@snovon/solast 0.2.0

package/dist/detectors/parameter-access-control.js

@@ -0,0 +1,511 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ParameterAccessControlDetector = void 0;
+const ast_1 = require("./_common/ast");
+const access_control_1 = require("./_common/access-control");
+const RULE_ID = 'parameter-access-control';
+const PRIVILEGED_KEYWORDS = Object.freeze([
+    ...access_control_1.DEFAULT_PRIVILEGED_KEYWORDS,
+    'auth',
+    'authority',
+    'authorized',
+    'manager',
+    'migrator',
+]);
+const SWAP_SINKS = new Set([
+    'swap',
+    'swapexacttokensfortokens',
+    'swapexacttokensforeth',
+    'swapexactethfortokens',
+    'swapexacttokensfortokenssupportingfeeontransfertokens',
+]);
+const DIRECT_VALUE_SINKS = new Set(['transfer', 'safetransfer']);
+const ALLOWANCE_SINKS = new Set(['approve', 'safeapprove', 'forceapprove']);
+const PAIR_SINKS = new Set(['skim']);
+class ParameterAccessControlDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'Externally callable function lets caller-supplied parameters steer contract-owned token or pool value movement.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'high',
+    };
+    currentFile = '';
+    currentContract = '';
+    executableContract = true;
+    contractStack = [];
+    executableStack = [];
+    modifierBodies = new Map();
+    modifierStack = [];
+    findings = [];
+    fn = null;
+    setFile(file) {
+        this.currentFile = file;
+        this.currentContract = '';
+        this.executableContract = true;
+        this.contractStack = [];
+        this.executableStack = [];
+        this.modifierBodies.clear();
+        this.modifierStack = [];
+        this.findings = [];
+        this.fn = null;
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        this.contractStack.push(this.currentContract);
+        this.executableStack.push(this.executableContract);
+        this.modifierStack.push(this.modifierBodies);
+        this.currentContract = String(node?.name || '<anonymous>');
+        const kind = String(node?.kind || '').toLowerCase();
+        this.executableContract = kind !== 'interface' && kind !== 'library';
+        this.modifierBodies = collectModifierBodies(node);
+    }
+    ContractDefinition_post(_node) {
+        this.currentContract = this.contractStack.pop() || '';
+        this.executableContract = this.executableStack.pop() ?? true;
+        this.modifierBodies = this.modifierStack.pop() || new Map();
+    }
+    ['ContractDefinition:exit'](node) {
+        this.ContractDefinition_post(node);
+    }
+    FunctionDefinition(node) {
+        this.fn = null;
+        if (!this.executableContract || !node?.body)
+            return;
+        const visibility = String(node?.visibility || '').toLowerCase();
+        const reachable = !node?.isConstructor && (visibility === 'public' || visibility === 'external');
+        const mutability = String(node?.stateMutability || '').toLowerCase();
+        const readOnly = mutability === 'view' || mutability === 'pure';
+        if (!reachable || readOnly)
+            return;
+        this.fn = {
+            node,
+            name: functionDisplayName(node),
+            reachable,
+            readOnly,
+            accessControlled: (0, access_control_1.hasRecognisedAccessControlModifier)(node) || this.hasStructuralModifierGuard(node),
+            params: collectParameterNames(node),
+            paramAliases: new Map(),
+            balanceAliases: new Set(),
+            userFundedAmounts: new Set(),
+            senderBoundParams: new Set(),
+            callerAccountedAmounts: new Set(),
+            emitted: false,
+        };
+    }
+    FunctionDefinition_post(_node) {
+        this.fn = null;
+    }
+    ['FunctionDefinition:exit'](node) {
+        this.FunctionDefinition_post(node);
+    }
+    VariableDeclarationStatement(node) {
+        if (!this.fn)
+            return;
+        const name = singleDeclaredName(node);
+        if (!name)
+            return;
+        const initialValue = node?.initialValue;
+        const param = this.resolveParam(initialValue);
+        if (param) {
+            this.fn.paramAliases.set(name, param);
+            return;
+        }
+        if (this.isContractBalanceExpr(initialValue)) {
+            this.fn.balanceAliases.add(name);
+        }
+    }
+    BinaryOperation(node) {
+        if (!this.fn || !isAssignmentOperator(node?.operator))
+            return;
+        const leftName = (0, ast_1.isNode)(node?.left, 'Identifier') ? String(node.left.name || '') : '';
+        if (!leftName)
+            return;
+        const rightParam = this.resolveParam(node?.right);
+        if (rightParam) {
+            this.fn.paramAliases.set(leftName, rightParam);
+            return;
+        }
+        if (this.isContractBalanceExpr(node?.right)) {
+            this.fn.balanceAliases.add(leftName);
+        }
+    }
+    FunctionCall(node) {
+        if (!this.fn)
+            return;
+        const callee = (0, access_control_1.getCalleeNameDefault)(node).toLowerCase();
+        const tail = calleeTail(callee);
+        if ((tail === 'require' || tail === 'assert') && node?.arguments?.[0]) {
+            this.recordGuard(node.arguments[0]);
+            return;
+        }
+        if (this.isUserFundingTransferFrom(node, tail)) {
+            const amountParam = this.resolveParam(node.arguments?.[2]);
+            if (amountParam)
+                this.fn.userFundedAmounts.add(amountParam);
+            return;
+        }
+        if (this.fn.accessControlled || this.fn.emitted)
+            return;
+        if (this.isVulnerableSink(node, tail)) {
+            this.findings.push(this.makeFinding(node));
+            this.fn.emitted = true;
+        }
+    }
+    hasStructuralModifierGuard(fn) {
+        for (const modifier of fn?.modifiers || []) {
+            const name = extractModifierName(modifier);
+            const body = name ? this.modifierBodies.get(name) : null;
+            if (body && blockContainsAccessControlGuard(body))
+                return true;
+        }
+        return false;
+    }
+    recordGuard(expr) {
+        if (!this.fn)
+            return;
+        if ((0, access_control_1.requireExpressesAccessControl)(expr, isPrivilegedName)) {
+            this.fn.accessControlled = true;
+            return;
+        }
+        this.recordSenderBinding(expr);
+        this.recordCallerAccounting(expr);
+    }
+    recordSenderBinding(expr) {
+        if (!expr || typeof expr !== 'object')
+            return;
+        if ((0, ast_1.isNode)(expr, 'BinaryOperation') && String(expr.operator || '') === '&&') {
+            this.recordSenderBinding(expr.left || expr.leftExpression);
+            this.recordSenderBinding(expr.right || expr.rightExpression);
+            return;
+        }
+        if ((0, ast_1.isNode)(expr, 'TupleExpression')) {
+            for (const child of expr.components || [])
+                this.recordSenderBinding(child);
+            return;
+        }
+        const comparison = comparisonOperands(expr);
+        if (!comparison)
+            return;
+        const leftParam = this.resolveParam(comparison.left);
+        const rightParam = this.resolveParam(comparison.right);
+        if (leftParam && (0, access_control_1.isMsgSenderExpr)(comparison.right))
+            this.fn?.senderBoundParams.add(leftParam);
+        if (rightParam && (0, access_control_1.isMsgSenderExpr)(comparison.left))
+            this.fn?.senderBoundParams.add(rightParam);
+    }
+    recordCallerAccounting(expr) {
+        if (!this.fn || !expr || typeof expr !== 'object')
+            return;
+        if ((0, ast_1.isNode)(expr, 'BinaryOperation')) {
+            const op = String(expr.operator || '');
+            const left = expr.left || expr.leftExpression;
+            const right = expr.right || expr.rightExpression;
+            if (op === '&&') {
+                this.recordCallerAccounting(left);
+                this.recordCallerAccounting(right);
+                return;
+            }
+            if (op === '||') {
+                return;
+            }
+            const leftParam = this.resolveParam(left);
+            const rightParam = this.resolveParam(right);
+            if (leftParam && expressionUsesMsgSenderAccounting(right))
+                this.fn.callerAccountedAmounts.add(leftParam);
+            if (rightParam && expressionUsesMsgSenderAccounting(left))
+                this.fn.callerAccountedAmounts.add(rightParam);
+            return;
+        }
+        if ((0, ast_1.isNode)(expr, 'FunctionCall') || (0, ast_1.isNode)(expr, 'TupleExpression')) {
+            for (const child of expr.arguments || expr.components || [])
+                this.recordCallerAccounting(child);
+        }
+    }
+    isVulnerableSink(call, tail) {
+        if (!this.fn || !(0, ast_1.isNode)(call?.expression, 'MemberAccess'))
+            return false;
+        if (ALLOWANCE_SINKS.has(tail)) {
+            return this.isUnsafeApproval(call);
+        }
+        if (DIRECT_VALUE_SINKS.has(tail)) {
+            return this.isUnsafeDirectTransfer(call);
+        }
+        if (SWAP_SINKS.has(tail)) {
+            return this.isUnsafeSwap(call);
+        }
+        if (PAIR_SINKS.has(tail)) {
+            return this.expressionHasParam(call.expression.expression) && (call.arguments || []).some((arg) => this.expressionHasParam(arg));
+        }
+        return false;
+    }
+    isUnsafeApproval(call) {
+        const args = call.arguments || [];
+        const tokenIsParam = this.expressionHasParam(call.expression.expression);
+        const spenderIsParam = this.expressionHasParam(args[0]);
+        const amountParam = this.resolveParam(args[1]);
+        const amountIsContractOwned = this.isContractOwnedAmount(args[1]);
+        if (!tokenIsParam && !spenderIsParam)
+            return false;
+        if (spenderIsParam)
+            return true;
+        if (amountParam && !this.fn?.userFundedAmounts.has(amountParam))
+            return true;
+        return amountIsContractOwned;
+    }
+    isUnsafeDirectTransfer(call) {
+        const args = call.arguments || [];
+        const tokenIsParam = this.expressionHasParam(call.expression.expression);
+        const recipientParam = this.resolveParam(args[0]);
+        const recipientIsSender = (0, access_control_1.isMsgSenderExpr)(args[0]);
+        const amountParam = this.resolveParam(args[1]);
+        const amountIsContractOwned = this.isContractOwnedAmount(args[1]);
+        if (!tokenIsParam && !recipientParam && !amountParam)
+            return false;
+        if (recipientParam && this.isSenderBoundWithdrawal(recipientParam, amountParam, args[1]))
+            return false;
+        if (recipientIsSender && amountParam && this.fn?.callerAccountedAmounts.has(amountParam))
+            return false;
+        if (amountParam && this.fn?.userFundedAmounts.has(amountParam))
+            return false;
+        return !!recipientParam || !!amountParam || amountIsContractOwned;
+    }
+    isUnsafeSwap(call) {
+        const args = call.arguments || [];
+        const amountParam = this.resolveParam(args[0]);
+        const amountContractOwned = this.isContractOwnedAmount(args[0]);
+        const recipient = args.length >= 4 ? args[3] : args[args.length - 2];
+        const recipientParam = this.resolveParam(recipient);
+        const recipientIsSender = (0, access_control_1.isMsgSenderExpr)(recipient);
+        const callerControlsEconomics = args.some((arg, index) => index !== 0 && this.expressionHasParam(arg));
+        if (!callerControlsEconomics)
+            return false;
+        if (amountParam && this.fn?.userFundedAmounts.has(amountParam) && recipientIsSender)
+            return false;
+        if (recipientParam && this.isSenderBoundWithdrawal(recipientParam, amountParam, args[0]))
+            return false;
+        return amountContractOwned || !amountParam || !this.fn?.userFundedAmounts.has(amountParam);
+    }
+    isUserFundingTransferFrom(call, tail) {
+        if (tail !== 'transferfrom' && tail !== 'safetransferfrom')
+            return false;
+        const args = call.arguments || [];
+        return (0, access_control_1.isMsgSenderExpr)(args[0]) && isAddressThisExpr(args[1]);
+    }
+    isSenderBoundWithdrawal(recipientParam, amountParam, amountExpr) {
+        if (!this.fn?.senderBoundParams.has(recipientParam))
+            return false;
+        if (this.isContractOwnedAmount(amountExpr))
+            return false;
+        if (!amountParam)
+            return false;
+        return this.fn.callerAccountedAmounts.has(amountParam);
+    }
+    isContractOwnedAmount(expr) {
+        if (!this.fn)
+            return false;
+        if (this.isContractBalanceExpr(expr))
+            return true;
+        if ((0, ast_1.isNode)(expr, 'Identifier'))
+            return this.fn.balanceAliases.has(String(expr.name || ''));
+        return false;
+    }
+    isContractBalanceExpr(expr) {
+        if ((0, ast_1.isNode)(expr, 'MemberAccess')) {
+            const member = String(expr.memberName || expr.member || '').toLowerCase();
+            return member === 'balance' && isAddressThisExpr(expr.expression);
+        }
+        if (!(0, ast_1.isNode)(expr, 'FunctionCall'))
+            return false;
+        const callee = (0, access_control_1.getCalleeNameDefault)(expr).toLowerCase();
+        if (calleeTail(callee) !== 'balanceof')
+            return false;
+        return (expr.arguments || []).some((arg) => isAddressThisExpr(arg));
+    }
+    expressionHasParam(expr) {
+        return !!this.resolveParam(expr) || expressionContainsParam(expr, (candidate) => !!this.resolveParam(candidate));
+    }
+    resolveParam(expr) {
+        if (!this.fn || !expr || typeof expr !== 'object')
+            return null;
+        if ((0, ast_1.isNode)(expr, 'Identifier')) {
+            const name = String(expr.name || '');
+            if (this.fn.params.has(name))
+                return name;
+            return this.fn.paramAliases.get(name) || null;
+        }
+        if ((0, ast_1.isNode)(expr, 'IndexAccess')) {
+            return this.resolveParam(expr.base || expr.baseExpression);
+        }
+        if ((0, ast_1.isNode)(expr, 'FunctionCall')) {
+            const args = expr.arguments || [];
+            if (args.length === 1)
+                return this.resolveParam(args[0]);
+        }
+        return null;
+    }
+    makeFinding(node) {
+        const state = this.fn;
+        const loc = (0, ast_1.assertLoc)(node, state.node);
+        const contractName = this.currentContract || '<anonymous>';
+        return {
+            file: this.currentFile,
+            contract: contractName,
+            'function': state.name,
+            line: loc.line,
+            endLine: loc.endLine,
+            column: loc.column,
+            pattern: RULE_ID,
+            confidence: 'medium',
+            category: 'vulnerability',
+            ruleId: RULE_ID,
+            severity: 'high',
+            message: `Parameter access-control gap in '${contractName}.${state.name}': caller-supplied parameters steer contract-owned token or pool value movement without authorization.`,
+            rationale: 'BabySwap-style treasury operations become exploitable when an arbitrary caller controls token, route, amount, recipient, spender, or pair parameters used by the contract balance or authority.',
+            suggestedFix: 'Gate the function with recognized owner/role access control, bind recipient and amount to msg.sender-owned accounting, or require caller-funded transferFrom before the value-moving sink.',
+            contractName,
+            functionName: state.name,
+            sourceLocation: { line: loc.line, column: loc.column },
+            findingId: '',
+            contractHash: '',
+        };
+    }
+}
+exports.ParameterAccessControlDetector = ParameterAccessControlDetector;
+function collectParameterNames(fn) {
+    const names = new Set();
+    for (const param of fn?.parameters || []) {
+        const name = String(param?.name || '');
+        if (name)
+            names.add(name);
+    }
+    return names;
+}
+function collectModifierBodies(contractNode) {
+    const bodies = new Map();
+    for (const child of contractNode?.subNodes || contractNode?.nodes || []) {
+        if (!(0, ast_1.isNode)(child, 'ModifierDefinition'))
+            continue;
+        const name = String(child.name || '');
+        if (name && child.body)
+            bodies.set(name, child.body);
+    }
+    return bodies;
+}
+function blockContainsAccessControlGuard(block) {
+    for (const stmt of block?.statements || []) {
+        const expr = (0, ast_1.isNode)(stmt, 'ExpressionStatement') ? stmt.expression : stmt;
+        if (!(0, ast_1.isNode)(expr, 'FunctionCall'))
+            continue;
+        const callee = (0, access_control_1.getCalleeNameDefault)(expr).toLowerCase();
+        const tail = calleeTail(callee);
+        if (tail !== 'require' && tail !== 'assert')
+            continue;
+        if (expr.arguments?.[0] && (0, access_control_1.requireExpressesAccessControl)(expr.arguments[0], isPrivilegedName))
+            return true;
+    }
+    return false;
+}
+function extractModifierName(modifier) {
+    if (!modifier)
+        return '';
+    if (typeof modifier === 'string')
+        return modifier;
+    if (typeof modifier.name === 'string')
+        return modifier.name;
+    if (modifier.name && typeof modifier.name.name === 'string')
+        return modifier.name.name;
+    if (modifier.modifierName && typeof modifier.modifierName.name === 'string')
+        return modifier.modifierName.name;
+    return '';
+}
+function isPrivilegedName(name) {
+    return (0, access_control_1.isPrivilegedIdentifier)(name, { keywords: PRIVILEGED_KEYWORDS, mode: 'word-boundary' });
+}
+function singleDeclaredName(node) {
+    const variables = node?.variables || node?.declarations || [];
+    if (!Array.isArray(variables) || variables.length !== 1)
+        return '';
+    return String(variables[0]?.name || variables[0]?.identifier?.name || '');
+}
+function isAssignmentOperator(op) {
+    return typeof op === 'string' && ['=', '+=', '-=', '*=', '/='].includes(op);
+}
+function calleeTail(callee) {
+    const name = String(callee || '').toLowerCase();
+    return name.includes('.') ? name.split('.').pop() || name : name;
+}
+function functionDisplayName(fn) {
+    if (fn?.name)
+        return String(fn.name);
+    if (String(fn?.kind || '').toLowerCase() === 'receive')
+        return '<receive>';
+    return '<fallback>';
+}
+function isAddressThisExpr(expr) {
+    if ((0, ast_1.isNode)(expr, 'FunctionCall')) {
+        const callee = (0, access_control_1.getCalleeNameDefault)(expr).toLowerCase();
+        return calleeTail(callee) === 'address' && (expr.arguments || []).some((arg) => isThisExpr(arg));
+    }
+    return isThisExpr(expr);
+}
+function isThisExpr(expr) {
+    return (0, ast_1.isNode)(expr, 'Identifier') && String(expr.name || '') === 'this';
+}
+function comparisonOperands(expr) {
+    if (!(0, ast_1.isNode)(expr, 'BinaryOperation'))
+        return null;
+    const op = String(expr.operator || '');
+    if (op === '&&' || op === '||')
+        return null;
+    if (op !== '==' && op !== '===' && op !== '!=')
+        return null;
+    return { left: expr.left || expr.leftExpression, right: expr.right || expr.rightExpression };
+}
+function expressionUsesMsgSenderAccounting(expr) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if ((0, access_control_1.isMsgSenderExpr)(expr))
+        return true;
+    if ((0, ast_1.isNode)(expr, 'IndexAccess')) {
+        const index = expr.index || expr.indexExpression;
+        if ((0, access_control_1.isMsgSenderExpr)(index))
+            return true;
+        return expressionUsesMsgSenderAccounting(expr.base || expr.baseExpression) || expressionUsesMsgSenderAccounting(index);
+    }
+    if ((0, ast_1.isNode)(expr, 'MemberAccess'))
+        return expressionUsesMsgSenderAccounting(expr.expression);
+    if ((0, ast_1.isNode)(expr, 'BinaryOperation')) {
+        return expressionUsesMsgSenderAccounting(expr.left || expr.leftExpression)
+            || expressionUsesMsgSenderAccounting(expr.right || expr.rightExpression);
+    }
+    if ((0, ast_1.isNode)(expr, 'FunctionCall') || (0, ast_1.isNode)(expr, 'TupleExpression')) {
+        return (expr.arguments || expr.components || []).some((child) => expressionUsesMsgSenderAccounting(child));
+    }
+    return false;
+}
+function expressionContainsParam(expr, isParam) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if (isParam(expr))
+        return true;
+    if ((0, ast_1.isNode)(expr, 'MemberAccess'))
+        return expressionContainsParam(expr.expression, isParam);
+    if ((0, ast_1.isNode)(expr, 'IndexAccess')) {
+        return expressionContainsParam(expr.base || expr.baseExpression, isParam)
+            || expressionContainsParam(expr.index || expr.indexExpression, isParam);
+    }
+    if ((0, ast_1.isNode)(expr, 'FunctionCall') || (0, ast_1.isNode)(expr, 'TupleExpression')) {
+        return (expr.arguments || expr.components || []).some((child) => expressionContainsParam(child, isParam));
+    }
+    if ((0, ast_1.isNode)(expr, 'BinaryOperation')) {
+        return expressionContainsParam(expr.left || expr.leftExpression, isParam)
+            || expressionContainsParam(expr.right || expr.rightExpression, isParam);
+    }
+    return false;
+}
+//# sourceMappingURL=parameter-access-control.js.map

package/dist/detectors/parameter-manipulation.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class ParameterManipulationDetector {
+    readonly id = "parameter-manipulation";
+    readonly patternKey = "parameter-manipulation";
+    readonly supportedAstKinds: ("parser" | "solc")[];
+    scanAst(ast: any, file: string, sourceText?: string): ScanResult[];
+}