expr), tainted)) {
+            onMatch();
+            collectAssignTargets(getBinaryLeft(expr)).forEach(name => tainted.add(name));
+        }
+    }
+}
+function collectAssignmentTaint(stmt, tainted) {
+    walk(stmt, node => {
+        if (!isAssignmentNode(node))
+            return;
+        const right = getBinaryRight(node);
+        if (!referencesTainted(right, tainted))
+            return;
+        for (const name of collectAssignTargets(getBinaryLeft(node)))
+            tainted.add(name);
+    });
+}
+function collectAssignTargets(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    if (isNode(node, 'Identifier'))
+        return node.name ? [String(node.name)] : [];
+    if (isNode(node, 'TupleExpression')) {
+        const components = node.components || node.elements || [];
+        return components.flatMap((c) => collectAssignTargets(c));
+    }
+    return [];
+}
+function isAbiDecodeOfTainted(expr, tainted) {
+    if (!isNode(expr, 'FunctionCall'))
+        return false;
+    const callee = expr.expression;
+    if (!isNode(callee, 'MemberAccess'))
+        return false;
+    if (callee.memberName !== 'decode')
+        return false;
+    const base = callee.expression;
+    if (!isNode(base, 'Identifier') || base.name !== 'abi')
+        return false;
+    const args = expr.arguments || [];
+    if (args.length === 0)
+        return false;
+    return referencesTainted(args[0], tainted);
+}
+function referencesTainted(node, tainted) {
+    return walkAny(node, n => isNode(n, 'Identifier') && tainted.has(String(n.name || '')));
+}
+function collectValidatedFields(stmt, tainted) {
+    const validated = new Set();
+    // Top-level require(...) / assert(...) referencing tainted -> validates the
+    // specific access path, e.g. `p.token` rather than just root `p`, so a check
+    // on one decoded field does not silently cover the others.
+    if (isNode(stmt, 'ExpressionStatement') && isNode(stmt.expression, 'FunctionCall')) {
+        const calleeName = getCalleeIdentifierName(stmt.expression.expression).toLowerCase();
+        if (calleeName === 'require' || calleeName === 'assert') {
+            for (const arg of stmt.expression.arguments || []) {
+                for (const path of collectTaintedAccessPaths(arg, tainted))
+                    validated.add(path);
+            }
+        }
+    }
+    // if (cond) revert / if (...) on tainted: recognize as validation-of-path.
+    if (isNode(stmt, 'IfStatement')) {
+        for (const path of collectTaintedAccessPaths(stmt.condition, tainted))
+            validated.add(path);
+    }
+    return validated;
+}
+function collectAccessPath(node) {
+    if (!node || typeof node !== 'object')
+        return null;
+    if (isNode(node, 'Identifier'))
+        return node.name ? String(node.name) : null;
+    if (isNode(node, 'MemberAccess')) {
+        const base = collectAccessPath(node.expression);
+        if (!base)
+            return null;
+        const member = node.memberName ? String(node.memberName) : '';
+        if (!member)
+            return null;
+        return `${base}.${member}`;
+    }
+    return null;
+}
+function collectTaintedAccessPaths(node, tainted) {
+    const out = [];
+    function visit(n) {
+        if (!n || typeof n !== 'object')
+            return;
+        if (isNode(n, 'MemberAccess')) {
+            const path = collectAccessPath(n);
+            if (path) {
+                const root = path.split('.')[0];
+                if (tainted.has(root)) {
+                    out.push(path);
+                    return;
+                }
+            }
+            // Path not constructible (e.g. base is a FunctionCall like IERC20(p.t))
+            // or the base root isn't tainted — recurse so we still find tainted
+            // sub-expressions like `p.t` inside `IERC20(p.t).transferFrom`.
+            for (const child of childrenOf(n))
+                visit(child);
+            return;
+        }
+        if (isNode(n, 'Identifier')) {
+            const name = String(n.name || '');
+            if (name && tainted.has(name))
+                out.push(name);
+            return;
+        }
+        for (const child of childrenOf(n))
+            visit(child);
+    }
+    visit(node);
+    return out;
+}
+function findSinksInStatement(stmt, tainted, validated) {
+    const sinks = [];
+    walk(stmt, node => {
+        if (!isNode(node, 'FunctionCall'))
+            return;
+        const tokenSink = matchTokenTransferSink(node, tainted, validated);
+        if (tokenSink) {
+            sinks.push(tokenSink);
+            return;
+        }
+        const callSink = matchLowLevelCallSink(node, tainted, validated);
+        if (callSink) {
+            sinks.push(callSink);
+            return;
+        }
+    });
+    return sinks;
+}
+function matchTokenTransferSink(call, tainted, validated) {
+    const callee = call.expression;
+    if (!isNode(callee, 'MemberAccess'))
+        return null;
+    const member = String(callee.memberName || '');
+    if (member !== 'transfer' && member !== 'transferFrom' && member !== 'safeTransfer' && member !== 'safeTransferFrom') {
+        return null;
+    }
+    const args = call.arguments || [];
+    // Native ETH transfer is .transfer(amount) (1 arg); we only flag ERC20-shape (2 or 3 args).
+    if (member === 'transfer' || member === 'safeTransfer') {
+        if (args.length < 2)
+            return null;
+    }
+    else {
+        if (args.length < 3)
+            return null;
+    }
+    // For transferFrom / safeTransferFrom both `from` (args[0]) and `to` (args[1])
+    // are dangerous when caller-controlled: an attacker who pins themselves as `to`
+    // but leaves `from` unvalidated can still drain a victim's pre-existing approval.
+    let argTainted;
+    if (member === 'transferFrom' || member === 'safeTransferFrom') {
+        argTainted = anyTaintedRootUnvalidated(args[0], tainted, validated) ||
+            anyTaintedRootUnvalidated(args[1], tainted, validated);
+    }
+    else {
+        argTainted = anyTaintedRootUnvalidated(args[0], tainted, validated);
+    }
+    // The token (base of member access) being a tainted decoded field is also a strong signal.
+    const tokenBaseTainted = isTokenBaseTainted(callee.expression, tainted, validated);
+    if (!argTainted && !tokenBaseTainted)
+        return null;
+    return { node: call, pattern: 'lack-of-validation-userdata/decoded-token-transfer' };
+}
+function matchLowLevelCallSink(call, tainted, validated) {
+    let callee = call.expression;
+    // peel off { value: ... } options wrappers
+    if (isNode(callee, 'NameValueExpression') || isNode(callee, 'FunctionCallOptions')) {
+        callee = callee.expression;
+    }
+    if (!isNode(callee, 'MemberAccess'))
+        return null;
+    const member = String(callee.memberName || '');
+    if (member !== 'call' && member !== 'delegatecall' && member !== 'staticcall')
+        return null;
+    const target = callee.expression;
+    const args = call.arguments || [];
+    const targetTainted = anyTaintedRootUnvalidated(target, tainted, validated);
+    const dataTainted = args.some((a) => anyTaintedRootUnvalidated(a, tainted, validated));
+    if (!targetTainted || !dataTainted)
+        return null;
+    return { node: call, pattern: 'lack-of-validation-userdata/decoded-low-level-call' };
+}
+function isTokenBaseTainted(expr, tainted, validated) {
+    // IERC20(decoded.token).transfer(...) -> base is FunctionCall whose argument is tainted.
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if (isNode(expr, 'FunctionCall')) {
+        return (expr.arguments || []).some((a) => anyTaintedRootUnvalidated(a, tainted, validated));
+    }
+    return anyTaintedRootUnvalidated(expr, tainted, validated);
+}
+function anyTaintedRootUnvalidated(expr, tainted, validated) {
+    // Access-path-aware: a validation of `p.token` does not suppress a tainted
+    // `p.from` reference — only the specific access path that was constrained
+    // counts as validated. Simple identifiers (e.g. `uint256 x = abi.decode(...)`
+    // followed by `require(x < MAX)`) act as their own access path.
+    for (const path of collectTaintedAccessPaths(expr, tainted)) {
+        if (!validated.has(path))
+            return true;
+    }
+    return false;
+}
+// Recognize a top-level `require(msg.sender == AUTHORITY)` / `assert(...)` where
+// AUTHORITY is a trusted state-side expression (owner / admin / governance /
+// role helper, etc.) — never a tainted decoded field. This narrowly classifies
+// genuine whole-function access control while letting recipient-style guards
+// such as `require(decoded.to == msg.sender)` fall through to access-path
+// validation, where they only mark the specific decoded field as validated.
+function isAuthorityMsgSenderGuard(stmt, tainted) {
+    if (!isNode(stmt, 'ExpressionStatement'))
+        return false;
+    const expr = stmt.expression;
+    if (!isNode(expr, 'FunctionCall'))
+        return false;
+    const calleeName = getCalleeIdentifierName(expr.expression).toLowerCase();
+    if (calleeName !== 'require' && calleeName !== 'assert')
+        return false;
+    for (const arg of expr.arguments || []) {
+        if (isMsgSenderAuthorityEquality(arg, tainted))
+            return true;
+    }
+    return false;
+}
+function isMsgSenderAuthorityEquality(expr, tainted) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if (!isBinaryOpNode(expr))
+        return false;
+    if (expr.operator !== '==' && expr.operator !== '===')
+        return false;
+    const left = getBinaryLeft(expr);
+    const right = getBinaryRight(expr);
+    if (isMsgSender(left) && isTrustedAuthorityExpression(right, tainted))
+        return true;
+    if (isMsgSender(right) && isTrustedAuthorityExpression(left, tainted))
+        return true;
+    return false;
+}
+// `msg.sender` plus the OZ Context equivalent `_msgSender()` (no-arg call).
+function isMsgSender(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (isNode(node, 'MemberAccess') &&
+        node.memberName === 'sender' &&
+        isNode(node.expression, 'Identifier') &&
+        node.expression.name === 'msg')
+        return true;
+    if (isNode(node, 'FunctionCall')) {
+        const callee = node.expression;
+        if (isNode(callee, 'Identifier') && callee.name === '_msgSender') {
+            return (node.arguments || []).length === 0;
+        }
+    }
+    return false;
+}
+const AUTHORITY_KEYWORDS = /(owner|admin|authori|governance|governor|treasury|multisig|custodian|guardian|council|operator|trustee)/i;
+function isTrustedAuthorityExpression(expr, tainted) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    const path = collectAccessPath(expr);
+    if (path) {
+        const root = path.split('.')[0];
+        // A tainted decoded field (e.g. `p.recipient`, `decoded.to`) is never an
+        // authority — guarding against it is recipient-pinning, not access control.
+        if (tainted.has(root))
+            return false;
+        return AUTHORITY_KEYWORDS.test(path);
+    }
+    return false;
+}
+function hasRecognizedGuardModifier(fn) {
+    for (const modifier of fn.modifiers || []) {
+        const name = getModifierName(modifier).toLowerCase();
+        if (name === 'onlyowner' || name === 'onlyrole' || name === 'onlyadmin' ||
+            name === 'authorized' || name === 'onlyauthorized')
+            return true;
+    }
+    return false;
+}
+function getModifierName(modifier) {
+    if (!modifier)
+        return '';
+    if (typeof modifier === 'string')
+        return modifier;
+    if (modifier.modifierName) {
+        const inner = modifier.modifierName;
+        if (typeof inner === 'string')
+            return inner;
+        if (inner.name)
+            return String(inner.name);
+    }
+    if (modifier.name) {
+        if (typeof modifier.name === 'string')
+            return modifier.name;
+        if (modifier.name.name)
+            return String(modifier.name.name);
+        if (modifier.name.namePath)
+            return String(modifier.name.namePath);
+    }
+    return '';
+}
+function getCalleeIdentifierName(expr) {
+    if (!expr)
+        return '';
+    if (isNode(expr, 'Identifier'))
+        return expr.name || '';
+    return '';
+}
+function isAssignmentNode(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (isNode(node, 'Assignment'))
+        return true;
+    if (!isNode(node, 'BinaryOperation'))
+        return false;
+    const op = String(node.operator || '');
+    return op === '=' || op === '+=' || op === '-=' || op === '*=' || op === '/=' ||
+        op === '%=' || op === '&=' || op === '|=' || op === '^=' || op === '<<=' || op === '>>=';
+}
+function isBinaryOpNode(node) {
+    return isNode(node, 'BinaryOperation') || isNode(node, 'Assignment');
+}
+function getBinaryLeft(node) {
+    return node?.left ?? node?.leftExpression ?? node?.leftHandSide;
+}
+function getBinaryRight(node) {
+    return node?.right ?? node?.rightExpression ?? node?.rightHandSide;
+}
+function isExternallyCallable(node) {
+    const kind = (node.kind || node.functionKind || '').toLowerCase();
+    if (kind === 'constructor' || node.isConstructor)
+        return false;
+    const visibility = String(node.visibility || '').toLowerCase();
+    return visibility === 'public' || visibility === 'external' || kind === 'fallback' || kind === 'receive';
+}
+function getContractFunctions(contractNode) {
+    return childrenOf(contractNode).filter(child => isNode(child, 'FunctionDefinition'));
+}
+function getFunctionBody(node) {
+    return node?.body || null;
+}
+function getBlockStatements(body) {
+    if (!body || typeof body !== 'object')
+        return [];
+    if (Array.isArray(body.statements))
+        return body.statements;
+    return [];
+}
+function getName(node) {
+    return node?.name || '';
+}
+function isNode(node, kind) {
+    return node?.type === kind || node?.nodeType === kind;
+}
+function walkContracts(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (isNode(node, 'ContractDefinition'))
+        visit(node);
+    for (const child of childrenOf(node))
+        walkContracts(child, visit);
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const child of childrenOf(node))
+        walk(child, visit);
+}
+function walkAny(node, predicate) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (predicate(node))
+        return true;
+    for (const child of childrenOf(node)) {
+        if (walkAny(child, predicate))
+            return true;
+    }
+    return false;
+}
+function childrenOf(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const children = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'src' || key === 'range' || key === 'typeDescriptions' || key === 'id')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    children.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            children.push(value);
+        }
+    }
+    return children;
+}
+function buildLineOffsets(sourceText) {
+    if (sourceText === undefined)
+        return undefined;
+    const lineOffsets = [0];
+    let byteOffset = 0;
+    for (const char of sourceText) {
+        byteOffset += Buffer.byteLength(char, 'utf8');
+        if (char === '\n')
+            lineOffsets.push(byteOffset);
+    }
+    return lineOffsets;
+}
+function getLoc(node, lineOffsets) {
+    if (node?.loc?.start)
+        return node.loc.start;
+    if (!node?.src || !lineOffsets)
+        return undefined;
+    const offset = Number(String(node.src).split(':')[0]);
+    if (!Number.isFinite(offset) || offset < 0)
+        return undefined;
+    let lineIndex = 0;
+    for (let i = 0; i < lineOffsets.length; i++) {
+        if (lineOffsets[i] <= offset)
+            lineIndex = i;
+        else
+            break;
+    }
+    return { line: lineIndex + 1, column: offset - lineOffsets[lineIndex] };
+}
+//# sourceMappingURL=lack-of-validation-userdata.js.map

package/dist/detectors/lack-of-validation.d.ts

@@ -0,0 +1,27 @@
+import type { ScanResult } from '../index';
+export declare class LackOfValidationDetector {
+    readonly id = "lack-of-validation";
+    readonly patternKey = "lack-of-validation";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "high";
+        help: string;
+    };
+    private currentFile;
+    private currentContract;
+    private findings;
+    private helpers;
+    private contractTypes;
+    private hasSafeErc20ForErc20;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(): void;
+    FunctionDefinition(node: any): void;
+    FunctionCall(_node: any): void;
+    private recordUsingFor;
+    private recordTypedVariable;
+}