@snovon/solast 0.2.0

package/dist/detectors/proxy-storage-slot-collision.js

@@ -0,0 +1,135 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ProxyStorageSlotCollisionDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'proxy-storage-slot-collision';
+const EIP1967_SLOT_LITERALS = [
+    '0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc',
+    '0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103',
+    '0xa3f0ad74e5423aebfd80d3ef4346578335a9a72aeaee59ff6cb3582b35133d50',
+];
+const EIP1967_SLOT_FORMULAS = [
+    'eip1967.proxy.implementation',
+    'eip1967.proxy.admin',
+    'eip1967.proxy.beacon',
+];
+class ProxyStorageSlotCollisionDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    scanAst(ast, file, sourceText = '') {
+        if (!ast || ast.type !== 'SourceUnit')
+            return [];
+        const findings = [];
+        for (const child of ast.children || []) {
+            if (child?.type !== 'ContractDefinition')
+                continue;
+            if (child.kind === 'interface' || child.kind === 'library')
+                continue;
+            const slots = collectEip1967SlotConstants(child, sourceText);
+            if (slots.length === 0)
+                continue;
+            const mutableStorage = collectMutableStorage(child);
+            if (mutableStorage.length === 0)
+                continue;
+            findings.push(makeFinding(file, child, slots[0], mutableStorage[0]));
+        }
+        return findings;
+    }
+}
+exports.ProxyStorageSlotCollisionDetector = ProxyStorageSlotCollisionDetector;
+function collectEip1967SlotConstants(contractNode, sourceText) {
+    const slots = [];
+    for (const sub of contractNode.subNodes || []) {
+        if (sub?.type !== 'StateVariableDeclaration')
+            continue;
+        for (const variable of sub.variables || []) {
+            const name = String(variable?.name || '');
+            if (!name)
+                continue;
+            const isConst = isConstantVariable(sub, variable);
+            if (!isConst)
+                continue;
+            const snippet = sourceSnippet(sourceText, sub) || sourceSnippet(sourceText, variable);
+            if (!isEip1967Slot(snippet))
+                continue;
+            slots.push({ name, loc: locOf(variable) || locOf(sub) });
+        }
+    }
+    return slots;
+}
+function collectMutableStorage(contractNode) {
+    const storage = [];
+    for (const sub of contractNode.subNodes || []) {
+        if (sub?.type !== 'StateVariableDeclaration')
+            continue;
+        for (const variable of sub.variables || []) {
+            const name = String(variable?.name || '');
+            if (!name)
+                continue;
+            if (isConstantVariable(sub, variable))
+                continue;
+            if (isGapStorage(variable))
+                continue;
+            storage.push({ name, loc: locOf(variable) || locOf(sub) });
+        }
+    }
+    return storage;
+}
+function isEip1967Slot(snippet) {
+    const compact = snippet.replace(/\s+/g, '').toLowerCase();
+    if (EIP1967_SLOT_LITERALS.some(slot => compact.includes(slot)))
+        return true;
+    return EIP1967_SLOT_FORMULAS.some(label => (compact.includes(`keccak256("${label}")`) || compact.includes(`keccak256('${label}')`)) && /-\s*1/.test(compact));
+}
+function isConstantVariable(declaration, variable) {
+    return variable?.isDeclaredConst === true ||
+        variable?.isImmutable === true ||
+        declaration?.isDeclaredConst === true ||
+        declaration?.isImmutable === true;
+}
+function isGapStorage(variable) {
+    const name = String(variable?.name || '');
+    if (!/^__gap\d*$/i.test(name))
+        return false;
+    return containsArrayType(variable?.typeName);
+}
+function containsArrayType(typeName) {
+    if (!typeName || typeof typeName !== 'object')
+        return false;
+    if (typeName.type === 'ArrayTypeName')
+        return true;
+    return containsArrayType(typeName.baseTypeName) || containsArrayType(typeName.typeName);
+}
+function makeFinding(file, contractNode, slot, storage) {
+    const contractName = String(contractNode.name || '<anonymous>');
+    const loc = slot.loc || locOf(contractNode);
+    return {
+        file,
+        contract: contractName,
+        line: loc.line,
+        endLine: loc.line,
+        column: loc.column,
+        pattern: RULE_ID,
+        confidence: 'medium',
+        ruleId: RULE_ID,
+        severity: 'high',
+        message: `Contract '${contractName}' declares EIP-1967 slot '${slot.name}' alongside mutable storage '${storage.name}', which may collide with upgradeable proxy storage layout.`,
+        rationale: 'EIP-1967 proxy slots are intended to live in an unstructured-storage region. Adjacent ordinary state variables in the proxy contract can occupy low slots and create Yearn-style layout collision risk under delegatecall.',
+        suggestedFix: 'Keep proxy state in EIP-1967/unstructured storage and reserve future layout with gap arrays, or move mutable implementation state out of the proxy shell.',
+        contractName,
+        sourceLocation: loc,
+        findingId: '',
+        contractHash: '',
+    };
+}
+function sourceSnippet(sourceText, node) {
+    if (!sourceText || !Array.isArray(node?.range))
+        return '';
+    return sourceText.slice(node.range[0], node.range[1]);
+}
+function locOf(node) {
+    const { line, column } = (0, ast_1.assertLoc)(node);
+    return { line, column };
+}
+//# sourceMappingURL=proxy-storage-slot-collision.js.map

package/dist/detectors/public-internal-function.d.ts

@@ -0,0 +1,39 @@
+import type { ScanResult } from '../index';
+export declare class PublicInternalFunctionDetector {
+    readonly id = "public-internal-function";
+    readonly patternKey = "public-internal-function";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "high";
+        help: string;
+    };
+    private currentFile;
+    private sourceText;
+    private findings;
+    private currentContractName;
+    private currentContractConcrete;
+    private stateVariables;
+    private fn;
+    setFile(file: string): void;
+    setSourceText(sourceText?: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(): void;
+    FunctionDefinition(node: any): void;
+    FunctionDefinition_post(node: any): void;
+    FunctionCall(node: any): void;
+    Assignment(node: any): void;
+    BinaryOperation(node: any): void;
+    UnaryOperation(node: any): void;
+    private observeStateMutation;
+    private isConcreteContract;
+    private isSpecialEntrypoint;
+    private isOverride;
+    private hasInternalIntentSignal;
+    private precedingNatSpecMarksInternalUse;
+    private referencesStateVariable;
+    private makeFinding;
+}

package/dist/detectors/public-internal-function.js

@@ -0,0 +1,233 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PublicInternalFunctionDetector = void 0;
+const access_control_1 = require("./_common/access-control");
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'public-internal-function';
+const PATTERN = `${RULE_ID}/exposed-internal-helper`;
+const EXTERNALLY_CALLABLE = new Set(['public', 'external']);
+const ASSIGNMENT_OPERATORS = new Set(['=', '+=', '-=', '*=', '/=', '%=', '|=', '&=', '^=', '<<=', '>>=']);
+const MUTATING_UNARY_OPERATORS = new Set(['++', '--', 'delete']);
+class PublicInternalFunctionDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'Externally callable internal-intent helper mutates state without access control.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'high',
+        help: 'Make internal-use helper functions internal/private, or add recognized access control before state mutation.',
+    };
+    currentFile = '';
+    sourceText = '';
+    findings = [];
+    currentContractName = '';
+    currentContractConcrete = false;
+    stateVariables = new Set();
+    fn = null;
+    setFile(file) {
+        this.currentFile = file;
+        this.sourceText = '';
+        this.findings = [];
+        this.currentContractName = '';
+        this.currentContractConcrete = false;
+        this.stateVariables = new Set();
+        this.fn = null;
+    }
+    setSourceText(sourceText) {
+        this.sourceText = sourceText || '';
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        this.currentContractName = String(node?.name || '<anonymous>');
+        this.currentContractConcrete = this.isConcreteContract(node);
+        this.stateVariables = new Set();
+        if (!this.currentContractConcrete)
+            return;
+        for (const sub of node?.subNodes || []) {
+            if (!(0, ast_1.isNode)(sub, 'StateVariableDeclaration'))
+                continue;
+            for (const variable of sub?.variables || []) {
+                if (variable?.name)
+                    this.stateVariables.add(String(variable.name));
+            }
+        }
+    }
+    ContractDefinition_post() {
+        this.currentContractName = '';
+        this.currentContractConcrete = false;
+        this.stateVariables = new Set();
+        this.fn = null;
+    }
+    FunctionDefinition(node) {
+        this.fn = null;
+        if (!this.currentContractConcrete)
+            return;
+        if (!node?.body)
+            return;
+        if (node?.isConstructor || String(node?.kind || '').toLowerCase() === 'constructor')
+            return;
+        const name = String(node?.name || '');
+        if (!name)
+            return;
+        if (this.isSpecialEntrypoint(node))
+            return;
+        if (this.isOverride(node))
+            return;
+        const visibility = String(node?.visibility || '').toLowerCase();
+        if (!EXTERNALLY_CALLABLE.has(visibility))
+            return;
+        const mutability = String(node?.stateMutability || '').toLowerCase();
+        if (mutability === 'view' || mutability === 'pure')
+            return;
+        if (!this.hasInternalIntentSignal(node, name))
+            return;
+        if ((0, access_control_1.hasRecognisedAccessControlModifier)(node))
+            return;
+        this.fn = {
+            node,
+            name,
+            sawInlineAccessControl: false,
+            firstUnguardedStateMutation: null,
+        };
+    }
+    FunctionDefinition_post(node) {
+        const state = this.fn;
+        if (!state || state.node !== node)
+            return;
+        if (state.firstUnguardedStateMutation) {
+            this.findings.push(this.makeFinding(state, state.firstUnguardedStateMutation));
+        }
+        this.fn = null;
+    }
+    FunctionCall(node) {
+        if (!this.fn || this.fn.firstUnguardedStateMutation)
+            return;
+        const callee = (0, access_control_1.getCalleeNameDefault)(node).toLowerCase();
+        const tail = callee.includes('.') ? callee.split('.').pop() || callee : callee;
+        if (tail !== 'require' && tail !== 'assert')
+            return;
+        const condition = node?.arguments?.[0];
+        if ((0, access_control_1.requireExpressesAccessControl)(condition, access_control_1.isPrivilegedIdentifier, access_control_1.getCalleeNameDefault)) {
+            this.fn.sawInlineAccessControl = true;
+        }
+    }
+    Assignment(node) {
+        this.observeStateMutation(node, node?.left || node?.leftExpression);
+    }
+    BinaryOperation(node) {
+        const operator = String(node?.operator || '');
+        if (!ASSIGNMENT_OPERATORS.has(operator))
+            return;
+        this.observeStateMutation(node, node?.left || node?.leftExpression);
+    }
+    UnaryOperation(node) {
+        const operator = String(node?.operator || '');
+        if (!MUTATING_UNARY_OPERATORS.has(operator))
+            return;
+        this.observeStateMutation(node, node?.subExpression);
+    }
+    observeStateMutation(node, target) {
+        if (!this.fn || this.fn.firstUnguardedStateMutation)
+            return;
+        if (!this.referencesStateVariable(target))
+            return;
+        if (this.fn.sawInlineAccessControl)
+            return;
+        this.fn.firstUnguardedStateMutation = node;
+    }
+    isConcreteContract(node) {
+        const kind = String(node?.kind || '').toLowerCase();
+        if (kind === 'interface' || kind === 'library')
+            return false;
+        if (node?.abstract === true || node?.isAbstract === true)
+            return false;
+        return true;
+    }
+    isSpecialEntrypoint(node) {
+        const kind = String(node?.kind || '').toLowerCase();
+        return kind === 'fallback' || kind === 'receive' || node?.isFallback === true || node?.isReceiveEther === true;
+    }
+    isOverride(node) {
+        if (node?.override || node?.overrideSpecifier || node?.isOverride)
+            return true;
+        const range = node?.range;
+        if (!Array.isArray(range) || typeof range[0] !== 'number' || typeof range[1] !== 'number')
+            return false;
+        const bodyStart = this.sourceText.indexOf('{', range[0]);
+        const headerEnd = bodyStart >= 0 && bodyStart < range[1] ? bodyStart : range[1];
+        return /\boverride\b/.test(this.sourceText.slice(range[0], headerEnd));
+    }
+    hasInternalIntentSignal(node, name) {
+        if (name.startsWith('_'))
+            return true;
+        if (/internal$/i.test(name))
+            return true;
+        return this.precedingNatSpecMarksInternalUse(node);
+    }
+    precedingNatSpecMarksInternalUse(node) {
+        const range = node?.range;
+        if (!this.sourceText || !Array.isArray(range) || typeof range[0] !== 'number')
+            return false;
+        const before = this.sourceText.slice(Math.max(0, range[0] - 500), range[0]);
+        const comments = before.match(/(?:\/\/\/[^\n]*(?:\n\s*\/\/\/[^\n]*)*|\/\*\*[\s\S]*?\*\/)\s*$/);
+        if (!comments)
+            return false;
+        const text = comments[0].toLowerCase();
+        return /\binternal\s+(use|only|helper|worker)\b/.test(text)
+            || /\binternal-use-only\b/.test(text)
+            || /\bonly\s+(for\s+)?internal\s+use\b/.test(text)
+            || /\bcallers?\s+should\s+go\s+through\b/.test(text);
+    }
+    referencesStateVariable(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if ((0, ast_1.isNode)(node, 'Identifier'))
+            return this.stateVariables.has(String(node.name || ''));
+        if ((0, ast_1.isNode)(node, 'IndexAccess')) {
+            return this.referencesStateVariable(node.base || node.baseExpression);
+        }
+        if ((0, ast_1.isNode)(node, 'MemberAccess')) {
+            return this.referencesStateVariable(node.expression);
+        }
+        if ((0, ast_1.isNode)(node, 'TupleExpression')) {
+            return (node.components || []).some((component) => this.referencesStateVariable(component));
+        }
+        return false;
+    }
+    makeFinding(state, _node) {
+        const loc = (0, ast_1.assertLoc)(state.node);
+        const contractName = this.currentContractName || '<anonymous>';
+        const functionName = state.name;
+        return {
+            file: this.currentFile,
+            contract: contractName,
+            'function': functionName,
+            line: loc.line,
+            endLine: loc.endLine,
+            column: loc.column,
+            endColumn: loc.endColumn,
+            ruleId: RULE_ID,
+            pattern: PATTERN,
+            severity: 'high',
+            confidence: 'medium',
+            category: 'logic-flaw',
+            message: `Public internal function exposure in '${contractName}.${functionName}': an internal-intent helper is externally callable and mutates state without access control.`,
+            rationale: 'Internal helper naming or NatSpec combined with public/external visibility can let attackers bypass a guarded wrapper and call the state transition directly.',
+            suggestedFix: 'Change the helper visibility to internal/private, or add a recognized access-control modifier or inline caller authorization before state mutation.',
+            findingId: '',
+            contractHash: '',
+            contractName,
+            functionName,
+            sourceLocation: { line: loc.line, column: loc.column },
+        };
+    }
+}
+exports.PublicInternalFunctionDetector = PublicInternalFunctionDetector;
+const proto = PublicInternalFunctionDetector.prototype;
+proto['ContractDefinition:exit'] = proto.ContractDefinition_post;
+proto['FunctionDefinition:exit'] = proto.FunctionDefinition_post;
+//# sourceMappingURL=public-internal-function.js.map

package/dist/detectors/quote-silent-zero.d.ts

@@ -0,0 +1,25 @@
+import type { ScanResult } from '../index';
+export declare class QuoteSilentZeroDetector {
+    readonly id = "quote-silent-zero";
+    readonly patternKey = "quote-silent-zero";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "medium";
+    };
+    private findings;
+    private currentFile;
+    private currentFunctionNode;
+    private currentFunctionHasLowLevelCall;
+    private candidateIfs;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    FunctionDefinition(node: any): void;
+    FunctionDefinition_post(node: any): void;
+    MemberAccess(node: any): void;
+    IfStatement(node: any): void;
+    CatchClause(node: any): void;
+    private addFinding;
+}

package/dist/detectors/quote-silent-zero.js

@@ -0,0 +1,156 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.QuoteSilentZeroDetector = void 0;
+const ast_1 = require("./_common/ast");
+function isZero(node) {
+    if (!node)
+        return false;
+    if (node.type === 'NumberLiteral' && node.number === '0')
+        return true;
+    if (node.type === 'FunctionCall' && node.arguments?.length === 1 && isZero(node.arguments[0]))
+        return true;
+    if (node.type === 'TupleExpression' && node.components?.length === 1 && isZero(node.components[0]))
+        return true;
+    if (node.type === 'TypeConversion' && isZero(node.arguments?.[0]))
+        return true;
+    return false;
+}
+function yieldsZero(node) {
+    if (!node)
+        return false;
+    if (node.type === 'ReturnStatement') {
+        if (isZero(node.expression))
+            return true;
+    }
+    if (node.type === 'ExpressionStatement' && node.expression?.type === 'BinaryOperation' && node.expression.operator === '=') {
+        if (isZero(node.expression.right))
+            return true;
+    }
+    if (node.type === 'Block') {
+        for (const stmt of node.statements || []) {
+            if (yieldsZero(stmt))
+                return true;
+        }
+    }
+    if (node.type === 'IfStatement') {
+        if (yieldsZero(node.trueBody))
+            return true;
+        if (yieldsZero(node.falseBody))
+            return true;
+    }
+    return false;
+}
+function isFailureCondition(node) {
+    if (!node)
+        return false;
+    if (node.type === 'UnaryOperation' && node.operator === '!')
+        return true;
+    if (node.type === 'BinaryOperation' && node.operator === '==') {
+        if (node.left?.type === 'BooleanLiteral' && node.left?.value === false)
+            return true;
+        if (node.right?.type === 'BooleanLiteral' && node.right?.value === false)
+            return true;
+    }
+    return false;
+}
+class QuoteSilentZeroDetector {
+    id = 'quote-silent-zero';
+    patternKey = 'quote-silent-zero';
+    supportedAstKinds = ['parser'];
+    // As requested in the plan: "add a SARIF rule descriptor only if the detector cannot carry an in-detector descriptor field"
+    // and "SARIF ambiguity is moot: src/formatters/sarif.ts:447 already reads descriptors from detector instances"
+    descriptor = {
+        id: 'quote-silent-zero',
+        shortDescription: 'Quote helper silently yields zero on internal failure.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'medium'
+    };
+    findings = [];
+    currentFile = '';
+    currentFunctionNode = null;
+    currentFunctionHasLowLevelCall = false;
+    candidateIfs = [];
+    setFile(file) {
+        this.currentFile = file;
+        this.findings = [];
+        this.currentFunctionNode = null;
+        this.currentFunctionHasLowLevelCall = false;
+        this.candidateIfs = [];
+    }
+    getFindings() {
+        return this.findings;
+    }
+    FunctionDefinition(node) {
+        this.currentFunctionNode = null;
+        if (node.visibility !== 'public' && node.visibility !== 'external' && node.visibility !== 'default') {
+            return;
+        }
+        if (!/^(quote|getAmountOut)/i.test(node.name)) {
+            return;
+        }
+        const hasBoolReturn = (node.returnParameters || []).some((p) => p.typeName?.type === 'ElementaryTypeName' && p.typeName.name === 'bool');
+        if (hasBoolReturn) {
+            return;
+        }
+        this.currentFunctionNode = node;
+        this.currentFunctionHasLowLevelCall = false;
+        this.candidateIfs = [];
+    }
+    FunctionDefinition_post(node) {
+        if (this.currentFunctionNode === node) {
+            if (this.currentFunctionHasLowLevelCall) {
+                for (const ifNode of this.candidateIfs) {
+                    if (yieldsZero(ifNode.trueBody)) {
+                        this.addFinding(ifNode, 'medium');
+                    }
+                }
+            }
+            this.currentFunctionNode = null;
+            this.candidateIfs = [];
+            this.currentFunctionHasLowLevelCall = false;
+        }
+    }
+    MemberAccess(node) {
+        if (this.currentFunctionNode && ['call', 'staticcall', 'delegatecall'].includes(node.memberName)) {
+            this.currentFunctionHasLowLevelCall = true;
+        }
+    }
+    IfStatement(node) {
+        if (this.currentFunctionNode && isFailureCondition(node.condition)) {
+            this.candidateIfs.push(node);
+        }
+    }
+    CatchClause(node) {
+        if (this.currentFunctionNode && yieldsZero(node.body)) {
+            this.addFinding(node, 'medium');
+        }
+    }
+    addFinding(node, severity) {
+        // tryLoc throws if missing loc
+        let locInfo;
+        try {
+            locInfo = (0, ast_1.tryLoc)(node, this.currentFunctionNode);
+            if (!locInfo)
+                return; // Skip if locInfo is null
+        }
+        catch {
+            return; // Skip if malformed AST lacks location data
+        }
+        this.findings.push({
+            findingId: '',
+            contractHash: '',
+            ruleId: this.id,
+            file: this.currentFile,
+            severity,
+            confidence: 'medium',
+            message: 'Quote helper silently returns zero on failure instead of propagating revert.',
+            line: locInfo.line,
+            endLine: locInfo.endLine,
+            column: locInfo.column,
+            endColumn: locInfo.endColumn
+        });
+    }
+}
+exports.QuoteSilentZeroDetector = QuoteSilentZeroDetector;
+QuoteSilentZeroDetector.prototype['FunctionDefinition:exit'] = QuoteSilentZeroDetector.prototype.FunctionDefinition_post;
+//# sourceMappingURL=quote-silent-zero.js.map

package/dist/detectors/readonly-reentrancy.d.ts

@@ -0,0 +1,9 @@
+import type { ScanResult } from '../index';
+export declare class ReadOnlyReentrancyDetector {
+    private findings;
+    private currentFile;
+    scanAst(ast: any, file: string): ScanResult[];
+    getFindings(): ScanResult[];
+    private isConfirmed;
+    private toFinding;
+}