@snovon/solast 0.2.0

package/dist/detectors/network-bridge.js

@@ -0,0 +1,444 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NetworkBridgeDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'network-bridge';
+const PATTERN = `${RULE_ID}/weak-release-authorization`;
+const SOURCE = 'x-20220329-ronin-network-bridge';
+const BRIDGE_CONTRACT_RE = /(bridge|gateway|ronin)/i;
+const EXPLICIT_BRIDGE_RELEASE_FN_RE = /(withdraw.*(erc|token|native)|executeWithdrawal|finalizeWithdrawal|processWithdrawal)/i;
+const ACCESS_MODIFIER_NAME_RE = /(owner|admin|operator|role|auth|permission|signer|validator|guardian|governance|manager|caller|controller|multisig)/i;
+const REENTRANCY_MODIFIER_RE = /(nonReentrant|reentrancyGuard)/i;
+const REPLAY_NAME_RE = /(processed|executed|used|claimed|consumed|receipt|replay)/i;
+const SIGNATURE_NAME_RE = /(sig|signature|validator|approv)/i;
+const THRESHOLD_NAME_RE = /(threshold|required|min|quorum|approv)/i;
+const ASSIGN_OPS = new Set(['=', '+=', '-=', '*=', '/=', '%=', '&=', '|=', '^=', '<<=', '>>=', '>>>=']);
+class NetworkBridgeDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    scanAst(ast, file) {
+        if (!ast || ast.type !== 'SourceUnit')
+            return [];
+        const findings = [];
+        for (const contract of ast.children || []) {
+            if (contract?.type !== 'ContractDefinition')
+                continue;
+            if (contract.kind === 'interface' || contract.kind === 'library')
+                continue;
+            const contractName = contract.name || '<anonymous>';
+            const stateVars = collectStateVariables(contract);
+            const modifierGuards = collectModifierGuards(contract, stateVars);
+            for (const fn of contract.subNodes || []) {
+                if (fn?.type !== 'FunctionDefinition')
+                    continue;
+                if (!fn.body || fn.isConstructor || fn.kind === 'constructor')
+                    continue;
+                if (!isExternallyReachable(fn))
+                    continue;
+                if (!isBridgeReleaseContext(contractName, fn))
+                    continue;
+                const fnName = fn.name || '<anonymous>';
+                const state = {
+                    sawSink: false,
+                    sinkLoc: null,
+                    replayBeforeSink: false,
+                    replayAfterSink: false,
+                    accessBeforeSink: hasAccessModifier(fn),
+                    thresholdBeforeSink: false,
+                    validatorBeforeSink: false,
+                    uniquenessBeforeSink: false,
+                };
+                if (hasReentrancyModifier(fn)) {
+                    state.accessBeforeSink = state.accessBeforeSink || false;
+                }
+                walkSourceOrder(fn.body, node => {
+                    if (state.sawSink) {
+                        if (isReplayWrite(node, stateVars))
+                            state.replayAfterSink = true;
+                        return;
+                    }
+                    if (node?.type === 'ModifierInvocation')
+                        return;
+                    if (node?.type === 'FunctionCall') {
+                        if (isRequireLike(node)) {
+                            const condition = getCallArguments(node)[0];
+                            if (condition) {
+                                if (isAccessCheck(condition, stateVars))
+                                    state.accessBeforeSink = true;
+                                if (isReplayCheck(condition, stateVars))
+                                    state.replayBeforeSink = true;
+                                if (isThresholdCheck(condition))
+                                    state.thresholdBeforeSink = true;
+                                if (isValidatorCheck(condition, stateVars))
+                                    state.validatorBeforeSink = true;
+                                if (isUniquenessCheck(condition))
+                                    state.uniquenessBeforeSink = true;
+                            }
+                        }
+                        if (isAssetSink(node)) {
+                            state.sawSink = true;
+                            state.sinkLoc = locOf(node);
+                            return;
+                        }
+                    }
+                    if (isReplayWrite(node, stateVars))
+                        state.replayBeforeSink = true;
+                    if (isValidatorCheck(node, stateVars))
+                        state.validatorBeforeSink = true;
+                    if (isUniquenessCheck(node))
+                        state.uniquenessBeforeSink = true;
+                    if (node?.type === 'FunctionCall') {
+                        const callee = unwrapCallOptions(node.expression);
+                        if (callee?.type === 'Identifier') {
+                            const guard = modifierGuards.get(String(callee.name || ''));
+                            if (guard?.access)
+                                state.accessBeforeSink = true;
+                            if (guard?.replay)
+                                state.replayBeforeSink = true;
+                            if (guard?.threshold)
+                                state.thresholdBeforeSink = true;
+                            if (guard?.validator)
+                                state.validatorBeforeSink = true;
+                            if (guard?.unique)
+                                state.uniquenessBeforeSink = true;
+                        }
+                    }
+                });
+                if (!state.sawSink || !state.sinkLoc)
+                    continue;
+                const hasAdequateThreshold = state.thresholdBeforeSink && state.validatorBeforeSink && state.uniquenessBeforeSink && state.replayBeforeSink;
+                const hasAdequateAccess = state.accessBeforeSink && state.replayBeforeSink;
+                if ((hasAdequateAccess || hasAdequateThreshold) && !state.replayAfterSink)
+                    continue;
+                findings.push({
+                    file,
+                    contract: contractName,
+                    'function': fnName,
+                    line: state.sinkLoc.line,
+                    endLine: state.sinkLoc.line,
+                    column: state.sinkLoc.column,
+                    pattern: PATTERN,
+                    confidence: 'high',
+                    ruleId: RULE_ID,
+                    severity: 'critical',
+                    message: `Bridge release path '${contractName}.${fnName}' moves or mints assets before a complete authorization, threshold, and replay-protection pattern is visible.`,
+                    rationale: 'Ronin-like bridge release paths must authenticate the caller or validator quorum, prevent signer duplication, and mark receipts before releasing assets. This rule models the on-chain authorization weakness, not private-key compromise.',
+                    suggestedFix: 'Gate releases with a role or a validator threshold that verifies signer membership and uniqueness, require an unprocessed receipt, and mark the receipt before transfer, mint, or native-value send.',
+                    contractName,
+                    functionName: fnName,
+                    sourceLocation: { line: state.sinkLoc.line, column: state.sinkLoc.column },
+                    findingId: '',
+                    contractHash: '',
+                    source: SOURCE,
+                    provenance: SOURCE,
+                });
+            }
+        }
+        return findings;
+    }
+}
+exports.NetworkBridgeDetector = NetworkBridgeDetector;
+function isExternallyReachable(fn) {
+    const visibility = String(fn.visibility || '').toLowerCase();
+    return visibility === 'external' || visibility === 'public' || visibility === '';
+}
+function isBridgeReleaseContext(contractName, fn) {
+    const fnName = String(fn.name || '');
+    if (BRIDGE_CONTRACT_RE.test(contractName) && /(withdraw|release|execute|finalize|process|unlock|redeem)/i.test(fnName)) {
+        return true;
+    }
+    if (EXPLICIT_BRIDGE_RELEASE_FN_RE.test(fnName))
+        return true;
+    const params = getParameters(fn).map(p => String(p?.name || ''));
+    const hasReceipt = params.some(name => /receipt|withdrawal|message|nonce|hash/i.test(name));
+    const hasSignatures = params.some(name => SIGNATURE_NAME_RE.test(name));
+    return hasReceipt && hasSignatures;
+}
+function collectStateVariables(contract) {
+    const out = new Set();
+    for (const sub of contract.subNodes || []) {
+        if (sub?.type !== 'StateVariableDeclaration')
+            continue;
+        for (const variable of sub.variables || []) {
+            if (variable?.name)
+                out.add(String(variable.name));
+        }
+    }
+    return out;
+}
+function collectModifierGuards(contract, stateVars) {
+    const out = new Map();
+    for (const sub of contract.subNodes || []) {
+        if (sub?.type !== 'ModifierDefinition' || !sub.name || !sub.body)
+            continue;
+        const guard = { access: isAccessModifierName(sub.name), replay: false, threshold: false, validator: false, unique: false };
+        walkSourceOrder(sub.body, node => {
+            if (node?.type !== 'FunctionCall' || !isRequireLike(node))
+                return;
+            const condition = getCallArguments(node)[0];
+            guard.access = guard.access || isAccessCheck(condition, stateVars);
+            guard.replay = guard.replay || isReplayCheck(condition, stateVars);
+            guard.threshold = guard.threshold || isThresholdCheck(condition);
+            guard.validator = guard.validator || isValidatorCheck(condition, stateVars);
+            guard.unique = guard.unique || isUniquenessCheck(condition);
+        });
+        out.set(sub.name, guard);
+    }
+    return out;
+}
+function hasAccessModifier(fn) {
+    return (fn.modifiers || []).some((modifier) => {
+        const name = modifierName(modifier);
+        return isAccessModifierName(name) && !REENTRANCY_MODIFIER_RE.test(name);
+    });
+}
+function isAccessModifierName(name) {
+    return ACCESS_MODIFIER_NAME_RE.test(name);
+}
+function hasReentrancyModifier(fn) {
+    return (fn.modifiers || []).some((modifier) => REENTRANCY_MODIFIER_RE.test(modifierName(modifier)));
+}
+function modifierName(modifier) {
+    if (!modifier)
+        return '';
+    if (typeof modifier === 'string')
+        return modifier;
+    if (modifier.name)
+        return modifierName(modifier.name);
+    if (modifier.type === 'Identifier')
+        return String(modifier.name || '');
+    return '';
+}
+function isRequireLike(call) {
+    const expr = unwrapCallOptions(call?.expression);
+    return expr?.type === 'Identifier' && /^(require|assert)$/.test(String(expr.name || ''));
+}
+function isAssetSink(call) {
+    const expr = unwrapCallOptions(call?.expression);
+    if (!expr)
+        return false;
+    if (expr.type === 'MemberAccess') {
+        const member = String(expr.memberName || '');
+        if (/^(transfer|safeTransfer|mint|safeMint)$/.test(member))
+            return true;
+        if (/^(call|send)$/.test(member) && callHasValueOption(call))
+            return true;
+    }
+    return false;
+}
+function callHasValueOption(call) {
+    let expr = call?.expression;
+    while (expr) {
+        if (expr.type === 'NameValueExpression') {
+            const names = expr.names || [];
+            if (names.some((name) => String(name?.name || name || '').toLowerCase() === 'value'))
+                return true;
+            const argNames = expr.arguments?.names || [];
+            if (argNames.some((name) => String(name?.name || name || '').toLowerCase() === 'value'))
+                return true;
+        }
+        if (expr.type === 'FunctionCallOptions') {
+            const names = expr.names || [];
+            if (names.some((name) => String(name?.name || name || '').toLowerCase() === 'value'))
+                return true;
+        }
+        expr = expr.expression;
+    }
+    return false;
+}
+function isAccessCheck(node, stateVars) {
+    if (!node)
+        return false;
+    if (node.type === 'BinaryOperation') {
+        const op = String(node.operator || '');
+        const left = node.left;
+        const right = node.right;
+        if ((op === '==' || op === '!=') && containsMsgSender(node) && (containsStateVariable(left, stateVars) || containsStateVariable(right, stateVars) || containsRoleCall(node))) {
+            return true;
+        }
+    }
+    if (node.type === 'FunctionCall') {
+        const calleeName = calleeMemberName(node);
+        if (/^(hasRole|isOperator|isValidator|isSigner|isAuthorized)$/.test(calleeName) && containsMsgSender(node))
+            return true;
+    }
+    return walkAnyChild(node, child => child !== node && isAccessCheck(child, stateVars));
+}
+function isReplayCheck(node, stateVars) {
+    if (!node)
+        return false;
+    if (node.type === 'IndexAccess' && isReplayBase(node.base, stateVars))
+        return true;
+    if (node.type === 'UnaryOperation' && String(node.operator || '') === '!' && isReplayCheck(node.subExpression, stateVars))
+        return true;
+    if (node.type === 'BinaryOperation' && (isReplayCheck(node.left, stateVars) || isReplayCheck(node.right, stateVars)))
+        return true;
+    return false;
+}
+function isReplayWrite(node, stateVars) {
+    if (!node)
+        return false;
+    if (node.type === 'BinaryOperation' && ASSIGN_OPS.has(String(node.operator || ''))) {
+        return isReplayReference(node.left, stateVars);
+    }
+    if (node.type === 'UnaryOperation' && /^(delete|\+\+|--)$/.test(String(node.operator || ''))) {
+        return isReplayReference(node.subExpression, stateVars);
+    }
+    return false;
+}
+function isReplayReference(node, stateVars) {
+    if (!node)
+        return false;
+    if (node.type === 'Identifier')
+        return isReplayBase(node, stateVars);
+    if (node.type === 'IndexAccess')
+        return isReplayReference(node.base, stateVars);
+    if (node.type === 'MemberAccess')
+        return isReplayReference(node.expression, stateVars);
+    return false;
+}
+function isReplayBase(node, stateVars) {
+    return node?.type === 'Identifier' && stateVars.has(String(node.name || '')) && REPLAY_NAME_RE.test(String(node.name || ''));
+}
+function isThresholdCheck(node) {
+    if (!node)
+        return false;
+    if (node.type === 'BinaryOperation') {
+        const op = String(node.operator || '');
+        if (/^(>=|>|==)$/.test(op) && (containsThresholdTerm(node.left) || containsThresholdTerm(node.right)))
+            return true;
+    }
+    return walkAnyChild(node, child => child !== node && isThresholdCheck(child));
+}
+function containsThresholdTerm(node) {
+    if (!node)
+        return false;
+    if (node.type === 'Identifier')
+        return THRESHOLD_NAME_RE.test(String(node.name || ''));
+    if (node.type === 'MemberAccess')
+        return String(node.memberName || '').toLowerCase() === 'length' || containsThresholdTerm(node.expression);
+    return walkAnyChild(node, child => child !== node && containsThresholdTerm(child));
+}
+function isValidatorCheck(node, stateVars) {
+    if (!node)
+        return false;
+    if (node.type === 'IndexAccess') {
+        const base = rootIdentifierName(node.base);
+        if (base && /validator|signer|committee|operator/i.test(base))
+            return true;
+        if (base && stateVars.has(base) && /validator|signer|committee|operator/i.test(base))
+            return true;
+    }
+    if (node.type === 'FunctionCall' && /^(isValidator|isSigner|hasRole)$/.test(calleeMemberName(node)))
+        return true;
+    return walkAnyChild(node, child => child !== node && isValidatorCheck(child, stateVars));
+}
+function isUniquenessCheck(node) {
+    if (!node)
+        return false;
+    if (node.type === 'BinaryOperation') {
+        const op = String(node.operator || '');
+        if (/^(>|<|!=)$/.test(op) && (containsSignerTerm(node.left) || containsSignerTerm(node.right)))
+            return true;
+    }
+    if (node.type === 'UnaryOperation' && String(node.operator || '') === '!' && isSeenMapping(node.subExpression))
+        return true;
+    if (isSeenMapping(node))
+        return true;
+    return walkAnyChild(node, child => child !== node && isUniquenessCheck(child));
+}
+function isSeenMapping(node) {
+    return node?.type === 'IndexAccess' && /seen|used|counted|signed|duplicate/i.test(rootIdentifierName(node.base));
+}
+function containsSignerTerm(node) {
+    if (!node)
+        return false;
+    if (node.type === 'Identifier')
+        return /signer|last|previous|seen/i.test(String(node.name || ''));
+    return walkAnyChild(node, child => child !== node && containsSignerTerm(child));
+}
+function containsMsgSender(node) {
+    return walkAny(node, child => child?.type === 'MemberAccess' &&
+        String(child.memberName || '') === 'sender' &&
+        child.expression?.type === 'Identifier' &&
+        String(child.expression.name || '') === 'msg');
+}
+function containsRoleCall(node) {
+    return walkAny(node, child => child?.type === 'FunctionCall' && /^(hasRole|isOperator|isValidator|isSigner|isAuthorized)$/.test(calleeMemberName(child)));
+}
+function containsStateVariable(node, stateVars) {
+    return walkAny(node, child => child?.type === 'Identifier' && stateVars.has(String(child.name || '')));
+}
+function calleeMemberName(call) {
+    const expr = unwrapCallOptions(call?.expression);
+    if (expr?.type === 'MemberAccess')
+        return String(expr.memberName || '');
+    if (expr?.type === 'Identifier')
+        return String(expr.name || '');
+    return '';
+}
+function rootIdentifierName(node) {
+    let cur = node;
+    while (cur && (cur.type === 'MemberAccess' || cur.type === 'IndexAccess')) {
+        cur = cur.type === 'MemberAccess' ? cur.expression : cur.base;
+    }
+    return cur?.type === 'Identifier' ? String(cur.name || '') : '';
+}
+function getParameters(fn) {
+    return Array.isArray(fn.parameters) ? fn.parameters : [];
+}
+function getCallArguments(call) {
+    return Array.isArray(call?.arguments) ? call.arguments : [];
+}
+function unwrapCallOptions(expr) {
+    let cur = expr;
+    while (cur && (cur.type === 'NameValueExpression' || cur.type === 'FunctionCallOptions')) {
+        cur = cur.expression;
+    }
+    return cur;
+}
+function locOf(node) {
+    const { line, column } = (0, ast_1.assertLoc)(node);
+    return { line, column };
+}
+function walkSourceOrder(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const child of childrenOf(node))
+        walkSourceOrder(child, visit);
+}
+function walkAny(node, predicate) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (predicate(node))
+        return true;
+    return walkAnyChild(node, predicate);
+}
+function walkAnyChild(node, predicate) {
+    for (const child of childrenOf(node)) {
+        if (walkAny(child, predicate))
+            return true;
+    }
+    return false;
+}
+function childrenOf(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const out = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'range' || key === 'src')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value)
+                if (item && typeof item === 'object')
+                    out.push(item);
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+//# sourceMappingURL=network-bridge.js.map

package/dist/detectors/network-underflow.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class NetworkUnderflowDetector {
+    readonly id = "network-underflow";
+    readonly patternKey = "network-underflow";
+    readonly supportedAstKinds: "parser"[];
+    scanAst(ast: any, file: string, _sourceText?: string): ScanResult[];
+}