@snovon/solast 0.2.0

package/dist/detectors/missing-access-control-caller-supplied-auth.js

@@ -0,0 +1,550 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MissingAccessControlCallerSuppliedAuthDetector = void 0;
+const access_control_1 = require("./_common/access-control");
+const RULE_ID = 'missing-access-control';
+const RECOGNIZED_GUARD_MODIFIER_NAMES = new Set(['onlyowner', 'onlyrole']);
+class MissingAccessControlCallerSuppliedAuthDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser', 'solc'];
+    scanAst(ast, file, sourceText) {
+        if (!ast || typeof ast !== 'object')
+            return [];
+        const findings = [];
+        const lineOffsets = buildLineOffsets(sourceText);
+        walkContracts(ast, contractNode => {
+            if (isInterfaceLike(contractNode))
+                return;
+            const ctx = {
+                stateVariables: collectStateVariables(contractNode),
+                modifierBodies: collectModifierBodies(contractNode),
+                internalFunctions: collectInternalFunctions(contractNode),
+            };
+            const contractName = getName(contractNode) || '<anonymous>';
+            for (const fn of getContractMembers(contractNode, 'FunctionDefinition')) {
+                const functionName = getName(fn);
+                if (!functionName)
+                    continue;
+                if (!isExternallyCallable(fn))
+                    continue;
+                const body = getFunctionBody(fn);
+                if (!body)
+                    continue;
+                const params = collectParameterNames(fn);
+                const addressParams = collectAddressParameterNames(fn);
+                if (addressParams.size === 0)
+                    continue;
+                if (hasRecognizedModifierGuard(fn, ctx))
+                    continue;
+                const callerSuppliedAuthCheck = findCallerSuppliedAuthCheck(body, ctx, params, addressParams);
+                if (!callerSuppliedAuthCheck)
+                    continue;
+                if (!containsDestructiveMutation(body, ctx))
+                    continue;
+                const loc = getLoc(fn, lineOffsets) || { line: 0, column: 0 };
+                findings.push({
+                    file,
+                    contract: contractName,
+                    'function': functionName,
+                    line: loc.line,
+                    endLine: loc.line,
+                    column: loc.column,
+                    pattern: RULE_ID,
+                    confidence: 'high',
+                    ruleId: RULE_ID,
+                    severity: 'high',
+                    message: `Land-access-control gap in '${contractName}.${functionName}': function accepts a caller-supplied address parameter used as the authorization subject in a require/assert check, but no msg.sender-based guard is present. Any caller can supply the correct 'from' address to pass ownership validation before the destructive operation.`,
+                    rationale: `Mirrors the 2022-02-08 Sandbox LAND exploit: a public _burn/burnForMigration function accepted a caller-supplied 'from' address, checked 'require(from == ownerOf(tokenId))', and then performed the destructive burn/delete/transfer — without verifying that the caller actually owns the token. Because 'from' is caller-supplied, an attacker can pass ownerOf(tokenId) as 'from' and burn any LAND token.`,
+                    suggestedFix: `Replace the caller-supplied parameter authorization check with msg.sender-based authorization: 'require(msg.sender == ownerOf(tokenId))' or add an 'onlyOwner'/'onlyRole' modifier. Alternatively, restrict the function visibility to 'internal' if it is only intended to be called by trusted internal helpers.`,
+                    contractName,
+                    functionName,
+                    sourceLocation: { line: loc.line, column: loc.column },
+                    findingId: '',
+                    contractHash: '',
+                });
+            }
+        });
+        return findings;
+    }
+}
+exports.MissingAccessControlCallerSuppliedAuthDetector = MissingAccessControlCallerSuppliedAuthDetector;
+function findCallerSuppliedAuthCheck(body, ctx, params, addressParams) {
+    let found = null;
+    walk(body, node => {
+        if (found)
+            return;
+        if (isRecognizedAuthCheckWithCallerSuppliedParam(node, ctx, params, addressParams)) {
+            found = node;
+        }
+    });
+    return found;
+}
+function isRecognizedAuthCheckWithCallerSuppliedParam(expr, ctx, params, addressParams) {
+    if (!expr || !isNode(expr, 'FunctionCall'))
+        return false;
+    const callee = (getCallExpressionName(expr) || '').toLowerCase();
+    const args = getCallArguments(expr);
+    if (callee === 'require' || callee === 'assert') {
+        return args.some(arg => isCallerSuppliedParamEquality(expr, ctx, params, addressParams));
+    }
+    return false;
+}
+function isCallerSuppliedParamEquality(callExpr, ctx, params, addressParams) {
+    const args = getCallArguments(callExpr);
+    if (args.length < 1)
+        return false;
+    const pred = args[0];
+    if (!pred || !isNode(pred, 'BinaryOperation'))
+        return false;
+    if (getOperator(pred) !== '==' && getOperator(pred) !== '===')
+        return false;
+    const left = pred.left ?? pred.leftExpression;
+    const right = pred.right ?? pred.rightExpression;
+    if (!hasAddressTypedParameterSide(left, right, addressParams))
+        return false;
+    if (isCallerReference(left) || isCallerReference(right))
+        return false;
+    return true;
+}
+function hasAddressTypedParameterSide(left, right, addressParams) {
+    return isAddressTypedParameter(left, addressParams) || isAddressTypedParameter(right, addressParams);
+}
+function isAddressTypedParameter(expr, addressParams) {
+    if (!expr)
+        return false;
+    const root = getReferenceRoot(expr);
+    return addressParams.has(root);
+}
+function containsDestructiveMutation(body, ctx) {
+    let found = false;
+    walk(body, node => {
+        if (found)
+            return;
+        if (isDestructiveMutation(node, ctx)) {
+            found = true;
+        }
+    });
+    return found;
+}
+function isDestructiveMutation(node, ctx) {
+    if (isDeleteOperation(node, ctx))
+        return true;
+    if (isAssignmentToState(node, ctx))
+        return true;
+    if (isStateVariableIncrementDecrement(node, ctx))
+        return true;
+    if (isTransferToNonCaller(node, ctx))
+        return true;
+    if (isInternalFunctionCallWithDestructiveEffect(node, ctx))
+        return true;
+    return false;
+}
+function isInternalFunctionCallWithDestructiveEffect(node, ctx) {
+    if (!node || !isNode(node, 'FunctionCall'))
+        return false;
+    const callee = node.expression;
+    if (!callee || !isNode(callee, 'Identifier'))
+        return false;
+    const fnName = getName(callee);
+    if (!fnName)
+        return false;
+    if (ctx.internalFunctions?.has(fnName)) {
+        const body = ctx.internalFunctions.get(fnName);
+        if (body) {
+            let found = false;
+            walk(body, n => {
+                if (found)
+                    return;
+                if (isDestructiveMutation(n, ctx))
+                    found = true;
+            });
+            return found;
+        }
+    }
+    return false;
+}
+function isDeleteOperation(node, ctx) {
+    if (!node || !isNode(node, 'UnaryOperation'))
+        return false;
+    if (getOperator(node) !== 'delete')
+        return false;
+    const target = node.subExpression ?? node.vSubExpression;
+    const root = getReferenceRoot(target);
+    return !!root && ctx.stateVariables.has(root);
+}
+function isAssignmentToState(node, ctx) {
+    if (!node)
+        return false;
+    let expr = node;
+    if (isNode(node, 'ExpressionStatement')) {
+        expr = node.expression;
+    }
+    if (!expr)
+        return false;
+    if (isNode(expr, 'Assignment')) {
+        const left = expr.left ?? expr.leftHandSide;
+        const root = getReferenceRoot(left);
+        return !!root && ctx.stateVariables.has(root);
+    }
+    if (isNode(expr, 'BinaryOperation') && isAssignmentOperator(getOperator(expr))) {
+        const left = expr.left ?? expr.leftHandSide;
+        const root = getReferenceRoot(left);
+        return !!root && ctx.stateVariables.has(root);
+    }
+    return false;
+}
+function isAssignmentOperator(op) {
+    return ['=', '+=', '-=', '*=', '/=', '%=', '&=', '|=', '^=', '<<=', '>>=', '>>>='].includes(op);
+}
+function isStateVariableIncrementDecrement(node, ctx) {
+    if (!node || !isNode(node, 'UnaryOperation'))
+        return false;
+    const op = getOperator(node);
+    if (op !== '++' && op !== '--')
+        return false;
+    const target = node.subExpression ?? node.vSubExpression;
+    const root = getReferenceRoot(target);
+    return !!root && ctx.stateVariables.has(root) && !isLocalVariable(root);
+}
+function isTransferToNonCaller(node, ctx) {
+    if (!node || !isNode(node, 'FunctionCall'))
+        return false;
+    const callee = getCallExpressionName(node).toLowerCase();
+    if (callee !== 'transferfrom' && !callee.endsWith('.transferfrom'))
+        return false;
+    const args = getCallArguments(node);
+    if (args.length < 3)
+        return false;
+    const recipientArg = args[1];
+    if (!recipientArg)
+        return false;
+    if (isMsgSender(recipientArg))
+        return false;
+    return true;
+}
+function isLocalVariable(name) {
+    return false;
+}
+function hasRecognizedModifierGuard(fn, ctx) {
+    for (const mod of fn.modifiers || []) {
+        const modName = getModifierInvocationName(mod);
+        if (!modName)
+            continue;
+        if (RECOGNIZED_GUARD_MODIFIER_NAMES.has(modName.toLowerCase()))
+            return true;
+        const body = ctx.modifierBodies.get(modName);
+        if (!body)
+            continue;
+        if (containsRecognizedMsgSenderGuard(body))
+            return true;
+    }
+    return false;
+}
+function containsRecognizedMsgSenderGuard(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (isRecognizedMsgSenderGuardExpr(node))
+        return true;
+    for (const child of childrenOf(node)) {
+        if (containsRecognizedMsgSenderGuard(child))
+            return true;
+    }
+    return false;
+}
+function isRecognizedMsgSenderGuardExpr(expr) {
+    if (!expr || !isNode(expr, 'FunctionCall'))
+        return false;
+    const callee = (getCallExpressionName(expr) || '').toLowerCase();
+    const args = getCallArguments(expr);
+    if (callee === 'require' || callee === 'assert') {
+        return args.some(arg => isMsgSenderEquality(arg));
+    }
+    if (callee === '_checkrole' || callee === 'checkrole' || callee.endsWith('._checkrole')) {
+        return true;
+    }
+    return false;
+}
+function isMsgSenderEquality(expr) {
+    if (!expr || !isNode(expr, 'BinaryOperation'))
+        return false;
+    if (getOperator(expr) !== '==' && getOperator(expr) !== '===')
+        return false;
+    const left = expr.left ?? expr.leftExpression;
+    const right = expr.right ?? expr.rightExpression;
+    if (isMsgSender(left) && !isMsgSender(right)) {
+        return isPrivilegedAuthorityReference(right);
+    }
+    if (isMsgSender(right) && !isMsgSender(left)) {
+        return isPrivilegedAuthorityReference(left);
+    }
+    return false;
+}
+function isPrivilegedAuthorityReference(expr) {
+    const root = getReferenceRoot(expr);
+    if (!root)
+        return false;
+    return (0, access_control_1.isPrivilegedIdentifier)(root, { keywords: PRIVILEGED_STATE_KEYWORDS });
+}
+// Detector-local keyword set (post roadmap 1.2.2 migration). The
+// list matches the pre-extraction inline regex exactly;
+// behaviour is preserved.
+const PRIVILEGED_STATE_KEYWORDS = ['owner', 'admin', 'role', 'paused', 'pause',
+    'guardian', 'timelock', 'governor', 'fee', 'treasury', 'operator'];
+function isMsgSender(expr) {
+    if (!expr || !isNode(expr, 'MemberAccess'))
+        return false;
+    if ((expr.memberName || '') !== 'sender')
+        return false;
+    const inner = expr.expression;
+    return inner && isNode(inner, 'Identifier') && getName(inner) === 'msg';
+}
+function isTxOrigin(expr) {
+    if (!expr || !isNode(expr, 'MemberAccess'))
+        return false;
+    if ((expr.memberName || '') !== 'origin')
+        return false;
+    const inner = expr.expression;
+    return inner && isNode(inner, 'Identifier') && getName(inner) === 'tx';
+}
+function isCallerReference(expr) {
+    if (isMsgSender(expr) || isTxOrigin(expr))
+        return true;
+    if (!expr || !isNode(expr, 'FunctionCall'))
+        return false;
+    const callee = (getCallExpressionName(expr) || '').toLowerCase();
+    return callee === 'sender' || callee === '_sender' || callee === 'msgsender' || callee === '_msgsender';
+}
+function getReferenceRoot(expr) {
+    if (!expr)
+        return '';
+    if (isNode(expr, 'Identifier'))
+        return getName(expr);
+    if (isNode(expr, 'IndexAccess')) {
+        return getReferenceRoot(expr.base ?? expr.baseExpression);
+    }
+    if (isNode(expr, 'MemberAccess')) {
+        return getReferenceRoot(expr.expression);
+    }
+    return '';
+}
+function collectStateVariables(contractNode) {
+    const stateVars = new Set();
+    for (const member of getContractMembers(contractNode, 'StateVariableDeclaration')) {
+        for (const variable of member.variables || []) {
+            if (variable?.name)
+                stateVars.add(variable.name);
+        }
+    }
+    for (const member of getContractMembers(contractNode, 'VariableDeclaration')) {
+        if (member?.stateVariable && member.name)
+            stateVars.add(member.name);
+    }
+    return stateVars;
+}
+function collectModifierBodies(contractNode) {
+    const map = new Map();
+    for (const member of getContractMembers(contractNode, 'ModifierDefinition')) {
+        const modName = getName(member);
+        if (modName && member.body)
+            map.set(modName, member.body);
+    }
+    return map;
+}
+function collectInternalFunctions(contractNode) {
+    const map = new Map();
+    for (const member of getContractMembers(contractNode, 'FunctionDefinition')) {
+        const fnName = getName(member);
+        if (fnName && member.body) {
+            const visibility = String(member.visibility || '').toLowerCase();
+            if (visibility === 'private' || visibility === 'internal') {
+                map.set(fnName, member.body);
+            }
+        }
+    }
+    return map;
+}
+function collectParameterNames(fn) {
+    const params = new Set();
+    const list = fn.parameters?.parameters || fn.parameters || [];
+    for (const param of list) {
+        if (param?.name)
+            params.add(param.name);
+    }
+    return params;
+}
+function collectAddressParameterNames(fn) {
+    const addressParams = new Set();
+    const list = fn.parameters?.parameters || fn.parameters || [];
+    for (const param of list) {
+        if (!param?.name)
+            continue;
+        const typeName = param.typeName || param.type || {};
+        const typeStr = String(typeName.name || typeName.type || '').toLowerCase();
+        if (typeStr === 'address') {
+            addressParams.add(param.name);
+        }
+    }
+    return addressParams;
+}
+function getContractMembers(contractNode, kind) {
+    const members = [];
+    const lists = [contractNode.subNodes, contractNode.nodes];
+    for (const list of lists) {
+        if (!Array.isArray(list))
+            continue;
+        for (const child of list) {
+            if (child && (child.type === kind || child.nodeType === kind)) {
+                members.push(child);
+            }
+        }
+    }
+    return members;
+}
+function getFunctionBody(fn) {
+    return fn?.body || null;
+}
+function isExternallyCallable(fn) {
+    const kind = String(fn.kind || (fn.isConstructor ? 'constructor' : '') || 'function').toLowerCase();
+    if (kind === 'constructor' || kind === 'fallback' || kind === 'receive')
+        return false;
+    if (fn?.isConstructor === true || fn?.isFallback === true || fn?.isReceiveEther === true)
+        return false;
+    const visibility = String(fn.visibility || '').toLowerCase();
+    return visibility === 'public' || visibility === 'external';
+}
+function getModifierInvocationName(mod) {
+    if (!mod)
+        return '';
+    if (mod.modifierName) {
+        if (typeof mod.modifierName === 'string')
+            return mod.modifierName;
+        if (mod.modifierName.name)
+            return String(mod.modifierName.name);
+    }
+    if (mod.name) {
+        if (typeof mod.name === 'string')
+            return mod.name;
+        if (mod.name.name)
+            return String(mod.name.name);
+        if (mod.name.namePath)
+            return String(mod.name.namePath);
+    }
+    return '';
+}
+function isInterfaceLike(contract) {
+    const kind = String(contract?.kind || contract?.contractKind || '').toLowerCase();
+    return kind === 'interface' || kind === 'library';
+}
+function walkContracts(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (isNode(node, 'ContractDefinition'))
+        visit(node);
+    for (const child of childrenOf(node))
+        walkContracts(child, visit);
+}
+function walk(node, visitor) {
+    if (!node || typeof node !== 'object')
+        return;
+    visitor(node);
+    for (const child of childrenOf(node))
+        walk(child, visitor);
+}
+function childrenOf(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const children = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'src' || key === 'range' || key === 'typeDescriptions')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    children.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            children.push(value);
+        }
+    }
+    return children;
+}
+function isNode(node, kind) {
+    return node?.type === kind || node?.nodeType === kind;
+}
+function getName(node) {
+    if (!node)
+        return '';
+    if (typeof node.name === 'string')
+        return node.name;
+    return '';
+}
+function getOperator(node) {
+    return String(node?.operator || '');
+}
+function getCallExpressionName(call) {
+    if (!call)
+        return '';
+    const callee = call.expression;
+    if (!callee)
+        return '';
+    if (isNode(callee, 'Identifier'))
+        return getName(callee);
+    if (isNode(callee, 'MemberAccess')) {
+        const inner = callee.expression;
+        const innerName = inner ? getCallExpressionNameFromExpression(inner) : '';
+        const memberName = callee.memberName || '';
+        return innerName ? `${innerName}.${memberName}` : memberName;
+    }
+    if (isNode(callee, 'NameValueExpression')) {
+        return getCallExpressionName({ expression: callee.expression });
+    }
+    return '';
+}
+function getCallExpressionNameFromExpression(expr) {
+    if (!expr)
+        return '';
+    if (isNode(expr, 'Identifier'))
+        return getName(expr);
+    if (isNode(expr, 'MemberAccess')) {
+        const inner = expr.expression;
+        const innerName = inner ? getCallExpressionNameFromExpression(inner) : '';
+        const memberName = expr.memberName || '';
+        return innerName ? `${innerName}.${memberName}` : memberName;
+    }
+    return '';
+}
+function getCallArguments(call) {
+    return Array.isArray(call?.arguments) ? call.arguments : [];
+}
+function buildLineOffsets(sourceText) {
+    if (sourceText === undefined)
+        return undefined;
+    const lineOffsets = [0];
+    let byteOffset = 0;
+    for (const char of sourceText) {
+        byteOffset += Buffer.byteLength(char, 'utf8');
+        if (char === '\n')
+            lineOffsets.push(byteOffset);
+    }
+    return lineOffsets;
+}
+function getLoc(node, lineOffsets) {
+    if (node?.loc?.start)
+        return { line: node.loc.start.line, column: node.loc.start.column };
+    if (!node?.src || !lineOffsets)
+        return undefined;
+    const offset = Number(String(node.src).split(':')[0]);
+    if (!Number.isFinite(offset) || offset < 0)
+        return undefined;
+    let lineIndex = 0;
+    for (let i = 0; i < lineOffsets.length; i++) {
+        if (lineOffsets[i] <= offset)
+            lineIndex = i;
+        else
+            break;
+    }
+    return { line: lineIndex + 1, column: offset - lineOffsets[lineIndex] };
+}
+//# sourceMappingURL=missing-access-control-caller-supplied-auth.js.map

package/dist/detectors/missing-access-control-receiver-payout.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class MissingAccessControlReceiverPayoutDetector {
+    readonly id = "missing-access-control";
+    readonly patternKey = "missing-access-control";
+    readonly supportedAstKinds: ("parser" | "solc")[];
+    scanAst(ast: any, file: string, sourceText?: string): ScanResult[];
+}