@snovon/solast 0.2.0

package/dist/detectors/token-access-control.js

@@ -0,0 +1,544 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenAccessControlDetector = void 0;
+const RULE_ID = 'token-access-control';
+const PROVENANCE = 'x-20221017-uerii-token-access-control';
+const AUTH_MODIFIERS = /^(only(owner|admin|governance|governor|role|minter|operator|manager|guardian)|auth|authorized|requires?auth)$/i;
+const AUTH_STATE = /^(owner|admin|governance|governor|authority|guardian|operator|manager|minter|controller|treasury|roles?)s?$/i;
+const TOKEN_ACCOUNTING = /^(totalSupply|supply|balanceOf|balances|_balances|_totalSupply)$/i;
+const TOKEN_MINT_HELPERS = new Set(['_mint', 'mintto', '_mintto', '_issuetokens', '_issue']);
+const ADMIN_SINKS = new Set(['setminter', 'setminters', 'transferownership', 'setowner']);
+const ERC20_BASE_ALLOWLIST = new Set(['ERC20', 'IERC20', 'ERC20Upgradeable', 'ERC20Burnable']);
+class TokenAccessControlDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser', 'solc'];
+    scanAst(ast, file, sourceText) {
+        if (!ast || typeof ast !== 'object')
+            return [];
+        const findings = [];
+        const lineOffsets = buildLineOffsets(sourceText);
+        const index = buildContractIndex(ast);
+        walkContracts(ast, contract => {
+            if (isInterfaceOrLibrary(contract))
+                return;
+            const name = getName(contract) || '';
+            const surface = collectInheritedSurface(name, index);
+            const tokenShape = surfaceIsTokenShaped(surface);
+            const baseAllowlistHit = hasAllowlistedErc20Base(surface);
+            if (!tokenShape && !baseAllowlistHit)
+                return;
+            const ctx = {
+                contract,
+                name: name || '<anonymous>',
+                stateVars: surface.stateVars,
+                functionNames: surface.functionNames,
+                modifierBodies: surface.modifierBodies,
+            };
+            for (const fn of getContractMembers(contract, 'FunctionDefinition')) {
+                const functionName = getName(fn);
+                if (!functionName || !isExternallyCallable(fn) || isReadOnly(fn))
+                    continue;
+                const body = getFunctionBody(fn);
+                if (!body)
+                    continue;
+                const sink = classifySink(functionName, body, ctx);
+                if (!sink)
+                    continue;
+                const params = collectParameterNames(fn);
+                if (hasAuthModifier(fn, ctx, params))
+                    continue;
+                if (hasInlineAuthBeforeSink(body, ctx, params))
+                    continue;
+                const loc = getLoc(fn, lineOffsets) || { line: 0, column: 0 };
+                findings.push(buildFinding(file, ctx.name, functionName, loc, sink));
+            }
+        });
+        return findings;
+    }
+}
+exports.TokenAccessControlDetector = TokenAccessControlDetector;
+function classifySink(functionName, body, ctx) {
+    const lname = functionName.toLowerCase();
+    if (lname === 'mint' || lname === 'mintto') {
+        if (containsTokenMintSink(body, ctx))
+            return 'unguarded-token-mint';
+    }
+    if (ADMIN_SINKS.has(lname)) {
+        const mutation = findStateMutationRoot(body, ctx);
+        if (!mutation)
+            return '';
+        if (lname.includes('minter') && /minter|role|operator|admin/i.test(mutation))
+            return 'unguarded-token-minter-admin';
+        if ((lname.includes('owner') || lname.includes('ownership')) && /owner|admin|authority|govern/i.test(mutation)) {
+            return 'unguarded-token-owner-admin';
+        }
+    }
+    return '';
+}
+function containsTokenMintSink(body, ctx) {
+    let found = false;
+    walk(body, node => {
+        if (found)
+            return;
+        if (isStateMutation(node, ctx)) {
+            const root = getReferenceRoot(getMutationTarget(node));
+            if (TOKEN_ACCOUNTING.test(root))
+                found = true;
+            return;
+        }
+        if (isNode(node, 'FunctionCall')) {
+            const callee = getCallExpressionName(node).toLowerCase();
+            if (TOKEN_MINT_HELPERS.has(callee) || callee.endsWith('._mint'))
+                found = true;
+        }
+    });
+    return found;
+}
+function hasAuthModifier(fn, ctx, params) {
+    const modifiers = Array.isArray(fn?.modifiers) ? fn.modifiers : [];
+    for (const modifier of modifiers) {
+        const name = getModifierName(modifier);
+        if (!name)
+            continue;
+        if (AUTH_MODIFIERS.test(name))
+            return true;
+        const body = ctx.modifierBodies.get(name);
+        if (body && containsAuthCheck(body, ctx, params))
+            return true;
+    }
+    return false;
+}
+function hasInlineAuthBeforeSink(body, ctx, params) {
+    let sawAuth = false;
+    for (const stmt of getStatementList(body)) {
+        if (containsAuthCheck(stmt, ctx, params))
+            sawAuth = true;
+        if (containsTokenMintSink(stmt, ctx) || findStateMutationRoot(stmt, ctx))
+            return sawAuth;
+    }
+    return false;
+}
+function containsAuthCheck(node, ctx, params) {
+    let found = false;
+    walk(node, current => {
+        if (found)
+            return;
+        if (isAuthCheck(current, ctx, params))
+            found = true;
+    });
+    return found;
+}
+function isAuthCheck(node, ctx, params) {
+    if (!isNode(node, 'FunctionCall'))
+        return false;
+    const callee = getCallExpressionName(node).toLowerCase();
+    const args = getCallArguments(node);
+    if (callee === 'require' || callee === 'assert') {
+        return args.some(arg => isPrivilegedSenderEquality(arg, ctx, params) || isRoleCheckOnSender(arg));
+    }
+    if (callee === '_checkrole' || callee === 'checkrole' || callee.endsWith('._checkrole')) {
+        return args.length === 0 || args.some(isMsgSender);
+    }
+    return false;
+}
+function isPrivilegedSenderEquality(expr, ctx, params) {
+    if (!isNode(expr, 'BinaryOperation'))
+        return false;
+    const operator = getOperator(expr);
+    if (operator !== '==' && operator !== '===')
+        return false;
+    const left = expr.left ?? expr.leftExpression;
+    const right = expr.right ?? expr.rightExpression;
+    if (isMsgSender(left))
+        return isAuthorityStateRef(right, ctx, params);
+    if (isMsgSender(right))
+        return isAuthorityStateRef(left, ctx, params);
+    return false;
+}
+function isAuthorityStateRef(expr, ctx, params) {
+    const root = getReferenceRoot(expr);
+    if (!root || params.has(root) || !ctx.stateVars.has(root))
+        return false;
+    return AUTH_STATE.test(root) || /owner|admin|role|minter|operator|govern/i.test(root);
+}
+function isRoleCheckOnSender(expr) {
+    if (!isNode(expr, 'FunctionCall'))
+        return false;
+    const callee = getCallExpressionName(expr).toLowerCase();
+    if (callee !== 'hasrole' && !callee.endsWith('.hasrole'))
+        return false;
+    return getCallArguments(expr).some(isMsgSender);
+}
+function buildContractIndex(ast) {
+    const map = new Map();
+    walkContracts(ast, contract => {
+        const name = getName(contract);
+        if (!name)
+            return;
+        map.set(name, {
+            contract,
+            stateVars: collectStateVariables(contract),
+            functionNames: collectFunctionNames(contract),
+            modifierBodies: collectModifierBodies(contract),
+            baseNames: getBaseContractNames(contract),
+            hasErc20Transfer: hasErc20Transfer(contract),
+        });
+    });
+    return map;
+}
+function collectInheritedSurface(name, index) {
+    const surface = {
+        stateVars: new Set(),
+        functionNames: new Set(),
+        modifierBodies: new Map(),
+        resolvedBaseNames: new Set(),
+        unresolvedBaseNames: new Set(),
+        hasErc20Transfer: false,
+    };
+    const visited = new Set();
+    const queue = [name];
+    while (queue.length) {
+        const current = queue.shift();
+        if (!current || visited.has(current))
+            continue;
+        visited.add(current);
+        const info = index.get(current);
+        if (!info) {
+            surface.unresolvedBaseNames.add(current);
+            continue;
+        }
+        if (current !== name)
+            surface.resolvedBaseNames.add(current);
+        for (const v of info.stateVars)
+            surface.stateVars.add(v);
+        for (const fn of info.functionNames)
+            surface.functionNames.add(fn);
+        for (const [k, v] of info.modifierBodies) {
+            if (!surface.modifierBodies.has(k))
+                surface.modifierBodies.set(k, v);
+        }
+        if (info.hasErc20Transfer)
+            surface.hasErc20Transfer = true;
+        for (const baseName of info.baseNames)
+            queue.push(baseName);
+    }
+    return surface;
+}
+function surfaceIsTokenShaped(surface) {
+    const names = new Set([...surface.stateVars].map(name => name.toLowerCase()));
+    if (names.has('totalsupply') && names.has('balanceof'))
+        return true;
+    if (names.has('_totalsupply') && (names.has('_balances') || names.has('balances')))
+        return true;
+    if ((names.has('balanceof') || names.has('_balances') || names.has('balances')) && surface.hasErc20Transfer)
+        return true;
+    return false;
+}
+function hasAllowlistedErc20Base(surface) {
+    for (const base of surface.unresolvedBaseNames) {
+        if (ERC20_BASE_ALLOWLIST.has(base))
+            return true;
+    }
+    for (const base of surface.resolvedBaseNames) {
+        if (ERC20_BASE_ALLOWLIST.has(base))
+            return true;
+    }
+    return false;
+}
+function hasErc20Transfer(contract) {
+    return getContractMembers(contract, 'FunctionDefinition').some(fn => {
+        const name = getName(fn).toLowerCase();
+        if (name !== 'transfer')
+            return false;
+        const params = getParameterList(fn);
+        return params.length >= 2;
+    });
+}
+function findStateMutationRoot(node, ctx) {
+    let root = '';
+    walk(node, current => {
+        if (root || !isStateMutation(current, ctx))
+            return;
+        root = getReferenceRoot(getMutationTarget(current));
+    });
+    return root;
+}
+function isStateMutation(node, ctx) {
+    const target = getMutationTarget(node);
+    const root = getReferenceRoot(target);
+    return !!root && ctx.stateVars.has(root);
+}
+function getMutationTarget(node) {
+    if (isAssignment(node))
+        return node.left ?? node.leftHandSide;
+    if (isNode(node, 'UnaryOperation'))
+        return node.subExpression ?? node.vSubExpression;
+    return null;
+}
+function isAssignment(node) {
+    if (!node)
+        return false;
+    if (isNode(node, 'Assignment'))
+        return true;
+    return isNode(node, 'BinaryOperation') && ['=', '+=', '-=', '*=', '/=', '%=', '&=', '|=', '^=', '<<=', '>>=', '>>>='].includes(getOperator(node));
+}
+function isExternallyCallable(fn) {
+    const kind = String(fn.kind || (fn.isConstructor ? 'constructor' : '') || 'function').toLowerCase();
+    if (kind === 'constructor')
+        return false;
+    const visibility = String(fn.visibility || '').toLowerCase();
+    return visibility === 'public' || visibility === 'external';
+}
+function isReadOnly(fn) {
+    const stateMutability = String(fn.stateMutability || '').toLowerCase();
+    return stateMutability === 'view' || stateMutability === 'pure';
+}
+function isInterfaceOrLibrary(contract) {
+    const kind = String(contract.kind || contract.contractKind || '').toLowerCase();
+    return kind === 'interface' || kind === 'library';
+}
+function collectStateVariables(contract) {
+    const stateVars = new Set();
+    for (const member of getContractMembers(contract, 'StateVariableDeclaration')) {
+        for (const variable of member.variables || []) {
+            if (variable?.name)
+                stateVars.add(String(variable.name));
+        }
+    }
+    for (const member of getContractMembers(contract, 'VariableDeclaration')) {
+        if (member?.stateVariable && member.name)
+            stateVars.add(String(member.name));
+    }
+    return stateVars;
+}
+function collectFunctionNames(contract) {
+    const names = new Set();
+    for (const fn of getContractMembers(contract, 'FunctionDefinition')) {
+        const n = getName(fn);
+        if (n)
+            names.add(n);
+    }
+    return names;
+}
+function collectModifierBodies(contract) {
+    const bodies = new Map();
+    for (const member of getContractMembers(contract, 'ModifierDefinition')) {
+        const name = getName(member);
+        if (name && member.body)
+            bodies.set(name, member.body);
+    }
+    return bodies;
+}
+function getBaseContractNames(contract) {
+    const list = Array.isArray(contract?.baseContracts) ? contract.baseContracts : [];
+    const names = [];
+    for (const base of list) {
+        const n = extractBaseName(base);
+        if (n)
+            names.push(n);
+    }
+    return names;
+}
+function extractBaseName(base) {
+    if (!base)
+        return '';
+    const baseName = base.baseName ?? base.vBaseName;
+    if (!baseName)
+        return '';
+    if (typeof baseName === 'string')
+        return baseName.split('.').pop() || '';
+    if (typeof baseName.namePath === 'string')
+        return baseName.namePath.split('.').pop() || '';
+    if (typeof baseName.name === 'string')
+        return baseName.name.split('.').pop() || '';
+    if (baseName.name && typeof baseName.name.name === 'string')
+        return baseName.name.name;
+    return '';
+}
+function collectParameterNames(fn) {
+    return new Set(getParameterList(fn).map(param => String(param?.name || '')).filter(Boolean));
+}
+function getParameterList(fn) {
+    if (Array.isArray(fn?.parameters?.parameters))
+        return fn.parameters.parameters;
+    if (Array.isArray(fn?.parameters))
+        return fn.parameters;
+    return [];
+}
+function getContractMembers(contract, kind) {
+    const members = [];
+    for (const list of [contract?.subNodes, contract?.nodes]) {
+        if (!Array.isArray(list))
+            continue;
+        for (const child of list) {
+            if (isNode(child, kind))
+                members.push(child);
+        }
+    }
+    return members;
+}
+function getFunctionBody(fn) {
+    return fn?.body || null;
+}
+function getStatementList(body) {
+    return Array.isArray(body?.statements) ? body.statements : [];
+}
+function getModifierName(modifier) {
+    if (!modifier)
+        return '';
+    if (typeof modifier === 'string')
+        return modifier;
+    if (modifier.modifierName) {
+        if (typeof modifier.modifierName === 'string')
+            return modifier.modifierName;
+        if (modifier.modifierName.name)
+            return String(modifier.modifierName.name);
+    }
+    if (modifier.name) {
+        if (typeof modifier.name === 'string')
+            return modifier.name;
+        if (modifier.name.name)
+            return String(modifier.name.name);
+        if (modifier.name.namePath)
+            return String(modifier.name.namePath);
+    }
+    return '';
+}
+function getCallExpressionName(call) {
+    const callee = call?.expression;
+    if (!callee)
+        return '';
+    return getExpressionName(callee);
+}
+function getExpressionName(expr) {
+    if (!expr)
+        return '';
+    if (isNode(expr, 'Identifier'))
+        return getName(expr);
+    if (isNode(expr, 'MemberAccess')) {
+        const inner = getExpressionName(expr.expression);
+        const member = String(expr.memberName || '');
+        return inner ? `${inner}.${member}` : member;
+    }
+    return '';
+}
+function getReferenceRoot(expr) {
+    if (!expr)
+        return '';
+    if (isNode(expr, 'Identifier'))
+        return getName(expr);
+    if (isNode(expr, 'IndexAccess'))
+        return getReferenceRoot(expr.base ?? expr.baseExpression);
+    if (isNode(expr, 'MemberAccess'))
+        return getReferenceRoot(expr.expression);
+    return '';
+}
+function isMsgSender(expr) {
+    if (!isNode(expr, 'MemberAccess'))
+        return false;
+    if (String(expr.memberName || '') !== 'sender')
+        return false;
+    const inner = expr.expression;
+    return isNode(inner, 'Identifier') && getName(inner) === 'msg';
+}
+function walkContracts(node, visitor) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (isNode(node, 'ContractDefinition'))
+        visitor(node);
+    for (const child of childNodes(node))
+        walkContracts(child, visitor);
+}
+function walk(node, visitor) {
+    if (!node || typeof node !== 'object')
+        return;
+    visitor(node);
+    for (const child of childNodes(node))
+        walk(child, visitor);
+}
+function childNodes(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const children = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'src' || key === 'range' || key === 'typeDescriptions')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    children.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            children.push(value);
+        }
+    }
+    return children;
+}
+function isNode(node, kind) {
+    return node?.type === kind || node?.nodeType === kind;
+}
+function getName(node) {
+    return typeof node?.name === 'string' ? node.name : '';
+}
+function getOperator(node) {
+    return String(node?.operator || '');
+}
+function getCallArguments(call) {
+    return Array.isArray(call?.arguments) ? call.arguments : [];
+}
+function buildFinding(file, contractName, functionName, loc, sink) {
+    return {
+        file,
+        contract: contractName,
+        'function': functionName,
+        line: loc.line,
+        endLine: loc.line,
+        column: loc.column,
+        pattern: `${RULE_ID}/${sink}`,
+        confidence: 'high',
+        category: 'vulnerability',
+        ruleId: RULE_ID,
+        severity: 'high',
+        message: `Token access-control gap in '${contractName}.${functionName}': externally callable token mint/admin path ` +
+            'has no recognized owner, minter, or role authorization guard.',
+        rationale: `Mirrors ${PROVENANCE}: a token-shaped contract exposes supply or token-admin authority to arbitrary callers.`,
+        suggestedFix: 'Restrict the entrypoint with onlyOwner/onlyRole/onlyMinter or an inline require(msg.sender == owner/admin) / hasRole(..., msg.sender) check before the token mutation.',
+        contractName,
+        functionName,
+        sourceLocation: { line: loc.line, column: loc.column },
+        findingId: '',
+        contractHash: '',
+    };
+}
+function buildLineOffsets(sourceText) {
+    if (sourceText === undefined)
+        return undefined;
+    const lineOffsets = [0];
+    let byteOffset = 0;
+    for (const char of sourceText) {
+        byteOffset += Buffer.byteLength(char, 'utf8');
+        if (char === '\n')
+            lineOffsets.push(byteOffset);
+    }
+    return lineOffsets;
+}
+function getLoc(node, lineOffsets) {
+    if (node?.loc?.start)
+        return { line: node.loc.start.line, column: node.loc.start.column };
+    if (!node?.src || !lineOffsets)
+        return undefined;
+    const offset = Number(String(node.src).split(':')[0]);
+    if (!Number.isFinite(offset) || offset < 0)
+        return undefined;
+    let lineIndex = 0;
+    for (let i = 0; i < lineOffsets.length; i++) {
+        if (lineOffsets[i] <= offset)
+            lineIndex = i;
+        else
+            break;
+    }
+    return { line: lineIndex + 1, column: offset - lineOffsets[lineIndex] };
+}
+//# sourceMappingURL=token-access-control.js.map

package/dist/detectors/token-incorrect-signature-verification.d.ts

@@ -0,0 +1,23 @@
+import type { ScanResult } from '../index';
+export declare class TokenIncorrectSignatureVerificationDetector {
+    readonly id = "token-incorrect-signature-verification";
+    readonly patternKey = "token-incorrect-signature-verification";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "high";
+        help: string;
+    };
+    private currentFile;
+    private currentContract;
+    private currentContractKind;
+    private findings;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    'ContractDefinition:exit'(_node: any): void;
+    FunctionDefinition(node: any): void;
+    private makeFinding;
+}