@snovon/solast 0.2.0

package/dist/detectors/missing-access-control-role-or-transferfrom.js

@@ -0,0 +1,663 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MissingAccessControlRoleOrTransferfromDetector = void 0;
+const RULE_ID = 'missing-access-control';
+const PROVENANCE = 'x-20231112-mev-missing-access-control';
+const ACCESS_CONTROL_MODIFIERS = new Set([
+    'onlyowner',
+    'onlyowners',
+    'onlyrole',
+    'onlyadmin',
+    'onlyauthorized',
+    'onlyoperator',
+    'onlyoperators',
+    'onlygovernance',
+    'onlygovernor',
+    'onlyguardian',
+    'onlymanager',
+]);
+class MissingAccessControlRoleOrTransferfromDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser', 'solc'];
+    scanAst(ast, file, sourceText) {
+        if (!ast || typeof ast !== 'object')
+            return [];
+        const findings = [];
+        const lineOffsets = buildLineOffsets(sourceText);
+        for (const contract of collectContracts(ast)) {
+            if (isInterfaceLike(contract))
+                continue;
+            const contractName = getName(contract) || '<anonymous>';
+            const functions = new Map();
+            for (const fn of getContractFunctions(contract)) {
+                const body = getFunctionBody(fn);
+                const params = collectParameterInfo(fn);
+                const orderedParameterNames = params.map(p => p.name);
+                const parameterNames = new Set(orderedParameterNames.filter(Boolean));
+                const addressParameterNames = new Set(params.filter(p => p.isAddress && p.name).map(p => p.name));
+                const sinkNodes = collectSinkNodes(body, parameterNames, addressParameterNames);
+                functions.set(functionDisplayName(fn), {
+                    node: fn,
+                    name: functionDisplayName(fn),
+                    body,
+                    parameterNames,
+                    orderedParameterNames,
+                    addressParameterNames,
+                    sinkNodes,
+                    hasDirectSink: sinkNodes.length > 0,
+                    internalCallees: collectInternalCallNames(body),
+                    internalCallSites: collectInternalCallSites(body),
+                });
+            }
+            const reachable = computeTransitiveReachable(functions);
+            const seen = new Set();
+            for (const info of functions.values()) {
+                if (!isExternallyCallable(info.node))
+                    continue;
+                if (!info.body)
+                    continue;
+                if (hasRecognizedAccessControlModifier(info.node))
+                    continue;
+                if (!reachable.get(info.name))
+                    continue;
+                const stmts = getBlockStatements(info.body);
+                let firstGuardIdx = -1;
+                let firstSinkIdx = -1;
+                let sinkLocNode = null;
+                for (let i = 0; i < stmts.length; i++) {
+                    const stmt = stmts[i];
+                    if (firstGuardIdx === -1 && statementHasInlineGuard(stmt)) {
+                        firstGuardIdx = i;
+                    }
+                    if (firstSinkIdx === -1) {
+                        let direct = null;
+                        for (const sink of info.sinkNodes) {
+                            if (statementContainsNode(stmt, sink)) {
+                                direct = sink;
+                                break;
+                            }
+                        }
+                        if (direct) {
+                            firstSinkIdx = i;
+                            sinkLocNode = direct;
+                        }
+                        else {
+                            const callSites = collectInternalCallSites(stmt);
+                            for (const cs of callSites) {
+                                const callee = functions.get(cs.name);
+                                if (!callee)
+                                    continue;
+                                if (!reachable.get(callee.name))
+                                    continue;
+                                const binding = buildArgumentBinding(callee.orderedParameterNames, cs.arguments, null);
+                                if (isCalleeVulnerableUnderBinding(callee, binding, functions, new Set())) {
+                                    firstSinkIdx = i;
+                                    sinkLocNode = stmt;
+                                    break;
+                                }
+                            }
+                        }
+                    }
+                }
+                if (firstSinkIdx === -1)
+                    continue;
+                if (firstGuardIdx !== -1 && firstSinkIdx >= firstGuardIdx)
+                    continue;
+                const key = `${contractName}:${info.name}`;
+                if (seen.has(key))
+                    continue;
+                seen.add(key);
+                const fnLoc = getLoc(info.node, lineOffsets) || { line: 0, column: 0 };
+                const sinkLoc = sinkLocNode ? getLoc(sinkLocNode, lineOffsets) : null;
+                const loc = sinkLoc || fnLoc;
+                findings.push({
+                    file,
+                    contract: contractName,
+                    'function': info.name,
+                    line: loc.line,
+                    endLine: loc.line,
+                    column: loc.column,
+                    pattern: RULE_ID,
+                    confidence: 'high',
+                    ruleId: RULE_ID,
+                    severity: 'error',
+                    message: `Lack of access control in '${contractName}.${info.name}': externally callable function performs a privileged role designation or pulls tokens from a caller-supplied source to a caller-supplied recipient without an owner/role check or inline msg.sender guard before the privileged operation.`,
+                    rationale: 'Mirrors the 2023-11-12 MEV bot role-or-transferfrom incident: the bot exposed externally callable selectors (0xac3994ec for designateRole, 0x1270d364 for harvestAssets) that any caller could invoke to grant operator authority or move tokens from an arbitrary victim to an arbitrary recipient without verifying msg.sender.',
+                    suggestedFix: 'Add an owner/role-only modifier (e.g., onlyOwner) or an early require(msg.sender == owner) / require(hasRole(role, msg.sender)) guard that runs before any role assignment or transferFrom on caller-supplied addresses.',
+                    contractName,
+                    functionName: info.name,
+                    sourceLocation: { line: loc.line, column: loc.column },
+                    findingId: '',
+                    contractHash: '',
+                    provenance: PROVENANCE,
+                    source: PROVENANCE,
+                });
+            }
+        }
+        return findings;
+    }
+}
+exports.MissingAccessControlRoleOrTransferfromDetector = MissingAccessControlRoleOrTransferfromDetector;
+function computeTransitiveReachable(functions) {
+    const cache = new Map();
+    function compute(info, seen) {
+        const cached = cache.get(info.name);
+        if (cached !== undefined)
+            return cached;
+        if (info.hasDirectSink) {
+            cache.set(info.name, true);
+            return true;
+        }
+        if (seen.has(info.name))
+            return false;
+        seen.add(info.name);
+        for (const calleeName of info.internalCallees) {
+            const callee = functions.get(calleeName);
+            if (callee && compute(callee, seen)) {
+                cache.set(info.name, true);
+                return true;
+            }
+        }
+        cache.set(info.name, false);
+        return false;
+    }
+    for (const info of functions.values())
+        compute(info, new Set());
+    return cache;
+}
+function collectSinkNodes(body, parameterNames, addressParameterNames) {
+    if (!body)
+        return [];
+    const sinks = [];
+    walk(body, n => {
+        if (isFunctionCall(n) && getCalleeMemberName(n).toLowerCase() === 'transferfrom') {
+            const args = getCallArguments(n);
+            if (args.length < 2)
+                return;
+            const fromArg = args[0];
+            const toArg = args[1];
+            if (isMsgSenderRef(fromArg))
+                return;
+            if (!isCallerControlledRecipient(toArg, fromArg, parameterNames))
+                return;
+            sinks.push(n);
+            return;
+        }
+        if (isAssignmentNode(n)) {
+            const op = String(getAssignmentOperator(n) || '');
+            if (op !== '=')
+                return;
+            const left = getAssignmentLeft(n);
+            const right = getAssignmentRight(n);
+            if (!isIndexAccessWithAddressParamKey(left, addressParameterNames))
+                return;
+            if (!isBooleanRhs(right))
+                return;
+            sinks.push(n);
+        }
+    });
+    return sinks;
+}
+function isCallerControlledRecipient(toArg, fromArg, parameterNames) {
+    if (!toArg)
+        return false;
+    if (isAddressThisRef(toArg) || isThisExpression(toArg))
+        return false;
+    const toName = getIdentifierName(toArg);
+    const fromName = getIdentifierName(fromArg);
+    if (toName && fromName && toName === fromName)
+        return false;
+    if (isMsgSenderRef(toArg))
+        return true;
+    if (toName && parameterNames.has(toName))
+        return true;
+    return false;
+}
+function isIndexAccessWithAddressParamKey(node, addressParameterNames) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (!isNode(node, 'IndexAccess'))
+        return false;
+    const indexExpr = node.index ?? node.indexExpression;
+    if (!indexExpr)
+        return false;
+    const name = getIdentifierName(indexExpr);
+    if (!name)
+        return false;
+    return addressParameterNames.has(name);
+}
+function isBooleanRhs(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (isNode(node, 'BooleanLiteral'))
+        return true;
+    if (isNode(node, 'Literal')) {
+        const kind = String(node.kind || '').toLowerCase();
+        if (kind === 'bool')
+            return true;
+        if (typeof node.value === 'string' && (node.value === 'true' || node.value === 'false'))
+            return true;
+    }
+    if (isNode(node, 'BinaryOperation')) {
+        const op = String(node.operator || '');
+        if (BOOLEAN_BINARY_OPERATORS.has(op))
+            return true;
+    }
+    if (isNode(node, 'UnaryOperation')) {
+        const op = String(node.operator || '');
+        if (op === '!')
+            return true;
+    }
+    return false;
+}
+const BOOLEAN_BINARY_OPERATORS = new Set([
+    '==', '!=', '<', '>', '<=', '>=', '&&', '||',
+]);
+function isAssignmentNode(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (isNode(node, 'Assignment'))
+        return true;
+    if (isNode(node, 'BinaryOperation')) {
+        const op = String(node.operator || '');
+        return op === '=';
+    }
+    return false;
+}
+function getAssignmentOperator(node) {
+    return typeof node?.operator === 'string' ? node.operator : '';
+}
+function getAssignmentLeft(node) {
+    return node?.left ?? node?.leftHandSide;
+}
+function getAssignmentRight(node) {
+    return node?.right ?? node?.rightHandSide;
+}
+function isAddressThisRef(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (!isNode(node, 'FunctionCall'))
+        return false;
+    const args = getCallArguments(node);
+    if (args.length !== 1)
+        return false;
+    if (!isThisExpression(args[0]))
+        return false;
+    return isAddressTypeExpression(node.expression);
+}
+function isThisExpression(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (isNode(node, 'ThisExpression'))
+        return true;
+    if (isNode(node, 'Identifier') && String(node.name || '') === 'this')
+        return true;
+    return false;
+}
+function isAddressTypeExpression(expr) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if (isNode(expr, 'ElementaryTypeName') && String(expr.name || '') === 'address')
+        return true;
+    if (isNode(expr, 'ElementaryTypeNameExpression')) {
+        const tn = expr.typeName;
+        if (tn && typeof tn === 'object' && String(tn.name || '') === 'address')
+            return true;
+    }
+    if (isNode(expr, 'Identifier') && String(expr.name || '') === 'address')
+        return true;
+    return false;
+}
+function getIdentifierName(node) {
+    if (!node || typeof node !== 'object')
+        return '';
+    if (isNode(node, 'Identifier'))
+        return String(node.name || '');
+    return '';
+}
+function collectParameterInfo(fn) {
+    const list = extractParameterList(fn?.parameters);
+    const out = [];
+    for (const p of list) {
+        if (!p || typeof p !== 'object')
+            continue;
+        const name = typeof p.name === 'string' ? p.name : '';
+        out.push({ name, isAddress: isAddressTypeName(p.typeName) });
+    }
+    return out;
+}
+function extractParameterList(params) {
+    if (!params)
+        return [];
+    if (Array.isArray(params))
+        return params;
+    if (Array.isArray(params.parameters))
+        return params.parameters;
+    return [];
+}
+function isAddressTypeName(typeName) {
+    if (!typeName || typeof typeName !== 'object')
+        return false;
+    if (!isNode(typeName, 'ElementaryTypeName'))
+        return false;
+    return String(typeName.name || '') === 'address';
+}
+function statementContainsNode(stmt, target) {
+    if (!stmt || !target)
+        return false;
+    let found = false;
+    walk(stmt, n => { if (n === target)
+        found = true; });
+    return found;
+}
+function statementHasInlineGuard(stmt) {
+    let isGuard = false;
+    walk(stmt, node => {
+        if (isGuard)
+            return;
+        if (!isFunctionCall(node))
+            return;
+        const calleeName = getCalleeIdentifierName(node).toLowerCase();
+        if (calleeName !== 'require' && calleeName !== 'assert')
+            return;
+        const condition = getCallArguments(node)[0];
+        if (!condition)
+            return;
+        if (containsMsgSender(condition))
+            isGuard = true;
+    });
+    return isGuard;
+}
+function containsMsgSender(node) {
+    return walkAny(node, n => isMsgSenderRef(n));
+}
+function isMsgSenderRef(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (!isNode(node, 'MemberAccess'))
+        return false;
+    const memberName = String(node.memberName || node.member || '');
+    if (memberName !== 'sender')
+        return false;
+    const base = node.expression;
+    if (!base || typeof base !== 'object')
+        return false;
+    if (!isNode(base, 'Identifier'))
+        return false;
+    return String(base.name || '') === 'msg';
+}
+function collectInternalCallNames(body) {
+    const out = new Set();
+    if (!body)
+        return out;
+    walk(body, n => {
+        if (!isFunctionCall(n))
+            return;
+        const callee = n.expression;
+        if (callee && isNode(callee, 'Identifier')) {
+            const name = String(callee.name || '');
+            if (name)
+                out.add(name);
+        }
+    });
+    return out;
+}
+function collectInternalCallSites(body) {
+    const out = [];
+    if (!body)
+        return out;
+    walk(body, n => {
+        if (!isFunctionCall(n))
+            return;
+        const callee = n.expression;
+        if (callee && isNode(callee, 'Identifier')) {
+            const name = String(callee.name || '');
+            if (name)
+                out.push({ name, arguments: getCallArguments(n) });
+        }
+    });
+    return out;
+}
+function buildArgumentBinding(paramNames, callArgs, parentBinding) {
+    const binding = new Map();
+    const n = Math.min(paramNames.length, callArgs.length);
+    for (let i = 0; i < n; i++) {
+        const name = paramNames[i];
+        if (!name)
+            continue;
+        let argExpr = callArgs[i];
+        if (parentBinding) {
+            const argName = getIdentifierName(argExpr);
+            if (argName && parentBinding.has(argName)) {
+                argExpr = parentBinding.get(argName);
+            }
+        }
+        binding.set(name, argExpr);
+    }
+    return binding;
+}
+function isTransferFromSinkBenignUnderBinding(sink, binding) {
+    if (!isFunctionCall(sink))
+        return false;
+    if (getCalleeMemberName(sink).toLowerCase() !== 'transferfrom')
+        return false;
+    const args = getCallArguments(sink);
+    if (args.length < 2)
+        return false;
+    const toArg = args[1];
+    const toName = getIdentifierName(toArg);
+    if (!toName)
+        return false;
+    if (!binding.has(toName))
+        return false;
+    const bound = binding.get(toName);
+    if (!bound)
+        return false;
+    return isAddressThisRef(bound) || isThisExpression(bound);
+}
+function isCalleeVulnerableUnderBinding(callee, binding, functions, visited) {
+    if (visited.has(callee.name))
+        return false;
+    visited.add(callee.name);
+    for (const sink of callee.sinkNodes) {
+        if (isTransferFromSinkBenignUnderBinding(sink, binding))
+            continue;
+        return true;
+    }
+    for (const cs of callee.internalCallSites) {
+        const sub = functions.get(cs.name);
+        if (!sub)
+            continue;
+        if (visited.has(sub.name))
+            continue;
+        const subBinding = buildArgumentBinding(sub.orderedParameterNames, cs.arguments, binding);
+        if (isCalleeVulnerableUnderBinding(sub, subBinding, functions, visited))
+            return true;
+    }
+    return false;
+}
+function getCalleeMemberName(call) {
+    const expr = call?.expression;
+    if (!expr)
+        return '';
+    if (isNode(expr, 'MemberAccess'))
+        return String(expr.memberName || expr.member || '');
+    return '';
+}
+function getCalleeIdentifierName(call) {
+    const expr = call?.expression;
+    if (!expr)
+        return '';
+    if (isNode(expr, 'Identifier'))
+        return String(expr.name || '');
+    return '';
+}
+function getCallArguments(node) {
+    return Array.isArray(node?.arguments) ? node.arguments : [];
+}
+function isFunctionCall(n) {
+    return isNode(n, 'FunctionCall');
+}
+function hasRecognizedAccessControlModifier(fn) {
+    const modifiers = fn?.modifiers || [];
+    if (!Array.isArray(modifiers))
+        return false;
+    return modifiers.some((m) => ACCESS_CONTROL_MODIFIERS.has(getModifierName(m).toLowerCase()));
+}
+function getModifierName(modifier) {
+    if (!modifier)
+        return '';
+    if (typeof modifier === 'string')
+        return modifier;
+    if (typeof modifier.name === 'string')
+        return modifier.name;
+    if (modifier.name && typeof modifier.name === 'object') {
+        if (typeof modifier.name.name === 'string')
+            return modifier.name.name;
+        if (typeof modifier.name.namePath === 'string')
+            return modifier.name.namePath;
+    }
+    if (modifier.modifierName) {
+        const inner = modifier.modifierName;
+        if (typeof inner === 'string')
+            return inner;
+        if (inner && typeof inner.name === 'string')
+            return inner.name;
+    }
+    return '';
+}
+function isExternallyCallable(fn) {
+    if (!fn)
+        return false;
+    if (fn.isConstructor === true)
+        return false;
+    const kind = String(fn.kind || '').toLowerCase();
+    if (kind === 'constructor' || kind === 'fallback' || kind === 'receive')
+        return false;
+    if (fn.isFallback === true || fn.isReceiveEther === true)
+        return false;
+    const visibility = String(fn.visibility || '').toLowerCase();
+    return visibility === 'public' || visibility === 'external';
+}
+function isInterfaceLike(contract) {
+    const kind = String(contract?.kind || contract?.contractKind || '').toLowerCase();
+    return kind === 'interface' || kind === 'library';
+}
+function getFunctionBody(node) {
+    return node?.body || null;
+}
+function getBlockStatements(body) {
+    if (!body || typeof body !== 'object')
+        return [];
+    return Array.isArray(body.statements) ? body.statements : [];
+}
+function getContractFunctions(contract) {
+    return getContractMembers(contract).filter(child => isNode(child, 'FunctionDefinition'));
+}
+function getContractMembers(contract) {
+    if (!contract || typeof contract !== 'object')
+        return [];
+    if (Array.isArray(contract.subNodes))
+        return contract.subNodes;
+    if (Array.isArray(contract.nodes))
+        return contract.nodes;
+    return [];
+}
+function collectContracts(ast) {
+    const out = [];
+    walkContracts(ast, n => out.push(n));
+    return out;
+}
+function walkContracts(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (isNode(node, 'ContractDefinition')) {
+        visit(node);
+        return;
+    }
+    for (const child of childrenOf(node))
+        walkContracts(child, visit);
+}
+function walkAny(node, predicate) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (predicate(node))
+        return true;
+    return childrenOf(node).some(c => walkAny(c, predicate));
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const c of childrenOf(node))
+        walk(c, visit);
+}
+function childrenOf(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const out = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'src' || key === 'range' || key === 'typeDescriptions' || key === 'id')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    out.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+function isNode(node, kind) {
+    return node?.type === kind || node?.nodeType === kind;
+}
+function getName(node) {
+    return typeof node?.name === 'string' ? node.name : '';
+}
+function functionDisplayName(fn) {
+    return getName(fn) || '<anonymous>';
+}
+function buildLineOffsets(sourceText) {
+    if (sourceText === undefined)
+        return undefined;
+    const offsets = [0];
+    let byteOffset = 0;
+    for (const ch of sourceText) {
+        byteOffset += Buffer.byteLength(ch, 'utf8');
+        if (ch === '\n')
+            offsets.push(byteOffset);
+    }
+    return offsets;
+}
+function getLoc(node, lineOffsets) {
+    if (node?.loc?.start)
+        return { line: node.loc.start.line || 0, column: node.loc.start.column || 0 };
+    if (!node?.src || !lineOffsets)
+        return undefined;
+    const [offsetRaw] = String(node.src).split(':');
+    const offset = Number(offsetRaw);
+    if (!Number.isFinite(offset) || offset < 0)
+        return undefined;
+    return byteOffsetToLineColumn(offset, lineOffsets);
+}
+function byteOffsetToLineColumn(byteOffset, lineOffsets) {
+    let low = 0;
+    let high = lineOffsets.length - 1;
+    let lineIdx = 0;
+    while (low <= high) {
+        const mid = Math.floor((low + high) / 2);
+        if (lineOffsets[mid] <= byteOffset) {
+            lineIdx = mid;
+            low = mid + 1;
+        }
+        else {
+            high = mid - 1;
+        }
+    }
+    return { line: lineIdx + 1, column: byteOffset - lineOffsets[lineIdx] };
+}
+//# sourceMappingURL=missing-access-control-role-or-transferfrom.js.map

package/dist/detectors/missing-access-control.d.ts

@@ -0,0 +1,19 @@
+import type { ScanResult } from '../index';
+import type { DetectorContext } from './types';
+export declare class MissingAccessControlDetector {
+    readonly id = "missing-access-control";
+    readonly patternKey = "missing-access-control";
+    readonly supportedAstKinds: ("parser" | "solc")[];
+    private currentFile;
+    private sourceText;
+    private semantic;
+    private findings;
+    setFile(file: string): void;
+    setSourceText(sourceText?: string): void;
+    setSemanticModel(model: DetectorContext['semantic']): void;
+    getFindings(): ScanResult[];
+    SourceUnit(ast: any): void;
+    ContractDefinition(node: any): void;
+    scanAst(ast: any, file: string, sourceText?: string, ctxArg?: DetectorContext): ScanResult[];
+    private runAst;
+}