@snovon/solast 0.2.0

package/dist/detectors/storage-collision-malicious-proposal.js

@@ -0,0 +1,386 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.StorageCollisionMaliciousProposalDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'storage-collision-malicious-proposal';
+const PROVENANCE = 'x-20220723-audius-storage-collision-malicious-proposal';
+const ASSIGN_OPS = new Set(['=', '+=', '-=', '*=', '/=', '%=', '&=', '|=', '^=', '<<=', '>>=', '>>>=']);
+const UNARY_MUTATORS = new Set(['++', '--', 'delete']);
+const CONTROL_VAR = /^(admin|owner|implementation|governance|governor|management|pendingGovernance|pendingGovernor|timelock|guardian|quorum)$/i;
+const CRITICAL_CONTROL_VAR = /admin|owner|implementation|governance|governor|pendingGovernance|pendingGovernor|timelock/i;
+const PROPOSAL_ROOT = /proposal|queued|passed/i;
+const TARGET_MEMBER = /target|to|destination|callee/i;
+const DATA_MEMBER = /data|calldata|payload|callData/i;
+class StorageCollisionMaliciousProposalDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    scanAst(ast, file, sourceText = '') {
+        if (!ast || ast.type !== 'SourceUnit')
+            return [];
+        const contracts = this.collectContracts(ast);
+        const layouts = new Map();
+        for (const contract of contracts.values()) {
+            layouts.set(contract.name, this.computeLayout(contract, contracts, new Set()));
+        }
+        const findings = [];
+        for (const proxy of contracts.values()) {
+            if (proxy.kind === 'interface' || proxy.kind === 'library')
+                continue;
+            const proxyLayout = layouts.get(proxy.name);
+            if (!proxyLayout)
+                continue;
+            const controlSlots = proxyLayout.variables.filter(v => CONTROL_VAR.test(v.variableName));
+            if (controlSlots.length === 0)
+                continue;
+            for (const path of this.collectDelegatecallPaths(proxy, sourceText)) {
+                if (!this.isProposalControlledDelegatecall(path))
+                    continue;
+                const finding = this.firstCollisionFinding(file, path, controlSlots, contracts, layouts);
+                if (finding)
+                    findings.push(finding);
+            }
+        }
+        return findings;
+    }
+    firstCollisionFinding(file, path, controlSlots, contracts, layouts) {
+        const proxyName = String(path.contract.name || '<anonymous>');
+        const fnName = path.fn.name || '<anonymous>';
+        for (const candidate of contracts.values()) {
+            if (candidate.name === proxyName)
+                continue;
+            if (candidate.kind === 'interface' || candidate.kind === 'library')
+                continue;
+            const layout = layouts.get(candidate.name);
+            if (!layout || layout.hasComplexState)
+                continue;
+            const writableSlots = this.collectWritableSlots(candidate, layout);
+            for (const write of writableSlots) {
+                const control = controlSlots.find(slot => slot.slot === write.slot);
+                if (!control)
+                    continue;
+                const loc = this.locOf(path.call);
+                const severity = CRITICAL_CONTROL_VAR.test(control.variableName) ? 'critical' : 'high';
+                const affectedVariables = `${control.qualifiedName} and ${write.qualifiedName}`;
+                const message = `Storage collision through delegatecall in '${proxyName}.${fnName}': slot ${write.slot} ` +
+                    `is used by ${control.qualifiedName} and can be written by ${write.qualifiedName} via ${path.path}.`;
+                return {
+                    file,
+                    contract: proxyName,
+                    'function': fnName,
+                    line: loc.line,
+                    endLine: loc.endLine,
+                    column: loc.column,
+                    pattern: RULE_ID,
+                    confidence: 'high',
+                    ruleId: RULE_ID,
+                    severity,
+                    message,
+                    rationale: `Delegatecall executes the target logic in ${proxyName}'s storage context. ` +
+                        `The recoverable write to slot ${write.slot} collides with privileged state ${control.qualifiedName}.`,
+                    suggestedFix: 'Do not delegatecall proposal-controlled targets. Use EIP-1967 hashed slots, ERC-7201/namespaced storage, ' +
+                        'or an unstructured storage pattern for proxy/governance control state, and require reviewed storage gaps for implementations.',
+                    contractName: proxyName,
+                    functionName: fnName,
+                    sourceLocation: loc,
+                    delegateTarget: this.expressionToString(path.target),
+                    operationType: 'delegatecall',
+                    trace: path.path,
+                    externalCallNode: path.call,
+                    findingId: '',
+                    contractHash: '',
+                    provenance: PROVENANCE,
+                    source: PROVENANCE,
+                    collidingSlot: write.slot,
+                    affectedVariables,
+                    callPath: path.path,
+                    storageCollision: {
+                        slot: write.slot,
+                        proxyVariable: control.qualifiedName,
+                        implementationVariable: write.qualifiedName,
+                        callPath: path.path,
+                    },
+                };
+            }
+        }
+        return null;
+    }
+    collectContracts(ast) {
+        const contracts = new Map();
+        for (const child of ast.children || []) {
+            if (child?.type === 'ContractDefinition' && child.name)
+                contracts.set(child.name, child);
+        }
+        return contracts;
+    }
+    computeLayout(contract, contracts, seen) {
+        if (!contract || seen.has(contract.name))
+            return { variables: [], hasComplexState: false };
+        seen.add(contract.name);
+        let slot = 0;
+        let used = 0;
+        let hasComplexState = false;
+        const variables = [];
+        for (const base of contract.baseContracts || []) {
+            const baseName = base?.baseName?.namePath;
+            const baseContract = baseName ? contracts.get(baseName) : null;
+            if (!baseContract)
+                continue;
+            const baseLayout = this.computeLayout(baseContract, contracts, seen);
+            variables.push(...baseLayout.variables);
+            hasComplexState = hasComplexState || baseLayout.hasComplexState;
+            const nextSlot = variables.length === 0 ? 0 : Math.max(...variables.map(v => v.slot)) + 1;
+            slot = Math.max(slot, nextSlot);
+            used = 0;
+        }
+        for (const sub of contract.subNodes || []) {
+            if (sub?.type !== 'StateVariableDeclaration')
+                continue;
+            for (const variable of sub.variables || []) {
+                if (!variable?.name || variable.isDeclaredConst || variable.isImmutable)
+                    continue;
+                const size = this.typeSize(variable.typeName);
+                if (size.complex)
+                    hasComplexState = true;
+                if (size.bytes >= 32 || size.complex) {
+                    if (used > 0) {
+                        slot += 1;
+                        used = 0;
+                    }
+                    variables.push({
+                        contractName: contract.name,
+                        variableName: variable.name,
+                        qualifiedName: `${contract.name}.${variable.name}`,
+                        slot,
+                        bytes: 32,
+                        complex: size.complex,
+                    });
+                    slot += 1;
+                    used = 0;
+                    continue;
+                }
+                if (used + size.bytes > 32) {
+                    slot += 1;
+                    used = 0;
+                }
+                variables.push({
+                    contractName: contract.name,
+                    variableName: variable.name,
+                    qualifiedName: `${contract.name}.${variable.name}`,
+                    slot,
+                    bytes: size.bytes,
+                    complex: false,
+                });
+                used += size.bytes;
+                if (used === 32) {
+                    slot += 1;
+                    used = 0;
+                }
+            }
+        }
+        return { variables, hasComplexState };
+    }
+    typeSize(typeName) {
+        if (!typeName)
+            return { bytes: 32, complex: true };
+        if (typeName.type === 'Mapping' || typeName.type === 'ArrayTypeName')
+            return { bytes: 32, complex: true };
+        if (typeName.type === 'UserDefinedTypeName')
+            return { bytes: 32, complex: true };
+        if (typeName.type !== 'ElementaryTypeName')
+            return { bytes: 32, complex: true };
+        const name = String(typeName.name || '').toLowerCase();
+        if (name === 'bool')
+            return { bytes: 1, complex: false };
+        if (name === 'address' || name === 'address payable')
+            return { bytes: 20, complex: false };
+        const bytesMatch = /^bytes([1-9]|[12][0-9]|3[0-2])$/.exec(name);
+        if (bytesMatch)
+            return { bytes: Number(bytesMatch[1]), complex: false };
+        const intMatch = /^(u?int)([0-9]*)$/.exec(name);
+        if (intMatch)
+            return { bytes: intMatch[2] ? Number(intMatch[2]) / 8 : 32, complex: false };
+        if (name === 'bytes' || name === 'string')
+            return { bytes: 32, complex: true };
+        return { bytes: 32, complex: false };
+    }
+    collectWritableSlots(contract, layout) {
+        const byName = new Map(layout.variables.map(v => [v.variableName, v]));
+        const writes = new Map();
+        for (const sub of contract.subNodes || []) {
+            if (sub?.type !== 'FunctionDefinition' || !sub.body)
+                continue;
+            if (sub.isConstructor === true || sub.kind === 'constructor')
+                continue;
+            this.walk(sub.body, node => {
+                const name = this.writtenRoot(node);
+                const entry = name ? byName.get(name) : null;
+                if (entry)
+                    writes.set(entry.qualifiedName, entry);
+            });
+        }
+        return Array.from(writes.values());
+    }
+    writtenRoot(node) {
+        if (node?.type === 'BinaryOperation' && ASSIGN_OPS.has(node.operator)) {
+            return this.rootIdentifier(node.left);
+        }
+        if (node?.type === 'UnaryOperation' && UNARY_MUTATORS.has(node.operator)) {
+            return this.rootIdentifier(node.subExpression);
+        }
+        return '';
+    }
+    collectDelegatecallPaths(contract, sourceText) {
+        const paths = [];
+        for (const fn of contract.subNodes || []) {
+            if (fn?.type !== 'FunctionDefinition' || !fn.body || !this.isExternallyCallable(fn))
+                continue;
+            this.walk(fn.body, node => {
+                const call = this.delegatecall(node);
+                if (!call)
+                    return;
+                const fnName = fn.name || '<anonymous>';
+                const snippet = this.sourceSnippet(sourceText, call.node) || this.callToString(call.node);
+                paths.push({
+                    contract,
+                    fn,
+                    call: call.node,
+                    target: call.target,
+                    args: call.args,
+                    path: `${contract.name}.${fnName} -> ${snippet}`,
+                });
+            });
+        }
+        return paths;
+    }
+    isExternallyCallable(fn) {
+        if (fn.isConstructor || fn.kind === 'constructor')
+            return false;
+        const visibility = String(fn.visibility || '').toLowerCase();
+        return visibility === 'public' || visibility === 'external' || visibility === '';
+    }
+    isProposalControlledDelegatecall(path) {
+        if (path.args.length === 0)
+            return false;
+        const storageAliases = this.collectStorageAliases(path.fn);
+        const params = new Set();
+        for (const param of path.fn.parameters || []) {
+            if (param?.name)
+                params.add(String(param.name));
+        }
+        const targetControlled = this.containsParam(path.target, params) || this.isProposalMember(path.target, storageAliases, TARGET_MEMBER);
+        const dataControlled = path.args.some(arg => this.containsParam(arg, params) || this.isProposalMember(arg, storageAliases, DATA_MEMBER));
+        return targetControlled && dataControlled;
+    }
+    collectStorageAliases(fn) {
+        const aliases = new Set();
+        this.walk(fn.body, node => {
+            if (node?.type !== 'VariableDeclarationStatement')
+                return;
+            if (!this.isProposalLikeStorageRead(node.initialValue))
+                return;
+            for (const variable of node.variables || []) {
+                if (variable?.name && variable.storageLocation === 'storage')
+                    aliases.add(String(variable.name));
+            }
+        });
+        return aliases;
+    }
+    delegatecall(node) {
+        if (node?.type !== 'FunctionCall')
+            return null;
+        let callee = node.expression;
+        if (callee?.type === 'NameValueExpression' || callee?.type === 'FunctionCallOptions')
+            callee = callee.expression;
+        if (callee?.type !== 'MemberAccess')
+            return null;
+        if (String(callee.memberName || '').toLowerCase() !== 'delegatecall')
+            return null;
+        return {
+            node,
+            target: callee.expression,
+            args: Array.isArray(node.arguments) ? node.arguments : [],
+        };
+    }
+    isProposalMember(expr, storageAliases, memberPattern) {
+        if (expr?.type !== 'MemberAccess')
+            return false;
+        if (!memberPattern.test(String(expr.memberName || '')))
+            return false;
+        const root = this.rootIdentifier(expr.expression);
+        return !!root && storageAliases.has(root);
+    }
+    isProposalLikeStorageRead(expr) {
+        const root = this.rootIdentifier(expr);
+        return !!root && PROPOSAL_ROOT.test(root);
+    }
+    containsParam(expr, params) {
+        let found = false;
+        this.walk(expr, node => {
+            if (node?.type === 'Identifier' && params.has(String(node.name || '')))
+                found = true;
+        });
+        return found;
+    }
+    rootIdentifier(expr) {
+        let current = expr;
+        while (current) {
+            if (current.type === 'Identifier')
+                return String(current.name || '');
+            if (current.type === 'MemberAccess') {
+                current = current.expression;
+                continue;
+            }
+            if (current.type === 'IndexAccess') {
+                current = current.base;
+                continue;
+            }
+            return '';
+        }
+        return '';
+    }
+    expressionToString(expr) {
+        if (!expr)
+            return '';
+        if (expr.type === 'Identifier')
+            return String(expr.name || '');
+        if (expr.type === 'MemberAccess') {
+            const base = this.expressionToString(expr.expression);
+            return base ? `${base}.${expr.memberName || ''}` : String(expr.memberName || '');
+        }
+        if (expr.type === 'IndexAccess')
+            return this.expressionToString(expr.base);
+        return expr.type || '';
+    }
+    callToString(call) {
+        const target = this.delegatecall(call)?.target;
+        const arg = Array.isArray(call?.arguments) && call.arguments[0] ? this.expressionToString(call.arguments[0]) : '';
+        return `${this.expressionToString(target)}.delegatecall(${arg})`;
+    }
+    sourceSnippet(sourceText, node) {
+        if (!sourceText || !Array.isArray(node?.range))
+            return '';
+        const snippet = sourceText.slice(node.range[0], node.range[1]).replace(/\s+/g, ' ').trim();
+        return snippet.includes('delegatecall') && !snippet.endsWith(')') ? `${snippet})` : snippet;
+    }
+    walk(node, visit) {
+        if (!node || typeof node !== 'object')
+            return;
+        visit(node);
+        for (const value of Object.values(node)) {
+            if (Array.isArray(value)) {
+                for (const child of value)
+                    this.walk(child, visit);
+            }
+            else if (value && typeof value === 'object') {
+                this.walk(value, visit);
+            }
+        }
+    }
+    locOf(node) {
+        const { line, column, endLine } = (0, ast_1.assertLoc)(node);
+        return { line, column, endLine };
+    }
+}
+exports.StorageCollisionMaliciousProposalDetector = StorageCollisionMaliciousProposalDetector;
+//# sourceMappingURL=storage-collision-malicious-proposal.js.map

package/dist/detectors/timestamp-manipulation.d.ts

@@ -0,0 +1,49 @@
+import type { ScanResult } from '../index';
+export declare class TimestampManipulationDetector {
+    readonly id = "timestamp-manipulation";
+    readonly patternKey = "timestamp-manipulation";
+    readonly supportedAstKinds: ("parser" | "solc")[];
+    private findings;
+    private currentFile;
+    private currentContract;
+    private currentFunction;
+    private currentFunctionMutability;
+    private currentFunctionHasFundFlow;
+    private constants;
+    private timestampTaintedLocals;
+    private seen;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(_node: any): void;
+    StateVariableDeclaration(node: any): void;
+    FunctionDefinition(node: any): void;
+    FunctionDefinition_post(_node: any): void;
+    VariableDeclarationStatement(node: any): void;
+    ExpressionStatement(node: any): void;
+    IfStatement(node: any): void;
+    Conditional(node: any): void;
+    FunctionCall(node: any): void;
+    private shouldReportCondition;
+    private addFinding;
+    private isReadOnlyFunction;
+    private isRequireOrAssert;
+    private isRandomnessCall;
+    private containsTimestampOrTaint;
+    private containsDirectTimestampOrTaint;
+    private containsLegacyNow;
+    private hasModulo;
+    private hasNarrowTimeWindow;
+    private hasTimestampEquality;
+    private literalSeconds;
+    private trackAssignmentTaint;
+    private containsFundFlow;
+    private findFundFlowValue;
+    private isFundFlowCall;
+    private getFundFlowValue;
+    private getCalleeName;
+    private getNodeName;
+    private isTimestampLikeMemberName;
+    private anyChild;
+    private children;
+}