@snovon/solast 0.2.0

package/dist/detectors/arbitrary-address-spoofing-attack.js

@@ -0,0 +1,444 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ArbitraryAddressSpoofingAttackDetector = void 0;
+const access_control_1 = require("./_common/access-control");
+const source_text_1 = require("./_common/source-text");
+const RULE_ID = 'arbitrary-address-spoofing-attack';
+const SOURCE = 'x-20231206-time-arbitrary-address-spoofing-attack';
+class ArbitraryAddressSpoofingAttackDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser', 'solc'];
+    scanAst(ast, file, sourceText) {
+        if (!ast || typeof ast !== 'object' || !sourceText)
+            return [];
+        const lineOffsets = buildLineOffsets(sourceText);
+        const contracts = collectContracts(ast);
+        const byName = new Map(contracts.map(contract => [contract.name, contract]));
+        const findings = [];
+        for (const contract of contracts) {
+            if (!contract.name || isInterfaceLike(contract.node))
+                continue;
+            const closure = collectContractClosure(contract, byName);
+            const functions = closure.flatMap(c => c.functions.map(fn => toFunctionInfo(fn, sourceText)));
+            const modifiers = closure.flatMap(c => c.modifiers);
+            const ownerGuardModifiers = collectOwnerGuardModifiers(modifiers, sourceText);
+            const spoofExtractors = collectSpoofExtractors(functions);
+            if (!hasSensitiveSpoofedSenderUse(functions, spoofExtractors))
+                continue;
+            for (const fn of functions) {
+                if (!isExternallyCallable(fn))
+                    continue;
+                if (hasOwnerGuard(fn, ownerGuardModifiers))
+                    continue;
+                if (!isUserControlledSelfDelegatecallEntrypoint(fn, functions))
+                    continue;
+                const loc = getLoc(fn.node, lineOffsets) || { line: 0, column: 0 };
+                findings.push(makeFinding(file, contract.name, fn.name, loc));
+            }
+        }
+        return dedupeFindings(findings);
+    }
+}
+exports.ArbitraryAddressSpoofingAttackDetector = ArbitraryAddressSpoofingAttackDetector;
+function makeFinding(file, contractName, fnName, loc) {
+    return {
+        file,
+        contract: contractName,
+        'function': fnName,
+        line: loc.line,
+        endLine: loc.line,
+        column: loc.column,
+        pattern: RULE_ID,
+        confidence: 'high',
+        ruleId: RULE_ID,
+        severity: 'error',
+        message: `Arbitrary address spoofing risk in '${contractName}.${fnName}': ERC2771-style sender suffix extraction is combined with user-controlled self-delegatecall batching, allowing subcalls to spoof the address consumed as the trusted sender.`,
+        rationale: 'The TIME 2023-12-06 exploit class appears when a trusted-forwarder context reads the final 20 calldata bytes for _msgSender() while a public multicall delegates arbitrary caller-supplied calldata to address(this). Each subcall can choose its own suffix, so authorization/accounting that trusts the extracted sender can be bypassed.',
+        suggestedFix: 'Use the patched ERC2771Context/Multicall pattern that appends the original context suffix to each delegated subcall, remove public self-delegatecall batching, or restrict the batching entrypoint with real access control.',
+        contractName,
+        functionName: fnName,
+        sourceLocation: loc,
+        findingId: '',
+        contractHash: '',
+        source: SOURCE,
+    };
+}
+function collectSpoofExtractors(functions) {
+    const names = new Set();
+    for (const fn of functions) {
+        if (hasTrustedForwarderSuffixExtraction(fn.source) && fn.name) {
+            names.add(fn.name);
+        }
+    }
+    return names;
+}
+function hasSensitiveSpoofedSenderUse(functions, spoofExtractors) {
+    for (const fn of functions) {
+        if (!isExternallyCallable(fn))
+            continue;
+        if (isLikelyBatchFunction(fn))
+            continue;
+        if (!usesSpoofedSender(fn.source, spoofExtractors))
+            continue;
+        if (hasPrivilegedSenderSink(fn.source, spoofExtractors))
+            return true;
+    }
+    return false;
+}
+function usesSpoofedSender(source, spoofExtractors) {
+    if (hasTrustedForwarderSuffixExtraction(source))
+        return true;
+    for (const name of spoofExtractors) {
+        if (new RegExp(`\\b${escapeRegExp(name)}\\s*\\(`).test(source))
+            return true;
+    }
+    return false;
+}
+function hasPrivilegedSenderSink(source, spoofExtractors) {
+    const extractorCall = [...spoofExtractors].map(escapeRegExp).join('|') || '_msgSender';
+    const senderExpr = `(?:sender|${extractorCall}\\s*\\(\\s*\\))`;
+    const patterns = [
+        new RegExp(`\\brequire\\s*\\([^;]*${senderExpr}`),
+        /\b_mint\s*\(/,
+        /\b_burn\s*\(/,
+        /\btransferFrom\s*\(/,
+        new RegExp(`\\[[^\\]]*${senderExpr}[^\\]]*\\]`),
+    ];
+    return patterns.some(pattern => pattern.test(source));
+}
+function isUserControlledSelfDelegatecallEntrypoint(fn, functions) {
+    if (!fn.params.length || isLikelyPatchedContextMulticall(fn.source))
+        return false;
+    if (containsUnsafeSelfDelegatecall(fn.source, fn.params))
+        return true;
+    for (const helper of functions) {
+        if (helper === fn || !helper.name || !helper.params.length)
+            continue;
+        if (!containsUnsafeSelfDelegatecall(helper.source, helper.params))
+            continue;
+        if (callsHelperWithControlledArg(fn.source, helper.name, fn.params))
+            return true;
+    }
+    return false;
+}
+function containsUnsafeSelfDelegatecall(source, controlledNames) {
+    const controlled = controlledNames.map(escapeRegExp).join('|');
+    if (!controlled)
+        return false;
+    const directControlledArg = `(?:${controlled})(?:\\s*\\[[^\\]]+\\])?`;
+    const directPattern = new RegExp(`\\baddress\\s*\\(\\s*this\\s*\\)\\s*\\.\\s*delegatecall\\s*\\(\\s*${directControlledArg}\\s*\\)`);
+    if (directPattern.test(source))
+        return true;
+    const wrapperPattern = new RegExp(`\\bfunctionDelegateCall\\s*\\(\\s*address\\s*\\(\\s*this\\s*\\)\\s*,\\s*${directControlledArg}\\s*[,)]`);
+    return wrapperPattern.test(source);
+}
+function callsHelperWithControlledArg(source, helperName, controlledNames) {
+    const callPattern = new RegExp(`\\b${escapeRegExp(helperName)}\\s*\\(([^;{}]*)\\)`, 'g');
+    let match;
+    while ((match = callPattern.exec(source)) !== null) {
+        const args = splitArgs(match[1]).map(arg => arg.trim());
+        if (args.some(arg => controlledNames.includes(arg)))
+            return true;
+    }
+    return false;
+}
+function isLikelyPatchedContextMulticall(source) {
+    return /\b_contextSuffixLength\s*\(/.test(source) && /\bbytes\s*\.\s*concat\s*\(/.test(source);
+}
+function hasTrustedForwarderSuffixExtraction(source) {
+    return /\bmsg\s*\.\s*sender\b/.test(source)
+        && /\b(?:trustedForwarder|isTrustedForwarder)\b/.test(source)
+        && /\bcalldataload\s*\(\s*sub\s*\(\s*calldatasize\s*\(\s*\)\s*,\s*20\s*\)\s*\)/.test(source);
+}
+function collectOwnerGuardModifiers(modifiers, sourceText) {
+    const guarded = new Set();
+    for (const modifier of modifiers) {
+        const name = getName(modifier);
+        if (!name)
+            continue;
+        if (modifierBodyChecksOwnerOrAdmin(modifier)) {
+            guarded.add(name);
+            continue;
+        }
+        // Fallback: source-text scan for AST shapes the structural predicate
+        // doesn't yet recognize. Strings and comments are stripped first so
+        // a literal `"msg.sender == owner"` can't masquerade as a guard.
+        const source = (0, source_text_1.stripCommentsAndStrings)(getNodeSource(modifier, sourceText));
+        if (/\bmsg\s*\.\s*sender\s*==\s*(?:owner|admin)\b/.test(source) || /\b(?:owner|admin)\s*==\s*msg\s*\.\s*sender\b/.test(source)) {
+            guarded.add(name);
+        }
+    }
+    return guarded;
+}
+/**
+ * Structural predicate: does the modifier body assert that msg.sender
+ * equals the storage-level `owner` / `admin` (in either operand order)?
+ * Walking the AST avoids the formatting brittleness of the regex
+ * fallback above and rules out string/comment-laundered matches.
+ */
+function modifierBodyChecksOwnerOrAdmin(modifier) {
+    const body = modifier?.body;
+    if (!body)
+        return false;
+    let found = false;
+    walkAll(body, node => {
+        if (found)
+            return;
+        if (!isNode(node, 'BinaryOperation'))
+            return;
+        if (node.operator !== '==')
+            return;
+        const left = node.left || node.leftExpression;
+        const right = node.right || node.rightExpression;
+        if ((isMsgSenderExpr(left) && isOwnerOrAdminIdentifier(right))
+            || (isMsgSenderExpr(right) && isOwnerOrAdminIdentifier(left))) {
+            found = true;
+        }
+    });
+    return found;
+}
+// Local file-scope wrapper preserved so existing call sites don't
+// need a wider edit. Delegates to the canonical shared predicate
+// in `_common/access-control.ts`.
+function isMsgSenderExpr(expr) {
+    return (0, access_control_1.isMsgSenderExpr)(expr);
+}
+function isOwnerOrAdminIdentifier(expr) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if (isNode(expr, 'Identifier')) {
+        const name = String(expr.name || '').toLowerCase();
+        return name === 'owner' || name === 'admin';
+    }
+    if (isNode(expr, 'MemberAccess')) {
+        const member = String(expr.memberName || '').toLowerCase();
+        return member === 'owner' || member === 'admin';
+    }
+    return false;
+}
+function hasOwnerGuard(fn, ownerGuardModifiers) {
+    if (!ownerGuardModifiers.size)
+        return false;
+    return getModifierNames(fn.node).some(name => ownerGuardModifiers.has(name));
+}
+function isExternallyCallable(fn) {
+    return fn.visibility === 'public' || fn.visibility === 'external' || fn.visibility === '';
+}
+function isLikelyBatchFunction(fn) {
+    return /\bdelegatecall\s*\(/.test(fn.source) || /\bmulticall\b|\bbatch\b/.test(fn.name.toLowerCase());
+}
+function toFunctionInfo(fn, sourceText) {
+    return {
+        node: fn,
+        name: functionDisplayName(fn),
+        // Strip comments AND string literals before pattern matching.
+        // Without the string strip, a literal like
+        //     string memory msg = "msg.sender == owner";
+        // would fool every regex below into believing the function had a
+        // privileged-sender comparison. Comments alone aren't enough.
+        source: (0, source_text_1.stripCommentsAndStrings)(getNodeSource(fn, sourceText)),
+        params: getFunctionParameters(fn)
+            .map(param => String(param?.name || ''))
+            .filter(Boolean),
+        visibility: String(fn.visibility || ''),
+    };
+}
+function collectContracts(ast) {
+    const contracts = [];
+    walkAll(ast, node => {
+        if (!isNode(node, 'ContractDefinition'))
+            return;
+        contracts.push({
+            node,
+            name: getName(node),
+            bases: getBaseContractNames(node),
+            functions: getContractFunctions(node),
+            modifiers: getContractModifiers(node),
+        });
+    });
+    return contracts;
+}
+function collectContractClosure(contract, byName) {
+    const result = [];
+    const seen = new Set();
+    function visit(current) {
+        const key = current.name || String(result.length);
+        if (seen.has(key))
+            return;
+        seen.add(key);
+        result.push(current);
+        for (const baseName of current.bases) {
+            const base = byName.get(baseName);
+            if (base)
+                visit(base);
+        }
+    }
+    visit(contract);
+    return result;
+}
+function getContractFunctions(contract) {
+    const children = getChildren(contract);
+    return children.filter(child => isNode(child, 'FunctionDefinition') && getFunctionBody(child));
+}
+function getContractModifiers(contract) {
+    const children = getChildren(contract);
+    return children.filter(child => isNode(child, 'ModifierDefinition'));
+}
+function getChildren(node) {
+    return (node?.subNodes || node?.nodes || []).filter((child) => child && typeof child === 'object');
+}
+function getFunctionParameters(fn) {
+    if (Array.isArray(fn?.parameters))
+        return fn.parameters;
+    if (Array.isArray(fn?.parameters?.parameters))
+        return fn.parameters.parameters;
+    return [];
+}
+function getFunctionBody(fn) {
+    return fn?.body || null;
+}
+function getBaseContractNames(contract) {
+    const bases = contract?.baseContracts || [];
+    return bases
+        .map((base) => {
+        const baseName = base?.baseName;
+        return String(baseName?.namePath || baseName?.name || baseName?.referencedDeclaration || '');
+    })
+        .filter((name) => name && !/^\d+$/.test(name));
+}
+function getModifierNames(fn) {
+    const modifiers = fn?.modifiers || [];
+    return modifiers
+        .map((modifier) => {
+        const name = modifier?.name || modifier?.modifierName;
+        if (typeof name === 'string')
+            return name;
+        return String(name?.name || name?.namePath || '');
+    })
+        .filter(Boolean);
+}
+function isInterfaceLike(contract) {
+    const kind = String(contract?.kind || contract?.contractKind || '').toLowerCase();
+    return kind === 'interface';
+}
+function functionDisplayName(fn) {
+    const name = getName(fn);
+    if (name)
+        return name;
+    const kind = String(fn?.kind || '').toLowerCase();
+    if (kind === 'constructor')
+        return 'constructor';
+    if (kind === 'fallback')
+        return 'fallback';
+    if (kind === 'receive')
+        return 'receive';
+    return '<anonymous>';
+}
+function getName(node) {
+    return String(node?.name || '');
+}
+function getNodeSource(node, sourceText) {
+    if (!sourceText)
+        return '';
+    if (Array.isArray(node?.range) && node.range.length >= 2) {
+        return sourceText.slice(node.range[0], node.range[1] + 1);
+    }
+    if (typeof node?.src === 'string') {
+        const [startRaw, lengthRaw] = node.src.split(':');
+        const start = Number(startRaw);
+        const length = Number(lengthRaw);
+        if (Number.isFinite(start) && Number.isFinite(length)) {
+            return sourceText.slice(start, start + length);
+        }
+    }
+    return '';
+}
+function getLoc(node, lineOffsets) {
+    if (node?.loc?.start) {
+        return { line: node.loc.start.line, column: node.loc.start.column };
+    }
+    if (typeof node?.src === 'string') {
+        const start = Number(node.src.split(':')[0]);
+        if (Number.isFinite(start))
+            return offsetToLineColumn(start, lineOffsets);
+    }
+    return null;
+}
+function buildLineOffsets(sourceText) {
+    if (!sourceText)
+        return [0];
+    const offsets = [0];
+    for (let i = 0; i < sourceText.length; i++) {
+        if (sourceText[i] === '\n')
+            offsets.push(i + 1);
+    }
+    return offsets;
+}
+function offsetToLineColumn(offset, lineOffsets) {
+    let low = 0;
+    let high = lineOffsets.length - 1;
+    while (low <= high) {
+        const mid = Math.floor((low + high) / 2);
+        if (lineOffsets[mid] <= offset)
+            low = mid + 1;
+        else
+            high = mid - 1;
+    }
+    const lineIndex = Math.max(0, high);
+    return { line: lineIndex + 1, column: offset - lineOffsets[lineIndex] };
+}
+function stripComments(source) {
+    return source
+        .replace(/\/\*[\s\S]*?\*\//g, '')
+        .replace(/\/\/[^\n\r]*/g, '');
+}
+function splitArgs(argsText) {
+    const args = [];
+    let depth = 0;
+    let start = 0;
+    for (let i = 0; i < argsText.length; i++) {
+        const ch = argsText[i];
+        if (ch === '(' || ch === '[' || ch === '{')
+            depth++;
+        else if (ch === ')' || ch === ']' || ch === '}')
+            depth = Math.max(0, depth - 1);
+        else if (ch === ',' && depth === 0) {
+            args.push(argsText.slice(start, i));
+            start = i + 1;
+        }
+    }
+    args.push(argsText.slice(start));
+    return args;
+}
+function dedupeFindings(findings) {
+    const seen = new Set();
+    return findings.filter(finding => {
+        const key = `${finding.contractName}:${finding.functionName}:${finding.line}`;
+        if (seen.has(key))
+            return false;
+        seen.add(key);
+        return true;
+    });
+}
+function isNode(node, kind) {
+    return !!node && typeof node === 'object' && (node.type === kind || node.nodeType === kind);
+}
+function walkAll(node, cb) {
+    if (!node || typeof node !== 'object')
+        return;
+    cb(node);
+    for (const value of Object.values(node)) {
+        if (Array.isArray(value)) {
+            for (const child of value)
+                walkAll(child, cb);
+        }
+        else if (value && typeof value === 'object') {
+            walkAll(value, cb);
+        }
+    }
+}
+function escapeRegExp(value) {
+    return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+//# sourceMappingURL=arbitrary-address-spoofing-attack.js.map

package/dist/detectors/arbitrary-address-spoofing.d.ts

@@ -0,0 +1,9 @@
+import type { ScanResult } from '../index';
+export declare class ArbitraryAddressSpoofingDetector {
+    readonly id = "arbitrary-address-spoofing";
+    readonly patternKey = "arbitrary-address-spoofing";
+    readonly supportedAstKinds: "parser"[];
+    scanAst(ast: any, file: string): ScanResult[];
+    private findSpoofingSink;
+    private recordSpoofableLocals;
+}