@snovon/solast 0.2.0

package/dist/detectors/signature-replay.js

@@ -0,0 +1,367 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SignatureReplayDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'signature-replay';
+const PATTERN = `${RULE_ID}/missing-replay-binding`;
+const RECOVER_NAMES = new Set(['ecrecover', 'recover']);
+const TEMPORAL_NAME = /^(deadline|expiry|expires|expiration|expiresAt|validUntil|validBefore|notAfter)$/i;
+class SignatureReplayDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    scanAst(ast, file) {
+        if (!ast || ast.type !== 'SourceUnit')
+            return [];
+        const findings = [];
+        for (const contract of ast.children || []) {
+            if (contract?.type !== 'ContractDefinition')
+                continue;
+            if (contract.kind === 'interface' || contract.kind === 'library')
+                continue;
+            const returnInitializers = this.collectReturnInitializers(contract);
+            for (const fn of contract.subNodes || []) {
+                if (fn?.type !== 'FunctionDefinition' || !fn.body)
+                    continue;
+                if (!this.isExternallyCallable(fn))
+                    continue;
+                const functionFindings = this.analyzeFunction(contract, fn, file, returnInitializers);
+                findings.push(...functionFindings);
+            }
+        }
+        return findings;
+    }
+    analyzeFunction(contract, fn, file, returnInitializers) {
+        const facts = {
+            initializers: new Map(),
+            returnInitializers,
+            temporalChecks: new Set(),
+        };
+        this.collectFunctionFacts(fn.body, facts);
+        const findings = [];
+        const seen = new Set();
+        for (const verification of this.findSignatureVerifications(fn.body, facts)) {
+            const digestFacts = this.digestFacts(verification.digest, facts, new Set());
+            const missing = this.missingBindings(digestFacts, facts.temporalChecks);
+            if (missing.length === 0)
+                continue;
+            const key = `${verification.loc.line}:${verification.loc.column}`;
+            if (seen.has(key))
+                continue;
+            seen.add(key);
+            findings.push(this.makeFinding(contract, fn, file, verification.loc, missing));
+        }
+        return findings;
+    }
+    collectReturnInitializers(contract) {
+        const returns = new Map();
+        for (const fn of contract.subNodes || []) {
+            if (fn?.type !== 'FunctionDefinition' || !fn.body || !fn.name)
+                continue;
+            if (this.functionParamCount(fn) !== 0)
+                continue;
+            const returned = this.singleReturnedExpression(fn.body);
+            if (returned)
+                returns.set(fn.name, returned);
+        }
+        return returns;
+    }
+    collectFunctionFacts(node, facts) {
+        this.walk(node, current => {
+            if (current?.type === 'VariableDeclarationStatement') {
+                const initialValue = current.initialValue;
+                for (const variable of current.variables || []) {
+                    if (variable?.name && initialValue)
+                        facts.initializers.set(variable.name, initialValue);
+                }
+            }
+            if (current?.type === 'FunctionCall' && this.directCallName(current.expression) === 'require') {
+                this.collectTemporalChecks(current.arguments?.[0], facts.temporalChecks);
+            }
+            if (current?.type === 'IfStatement' && this.bodyBlocks(current)) {
+                this.collectTemporalChecks(current.condition, facts.temporalChecks);
+            }
+        });
+    }
+    findSignatureVerifications(node, facts) {
+        const verifications = [];
+        this.walk(node, current => {
+            if (current?.type !== 'FunctionCall' || this.directCallName(current.expression) !== 'require')
+                return;
+            const condition = current.arguments?.[0];
+            if (!condition)
+                return;
+            const digest = this.digestFromSignerComparison(condition, facts);
+            if (digest)
+                verifications.push({ digest, loc: this.locOf(condition) });
+        });
+        return verifications;
+    }
+    digestFromSignerComparison(expr, facts) {
+        if (!expr || typeof expr !== 'object')
+            return null;
+        if (expr.type === 'BinaryOperation' && ['==', '!=', '===', '!=='].includes(expr.operator)) {
+            const left = this.resolveLocalExpression(expr.left, facts, new Set());
+            const right = this.resolveLocalExpression(expr.right, facts, new Set());
+            const leftDigest = this.recoverDigest(left);
+            const rightDigest = this.recoverDigest(right);
+            if (leftDigest && this.looksLikeSigner(expr.right, facts))
+                return leftDigest;
+            if (rightDigest && this.looksLikeSigner(expr.left, facts))
+                return rightDigest;
+        }
+        for (const child of this.childNodes(expr)) {
+            const found = this.digestFromSignerComparison(child, facts);
+            if (found)
+                return found;
+        }
+        return null;
+    }
+    resolveLocalExpression(expr, facts, seen) {
+        let current = expr;
+        while (current?.type === 'Identifier') {
+            const key = `local:${current.name}`;
+            if (seen.has(key))
+                return current;
+            seen.add(key);
+            const initializer = facts.initializers.get(current.name);
+            if (!initializer)
+                return current;
+            current = initializer;
+        }
+        return current;
+    }
+    recoverDigest(expr) {
+        if (!expr || typeof expr !== 'object')
+            return null;
+        if (expr.type === 'FunctionCall') {
+            const callName = this.directCallName(expr.expression);
+            if (callName && RECOVER_NAMES.has(callName)) {
+                if (callName === 'ecrecover')
+                    return expr.arguments?.[0] || null;
+                if (expr.expression?.type === 'MemberAccess') {
+                    if ((expr.arguments?.length ?? 0) >= 2)
+                        return expr.arguments?.[0] || null;
+                    return expr.expression.expression || null;
+                }
+                return expr.arguments?.[0] || null;
+            }
+        }
+        return null;
+    }
+    looksLikeSigner(expr, facts) {
+        let found = false;
+        this.walkResolved(expr, facts, new Set(), current => {
+            if (current?.type === 'Identifier' && /^(signer|owner|account|authorizer|from)$/i.test(current.name))
+                found = true;
+            if (current?.type === 'MemberAccess' && /^(signer|owner|account|authorizer|from)$/i.test(current.memberName))
+                found = true;
+        });
+        return found;
+    }
+    digestFacts(node, facts, seen) {
+        const digestFacts = {
+            nonce: false,
+            chainid: false,
+            contract: false,
+            signedTemporal: new Set(),
+        };
+        this.walkResolved(node, facts, seen, current => {
+            if (!current || typeof current !== 'object')
+                return;
+            if (current.type === 'FunctionCall' && this.directCallName(current.expression) === '_hashTypedDataV4') {
+                digestFacts.chainid = true;
+                digestFacts.contract = true;
+            }
+            if (current.type === 'FunctionCall' && this.directCallName(current.expression) === 'address') {
+                if (current.arguments?.[0]?.type === 'Identifier' && current.arguments[0].name === 'this') {
+                    digestFacts.contract = true;
+                }
+            }
+            if (current.type === 'MemberAccess' &&
+                current.memberName === 'chainid' &&
+                current.expression?.type === 'Identifier' &&
+                current.expression.name === 'block') {
+                digestFacts.chainid = true;
+            }
+            if (current.type === 'IndexAccess' && this.indexRootName(current).toLowerCase().includes('nonce')) {
+                digestFacts.nonce = true;
+            }
+            if (current.type === 'Identifier' && TEMPORAL_NAME.test(current.name)) {
+                digestFacts.signedTemporal.add(current.name);
+            }
+            if (current.type === 'MemberAccess' && TEMPORAL_NAME.test(current.memberName)) {
+                digestFacts.signedTemporal.add(current.memberName);
+            }
+        });
+        return digestFacts;
+    }
+    missingBindings(digestFacts, temporalChecks) {
+        const missing = [];
+        if (!digestFacts.nonce)
+            missing.push('nonce');
+        if (!digestFacts.chainid)
+            missing.push('chainid');
+        if (!digestFacts.contract)
+            missing.push('contract');
+        let hasCheckedSignedDeadline = false;
+        for (const checked of temporalChecks) {
+            for (const signed of digestFacts.signedTemporal) {
+                if (checked.toLowerCase() === signed.toLowerCase())
+                    hasCheckedSignedDeadline = true;
+            }
+        }
+        if (!hasCheckedSignedDeadline)
+            missing.push('deadline');
+        return missing;
+    }
+    collectTemporalChecks(expr, out) {
+        if (!expr || !this.containsTimestamp(expr))
+            return;
+        this.walk(expr, current => {
+            if (current?.type === 'Identifier' && TEMPORAL_NAME.test(current.name))
+                out.add(current.name);
+            if (current?.type === 'MemberAccess' && TEMPORAL_NAME.test(current.memberName))
+                out.add(current.memberName);
+        });
+    }
+    containsTimestamp(node) {
+        let found = false;
+        this.walk(node, current => {
+            if (current?.type === 'Identifier' && current.name === 'now')
+                found = true;
+            if (current?.type === 'MemberAccess' &&
+                current.memberName === 'timestamp' &&
+                current.expression?.type === 'Identifier' &&
+                current.expression.name === 'block') {
+                found = true;
+            }
+        });
+        return found;
+    }
+    bodyBlocks(node) {
+        const body = node.trueBody || node.falseBody;
+        if (!body)
+            return false;
+        let blocks = false;
+        this.walk(body, current => {
+            if (current?.type === 'RevertStatement' || current?.type === 'ReturnStatement')
+                blocks = true;
+            if (current?.type === 'FunctionCall' && this.directCallName(current.expression) === 'revert')
+                blocks = true;
+        });
+        return blocks;
+    }
+    singleReturnedExpression(body) {
+        let returned = null;
+        this.walk(body, current => {
+            if (!returned && current?.type === 'ReturnStatement')
+                returned = current.expression || null;
+        });
+        return returned;
+    }
+    walkResolved(node, facts, seen, visit) {
+        if (!node || typeof node !== 'object')
+            return;
+        visit(node);
+        if (node.type === 'Identifier') {
+            const initializer = facts.initializers.get(node.name);
+            if (initializer && !seen.has(`local:${node.name}`)) {
+                seen.add(`local:${node.name}`);
+                this.walkResolved(initializer, facts, seen, visit);
+            }
+        }
+        if (node.type === 'FunctionCall' && node.expression?.type === 'Identifier') {
+            const returned = facts.returnInitializers.get(node.expression.name);
+            if (returned && !seen.has(`return:${node.expression.name}`)) {
+                seen.add(`return:${node.expression.name}`);
+                this.walkResolved(returned, facts, seen, visit);
+            }
+        }
+        for (const child of this.childNodes(node))
+            this.walkResolved(child, facts, seen, visit);
+    }
+    walk(node, visit) {
+        if (!node || typeof node !== 'object')
+            return;
+        visit(node);
+        for (const child of this.childNodes(node))
+            this.walk(child, visit);
+    }
+    childNodes(node) {
+        if (!node || typeof node !== 'object')
+            return [];
+        const children = [];
+        for (const [key, value] of Object.entries(node)) {
+            if (key === 'loc' || key === 'range')
+                continue;
+            if (Array.isArray(value)) {
+                for (const item of value)
+                    if (item && typeof item === 'object')
+                        children.push(item);
+            }
+            else if (value && typeof value === 'object') {
+                children.push(value);
+            }
+        }
+        return children;
+    }
+    directCallName(expr) {
+        if (expr?.type === 'Identifier')
+            return expr.name;
+        if (expr?.type === 'MemberAccess')
+            return expr.memberName;
+        return null;
+    }
+    indexRootName(node) {
+        let current = node;
+        while (current?.type === 'IndexAccess')
+            current = current.base;
+        if (current?.type === 'Identifier')
+            return current.name || '';
+        if (current?.type === 'MemberAccess')
+            return current.memberName || '';
+        return '';
+    }
+    functionParamCount(fn) {
+        const params = fn.parameters?.parameters || fn.parameters || [];
+        return Array.isArray(params) ? params.length : 0;
+    }
+    isExternallyCallable(fn) {
+        const kind = String(fn.kind || (fn.isConstructor ? 'constructor' : '') || 'function').toLowerCase();
+        if (kind === 'constructor' || kind === 'fallback' || kind === 'receive')
+            return false;
+        const visibility = String(fn.visibility || '').toLowerCase();
+        return visibility === 'public' || visibility === 'external';
+    }
+    locOf(node) {
+        const { line, column } = (0, ast_1.assertLoc)(node);
+        return { line, column };
+    }
+    makeFinding(contract, fn, file, loc, missing) {
+        const contractName = contract.name || '<anonymous>';
+        const functionName = fn.name || '<anonymous>';
+        const missingText = missing.join(', ');
+        return {
+            file,
+            contract: contractName,
+            'function': functionName,
+            line: loc.line,
+            column: loc.column,
+            pattern: PATTERN,
+            confidence: 'high',
+            ruleId: RULE_ID,
+            severity: 'high',
+            message: `Signature verification in '${contractName}.${functionName}' omits replay binding: ${missingText}.`,
+            rationale: 'ECDSA authorization can be replayed when the signed digest does not bind a signer nonce, chain id, contract instance, and checked expiry/deadline.',
+            suggestedFix: 'Include a consumed per-signer nonce, block.chainid, address(this), and a deadline or expiry checked against block.timestamp in the signed payload or EIP-712 domain.',
+            contractName,
+            functionName,
+            sourceLocation: loc,
+            findingId: '',
+            contractHash: '',
+        };
+    }
+}
+exports.SignatureReplayDetector = SignatureReplayDetector;
+//# sourceMappingURL=signature-replay.js.map

package/dist/detectors/simpleswap-unverified-approval.d.ts

@@ -0,0 +1,27 @@
+import type { ScanResult } from '../index';
+export declare class SimpleswapUnverifiedApprovalDetector {
+    readonly id = "simpleswap-unverified-approval";
+    readonly supportedAstKinds: "parser"[];
+    private findings;
+    private file;
+    private currentContract;
+    private currentFunction;
+    private isAccessControlled;
+    private stateVars;
+    private taintedVars;
+    private validatedVars;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(): void;
+    StateVariableDeclaration(node: any): void;
+    FunctionDefinition(node: any): void;
+    FunctionDefinition_post(): void;
+    VariableDeclarationStatement(node: any): void;
+    ExpressionStatement(node: any): void;
+    IfStatement(node: any): void;
+    private extractValidations;
+    private unwrapCasts;
+    private isTaintedExpr;
+    FunctionCall(node: any): void;
+}

package/dist/detectors/simpleswap-unverified-approval.js

@@ -0,0 +1,198 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SimpleswapUnverifiedApprovalDetector = void 0;
+const ast_1 = require("./_common/ast");
+const access_control_1 = require("./_common/access-control");
+class SimpleswapUnverifiedApprovalDetector {
+    id = 'simpleswap-unverified-approval';
+    supportedAstKinds = ['parser'];
+    findings = [];
+    file = '';
+    currentContract = '';
+    currentFunction = '';
+    isAccessControlled = false;
+    stateVars = new Set();
+    taintedVars = new Set();
+    validatedVars = new Set();
+    setFile(file) {
+        this.file = file;
+        this.findings = [];
+        this.currentContract = '';
+        this.currentFunction = '';
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        this.currentContract = node.name || '';
+        this.stateVars.clear();
+    }
+    ContractDefinition_post() {
+        this.currentContract = '';
+        this.stateVars.clear();
+    }
+    StateVariableDeclaration(node) {
+        for (const v of node.variables || []) {
+            if (v && v.name)
+                this.stateVars.add(v.name);
+        }
+    }
+    FunctionDefinition(node) {
+        this.currentFunction = node.name || '';
+        this.taintedVars.clear();
+        this.validatedVars.clear();
+        this.isAccessControlled = (0, access_control_1.hasRecognisedAccessControlModifier)(node);
+        for (const p of node.parameters || []) {
+            if (p && p.name)
+                this.taintedVars.add(p.name);
+        }
+    }
+    FunctionDefinition_post() {
+        this.currentFunction = '';
+        this.taintedVars.clear();
+        this.validatedVars.clear();
+    }
+    VariableDeclarationStatement(node) {
+        const init = node.initialValue;
+        if (init && this.isTaintedExpr(init)) {
+            for (const v of node.variables || []) {
+                if (v && v.name) {
+                    this.taintedVars.add(v.name);
+                }
+            }
+        }
+    }
+    ExpressionStatement(node) {
+        const expr = node.expression;
+        if ((0, ast_1.isNode)(expr, 'Assignment')) {
+            if (this.isTaintedExpr(expr.right || expr.rightExpression)) {
+                const left = expr.left || expr.leftExpression;
+                if ((0, ast_1.isNode)(left, 'Identifier')) {
+                    this.taintedVars.add(left.name);
+                }
+            }
+        }
+        else if ((0, ast_1.isNode)(expr, 'FunctionCall') && (0, ast_1.isNode)(expr.expression, 'Identifier') && expr.expression.name === 'require') {
+            const condition = expr.arguments?.[0];
+            this.extractValidations(condition);
+        }
+    }
+    IfStatement(node) {
+        this.extractValidations(node.condition);
+    }
+    extractValidations(expr) {
+        if (!expr)
+            return;
+        if ((0, ast_1.isNode)(expr, 'BinaryOperation') && (expr.operator === '==' || expr.operator === '===')) {
+            const left = expr.left || expr.leftExpression;
+            const right = expr.right || expr.rightExpression;
+            const lName = (0, ast_1.isNode)(left, 'Identifier') ? left.name : null;
+            const rName = (0, ast_1.isNode)(right, 'Identifier') ? right.name : null;
+            if (lName && rName) {
+                if (this.stateVars.has(lName))
+                    this.validatedVars.add(rName);
+                if (this.stateVars.has(rName))
+                    this.validatedVars.add(lName);
+            }
+        }
+        if ((0, ast_1.isNode)(expr, 'FunctionCall')) {
+            const callee = expr.expression;
+            if ((0, ast_1.isNode)(callee, 'MemberAccess')) {
+                const member = String(callee.memberName || '').toLowerCase();
+                if (/whitelist|allow|trust|valid|approved|approval/i.test(member)) {
+                    const arg = expr.arguments?.[0];
+                    if ((0, ast_1.isNode)(arg, 'Identifier'))
+                        this.validatedVars.add(arg.name);
+                }
+            }
+        }
+        if ((0, ast_1.isNode)(expr, 'IndexAccess')) {
+            const base = expr.base || expr.baseExpression;
+            const index = expr.index || expr.indexExpression;
+            if ((0, ast_1.isNode)(base, 'Identifier') && /allow|trust|valid|approve/i.test(base.name)) {
+                if ((0, ast_1.isNode)(index, 'Identifier'))
+                    this.validatedVars.add(index.name);
+            }
+        }
+        if ((0, ast_1.isNode)(expr, 'BinaryOperation') && expr.operator === '&&') {
+            this.extractValidations(expr.left || expr.leftExpression);
+            this.extractValidations(expr.right || expr.rightExpression);
+        }
+    }
+    unwrapCasts(expr) {
+        if (!expr)
+            return expr;
+        if ((0, ast_1.isNode)(expr, 'FunctionCall') && (0, ast_1.isNode)(expr.expression, 'Identifier')) {
+            if (expr.arguments && expr.arguments.length === 1) {
+                return this.unwrapCasts(expr.arguments[0]);
+            }
+        }
+        return expr;
+    }
+    isTaintedExpr(expr) {
+        if (!expr)
+            return false;
+        if ((0, ast_1.isNode)(expr, 'Identifier')) {
+            if (this.validatedVars.has(expr.name))
+                return false;
+            if (this.taintedVars.has(expr.name))
+                return true;
+            if (this.stateVars.has(expr.name))
+                return false;
+            return false;
+        }
+        if ((0, ast_1.isNode)(expr, 'MemberAccess')) {
+            return this.isTaintedExpr(expr.expression);
+        }
+        if ((0, ast_1.isNode)(expr, 'IndexAccess')) {
+            return this.isTaintedExpr(expr.base || expr.baseExpression);
+        }
+        if ((0, ast_1.isNode)(expr, 'FunctionCall')) {
+            const callee = expr.expression;
+            if ((0, ast_1.isNode)(callee, 'MemberAccess')) {
+                const member = callee.memberName;
+                if (member === 'decode' && (0, ast_1.isNode)(callee.expression, 'Identifier') && callee.expression.name === 'abi') {
+                    return true;
+                }
+            }
+            return false;
+        }
+        return false;
+    }
+    FunctionCall(node) {
+        if (this.isAccessControlled)
+            return;
+        let isApprove = false;
+        let tokenExpr = null;
+        let spenderExpr = null;
+        const callee = node.expression;
+        if ((0, ast_1.isNode)(callee, 'MemberAccess')) {
+            const member = callee.memberName;
+            if (member === 'approve' || member === 'safeApprove') {
+                isApprove = true;
+                tokenExpr = callee.expression;
+                spenderExpr = node.arguments?.[0];
+            }
+        }
+        if (isApprove && tokenExpr && spenderExpr) {
+            const tokenInner = this.unwrapCasts(tokenExpr);
+            const spenderInner = this.unwrapCasts(spenderExpr);
+            const tokenTainted = this.isTaintedExpr(tokenInner);
+            const spenderTainted = this.isTaintedExpr(spenderInner);
+            if (tokenTainted || spenderTainted) {
+                this.findings.push({
+                    ruleId: this.id,
+                    severity: 'high',
+                    message: `Approval of unverified token or to unverified spender: ${tokenTainted ? 'token' : 'spender'} is caller-controlled without validation.`,
+                    file: this.file,
+                    contractName: this.currentContract,
+                    functionName: this.currentFunction,
+                    ...(0, ast_1.assertLoc)(node),
+                    pattern: this.id,
+                });
+            }
+        }
+    }
+}
+exports.SimpleswapUnverifiedApprovalDetector = SimpleswapUnverifiedApprovalDetector;
+//# sourceMappingURL=simpleswap-unverified-approval.js.map

package/dist/detectors/single-spot-oracle-collateral-valuation.d.ts

@@ -0,0 +1,22 @@
+import type { ScanResult } from '../index';
+export declare class SingleSpotOracleCollateralValuationDetector {
+    readonly id = "single-spot-oracle-collateral-valuation";
+    readonly patternKey = "single-spot-oracle-collateral-valuation";
+    readonly supportedAstKinds: "parser"[];
+    private currentFile;
+    private currentContract;
+    private currentFunction;
+    private findings;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(): void;
+    FunctionDefinition(node: any): void;
+    FunctionDefinition_post(): void;
+    VariableDeclarationStatement(node: any): void;
+    BinaryOperation(node: any): void;
+    FunctionCall(node: any): void;
+    IfStatement(node: any): void;
+    private markProtection;
+    private handleGate;
+}