@snovon/solast 0.2.0

package/dist/detectors/layerzero-dvn-quorum-missing.js

@@ -0,0 +1,464 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LayerZeroDvnQuorumMissingDetector = void 0;
+const ast_1 = require("./_common/ast");
+const access_control_1 = require("./_common/access-control");
+const RULE_ID = 'layerzero-dvn-quorum-missing';
+const RECEIVE_HANDLERS = new Set(['lzReceive', '_lzReceive']);
+const REQUIRE_LIKE = new Set(['require', 'assert']);
+const QUORUM_KEYWORDS = new Set(['dvn', 'dvns', 'quorum', 'threshold', 'verifier', 'verifiers', 'verified']);
+class LayerZeroDvnQuorumMissingDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'LayerZero v2 receive handler consumes payloads without a dominating DVN quorum guard.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'high',
+        help: 'Require a DVN verifier count, quorum approval, or threshold check before LayerZero v2 lzReceive/_lzReceive handlers decode or apply cross-chain payload data.',
+    };
+    currentFile = '';
+    currentContract = null;
+    findings = [];
+    setFile(file) {
+        this.currentFile = file;
+        this.currentContract = null;
+        this.findings = [];
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        if (node?.kind === 'interface' || node?.kind === 'library') {
+            this.currentContract = null;
+            return;
+        }
+        const modifiers = new Map();
+        for (const sub of node?.subNodes || []) {
+            if (!(0, ast_1.isNode)(sub, 'ModifierDefinition'))
+                continue;
+            const name = getNodeName(sub);
+            if (name)
+                modifiers.set(name, sub);
+        }
+        this.currentContract = {
+            name: node?.name || '<anonymous>',
+            node,
+            modifiers,
+        };
+    }
+    ContractDefinition_post(node) {
+        if (this.currentContract?.node === node) {
+            this.currentContract = null;
+        }
+    }
+    FunctionDefinition(node) {
+        if (!this.currentContract || !node?.body)
+            return;
+        const fnName = getNodeName(node);
+        if (!RECEIVE_HANDLERS.has(fnName))
+            return;
+        const params = collectReceiveParams(node);
+        if (!params.hasOriginParam)
+            return;
+        if (isPureSuperForwarder(node.body, fnName))
+            return;
+        const consumes = firstPayloadConsumption(node.body, params);
+        if (!consumes)
+            return;
+        if (hasDominatingQuorumGuard(node, params, this.currentContract.modifiers, consumes))
+            return;
+        const loc = (0, ast_1.assertLoc)(node, this.currentContract.node);
+        this.findings.push({
+            file: this.currentFile,
+            contract: this.currentContract.name,
+            'function': fnName,
+            line: loc.line,
+            endLine: loc.endLine,
+            column: loc.column,
+            endColumn: loc.endColumn,
+            pattern: RULE_ID,
+            confidence: 'medium',
+            category: 'vulnerability',
+            ruleId: RULE_ID,
+            severity: 'high',
+            message: `LayerZero v2 receive handler '${fnName}' consumes cross-chain payload data before enforcing a DVN quorum or verifier threshold.`,
+            rationale: 'Endpoint or owner checks do not prove that a sufficient LayerZero DVN quorum verified the message payload before it is decoded, emitted, or written into state.',
+            suggestedFix: 'Require a verifier-count, quorum-approval, or threshold predicate keyed to the received payload before decoding or applying the message.',
+            contractName: this.currentContract.name,
+            functionName: fnName,
+            sourceLocation: { line: loc.line, column: loc.column },
+            findingId: '',
+            contractHash: '',
+        });
+    }
+}
+exports.LayerZeroDvnQuorumMissingDetector = LayerZeroDvnQuorumMissingDetector;
+LayerZeroDvnQuorumMissingDetector.prototype['ContractDefinition:exit'] =
+    LayerZeroDvnQuorumMissingDetector.prototype.ContractDefinition_post;
+function collectReceiveParams(fn) {
+    const params = {
+        hasOriginParam: false,
+        originNames: new Set(),
+        messageNames: new Set(),
+        guidNames: new Set(),
+    };
+    const functionParams = Array.isArray(fn?.parameters) ? fn.parameters : [];
+    functionParams.forEach((param, index) => {
+        const isOrigin = isOriginType(param?.typeName);
+        if (isOrigin)
+            params.hasOriginParam = true;
+        const name = getNodeName(param);
+        if (!name)
+            return;
+        if (isOrigin)
+            params.originNames.add(name);
+        if (index === 1)
+            params.guidNames.add(name);
+        if (index === 2)
+            params.messageNames.add(name);
+    });
+    return params;
+}
+function isOriginType(typeName) {
+    if (!typeName)
+        return false;
+    const name = String(typeName.namePath || typeName.name || '');
+    return name === 'Origin';
+}
+function hasDominatingQuorumGuard(fn, params, modifiers, consumption) {
+    for (const modifier of fn?.modifiers || []) {
+        if ((0, access_control_1.hasRecognisedAccessControlModifier)({ modifiers: [modifier] }))
+            continue;
+        const modifierDef = modifiers.get(extractModifierName(modifier));
+        if (!modifierDef?.body)
+            continue;
+        const subbedParams = substituteModifierParams(modifierDef, modifier, params);
+        if (bodyHasLeadingQuorumGuard(modifierDef.body, subbedParams, null))
+            return true;
+    }
+    return bodyHasLeadingQuorumGuard(fn.body, params, consumption);
+}
+function substituteModifierParams(modifierDef, invocation, handlerParams) {
+    const out = {
+        hasOriginParam: handlerParams.hasOriginParam,
+        originNames: new Set(handlerParams.originNames),
+        messageNames: new Set(handlerParams.messageNames),
+        guidNames: new Set(handlerParams.guidNames),
+    };
+    const defParams = Array.isArray(modifierDef?.parameters) ? modifierDef.parameters : [];
+    const callArgs = Array.isArray(invocation?.arguments) ? invocation.arguments : [];
+    const upTo = Math.min(defParams.length, callArgs.length);
+    for (let i = 0; i < upTo; i += 1) {
+        const paramName = getNodeName(defParams[i]);
+        const arg = callArgs[i];
+        if (!paramName || !(0, ast_1.isNode)(arg, 'Identifier'))
+            continue;
+        const argName = String(arg.name || '');
+        if (!argName)
+            continue;
+        if (handlerParams.guidNames.has(argName))
+            out.guidNames.add(paramName);
+        if (handlerParams.messageNames.has(argName))
+            out.messageNames.add(paramName);
+        if (handlerParams.originNames.has(argName))
+            out.originNames.add(paramName);
+    }
+    return out;
+}
+function bodyHasLeadingQuorumGuard(body, params, stopNode) {
+    for (const statement of body?.statements || []) {
+        if (statement === stopNode)
+            return false;
+        if ((0, ast_1.isNode)(statement, 'PlaceholderStatement'))
+            continue;
+        if (statementProvidesQuorumGuard(statement, params))
+            return true;
+        if (statementConsumesPayload(statement, params))
+            return false;
+    }
+    return false;
+}
+function statementProvidesQuorumGuard(statement, params) {
+    if ((0, ast_1.isNode)(statement, 'ExpressionStatement')) {
+        const expr = statement.expression;
+        if ((0, ast_1.isNode)(expr, 'FunctionCall')) {
+            const callee = callName(expr.expression);
+            if (REQUIRE_LIKE.has(callee) && expr.arguments?.[0]) {
+                return conditionExpressesQuorum(expr.arguments[0], params, 'positive');
+            }
+            return isPayloadKeyedQuorumPredicate(expr, params);
+        }
+    }
+    if ((0, ast_1.isNode)(statement, 'IfStatement') && branchAlwaysReverts(statement.trueBody)) {
+        return conditionExpressesQuorum(statement.condition, params, 'revert');
+    }
+    return false;
+}
+function conditionExpressesQuorum(expr, params, mode) {
+    expr = unwrapExpression(expr);
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if ((0, ast_1.isNode)(expr, 'BinaryOperation')) {
+        const operator = String(expr.operator || '');
+        if (operator === '&&') {
+            if (mode === 'positive') {
+                return conditionExpressesQuorum(expr.left, params, mode) || conditionExpressesQuorum(expr.right, params, mode);
+            }
+            return conditionExpressesQuorum(expr.left, params, mode) && conditionExpressesQuorum(expr.right, params, mode);
+        }
+        if (operator === '||') {
+            if (mode === 'positive')
+                return false;
+            return conditionExpressesQuorum(expr.left, params, mode) || conditionExpressesQuorum(expr.right, params, mode);
+        }
+        return expressesPayloadKeyedThreshold(expr, params, mode);
+    }
+    if ((0, ast_1.isNode)(expr, 'UnaryOperation')) {
+        const nextMode = String(expr.operator || '') === '!' ? flipGuardMode(mode) : mode;
+        return conditionExpressesQuorum(expr.subExpression, params, nextMode);
+    }
+    if ((0, ast_1.isNode)(expr, 'FunctionCall')) {
+        return isPayloadKeyedQuorumPredicate(expr, params);
+    }
+    if ((0, ast_1.isNode)(expr, 'IndexAccess')) {
+        return isPayloadKeyedQuorumApproval(expr, params);
+    }
+    return false;
+}
+function flipGuardMode(mode) {
+    return mode === 'positive' ? 'revert' : 'positive';
+}
+function expressesPayloadKeyedThreshold(expr, params, mode) {
+    expr = unwrapExpression(expr);
+    if (!(0, ast_1.isNode)(expr, 'BinaryOperation'))
+        return false;
+    const operator = String(expr.operator || '');
+    const left = classifyQuorumSide(expr.left, params);
+    const right = classifyQuorumSide(expr.right, params);
+    if (mode === 'positive') {
+        if ((left === 'count' && right === 'threshold' && (operator === '>=' || operator === '>')) ||
+            (left === 'threshold' && right === 'count' && (operator === '<=' || operator === '<'))) {
+            return true;
+        }
+        return predicateComparisonIsQuorumProof(left, right, operator, true);
+    }
+    if ((left === 'count' && right === 'threshold' && (operator === '<' || operator === '<=')) ||
+        (left === 'threshold' && right === 'count' && (operator === '>' || operator === '>='))) {
+        return true;
+    }
+    return predicateComparisonIsQuorumProof(left, right, operator, false);
+}
+function predicateComparisonIsQuorumProof(left, right, operator, expectedValue) {
+    if (left === 'predicate' && right === 'other')
+        return booleanComparisonMatches(operator, expectedValue);
+    if (right === 'predicate' && left === 'other')
+        return booleanComparisonMatches(operator, expectedValue);
+    return false;
+}
+function booleanComparisonMatches(operator, expectedValue) {
+    if (expectedValue)
+        return operator === '==' || operator === '===';
+    return operator === '!=' || operator === '!==';
+}
+function classifyQuorumSide(expr, params) {
+    expr = unwrapExpression(expr);
+    if (isPayloadKeyedCount(expr, params))
+        return 'count';
+    if (isPayloadKeyedQuorumPredicate(expr, params))
+        return 'predicate';
+    if (isThresholdReference(expr))
+        return 'threshold';
+    return 'other';
+}
+function isPayloadKeyedQuorumPredicate(expr, params) {
+    expr = unwrapExpression(expr);
+    if (!(0, ast_1.isNode)(expr, 'FunctionCall'))
+        return false;
+    const callee = callName(expr.expression);
+    if (!sufficiencyPredicateName(callee) && !hasQuorumReference(expr.expression))
+        return false;
+    return anyArgumentMatches(expr.arguments || [], params);
+}
+function isPayloadKeyedQuorumApproval(expr, params) {
+    expr = unwrapExpression(expr);
+    if (!(0, ast_1.isNode)(expr, 'IndexAccess'))
+        return false;
+    if (!hasQuorumReference(expr.base || expr.expression))
+        return false;
+    return anyArgumentMatches([expr.index || expr.indexExpression], params);
+}
+function isPayloadKeyedCount(expr, params) {
+    expr = unwrapExpression(expr);
+    if (!anyArgumentMatches([expr], params))
+        return false;
+    return expressionHasToken(expr, (token) => (token === 'count' ||
+        token === 'confirmations' ||
+        token === 'confirmation' ||
+        token === 'verified' ||
+        token === 'verifier' ||
+        token === 'verifiers' ||
+        token === 'dvn' ||
+        token === 'dvns'));
+}
+function isThresholdReference(expr) {
+    expr = unwrapExpression(expr);
+    return expressionHasToken(expr, (token) => token === 'threshold' || token === 'quorum' || token === 'required' || token === 'minimum' || token === 'min');
+}
+function unwrapExpression(expr) {
+    let current = expr;
+    while ((0, ast_1.isNode)(current, 'TupleExpression') && Array.isArray(current.components) && current.components.length === 1) {
+        current = current.components[0];
+    }
+    return current;
+}
+function sufficiencyPredicateName(name) {
+    const tokens = (0, access_control_1.splitIdentifierTokens)(name);
+    const hasSufficiencyVerb = tokens.some((token) => (token === 'has' ||
+        token === 'is' ||
+        token === 'check' ||
+        token === 'checks' ||
+        token === 'require' ||
+        token === 'requires' ||
+        token === 'enforce' ||
+        token === 'verify' ||
+        token === 'verified'));
+    return hasSufficiencyVerb && tokens.some((token) => QUORUM_KEYWORDS.has(token) || token === 'approval' || token === 'approved');
+}
+function expressionHasToken(expr, predicate) {
+    return containsNode(expr, (node) => {
+        for (const name of nodeIdentifierNames(node)) {
+            if ((0, access_control_1.splitIdentifierTokens)(name).some(predicate))
+                return true;
+        }
+        return false;
+    });
+}
+function nodeIdentifierNames(node) {
+    const names = [];
+    if (typeof node?.name === 'string')
+        names.push(node.name);
+    if (typeof node?.memberName === 'string')
+        names.push(node.memberName);
+    if (typeof node?.namePath === 'string')
+        names.push(node.namePath);
+    return names;
+}
+function firstPayloadConsumption(body, params) {
+    for (const statement of body?.statements || []) {
+        if (statementProvidesQuorumGuard(statement, params))
+            continue;
+        if (statementConsumesPayload(statement, params))
+            return statement;
+    }
+    return null;
+}
+function statementConsumesPayload(statement, params) {
+    if (!statement || typeof statement !== 'object')
+        return false;
+    if (isPureSuperCallStatement(statement))
+        return false;
+    return containsNode(statement, (node) => {
+        if (!(0, ast_1.isNode)(node, 'Identifier'))
+            return false;
+        const name = String(node.name || '');
+        return params.originNames.has(name) || params.messageNames.has(name) || params.guidNames.has(name);
+    });
+}
+function isPureSuperForwarder(body, fnName) {
+    const statements = Array.isArray(body?.statements) ? body.statements : [];
+    return statements.length === 1 && isSuperCallStatement(statements[0], fnName);
+}
+function isPureSuperCallStatement(statement) {
+    if (!(0, ast_1.isNode)(statement, 'ExpressionStatement'))
+        return false;
+    const expr = statement.expression;
+    if (!(0, ast_1.isNode)(expr, 'FunctionCall'))
+        return false;
+    const callee = expr.expression;
+    return (0, ast_1.isNode)(callee, 'MemberAccess') && (0, ast_1.isNode)(callee.expression, 'Identifier') && callee.expression.name === 'super';
+}
+function isSuperCallStatement(statement, fnName) {
+    if (!isPureSuperCallStatement(statement))
+        return false;
+    return String(statement.expression?.expression?.memberName || '') === fnName;
+}
+function branchAlwaysReverts(node) {
+    if (!node)
+        return false;
+    if ((0, ast_1.isNode)(node, 'Block')) {
+        return (node.statements || []).some((statement) => statementReverts(statement));
+    }
+    return statementReverts(node);
+}
+function statementReverts(statement) {
+    if ((0, ast_1.isNode)(statement, 'RevertStatement') || (0, ast_1.isNode)(statement, 'ThrowStatement'))
+        return true;
+    if (!(0, ast_1.isNode)(statement, 'ExpressionStatement'))
+        return false;
+    const expr = statement.expression;
+    if (!(0, ast_1.isNode)(expr, 'FunctionCall'))
+        return false;
+    const callee = callName(expr.expression);
+    return callee === 'revert' || REQUIRE_LIKE.has(callee);
+}
+function anyArgumentMatches(nodes, params) {
+    return nodes.some((node) => containsNode(node, (child) => {
+        if (!(0, ast_1.isNode)(child, 'Identifier'))
+            return false;
+        const name = String(child.name || '');
+        return params.guidNames.has(name) || params.messageNames.has(name) || params.originNames.has(name);
+    }));
+}
+function hasQuorumReference(expr) {
+    return (0, access_control_1.isPrivilegedReference)(expr, quorumName);
+}
+function quorumName(name) {
+    return (0, access_control_1.splitIdentifierTokens)(name).some((token) => QUORUM_KEYWORDS.has(token));
+}
+function callName(expr) {
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return String(expr.name || '');
+    if ((0, ast_1.isNode)(expr, 'MemberAccess'))
+        return String(expr.memberName || '');
+    return '';
+}
+function getNodeName(node) {
+    if (!node)
+        return '';
+    if (typeof node.name === 'string')
+        return node.name;
+    if (node.identifier?.name)
+        return String(node.identifier.name);
+    return '';
+}
+function extractModifierName(modifier) {
+    if (!modifier)
+        return '';
+    if (typeof modifier.name === 'string')
+        return modifier.name;
+    if (modifier.name?.name)
+        return String(modifier.name.name);
+    if (modifier.modifierName?.name)
+        return String(modifier.modifierName.name);
+    return '';
+}
+function containsNode(node, predicate) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (predicate(node))
+        return true;
+    for (const value of Object.values(node)) {
+        if (Array.isArray(value)) {
+            if (value.some((child) => containsNode(child, predicate)))
+                return true;
+        }
+        else if (value && typeof value === 'object') {
+            if (containsNode(value, predicate))
+                return true;
+        }
+    }
+    return false;
+}
+//# sourceMappingURL=layerzero-dvn-quorum-missing.js.map

package/dist/detectors/layerzero-v2-unverified-origin.d.ts

@@ -0,0 +1,40 @@
+import type { ScanResult } from '../index';
+export declare class LayerZeroV2UnverifiedOriginDetector {
+    readonly id = "layerzero-v2-unverified-origin";
+    readonly patternKey = "layerzero-v2-unverified-origin";
+    readonly supportedAstKinds: "parser"[];
+    scan(ast: any, ctx?: any): ScanResult[];
+    scanAst(ast: any, file: string): ScanResult[];
+    private collectModifiers;
+    private isLayerZeroHandler;
+    private collectDominatingGuards;
+    private collectOriginContext;
+    private cloneOriginContext;
+    private collectTopLevelGuards;
+    private guardsFromTopLevelStatement;
+    private guardsFromCondition;
+    private isEndpointComparison;
+    private isPeerComparison;
+    private isMsgSender;
+    private isEndpointLike;
+    private isPeerSender;
+    private isOriginSrcEid;
+    private originBaseName;
+    private isTrustedPeerLookup;
+    private isTrustedPeerStore;
+    private branchAlwaysReverts;
+    private statementReverts;
+    private delegatesToSuper;
+    private isEmptyBody;
+    private isEndpointAuthCall;
+    private recordPeerAlias;
+    private isPeerAliasInitializer;
+    private callName;
+    private unwrapCall;
+    private contains;
+    private walk;
+    private childNodes;
+    private merge;
+    private makeFinding;
+    private locOf;
+}