@snovon/solast 0.2.0

package/dist/detectors/missing-zk-proof-verification.js

@@ -0,0 +1,547 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MissingZkProofVerificationDetector = void 0;
+const access_control_1 = require("./_common/access-control");
+const ast_1 = require("./_common/ast");
+function tryLoc(node) {
+    return node?.loc || node?.range
+        ? { line: node.loc?.start?.line || 0, column: node.loc?.start?.column || 0, endLine: node.loc?.end?.line || 0 }
+        : { line: 0, column: 0, endLine: 0 };
+}
+class MissingZkProofVerificationDetector {
+    id = 'missing-zk-proof-verification';
+    patternKey = 'missing-zk-proof-verification';
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: 'missing-zk-proof-verification',
+        shortDescription: 'Missing or unchecked proof verification in ZK-rollup bridge contracts.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'high',
+    };
+    findings = [];
+    currentFile = '';
+    isLibraryOrInterface = false;
+    currentFunction = null;
+    isBridgeFunction = false;
+    hasProofParam = false;
+    hasVerifierCall = false;
+    // Verifier-like declaration return shapes, keyed by `<owner>.<fn>#<arity>`.
+    // `true` => returns bool, `false` => non-bool / no return.
+    functionReturnShapes = new Map();
+    // State variable types per contract, keyed by contract name.
+    contractStateVarTypes = new Map();
+    // State variable types for the contract currently being walked.
+    stateVarTypes = new Map();
+    // Parameter / local variable types for the function currently being walked.
+    localVarTypes = new Map();
+    currentContractName = '';
+    // Track assigned variables to see if they are checked
+    assignedBooleanVars = new Map();
+    checkedVars = new Set();
+    // Storage keys
+    mutableVerifierStorage = new Set();
+    setFile(file) {
+        this.currentFile = file;
+        this.findings = [];
+        this.functionReturnShapes.clear();
+        this.contractStateVarTypes.clear();
+        this.stateVarTypes = new Map();
+        this.localVarTypes.clear();
+        this.mutableVerifierStorage.clear();
+        this.isLibraryOrInterface = false;
+        this.isBridgeFunction = false;
+        this.hasProofParam = false;
+        this.hasVerifierCall = false;
+        this.currentFunction = null;
+        this.currentContractName = '';
+    }
+    getFindings() {
+        return this.findings;
+    }
+    // Pre-pass: collect verifier-like declaration return shapes and state
+    // variable types for every contract/interface/library in the file before
+    // any call site is analysed. This makes return-shape suppression
+    // declaration-aware instead of relying on a bare function name.
+    SourceUnit(node) {
+        this.functionReturnShapes.clear();
+        this.contractStateVarTypes.clear();
+        for (const child of node.children || []) {
+            if (!(0, ast_1.isNode)(child, 'ContractDefinition'))
+                continue;
+            const owner = child.name || '';
+            const stateTypes = new Map();
+            for (const sub of child.subNodes || []) {
+                if ((0, ast_1.isNode)(sub, 'FunctionDefinition')) {
+                    const arity = (sub.parameters || []).length;
+                    this.functionReturnShapes.set(`${owner}.${sub.name || ''}#${arity}`, this.returnsBool(sub));
+                }
+                else if ((0, ast_1.isNode)(sub, 'StateVariableDeclaration')) {
+                    for (const v of sub.variables || []) {
+                        const t = this.typeNameString(v?.typeName);
+                        if (v?.name && t)
+                            stateTypes.set(v.name, t);
+                    }
+                }
+            }
+            this.contractStateVarTypes.set(owner, stateTypes);
+        }
+    }
+    ContractDefinition(node) {
+        this.isLibraryOrInterface = node.kind === 'library' || node.kind === 'interface';
+        this.currentContractName = node.name || '';
+        this.stateVarTypes = this.contractStateVarTypes.get(this.currentContractName) || new Map();
+        if (!this.isLibraryOrInterface) {
+            this.mutableVerifierStorage.clear();
+        }
+    }
+    ContractDefinition_post(node) {
+        this.isLibraryOrInterface = false;
+        this.currentContractName = '';
+    }
+    StateVariableDeclaration(node) {
+        if (this.isLibraryOrInterface)
+            return;
+        for (const v of node.variables || []) {
+            if (v.isDeclaredConst || v.isImmutable)
+                continue;
+            const name = v.name || '';
+            if (/verifier|verificationkey|^vk$|^vkey$|vkhash|vk_hash/i.test(name)) {
+                this.mutableVerifierStorage.add(name);
+            }
+        }
+    }
+    FunctionDefinition(node) {
+        if (this.isLibraryOrInterface || !node.body || node.isConstructor)
+            return;
+        this.currentFunction = node;
+        const name = node.name || '';
+        this.isBridgeFunction = /finalize|claim|withdraw/i.test(name);
+        this.hasProofParam = (node.parameters || []).some((p) => /proof/i.test(p.name || ''));
+        this.hasVerifierCall = false;
+        this.assignedBooleanVars.clear();
+        this.checkedVars.clear();
+        // Track parameter types so member calls like `verifier.verifyProof(...)`
+        // can be resolved to a specific declared callee for return-shape lookup.
+        this.localVarTypes.clear();
+        for (const p of node.parameters || []) {
+            const t = this.typeNameString(p?.typeName);
+            if (p?.name && t)
+                this.localVarTypes.set(p.name, t);
+        }
+    }
+    FunctionDefinition_post(node) {
+        if (this.isLibraryOrInterface || !node.body || node.isConstructor)
+            return;
+        if (this.isBridgeFunction && this.hasProofParam && !this.hasVerifierCall) {
+            this.findings.push({
+                file: this.currentFile,
+                ruleId: this.id,
+                severity: 'high',
+                pattern: 'Missing verifier call in bridge finalization flow',
+                ...tryLoc(node),
+                contractName: '',
+                functionName: node.name,
+                message: 'Missing verifier call in bridge finalization flow',
+                findingId: '',
+                contractHash: '',
+            });
+        }
+        // Check if any boolean vars from verifiers were assigned but not checked
+        if (this.isBridgeFunction) {
+            for (const [v, locNode] of this.assignedBooleanVars.entries()) {
+                if (!this.checkedVars.has(v)) {
+                    this.findings.push({
+                        file: this.currentFile,
+                        ruleId: this.id,
+                        severity: 'high',
+                        pattern: 'Verifier return value assigned but unchecked',
+                        ...tryLoc(locNode),
+                        contractName: '',
+                        functionName: node.name,
+                        message: 'Verifier return value assigned but unchecked',
+                        findingId: '',
+                        contractHash: '',
+                    });
+                }
+            }
+        }
+        this.currentFunction = null;
+    }
+    BinaryOperation(node) {
+        if (!this.currentFunction)
+            return;
+        if (node.operator === '=') {
+            // Check if setting mutable verifier storage
+            const leftName = this.getIdentifierName(node.left);
+            if (leftName && this.mutableVerifierStorage.has(leftName)) {
+                // Internal/private helpers are not externally reachable; access
+                // control belongs on the public/external wrapper that calls them.
+                // Only externally reachable setter entry points are reported here.
+                const visibility = this.currentFunction.visibility;
+                if (visibility === 'internal' || visibility === 'private') {
+                    return;
+                }
+                if (!this.hasAccessControl(this.currentFunction)) {
+                    this.findings.push({
+                        file: this.currentFile,
+                        ruleId: this.id,
+                        severity: 'high',
+                        pattern: 'Unprotected setter for verifier or verification key',
+                        ...tryLoc(node),
+                        contractName: '',
+                        functionName: this.currentFunction.name,
+                        message: 'Unprotected setter for verifier or verification key',
+                        findingId: '',
+                        contractHash: '',
+                    });
+                    // Remove from set to avoid duplicate findings in same function
+                    this.mutableVerifierStorage.delete(leftName);
+                }
+            }
+        }
+    }
+    VariableDeclarationStatement(node) {
+        if (!this.currentFunction)
+            return;
+        // Record local variable types for receiver resolution.
+        for (const v of node.variables || []) {
+            if (v?.name) {
+                const t = this.typeNameString(v.typeName);
+                if (t)
+                    this.localVarTypes.set(v.name, t);
+            }
+        }
+        if (!this.isBridgeFunction)
+            return;
+        if (node.initialValue && (0, ast_1.isNode)(node.initialValue, 'FunctionCall')) {
+            const callName = this.getCallName(node.initialValue);
+            if (/verify/i.test(callName)) {
+                this.hasVerifierCall = true;
+                // if assigned to a var, track it
+                if (node.variables && node.variables.length > 0) {
+                    const vName = node.variables[0]?.name;
+                    if (vName) {
+                        this.assignedBooleanVars.set(vName, node);
+                    }
+                }
+            }
+        }
+    }
+    ExpressionStatement(node) {
+        if (!this.currentFunction || !this.isBridgeFunction)
+            return;
+        if ((0, ast_1.isNode)(node.expression, 'BinaryOperation') && node.expression.operator === '=') {
+            const assignment = node.expression;
+            if ((0, ast_1.isNode)(assignment.right, 'FunctionCall')) {
+                const callName = this.getCallName(assignment.right);
+                if (/verify/i.test(callName)) {
+                    this.hasVerifierCall = true;
+                    const vName = this.getIdentifierName(assignment.left);
+                    if (vName) {
+                        this.assignedBooleanVars.set(vName, node);
+                    }
+                }
+            }
+        }
+        else if ((0, ast_1.isNode)(node.expression, 'FunctionCall')) {
+            const call = node.expression;
+            const callName = this.getCallName(call);
+            if (/verify/i.test(callName)) {
+                this.hasVerifierCall = true;
+                // Suppress only when the call resolves to a specific declaration
+                // that does not return a bool. Unresolved or imported callees are
+                // treated conservatively as potentially bool-returning.
+                if (!this.resolvesToNonBoolVerifier(call)) {
+                    this.findings.push({
+                        file: this.currentFile,
+                        ruleId: this.id,
+                        severity: 'high',
+                        pattern: 'Verifier return value assigned but unchecked',
+                        ...tryLoc(node),
+                        contractName: '',
+                        functionName: this.currentFunction.name,
+                        message: 'Verifier return value assigned but unchecked',
+                        findingId: '',
+                        contractHash: '',
+                    });
+                }
+            }
+        }
+    }
+    FunctionCall(node) {
+        if (!this.currentFunction)
+            return;
+        const callName = this.getCallName(node);
+        if (/verify/i.test(callName)) {
+            this.hasVerifierCall = true;
+        }
+    }
+    IfStatement(node) {
+        if (!this.currentFunction)
+            return;
+        for (const v of this.assignedBooleanVars.keys()) {
+            const polarity = this.conditionPolarityForVariable(node.condition, v);
+            const failureBranchHalts = (polarity === 'failure' && this.branchHalts(node.trueBody)) ||
+                (polarity === 'success' && this.branchHalts(node.falseBody));
+            if (failureBranchHalts) {
+                this.checkedVars.add(v);
+            }
+        }
+        if (this.isBridgeFunction) {
+            const inlineVerifierPolarity = this.conditionPolarityForVerifierCall(node.condition);
+            if (inlineVerifierPolarity !== 'ambiguous') {
+                this.hasVerifierCall = true;
+                const failureBranchHalts = (inlineVerifierPolarity === 'failure' && this.branchHalts(node.trueBody)) ||
+                    (inlineVerifierPolarity === 'success' && this.branchHalts(node.falseBody));
+                if (!failureBranchHalts) {
+                    this.pushUncheckedVerifierResult(node);
+                }
+            }
+        }
+    }
+    FunctionCall_post(node) {
+        if (!this.currentFunction)
+            return;
+        const callName = this.getCallName(node);
+        if (callName === 'require' || callName === 'assert') {
+            for (const arg of node.arguments || []) {
+                for (const v of this.assignedBooleanVars.keys()) {
+                    if (this.isVariableUsedInExpression(arg, v)) {
+                        this.checkedVars.add(v);
+                    }
+                }
+            }
+        }
+    }
+    hasAccessControl(fnNode) {
+        if ((0, access_control_1.hasRecognisedAccessControlModifier)(fnNode))
+            return true;
+        let protectedByInline = false;
+        const isPrivileged = (n) => /owner|admin|role|auth/i.test(n);
+        for (const stmt of fnNode.body?.statements || []) {
+            if ((0, ast_1.isNode)(stmt, 'ExpressionStatement') && (0, ast_1.isNode)(stmt.expression, 'FunctionCall')) {
+                const callName = this.getCallName(stmt.expression);
+                if (callName === 'require') {
+                    const arg = stmt.expression.arguments?.[0];
+                    if ((0, access_control_1.requireExpressesAccessControl)(arg, isPrivileged)) {
+                        protectedByInline = true;
+                        break;
+                    }
+                }
+            }
+            else if ((0, ast_1.isNode)(stmt, 'IfStatement')) {
+                if ((0, access_control_1.requireExpressesAccessControl)(stmt.condition, isPrivileged)) {
+                    protectedByInline = true;
+                    break;
+                }
+            }
+        }
+        return protectedByInline;
+    }
+    getCallName(node) {
+        if ((0, ast_1.isNode)(node.expression, 'Identifier'))
+            return node.expression.name;
+        if ((0, ast_1.isNode)(node.expression, 'MemberAccess'))
+            return node.expression.memberName;
+        return '';
+    }
+    getIdentifierName(node) {
+        if ((0, ast_1.isNode)(node, 'Identifier'))
+            return node.name;
+        if ((0, ast_1.isNode)(node, 'MemberAccess'))
+            return node.memberName;
+        return '';
+    }
+    isVariableUsedInExpression(expr, varName) {
+        if (!expr)
+            return false;
+        if ((0, ast_1.isNode)(expr, 'Identifier') && expr.name === varName)
+            return true;
+        if ((0, ast_1.isNode)(expr, 'UnaryOperation'))
+            return this.isVariableUsedInExpression(expr.subExpression, varName);
+        if ((0, ast_1.isNode)(expr, 'BinaryOperation')) {
+            return this.isVariableUsedInExpression(expr.left, varName) || this.isVariableUsedInExpression(expr.right, varName);
+        }
+        if ((0, ast_1.isNode)(expr, 'TupleExpression')) {
+            return (expr.components || []).some((c) => this.isVariableUsedInExpression(c, varName));
+        }
+        return false;
+    }
+    conditionPolarityForVariable(expr, varName) {
+        if (!expr)
+            return 'ambiguous';
+        if ((0, ast_1.isNode)(expr, 'Identifier') && expr.name === varName)
+            return 'success';
+        if ((0, ast_1.isNode)(expr, 'UnaryOperation') && expr.operator === '!') {
+            const inner = this.conditionPolarityForVariable(expr.subExpression, varName);
+            if (inner === 'success')
+                return 'failure';
+            if (inner === 'failure')
+                return 'success';
+            return 'ambiguous';
+        }
+        if ((0, ast_1.isNode)(expr, 'BinaryOperation')) {
+            const leftVar = (0, ast_1.isNode)(expr.left, 'Identifier') && expr.left.name === varName;
+            const rightVar = (0, ast_1.isNode)(expr.right, 'Identifier') && expr.right.name === varName;
+            const leftBool = this.booleanLiteralValue(expr.left);
+            const rightBool = this.booleanLiteralValue(expr.right);
+            if (leftVar && rightBool !== null)
+                return this.booleanComparisonPolarity(expr.operator, rightBool);
+            if (rightVar && leftBool !== null)
+                return this.booleanComparisonPolarity(expr.operator, leftBool);
+        }
+        return 'ambiguous';
+    }
+    booleanComparisonPolarity(operator, value) {
+        if (operator === '==')
+            return value ? 'success' : 'failure';
+        if (operator === '!=')
+            return value ? 'failure' : 'success';
+        return 'ambiguous';
+    }
+    booleanLiteralValue(expr) {
+        if (!(0, ast_1.isNode)(expr, 'BooleanLiteral'))
+            return null;
+        return expr.value === true;
+    }
+    conditionPolarityForVerifierCall(expr) {
+        if (!expr)
+            return 'ambiguous';
+        if ((0, ast_1.isNode)(expr, 'FunctionCall') && this.isVerifierCall(expr))
+            return 'success';
+        if ((0, ast_1.isNode)(expr, 'UnaryOperation') && expr.operator === '!') {
+            const inner = this.conditionPolarityForVerifierCall(expr.subExpression);
+            if (inner === 'success')
+                return 'failure';
+            if (inner === 'failure')
+                return 'success';
+            return 'ambiguous';
+        }
+        if ((0, ast_1.isNode)(expr, 'BinaryOperation')) {
+            const leftPolarity = this.conditionPolarityForVerifierCall(expr.left);
+            const rightPolarity = this.conditionPolarityForVerifierCall(expr.right);
+            const leftBool = this.booleanLiteralValue(expr.left);
+            const rightBool = this.booleanLiteralValue(expr.right);
+            if (leftPolarity !== 'ambiguous' && rightBool !== null) {
+                return this.applyBooleanComparisonToPolarity(leftPolarity, expr.operator, rightBool);
+            }
+            if (rightPolarity !== 'ambiguous' && leftBool !== null) {
+                return this.applyBooleanComparisonToPolarity(rightPolarity, expr.operator, leftBool);
+            }
+        }
+        return 'ambiguous';
+    }
+    applyBooleanComparisonToPolarity(polarity, operator, value) {
+        const comparisonPolarity = this.booleanComparisonPolarity(operator, value);
+        if (comparisonPolarity === 'ambiguous')
+            return 'ambiguous';
+        if (polarity === 'success')
+            return comparisonPolarity;
+        return comparisonPolarity === 'success' ? 'failure' : 'success';
+    }
+    isVerifierCall(call) {
+        return /verify/i.test(this.getCallName(call));
+    }
+    returnsBool(fn) {
+        const rp = fn?.returnParameters;
+        if (!rp || rp.length === 0)
+            return false;
+        return rp[0]?.typeName?.name === 'bool';
+    }
+    typeNameString(typeName) {
+        if (!typeName)
+            return '';
+        if ((0, ast_1.isNode)(typeName, 'UserDefinedTypeName'))
+            return typeName.namePath || '';
+        if ((0, ast_1.isNode)(typeName, 'ElementaryTypeName'))
+            return typeName.name || '';
+        return '';
+    }
+    resolveVarType(name) {
+        return this.localVarTypes.get(name) || this.stateVarTypes.get(name) || '';
+    }
+    // Build a `<owner>.<method>#<arity>` key for a call site, resolving the
+    // receiver type for member calls. Returns null when the callee cannot be
+    // resolved to a specific declaration.
+    resolveCalleeKey(call) {
+        const callee = call?.expression;
+        const arity = (call?.arguments || []).length;
+        if ((0, ast_1.isNode)(callee, 'MemberAccess')) {
+            const recv = callee.expression;
+            if ((0, ast_1.isNode)(recv, 'Identifier')) {
+                const ownerType = recv.name === 'this' ? this.currentContractName : this.resolveVarType(recv.name);
+                if (ownerType)
+                    return `${ownerType}.${callee.memberName}#${arity}`;
+            }
+            return null;
+        }
+        if ((0, ast_1.isNode)(callee, 'Identifier')) {
+            if (!this.currentContractName)
+                return null;
+            return `${this.currentContractName}.${callee.name}#${arity}`;
+        }
+        return null;
+    }
+    // True only when the call site resolves to a specific declaration that
+    // does not return a bool. Unresolved/imported callees return false so
+    // their ignored verifier results are still reported.
+    resolvesToNonBoolVerifier(call) {
+        const key = this.resolveCalleeKey(call);
+        if (!key)
+            return false;
+        const shape = this.functionReturnShapes.get(key);
+        if (shape === undefined)
+            return false;
+        return shape === false;
+    }
+    pushUncheckedVerifierResult(node) {
+        this.findings.push({
+            file: this.currentFile,
+            ruleId: this.id,
+            severity: 'high',
+            pattern: 'Verifier return value assigned but unchecked',
+            ...tryLoc(node),
+            contractName: '',
+            functionName: this.currentFunction.name,
+            message: 'Verifier return value assigned but unchecked',
+            findingId: '',
+            contractHash: '',
+        });
+    }
+    branchHalts(body) {
+        if (!body || typeof body !== 'object')
+            return false;
+        if ((0, ast_1.isNode)(body, 'Block')) {
+            return (body.statements || []).some((stmt) => this.statementHalts(stmt));
+        }
+        return this.statementHalts(body);
+    }
+    statementHalts(stmt) {
+        if (!stmt || typeof stmt !== 'object')
+            return false;
+        if ((0, ast_1.isNode)(stmt, 'ThrowStatement') || (0, ast_1.isNode)(stmt, 'RevertStatement'))
+            return true;
+        if ((0, ast_1.isNode)(stmt, 'ExpressionStatement') && (0, ast_1.isNode)(stmt.expression, 'FunctionCall')) {
+            return this.isHaltingCall(stmt.expression);
+        }
+        if ((0, ast_1.isNode)(stmt, 'Block'))
+            return this.branchHalts(stmt);
+        if ((0, ast_1.isNode)(stmt, 'IfStatement')) {
+            return this.branchHalts(stmt.trueBody) && !!stmt.falseBody && this.branchHalts(stmt.falseBody);
+        }
+        return false;
+    }
+    isHaltingCall(call) {
+        const callName = this.getCallName(call);
+        if (callName === 'revert')
+            return true;
+        if (callName !== 'require')
+            return false;
+        const firstArg = call.arguments?.[0];
+        return this.booleanLiteralValue(firstArg) === false;
+    }
+}
+exports.MissingZkProofVerificationDetector = MissingZkProofVerificationDetector;
+MissingZkProofVerificationDetector.prototype['FunctionDefinition:exit'] = MissingZkProofVerificationDetector.prototype.FunctionDefinition_post;
+MissingZkProofVerificationDetector.prototype['ContractDefinition:exit'] = MissingZkProofVerificationDetector.prototype.ContractDefinition_post;
+//# sourceMappingURL=missing-zk-proof-verification.js.map

package/dist/detectors/my-experience-with-yearn-finance.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class MyExperienceWithYearnFinanceDetector {
+    readonly id = "my-experience-with-yearn-finance";
+    readonly patternKey = "my-experience-with-yearn-finance";
+    readonly supportedAstKinds: "parser"[];
+    scanAst(ast: any, file: string, sourceText?: string): ScanResult[];
+}