@snovon/solast 0.2.0

package/dist/detectors/solana-evm-bridge-truncation.js

@@ -0,0 +1,638 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SolanaEvmBridgeTruncationDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'solana-evm-bridge-truncation';
+const PATTERN = `${RULE_ID}/unguarded-payload-read`;
+const RECEIVER_NAME = /^(receiveMessage|executeMessage|handle|onMessageReceived|lzReceive|_lzReceive|_nonblockingLzReceive|ccipReceive|xReceive|receivePayload)$/i;
+class SolanaEvmBridgeTruncationDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    scanAst(ast, file) {
+        if (!ast || ast.type !== 'SourceUnit')
+            return [];
+        const findings = [];
+        for (const contract of ast.children || []) {
+            if (contract?.type !== 'ContractDefinition')
+                continue;
+            if (contract.kind === 'interface' || contract.kind === 'library')
+                continue;
+            for (const fn of contract.subNodes || []) {
+                if (fn?.type !== 'FunctionDefinition')
+                    continue;
+                if (!fn.body)
+                    continue;
+                if (!isBridgeReceiver(fn))
+                    continue;
+                const payloadRoots = collectBytesPayloadParams(fn);
+                if (payloadRoots.size === 0)
+                    continue;
+                const ctx = {
+                    file,
+                    contractName: contract.name || '<anonymous>',
+                    functionName: fn.name || '<anonymous>',
+                    payloadRoots,
+                    aliases: new Map(),
+                    guards: new Map(),
+                };
+                const unsafe = findFirstUnguardedReadInBlock(fn.body, ctx);
+                if (unsafe)
+                    findings.push(makeFinding(ctx, unsafe));
+            }
+        }
+        return findings;
+    }
+}
+exports.SolanaEvmBridgeTruncationDetector = SolanaEvmBridgeTruncationDetector;
+function isBridgeReceiver(fn) {
+    const name = String(fn?.name || '');
+    if (!RECEIVER_NAME.test(name))
+        return false;
+    return collectBytesPayloadParams(fn).size > 0;
+}
+function collectBytesPayloadParams(fn) {
+    const names = new Set();
+    for (const param of fn.parameters || []) {
+        if (!param?.name)
+            continue;
+        if (isVariableBytesType(param.typeName))
+            names.add(String(param.name));
+    }
+    return names;
+}
+function isVariableBytesType(typeName) {
+    if (!typeName || typeof typeName !== 'object')
+        return false;
+    const name = String(typeName.name || typeName.typeDescriptions?.typeString || '');
+    return name === 'bytes' || /^bytes\s/.test(name);
+}
+function findFirstUnguardedReadInBlock(block, ctx) {
+    for (const stmt of block?.statements || []) {
+        const unsafe = findFirstUnguardedReadInStatement(stmt, ctx);
+        if (unsafe)
+            return unsafe;
+    }
+    return null;
+}
+function findFirstUnguardedReadInStatement(stmt, ctx) {
+    if (!stmt || typeof stmt !== 'object')
+        return null;
+    if (recordLengthGuard(stmt, ctx))
+        return null;
+    recordSimpleAlias(stmt, ctx);
+    if (stmt.type === 'IfStatement') {
+        const unsafeCondition = findFirstUnguardedRead(stmt.condition, ctx);
+        if (unsafeCondition)
+            return unsafeCondition;
+        const trueCtx = cloneCtx(ctx);
+        const falseCtx = cloneCtx(ctx);
+        applyBranchLocalGuard(stmt.condition, trueCtx, falseCtx);
+        const trueUnsafe = findFirstUnguardedReadInStatement(stmt.trueBody, trueCtx);
+        if (trueUnsafe)
+            return trueUnsafe;
+        const falseUnsafe = findFirstUnguardedReadInStatement(stmt.falseBody, falseCtx);
+        if (falseUnsafe)
+            return falseUnsafe;
+        return null;
+    }
+    if (stmt.type === 'Block')
+        return findFirstUnguardedReadInBlock(stmt, ctx);
+    return findFirstUnguardedRead(stmt, ctx);
+}
+function recordSimpleAlias(stmt, ctx) {
+    if (stmt?.type !== 'VariableDeclarationStatement')
+        return;
+    const root = rootPayloadName(stmt.initialValue, ctx);
+    if (!root)
+        return;
+    for (const variable of stmt.variables || []) {
+        if (variable?.name && isVariableBytesType(variable.typeName)) {
+            ctx.aliases.set(String(variable.name), root);
+        }
+    }
+}
+function recordLengthGuard(stmt, ctx) {
+    const expr = stmt?.type === 'ExpressionStatement' ? stmt.expression : stmt;
+    if (isRequireOrAssert(expr)) {
+        for (const [root, guard] of extractRequireGuards(expr.arguments?.[0], ctx)) {
+            mergeGuard(ctx, root, guard);
+        }
+        return true;
+    }
+    if (stmt?.type === 'IfStatement' && bodyReverts(stmt.trueBody)) {
+        const guards = extractRevertGuards(stmt.condition, ctx);
+        for (const [root, guard] of guards) {
+            mergeGuard(ctx, root, guard);
+        }
+        if (guards.length > 0)
+            return true;
+    }
+    return false;
+}
+function isRequireOrAssert(node) {
+    if (node?.type !== 'FunctionCall')
+        return false;
+    const callee = node.expression;
+    return callee?.type === 'Identifier' && (callee.name === 'require' || callee.name === 'assert');
+}
+function mergeGuard(ctx, root, g) {
+    const cur = ctx.guards.get(root);
+    if (!cur) {
+        ctx.guards.set(root, { min: g.min, hasExact: g.hasExact });
+        return;
+    }
+    ctx.guards.set(root, {
+        min: Math.max(cur.min, g.min),
+        hasExact: cur.hasExact || g.hasExact,
+    });
+}
+function applyBranchLocalGuard(cond, trueCtx, falseCtx) {
+    const branchGuard = extractBranchLocalGuard(cond, trueCtx);
+    if (!branchGuard)
+        return;
+    const target = branchGuard.branch === 'true' ? trueCtx : falseCtx;
+    mergeGuard(target, branchGuard.root, branchGuard.guard);
+}
+function extractBranchLocalGuard(cond, ctx) {
+    if (cond?.type !== 'BinaryOperation')
+        return null;
+    const op = String(cond.operator || '');
+    const leftRoot = payloadLengthRoot(cond.left, ctx);
+    if (leftRoot) {
+        const rhs = evaluateNumericLiteral(cond.right);
+        if (rhs === null)
+            return null;
+        const branchGuard = branchGuardFromOp(op, rhs, true);
+        return branchGuard ? { ...branchGuard, root: leftRoot } : null;
+    }
+    const rightRoot = payloadLengthRoot(cond.right, ctx);
+    if (rightRoot) {
+        const lhs = evaluateNumericLiteral(cond.left);
+        if (lhs === null)
+            return null;
+        const branchGuard = branchGuardFromOp(op, lhs, false);
+        return branchGuard ? { ...branchGuard, root: rightRoot } : null;
+    }
+    return null;
+}
+function branchGuardFromOp(op, n, lengthOnLeft) {
+    if (lengthOnLeft) {
+        if (op === '>=')
+            return { branch: 'true', guard: { min: n, hasExact: false } };
+        if (op === '>')
+            return { branch: 'true', guard: { min: n + 1, hasExact: false } };
+        if (op === '==')
+            return { branch: 'true', guard: { min: n, hasExact: true } };
+        if (op === '<')
+            return { branch: 'false', guard: { min: n, hasExact: false } };
+        return null;
+    }
+    if (op === '<=')
+        return { branch: 'true', guard: { min: n, hasExact: false } };
+    if (op === '<')
+        return { branch: 'true', guard: { min: n + 1, hasExact: false } };
+    if (op === '==')
+        return { branch: 'true', guard: { min: n, hasExact: true } };
+    if (op === '>')
+        return { branch: 'false', guard: { min: n, hasExact: false } };
+    return null;
+}
+function extractRequireGuards(cond, ctx) {
+    const out = [];
+    walk(cond, node => {
+        if (node?.type !== 'BinaryOperation')
+            return;
+        const op = String(node.operator || '');
+        const leftRoot = payloadLengthRoot(node.left, ctx);
+        if (leftRoot) {
+            const rhs = evaluateNumericLiteral(node.right);
+            if (rhs !== null) {
+                const guard = guardFromRequireOp(op, rhs, true);
+                if (guard)
+                    out.push([leftRoot, guard]);
+            }
+        }
+        const rightRoot = payloadLengthRoot(node.right, ctx);
+        if (rightRoot) {
+            const lhs = evaluateNumericLiteral(node.left);
+            if (lhs !== null) {
+                const guard = guardFromRequireOp(op, lhs, false);
+                if (guard)
+                    out.push([rightRoot, guard]);
+            }
+        }
+    });
+    return out;
+}
+function guardFromRequireOp(op, n, lengthOnLeft) {
+    if (lengthOnLeft) {
+        if (op === '>=')
+            return { min: n, hasExact: false };
+        if (op === '>')
+            return { min: n + 1, hasExact: false };
+        if (op === '==')
+            return { min: n, hasExact: true };
+        return null;
+    }
+    if (op === '<=')
+        return { min: n, hasExact: false };
+    if (op === '<')
+        return { min: n + 1, hasExact: false };
+    if (op === '==')
+        return { min: n, hasExact: true };
+    return null;
+}
+function extractRevertGuards(cond, ctx) {
+    const out = [];
+    walk(cond, node => {
+        if (node?.type !== 'BinaryOperation')
+            return;
+        const op = String(node.operator || '');
+        const leftRoot = payloadLengthRoot(node.left, ctx);
+        if (leftRoot) {
+            const rhs = evaluateNumericLiteral(node.right);
+            if (rhs !== null) {
+                const guard = guardFromRevertOp(op, rhs, true);
+                if (guard)
+                    out.push([leftRoot, guard]);
+            }
+        }
+        const rightRoot = payloadLengthRoot(node.right, ctx);
+        if (rightRoot) {
+            const lhs = evaluateNumericLiteral(node.left);
+            if (lhs !== null) {
+                const guard = guardFromRevertOp(op, lhs, false);
+                if (guard)
+                    out.push([rightRoot, guard]);
+            }
+        }
+    });
+    return out;
+}
+function guardFromRevertOp(op, n, lengthOnLeft) {
+    if (lengthOnLeft) {
+        if (op === '<')
+            return { min: n, hasExact: false };
+        if (op === '<=')
+            return { min: n + 1, hasExact: false };
+        if (op === '!=')
+            return { min: n, hasExact: true };
+        return null;
+    }
+    if (op === '>')
+        return { min: n, hasExact: false };
+    if (op === '>=')
+        return { min: n + 1, hasExact: false };
+    if (op === '!=')
+        return { min: n, hasExact: true };
+    return null;
+}
+function bodyReverts(body) {
+    if (!body)
+        return false;
+    if (body.type === 'RevertStatement')
+        return true;
+    if (body.type === 'ExpressionStatement')
+        return isRevertCall(body.expression);
+    if (body.type === 'Block') {
+        const statements = body.statements || [];
+        return statements.some((stmt) => stmt?.type === 'RevertStatement' || (stmt?.type === 'ExpressionStatement' && isRevertCall(stmt.expression)));
+    }
+    return false;
+}
+function isRevertCall(node) {
+    if (node?.type !== 'FunctionCall')
+        return false;
+    const callee = node.expression;
+    return callee?.type === 'Identifier' && callee.name === 'revert';
+}
+function findFirstUnguardedRead(node, ctx) {
+    if (!node || typeof node !== 'object')
+        return null;
+    if (isAbiDecodeOfPayload(node, ctx)) {
+        const root = rootPayloadName(node.arguments?.[0], ctx);
+        if (root) {
+            const requiredMin = decodeRequiredMin(node);
+            if (!isReadSuppressed(ctx, root, requiredMin))
+                return node;
+        }
+    }
+    if (node.type === 'IndexRangeAccess' && isPayloadAccess(node, ctx)) {
+        const root = rootPayloadName(node.base || node.baseExpression, ctx);
+        if (root) {
+            const requiredMin = sliceRequiredMin(node);
+            if (!isReadSuppressed(ctx, root, requiredMin))
+                return node;
+        }
+    }
+    if (node.type === 'IndexAccess' && isPayloadAccess(node, ctx)) {
+        const root = rootPayloadName(node.base || node.baseExpression, ctx);
+        if (root) {
+            const requiredMin = indexRequiredMin(node);
+            if (!isReadSuppressed(ctx, root, requiredMin))
+                return node;
+        }
+    }
+    if (isAssemblyLoadFromPayload(node, ctx)) {
+        const offsetExpr = node.arguments?.[0];
+        const info = assemblyPayloadOffset(offsetExpr, ctx);
+        const requiredMin = info ? info.offset + 32 : null;
+        const root = info?.root || assemblyPayloadRoot(offsetExpr, ctx);
+        if (root && !isReadSuppressed(ctx, root, requiredMin))
+            return node;
+    }
+    for (const child of childNodes(node)) {
+        const found = findFirstUnguardedRead(child, ctx);
+        if (found)
+            return found;
+    }
+    return null;
+}
+function isReadSuppressed(ctx, root, requiredMin) {
+    const g = ctx.guards.get(root);
+    if (!g)
+        return false;
+    if (requiredMin === null)
+        return g.hasExact;
+    return g.min >= requiredMin;
+}
+function decodeRequiredMin(node) {
+    const args = node.arguments || [];
+    if (args.length < 2)
+        return null;
+    const firstArg = args[0];
+    if (firstArg && firstArg.type === 'IndexRangeAccess') {
+        return sliceRequiredMin(firstArg);
+    }
+    const typeArg = args[1];
+    if (!typeArg)
+        return null;
+    const components = typeArg.type === 'TupleExpression' ? (typeArg.components || []) : [typeArg];
+    if (components.length === 0)
+        return null;
+    let total = 0;
+    for (const c of components) {
+        const sz = componentHeadSize(c);
+        if (sz === null)
+            return null;
+        total += sz;
+    }
+    return total;
+}
+function componentHeadSize(node) {
+    if (!node || typeof node !== 'object')
+        return null;
+    if (node.type === 'Identifier')
+        return 32;
+    if (node.type === 'ElementaryTypeName') {
+        const name = String(node.name || '');
+        if (name === 'address' || name === 'address payable')
+            return 32;
+        if (name === 'bool')
+            return 32;
+        if (/^u?int\d*$/.test(name))
+            return 32;
+        if (/^bytes(\d+)?$/.test(name))
+            return 32;
+        if (name === 'string')
+            return 32;
+        return 32;
+    }
+    if (node.type === 'UserDefinedTypeName')
+        return 32;
+    if (node.type === 'ArrayTypeName')
+        return 32;
+    return null;
+}
+function sliceRequiredMin(node) {
+    if (!node)
+        return null;
+    if (node.indexEnd)
+        return evaluateNumericLiteral(node.indexEnd);
+    if (node.indexStart)
+        return evaluateNumericLiteral(node.indexStart);
+    return null;
+}
+function indexRequiredMin(node) {
+    const i = evaluateNumericLiteral(node.index);
+    if (i === null)
+        return null;
+    return i + 1;
+}
+function evaluateNumericLiteral(node) {
+    if (!node || typeof node !== 'object')
+        return null;
+    if (node.type === 'NumberLiteral') {
+        if (node.subdenomination)
+            return null;
+        const num = String(node.number || '');
+        if (/^0x/i.test(num)) {
+            const n = parseInt(num, 16);
+            return Number.isFinite(n) ? n : null;
+        }
+        const n = Number(num);
+        return Number.isFinite(n) ? n : null;
+    }
+    if (node.type === 'BinaryOperation') {
+        const l = evaluateNumericLiteral(node.left);
+        const r = evaluateNumericLiteral(node.right);
+        if (l === null || r === null)
+            return null;
+        switch (node.operator) {
+            case '+': return l + r;
+            case '-': return l - r;
+            case '*': return l * r;
+            default: return null;
+        }
+    }
+    if (node.type === 'TupleExpression') {
+        const components = node.components || [];
+        if (components.length === 1)
+            return evaluateNumericLiteral(components[0]);
+    }
+    return null;
+}
+function readAssemblyLiteral(node) {
+    if (!node || typeof node !== 'object')
+        return null;
+    if (node.type === 'DecimalNumber') {
+        const n = Number(String(node.value || ''));
+        return Number.isFinite(n) ? n : null;
+    }
+    if (node.type === 'HexNumber') {
+        const n = parseInt(String(node.value || ''), 16);
+        return Number.isFinite(n) ? n : null;
+    }
+    if (node.type === 'NumberLiteral')
+        return evaluateNumericLiteral(node);
+    return null;
+}
+function isAbiDecodeOfPayload(node, ctx) {
+    if (node?.type !== 'FunctionCall')
+        return false;
+    const callee = node.expression;
+    if (callee?.type !== 'MemberAccess' || callee.memberName !== 'decode')
+        return false;
+    if (callee.expression?.type !== 'Identifier' || callee.expression.name !== 'abi')
+        return false;
+    return !!rootPayloadName(node.arguments?.[0], ctx);
+}
+function isPayloadAccess(node, ctx) {
+    return !!rootPayloadName(node.base || node.baseExpression, ctx);
+}
+function rootPayloadName(node, ctx) {
+    if (!node || typeof node !== 'object')
+        return null;
+    if (node.type === 'Identifier') {
+        const name = String(node.name || '');
+        if (ctx.payloadRoots.has(name))
+            return name;
+        return ctx.aliases.get(name) || null;
+    }
+    if (node.type === 'IndexAccess' || node.type === 'IndexRangeAccess') {
+        return rootPayloadName(node.base || node.baseExpression, ctx);
+    }
+    return null;
+}
+function isAssemblyLoadFromPayload(node, ctx) {
+    if (node?.type !== 'AssemblyCall')
+        return false;
+    const fn = String(node.functionName || '').toLowerCase();
+    if (fn !== 'mload' && fn !== 'calldataload')
+        return false;
+    return !!assemblyPayloadRoot(node.arguments?.[0], ctx);
+}
+function assemblyPayloadRoot(node, ctx) {
+    if (!node || typeof node !== 'object')
+        return null;
+    if (node.type === 'Identifier')
+        return rootPayloadName(node, ctx);
+    if (node.type === 'AssemblyMemberAccess') {
+        const member = assemblyMemberName(node);
+        if (member !== 'offset')
+            return null;
+        return rootPayloadName(node.expression, ctx);
+    }
+    if (node.type === 'AssemblyCall' && String(node.functionName || '').toLowerCase() === 'add') {
+        for (const arg of node.arguments || []) {
+            const root = assemblyPayloadRoot(arg, ctx);
+            if (root)
+                return root;
+        }
+    }
+    return null;
+}
+function assemblyPayloadOffset(node, ctx) {
+    if (!node || typeof node !== 'object')
+        return null;
+    if (node.type === 'Identifier') {
+        const r = rootPayloadName(node, ctx);
+        if (r)
+            return { root: r, offset: 0 };
+        return null;
+    }
+    if (node.type === 'AssemblyMemberAccess') {
+        const member = assemblyMemberName(node);
+        if (member !== 'offset')
+            return null;
+        const r = rootPayloadName(node.expression, ctx);
+        if (r)
+            return { root: r, offset: 0 };
+        return null;
+    }
+    if (node.type === 'AssemblyCall' && String(node.functionName || '').toLowerCase() === 'add') {
+        const args = node.arguments || [];
+        if (args.length !== 2)
+            return null;
+        const inner0 = assemblyPayloadOffset(args[0], ctx);
+        const lit1 = readAssemblyLiteral(args[1]);
+        if (inner0 && lit1 !== null)
+            return { root: inner0.root, offset: inner0.offset + lit1 };
+        const inner1 = assemblyPayloadOffset(args[1], ctx);
+        const lit0 = readAssemblyLiteral(args[0]);
+        if (inner1 && lit0 !== null)
+            return { root: inner1.root, offset: inner1.offset + lit0 };
+        return null;
+    }
+    return null;
+}
+function assemblyMemberName(node) {
+    const member = node?.memberName;
+    if (typeof member === 'string')
+        return member;
+    if (member && typeof member === 'object')
+        return String(member.name || '');
+    return '';
+}
+function payloadLengthRoot(node, ctx) {
+    if (node?.type !== 'MemberAccess' || node.memberName !== 'length')
+        return null;
+    return rootPayloadName(node.expression, ctx);
+}
+function cloneCtx(ctx) {
+    const guardsCopy = new Map();
+    for (const [k, v] of ctx.guards)
+        guardsCopy.set(k, { min: v.min, hasExact: v.hasExact });
+    return {
+        ...ctx,
+        aliases: new Map(ctx.aliases),
+        guards: guardsCopy,
+    };
+}
+function makeFinding(ctx, node) {
+    const loc = locOf(node);
+    return {
+        file: ctx.file,
+        contract: ctx.contractName,
+        'function': ctx.functionName,
+        line: loc.line,
+        endLine: loc.endLine,
+        column: loc.column,
+        endColumn: loc.endColumn,
+        pattern: PATTERN,
+        confidence: 'medium',
+        category: 'vulnerability',
+        ruleId: RULE_ID,
+        severity: 'high',
+        message: `Bridge receiver '${ctx.contractName}.${ctx.functionName}' reads an externally supplied bytes payload before an explicit length guard.`,
+        rationale: 'Externally supplied bridge message bytes are decoded or read by offset before a same-path length check, which can allow truncation, silent data loss, or message-shape confusion.',
+        suggestedFix: 'Check payload.length with require/assert or an if-revert guard before abi.decode, slicing, indexed reads, or assembly loads.',
+        contractName: ctx.contractName,
+        functionName: ctx.functionName,
+        sourceLocation: loc,
+        findingId: '',
+        contractHash: '',
+    };
+}
+function locOf(node) {
+    const { line, column, endLine, endColumn } = (0, ast_1.assertLoc)(node);
+    return { line, column, endLine, endColumn };
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const child of childNodes(node))
+        walk(child, visit);
+}
+function childNodes(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const out = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'range' || key === 'src')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    out.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+//# sourceMappingURL=solana-evm-bridge-truncation.js.map