@snovon/solast 0.2.0

package/dist/detectors/network-underflow.js

@@ -0,0 +1,517 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NetworkUnderflowDetector = void 0;
+const index_1 = require("../index");
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'network-underflow';
+const ASSIGNMENT_OPS = new Set(['=', '-=']);
+const BOOKKEEPING_NAME_RE = /(balance|account|credit|deposit|pool|network)/i;
+class NetworkUnderflowDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    // Parser AST only (roadmap 2.D.3 / review E.2). The original
+    // implementation accepted solc-compact-AST and re-parsed the
+    // source text — violating the inner-loop "no parser.parse in
+    // detectors" rule and adding a per-file reparse cost. Declaring
+    // parser-only lets the registry skip dispatching this detector
+    // on solc input, which is consistent with this detector's
+    // parser-AST scope (solc-AST findings are out of scope). Extending
+    // `solc-walker.ts` to expose the AST shapes this detector walks
+    // is the other option (roadmap option 2) and is bigger than this
+    // slice.
+    supportedAstKinds = ['parser'];
+    scanAst(ast, file, _sourceText) {
+        if (!ast || typeof ast !== 'object')
+            return [];
+        if (Object.keys(ast).length === 0)
+            return [];
+        if (ast.type !== 'SourceUnit')
+            return [];
+        const parserAst = ast;
+        const isPre08 = sourceUnitAllowsPre08(parserAst);
+        const findings = [];
+        for (const child of parserAst.children || []) {
+            if (!isNode(child, 'ContractDefinition'))
+                continue;
+            if (child.kind === 'interface' || child.kind === 'library')
+                continue;
+            const tracked = collectTrackedState(child);
+            if (tracked.size === 0)
+                continue;
+            const contractName = String(child.name || '<anonymous>');
+            for (const sub of child.subNodes || []) {
+                if (!isNode(sub, 'FunctionDefinition'))
+                    continue;
+                if (!sub.body)
+                    continue;
+                const finding = analyzeFunction(file, contractName, sub, tracked, isPre08);
+                if (finding)
+                    findings.push(finding);
+            }
+        }
+        return findings;
+    }
+}
+exports.NetworkUnderflowDetector = NetworkUnderflowDetector;
+function analyzeFunction(file, contractName, fn, tracked, isPre08) {
+    const fnName = String(fn.name || (fn.isConstructor ? '<constructor>' : '<anonymous>'));
+    const aliases = new Map();
+    const guards = [];
+    let firstSite = null;
+    function walk(node, uncheckedDepth) {
+        if (firstSite || !node || typeof node !== 'object')
+            return;
+        if (isNode(node, 'UncheckedStatement')) {
+            walk(node.block, uncheckedDepth + 1);
+            return;
+        }
+        rememberSlotAlias(node, tracked, aliases);
+        if (isNode(node, 'FunctionCall') && isRequireOrAssert(node)) {
+            for (const guard of extractRequireGuards(node.arguments?.[0], tracked, aliases)) {
+                guards.push(guard);
+            }
+        }
+        if (isNode(node, 'IfStatement')) {
+            const guard = extractRevertingIfGuard(node, tracked, aliases);
+            if (guard)
+                guards.push(guard);
+        }
+        const vulnerableContext = isPre08 || uncheckedDepth > 0;
+        if (vulnerableContext) {
+            const site = debitSite(node, tracked, aliases);
+            if (site && !guards.some(guard => guardProtectsDebit(guard, site))) {
+                firstSite = site.loc;
+                return;
+            }
+        }
+        if (isNode(node, 'IfStatement')) {
+            if (node.condition)
+                walk(node.condition, uncheckedDepth);
+            if (firstSite)
+                return;
+            {
+                const saved = guards.length;
+                if (node.trueBody)
+                    walk(node.trueBody, uncheckedDepth);
+                guards.length = saved;
+            }
+            if (firstSite)
+                return;
+            if (node.falseBody) {
+                const saved = guards.length;
+                walk(node.falseBody, uncheckedDepth);
+                guards.length = saved;
+            }
+            return;
+        }
+        if (isNode(node, 'ForStatement')) {
+            if (node.initExpression)
+                walk(node.initExpression, uncheckedDepth);
+            if (firstSite)
+                return;
+            if (node.conditionExpression)
+                walk(node.conditionExpression, uncheckedDepth);
+            if (firstSite)
+                return;
+            {
+                const saved = guards.length;
+                if (node.body)
+                    walk(node.body, uncheckedDepth);
+                guards.length = saved;
+            }
+            if (firstSite)
+                return;
+            if (node.loopExpression)
+                walk(node.loopExpression, uncheckedDepth);
+            return;
+        }
+        if (isNode(node, 'WhileStatement')) {
+            if (node.condition)
+                walk(node.condition, uncheckedDepth);
+            if (firstSite)
+                return;
+            {
+                const saved = guards.length;
+                if (node.body)
+                    walk(node.body, uncheckedDepth);
+                guards.length = saved;
+            }
+            return;
+        }
+        if (isNode(node, 'DoWhileStatement')) {
+            {
+                const saved = guards.length;
+                if (node.body)
+                    walk(node.body, uncheckedDepth);
+                guards.length = saved;
+            }
+            if (firstSite)
+                return;
+            if (node.condition)
+                walk(node.condition, uncheckedDepth);
+            return;
+        }
+        for (const child of children(node)) {
+            walk(child, uncheckedDepth);
+            if (firstSite)
+                return;
+        }
+    }
+    walk(fn.body, 0);
+    return firstSite ? makeFinding(file, contractName, fnName, firstSite) : null;
+}
+function debitSite(node, tracked, aliases) {
+    if (isNode(node, 'UnaryOperation') && String(node.operator || '') === '--') {
+        const slotKey = slotKeyForExpression(node.subExpression, tracked, aliases);
+        return slotKey ? { loc: locOf(node), slotKey, valueKey: '1' } : null;
+    }
+    if (!isAssignmentNode(node))
+        return null;
+    const op = operatorOf(node);
+    const left = assignmentLeft(node);
+    const right = assignmentRight(node);
+    const slotKey = slotKeyForExpression(left, tracked, aliases);
+    if (!slotKey)
+        return null;
+    if (op === '-=') {
+        return { loc: locOf(node), slotKey, valueKey: canonicalExpressionKey(right) };
+    }
+    if (op !== '=')
+        return null;
+    const subtraction = findSubtraction(right);
+    if (!subtraction)
+        return null;
+    if (slotKeyForExpression(subtraction.left, tracked, aliases) !== slotKey)
+        return null;
+    return { loc: locOf(node), slotKey, valueKey: canonicalExpressionKey(subtraction.right) };
+}
+function rememberSlotAlias(node, tracked, aliases) {
+    if (isNode(node, 'VariableDeclarationStatement')) {
+        const name = variableDeclarationName(node);
+        if (!name)
+            return;
+        const slotKey = slotKeyForExpression(node.initialValue, tracked, aliases);
+        if (slotKey)
+            aliases.set(name, slotKey);
+        else
+            aliases.delete(name);
+        return;
+    }
+    if (!isAssignmentNode(node) || operatorOf(node) !== '=')
+        return;
+    const left = assignmentLeft(node);
+    if (!isNode(left, 'Identifier'))
+        return;
+    const name = String(left.name || '');
+    const slotKey = slotKeyForExpression(assignmentRight(node), tracked, aliases);
+    if (slotKey)
+        aliases.set(name, slotKey);
+    else
+        aliases.delete(name);
+}
+function extractRequireGuards(condition, tracked, aliases) {
+    const out = [];
+    const seen = new Set();
+    for (const pair of collectGuaranteedLowerBounds(condition)) {
+        const guard = guardFor(pair.slotExpr, pair.valueExpr, tracked, aliases);
+        if (!guard)
+            continue;
+        const key = `${guard.slotKey}|${guard.valueKey}`;
+        if (seen.has(key))
+            continue;
+        seen.add(key);
+        out.push(guard);
+    }
+    return out;
+}
+function extractRevertingIfGuard(node, tracked, aliases) {
+    if (!statementAlwaysReverts(node.trueBody))
+        return null;
+    const inverted = invertLowerBoundFailure(node.condition);
+    if (!inverted)
+        return null;
+    return guardFor(inverted.slotExpr, inverted.valueExpr, tracked, aliases);
+}
+function guardFor(slotExpr, valueExpr, tracked, aliases) {
+    const slotKey = slotKeyForExpression(slotExpr, tracked, aliases);
+    if (!slotKey)
+        return null;
+    const valueKey = canonicalExpressionKey(valueExpr);
+    return valueKey ? { slotKey, valueKey } : null;
+}
+function guardProtectsDebit(guard, site) {
+    return !!guard.slotKey &&
+        guard.slotKey === site.slotKey &&
+        !!guard.valueKey &&
+        guard.valueKey === site.valueKey;
+}
+function collectGuaranteedLowerBounds(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    if (isNode(node, 'TupleExpression')) {
+        const components = Array.isArray(node.components) ? node.components : [];
+        if (components.length === 1)
+            return collectGuaranteedLowerBounds(components[0]);
+        return [];
+    }
+    if (isNode(node, 'BinaryOperation')) {
+        const op = String(node.operator || '');
+        if (op === '&&') {
+            return [...collectGuaranteedLowerBounds(node.left), ...collectGuaranteedLowerBounds(node.right)];
+        }
+        if (op === '||') {
+            const left = collectGuaranteedLowerBounds(node.left);
+            if (left.length === 0)
+                return [];
+            const right = collectGuaranteedLowerBounds(node.right);
+            if (right.length === 0)
+                return [];
+            return intersectLowerBoundPairs(left, right);
+        }
+        if (op === '>=' || op === '>')
+            return [{ slotExpr: node.left, valueExpr: node.right }];
+        if (op === '<=' || op === '<')
+            return [{ slotExpr: node.right, valueExpr: node.left }];
+        return [];
+    }
+    return [];
+}
+function intersectLowerBoundPairs(a, b) {
+    const keysA = new Set();
+    for (const pair of a) {
+        const key = lowerBoundPairKey(pair);
+        if (key)
+            keysA.add(key);
+    }
+    if (keysA.size === 0)
+        return [];
+    const out = [];
+    const seen = new Set();
+    for (const pair of b) {
+        const key = lowerBoundPairKey(pair);
+        if (!key || !keysA.has(key) || seen.has(key))
+            continue;
+        seen.add(key);
+        out.push(pair);
+    }
+    return out;
+}
+function lowerBoundPairKey(pair) {
+    const slot = canonicalExpressionKey(pair.slotExpr);
+    const value = canonicalExpressionKey(pair.valueExpr);
+    return slot && value ? `${slot}|${value}` : null;
+}
+function invertLowerBoundFailure(node) {
+    if (!isNode(node, 'BinaryOperation'))
+        return null;
+    const op = String(node.operator || '');
+    if (op === '<' || op === '<=')
+        return { slotExpr: node.left, valueExpr: node.right };
+    if (op === '>' || op === '>=')
+        return { slotExpr: node.right, valueExpr: node.left };
+    return null;
+}
+function statementAlwaysReverts(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (isNode(node, 'ThrowStatement') || isNode(node, 'RevertStatement'))
+        return true;
+    if (isNode(node, 'FunctionCall'))
+        return isRevertCall(node);
+    if (isNode(node, 'ExpressionStatement'))
+        return statementAlwaysReverts(node.expression);
+    const statements = Array.isArray(node.statements) ? node.statements : Array.isArray(node.body) ? node.body : null;
+    return Array.isArray(statements) && statements.some(statementAlwaysReverts);
+}
+function isRevertCall(call) {
+    const callee = call.expression;
+    if (isNode(callee, 'Identifier') && String(callee.name || '') === 'revert')
+        return true;
+    if (isNode(callee, 'MemberAccess') && String(callee.memberName || '') === 'revert')
+        return true;
+    return false;
+}
+function isAssignmentNode(node) {
+    return (isNode(node, 'BinaryOperation') || isNode(node, 'Assignment')) && ASSIGNMENT_OPS.has(operatorOf(node));
+}
+function operatorOf(node) {
+    return String(node?.operator || '');
+}
+function assignmentLeft(node) {
+    return node?.left || node?.leftHandSide || node?.leftExpression;
+}
+function assignmentRight(node) {
+    return node?.right || node?.rightHandSide || node?.rightExpression;
+}
+function findSubtraction(node) {
+    if (!node || typeof node !== 'object')
+        return null;
+    if (isNode(node, 'BinaryOperation') && String(node.operator || '') === '-')
+        return node;
+    for (const child of children(node)) {
+        const found = findSubtraction(child);
+        if (found)
+            return found;
+    }
+    return null;
+}
+function isRequireOrAssert(call) {
+    const callee = call?.expression;
+    return isNode(callee, 'Identifier') &&
+        (String(callee.name || '') === 'require' || String(callee.name || '') === 'assert') &&
+        Array.isArray(call.arguments) &&
+        call.arguments.length > 0;
+}
+function variableDeclarationName(node) {
+    for (const variable of node?.variables || []) {
+        const name = variable?.name;
+        if (typeof name === 'string' && name)
+            return name;
+    }
+    return null;
+}
+function slotKeyForExpression(expr, tracked, aliases) {
+    const direct = canonicalTrackedSlotKey(expr, tracked);
+    if (direct)
+        return direct;
+    if (isNode(expr, 'Identifier'))
+        return aliases.get(String(expr.name || '')) || null;
+    return null;
+}
+function canonicalTrackedSlotKey(expr, tracked) {
+    if (!isNode(expr, 'IndexAccess'))
+        return null;
+    const baseName = indexAccessBaseName(expr);
+    if (!baseName || !tracked.has(baseName))
+        return null;
+    return canonicalExpressionKey(expr);
+}
+function indexAccessBaseName(node) {
+    let current = node;
+    while (isNode(current, 'IndexAccess'))
+        current = current.base;
+    return isNode(current, 'Identifier') ? String(current.name || '') || null : null;
+}
+function canonicalExpressionKey(expr) {
+    if (!expr || typeof expr !== 'object')
+        return null;
+    if (isNode(expr, 'Identifier'))
+        return String(expr.name || '');
+    if (isNode(expr, 'NumberLiteral'))
+        return String(expr.number || expr.value || '');
+    if (isNode(expr, 'StringLiteral'))
+        return JSON.stringify(String(expr.value || ''));
+    if (isNode(expr, 'BooleanLiteral'))
+        return String(expr.value);
+    if (isNode(expr, 'MemberAccess')) {
+        const base = canonicalExpressionKey(expr.expression);
+        return base ? `${base}.${String(expr.memberName || '')}` : null;
+    }
+    if (isNode(expr, 'IndexAccess')) {
+        const base = canonicalExpressionKey(expr.base);
+        const index = canonicalExpressionKey(expr.index);
+        return base && index ? `${base}[${index}]` : null;
+    }
+    if (isNode(expr, 'TupleExpression')) {
+        const keys = (expr.components || []).map(canonicalExpressionKey);
+        return keys.every(Boolean) ? `(${keys.join(',')})` : null;
+    }
+    return null;
+}
+function collectTrackedState(contract) {
+    const tracked = new Set();
+    for (const sub of contract.subNodes || []) {
+        if (!isNode(sub, 'StateVariableDeclaration'))
+            continue;
+        for (const variable of sub.variables || []) {
+            const name = String(variable?.name || '');
+            if (!name || !BOOKKEEPING_NAME_RE.test(name))
+                continue;
+            if (isUintMapping(variable.typeName))
+                tracked.add(name);
+        }
+    }
+    return tracked;
+}
+function isUintMapping(typeName) {
+    if (!isNode(typeName, 'Mapping'))
+        return false;
+    let valueType = typeName.valueType;
+    while (isNode(valueType, 'Mapping'))
+        valueType = valueType.valueType;
+    return isUintType(valueType);
+}
+function isUintType(typeName) {
+    return isNode(typeName, 'ElementaryTypeName') && /^uint\d*$/i.test(String(typeName.name || ''));
+}
+function sourceUnitAllowsPre08(ast) {
+    let sawPragma = false;
+    let allows = false;
+    for (const child of ast.children || []) {
+        if (!isNode(child, 'PragmaDirective'))
+            continue;
+        if (String(child.name || '').toLowerCase() !== 'solidity')
+            continue;
+        const value = typeof child.value === 'string'
+            ? child.value
+            : Array.isArray(child.literals)
+                ? child.literals.slice(1).join('')
+                : '';
+        if (!value)
+            continue;
+        sawPragma = true;
+        if ((0, index_1.pragmaAllowsPre080)(value))
+            allows = true;
+    }
+    return sawPragma ? allows : true;
+}
+function children(node) {
+    const out = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'range' || key === 'typeName')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    out.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+function isNode(node, type) {
+    return !!node && typeof node === 'object' && node.type === type;
+}
+function locOf(node) {
+    const info = (0, ast_1.tryLoc)(node);
+    if (info)
+        return { line: info.line || 1, column: info.column };
+    return { line: 1, column: 0 };
+}
+function makeFinding(file, contractName, functionName, loc) {
+    return {
+        file,
+        contract: contractName,
+        'function': functionName,
+        line: loc.line,
+        endLine: loc.line,
+        column: loc.column,
+        pattern: RULE_ID,
+        confidence: 'high',
+        category: 'vulnerability',
+        ruleId: RULE_ID,
+        severity: 'medium',
+        message: `Network underflow risk in '${contractName}.${functionName}': balance-like bookkeeping is debited without a matching lower-bound guard.`,
+        rationale: 'Umbrella-style legacy or unchecked arithmetic can underflow per-account bookkeeping when a balance-like storage slot is reduced without a dominating `balance >= amount` check.',
+        suggestedFix: 'Use Solidity checked arithmetic, remove `unchecked`, or add a dominating lower-bound guard on the exact credited balance slot before debiting it.',
+        contractName,
+        functionName,
+        sourceLocation: { line: loc.line, column: loc.column },
+        findingId: '',
+        contractHash: '',
+    };
+}
+//# sourceMappingURL=network-underflow.js.map

package/dist/detectors/nft-denial-of-service.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class NftDenialOfServiceDetector {
+    readonly id = "nft-denial-of-service";
+    readonly patternKey = "nft-denial-of-service";
+    readonly supportedAstKinds: "parser"[];
+    scanAst(ast: any, file: string): ScanResult[];
+}