@snovon/solast 0.2.0

package/dist/detectors/arbitrary-call.d.ts

@@ -0,0 +1,4 @@
+import { ArbitraryCallErrorDetector } from './arbitrary-call-error';
+export declare class ArbitraryCallDetector extends ArbitraryCallErrorDetector {
+    constructor();
+}

package/dist/detectors/arbitrary-call.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ArbitraryCallDetector = void 0;
+const arbitrary_call_error_1 = require("./arbitrary-call-error");
+class ArbitraryCallDetector extends arbitrary_call_error_1.ArbitraryCallErrorDetector {
+    constructor() {
+        super('arbitrary-call', 'high');
+    }
+}
+exports.ArbitraryCallDetector = ArbitraryCallDetector;
+//# sourceMappingURL=arbitrary-call.js.map

package/dist/detectors/arbitrary-delegatecall-target.d.ts

@@ -0,0 +1,35 @@
+import type { ScanResult } from '../index';
+export declare class ArbitraryDelegatecallTargetDetector {
+    readonly id = "arbitrary-delegatecall-target";
+    readonly patternKey = "arbitrary-delegatecall-target";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "high";
+        help: string;
+    };
+    private file;
+    private findings;
+    private contract;
+    private fn;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(_node: any): void;
+    ['ContractDefinition:exit'](node: any): void;
+    StateVariableDeclaration(node: any): void;
+    FunctionDefinition(node: any): void;
+    FunctionDefinition_post(_node: any): void;
+    ['FunctionDefinition:exit'](node: any): void;
+    VariableDeclarationStatement(node: any): void;
+    ExpressionStatement(node: any): void;
+    BinaryOperation(node: any): void;
+    FunctionCall(node: any): void;
+    private recordGuard;
+    private recordAssignment;
+    private resolveTarget;
+    private evaluateContract;
+    private makeFinding;
+}

package/dist/detectors/arbitrary-delegatecall-target.js

@@ -0,0 +1,554 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ArbitraryDelegatecallTargetDetector = void 0;
+const access_control_1 = require("./_common/access-control");
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'arbitrary-delegatecall-target';
+class ArbitraryDelegatecallTargetDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'Delegatecall target derives from arbitrary user input.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'high',
+        help: 'Restrict delegatecall targets to immutable implementations or admin-controlled allowlisted upgrade paths.',
+    };
+    file = '';
+    findings = [];
+    contract = null;
+    fn = null;
+    setFile(file) {
+        this.file = file;
+        this.findings = [];
+        this.contract = null;
+        this.fn = null;
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        if (!(0, ast_1.isNode)(node, 'ContractDefinition') || node.kind === 'interface' || node.kind === 'library') {
+            this.contract = null;
+            return;
+        }
+        this.contract = {
+            name: String(node.name || '<anonymous>'),
+            stateVars: new Map(),
+            functions: [],
+            writes: [],
+            delegatecalls: [],
+            emitted: new Set(),
+        };
+    }
+    ContractDefinition_post(_node) {
+        if (this.contract)
+            this.evaluateContract(this.contract);
+        this.contract = null;
+        this.fn = null;
+    }
+    ['ContractDefinition:exit'](node) {
+        this.ContractDefinition_post(node);
+    }
+    StateVariableDeclaration(node) {
+        if (!this.contract || !(0, ast_1.isNode)(node, 'StateVariableDeclaration'))
+            return;
+        for (const variable of node.variables || []) {
+            const name = variableName(variable);
+            if (!name)
+                continue;
+            this.contract.stateVars.set(name, {
+                name,
+                constant: !!(variable.isDeclaredConst || variable.constant),
+                immutable: !!(variable.isImmutable || variable.immutable),
+            });
+        }
+    }
+    FunctionDefinition(node) {
+        this.fn = null;
+        if (!this.contract || !(0, ast_1.isNode)(node, 'FunctionDefinition') || !node.body)
+            return;
+        const params = new Set();
+        for (const param of node.parameters || []) {
+            const name = variableName(param);
+            if (name)
+                params.add(name);
+        }
+        this.fn = {
+            node,
+            name: functionDisplayName(node),
+            externallyCallable: isExternallyCallable(node),
+            isConstructor: isConstructor(node),
+            accessControlled: (0, access_control_1.hasRecognisedAccessControlModifier)(node),
+            params,
+            aliases: new Map(),
+            allowlistedParams: new Set(),
+            calls: new Set(),
+        };
+        this.contract.functions.push(this.fn);
+    }
+    FunctionDefinition_post(_node) {
+        this.fn = null;
+    }
+    ['FunctionDefinition:exit'](node) {
+        this.FunctionDefinition_post(node);
+    }
+    VariableDeclarationStatement(node) {
+        if (!this.fn || !(0, ast_1.isNode)(node, 'VariableDeclarationStatement'))
+            return;
+        const initial = node.initialValue;
+        if (!initial)
+            return;
+        if (isAbiDecode(initial) && isCallerControlledDecodeInput(initial.arguments?.[0], this.fn)) {
+            for (const variable of node.variables || []) {
+                const name = variableName(variable);
+                if (name)
+                    this.fn.aliases.set(name, { kind: 'decoded-calldata', name });
+            }
+            return;
+        }
+        const source = this.resolveTarget(initial);
+        if (source.kind === 'unknown')
+            return;
+        for (const variable of node.variables || []) {
+            const name = variableName(variable);
+            if (name)
+                this.fn.aliases.set(name, source);
+        }
+    }
+    ExpressionStatement(node) {
+        if (!this.contract || !this.fn || !(0, ast_1.isNode)(node, 'ExpressionStatement'))
+            return;
+        this.recordGuard(node.expression);
+        this.recordAssignment(node.expression);
+    }
+    BinaryOperation(node) {
+        if (!this.contract || !this.fn || !(0, ast_1.isNode)(node, 'BinaryOperation'))
+            return;
+        if (String(node.operator || '') !== '=')
+            return;
+        this.recordAssignment(node);
+    }
+    FunctionCall(node) {
+        if (!this.contract || !this.fn || !(0, ast_1.isNode)(node, 'FunctionCall'))
+            return;
+        this.recordGuard(node);
+        const callee = intraContractCalleeName(node);
+        if (callee)
+            this.fn.calls.add(callee);
+        const targetExpr = delegatecallTargetExpression(node);
+        if (!targetExpr)
+            return;
+        const target = this.resolveTarget(targetExpr);
+        this.contract.delegatecalls.push({ node, fn: this.fn, target });
+    }
+    recordGuard(expression) {
+        if (!this.fn || !isRequireOrAssertCall(expression))
+            return;
+        const condition = expression.arguments?.[0];
+        if ((0, access_control_1.requireExpressesAccessControl)(condition, isPrivilegedName))
+            this.fn.accessControlled = true;
+        for (const name of allowlistedTargetNames(condition)) {
+            if (this.fn.params.has(name))
+                this.fn.allowlistedParams.add(name);
+        }
+    }
+    recordAssignment(expression) {
+        if (!this.contract || !this.fn)
+            return;
+        const assignment = getAssignment(expression);
+        if (!assignment)
+            return;
+        const leftName = identifierName(assignment.left);
+        const right = assignment.right;
+        const rightName = identifierName(right);
+        if (leftName && this.contract.stateVars.has(leftName)) {
+            this.contract.writes.push({ variable: leftName, valueName: rightName, fn: this.fn });
+            return;
+        }
+        if (leftName) {
+            const source = this.resolveTarget(right);
+            if (source.kind !== 'unknown')
+                this.fn.aliases.set(leftName, source);
+        }
+    }
+    resolveTarget(expr, seen = new Set()) {
+        if (!expr || typeof expr !== 'object')
+            return { kind: 'unknown', name: '<unknown>' };
+        if ((0, ast_1.isNode)(expr, 'Identifier')) {
+            const name = String(expr.name || '');
+            if (!name)
+                return { kind: 'unknown', name: '<identifier>' };
+            if (seen.has(name))
+                return { kind: 'unknown', name };
+            const alias = this.fn?.aliases.get(name);
+            if (alias) {
+                seen.add(name);
+                return alias;
+            }
+            if (this.fn?.params.has(name) && this.fn.externallyCallable)
+                return { kind: 'param', name };
+            if (this.contract?.stateVars.has(name))
+                return { kind: 'state', name };
+            return { kind: 'unknown', name };
+        }
+        if ((0, ast_1.isNode)(expr, 'IndexAccess')) {
+            const base = expr.base || expr.baseExpression;
+            const index = expr.index || expr.indexExpression;
+            if ((0, access_control_1.isMsgSenderExpr)(index) || isCallerIdentityCall(index)) {
+                return { kind: 'sender-mapping', name: expressionName(base) || '<mapping>' };
+            }
+            return this.resolveTarget(base, seen);
+        }
+        if ((0, ast_1.isNode)(expr, 'FunctionCall')) {
+            if (isAddressCast(expr))
+                return this.resolveTarget(expr.arguments?.[0], seen);
+            if (isAbiDecode(expr) && isCallerControlledDecodeInput(expr.arguments?.[0], this.fn)) {
+                return { kind: 'decoded-calldata', name: 'abi.decode' };
+            }
+            return { kind: 'unknown', name: callName(expr.expression) || '<call>' };
+        }
+        if ((0, ast_1.isNode)(expr, 'MemberAccess')) {
+            if (String(expr.memberName || '') === 'code')
+                return this.resolveTarget(expr.expression, seen);
+            return { kind: 'unknown', name: expressionName(expr) || '<member>' };
+        }
+        if ((0, ast_1.isNode)(expr, 'TupleExpression')) {
+            for (const component of expr.components || []) {
+                const source = this.resolveTarget(component, seen);
+                if (source.kind !== 'unknown')
+                    return source;
+            }
+        }
+        return { kind: 'unknown', name: expressionName(expr) || '<expression>' };
+    }
+    evaluateContract(contract) {
+        const untrustedFns = computeUntrustedFunctions(contract.functions);
+        for (const call of contract.delegatecalls) {
+            const reason = classifyTarget(contract, call, untrustedFns);
+            if (!reason)
+                continue;
+            const key = `${call.fn.name}:${call.target.kind}:${call.target.name}`;
+            if (contract.emitted.has(key))
+                continue;
+            contract.emitted.add(key);
+            this.findings.push(this.makeFinding(contract, call, reason));
+        }
+    }
+    makeFinding(contract, call, reason) {
+        const loc = (0, ast_1.tryLoc)(call.node, call.fn.node) ?? { line: 1, endLine: 1, column: 0, endColumn: 0 };
+        return {
+            file: this.file,
+            contract: contract.name,
+            'function': call.fn.name,
+            line: loc.line,
+            endLine: loc.endLine,
+            column: loc.column,
+            endColumn: loc.endColumn,
+            pattern: RULE_ID,
+            confidence: 'medium',
+            ruleId: RULE_ID,
+            severity: 'high',
+            category: 'access-control',
+            message: `Delegatecall target in '${contract.name}.${call.fn.name}' is controlled by ${reason}.`,
+            rationale: 'delegatecall executes target code in the caller storage context; a user-controlled target can overwrite proxy state or seize funds.',
+            suggestedFix: 'Use a constant or immutable trusted implementation, or gate upgrades with recognized access control and validate the new target against an explicit allowlist.',
+            contractName: contract.name,
+            functionName: call.fn.name,
+            sourceLocation: { line: loc.line, column: loc.column },
+            delegateTarget: call.target.name,
+            trace: `target=${call.target.kind}:${call.target.name}; reason=${reason}`,
+            operationType: 'delegatecall',
+            externalCallNode: call.node,
+            findingId: '',
+            contractHash: '',
+        };
+    }
+}
+exports.ArbitraryDelegatecallTargetDetector = ArbitraryDelegatecallTargetDetector;
+function classifyTarget(contract, call, untrustedFns) {
+    const target = call.target;
+    if (target.kind === 'trusted' || target.kind === 'unknown')
+        return null;
+    if (target.kind === 'param')
+        return `function parameter '${target.name}'`;
+    if (target.kind === 'decoded-calldata')
+        return 'calldata decoded address';
+    if (target.kind === 'sender-mapping')
+        return `msg.sender-keyed mapping '${target.name}'`;
+    const stateVar = contract.stateVars.get(target.name);
+    if (stateVar?.constant || stateVar?.immutable)
+        return null;
+    const writes = contract.writes.filter(write => write.variable === target.name);
+    if (writes.length === 0)
+        return null;
+    const nonConstructorWrites = writes.filter(write => !write.fn.isConstructor);
+    if (nonConstructorWrites.length === 0)
+        return null;
+    const allWritesTrusted = nonConstructorWrites.every(write => isTrustedWrite(write, untrustedFns));
+    return allWritesTrusted ? null : `externally writable storage '${target.name}'`;
+}
+/**
+ * A storage write to a delegatecall target slot is trusted only when it cannot
+ * be driven by unprivileged external input.
+ *
+ * - An externally-callable writer must itself be access-controlled and gate the
+ *   new value against an explicit allowlist.
+ * - A non-external (internal/private) writer is trusted only when no externally
+ *   callable function can transitively reach it without a recognized
+ *   access-control guard — this closes the setter-wrapper false negative where
+ *   an unguarded `external upgrade(x) { _setImpl(x); }` forwards user input into
+ *   an internal slot writer.
+ */
+function isTrustedWrite(write, untrustedFns) {
+    const fn = write.fn;
+    if (fn.externallyCallable) {
+        return fn.accessControlled && write.valueName !== '' && fn.allowlistedParams.has(write.valueName);
+    }
+    return !untrustedFns.has(fn);
+}
+/**
+ * Builds a same-contract call graph and returns the set of functions reachable
+ * from unprivileged external input. A function is in the set when it is, or is
+ * transitively called by, an externally-callable function with no recognized
+ * access-control guard. Access-controlled functions terminate propagation —
+ * paths through them are considered guarded.
+ *
+ * Conservative fallback: a non-external, non-constructor function with no
+ * resolvable same-contract caller is also treated as an untrusted entry point,
+ * since it may still be reachable via inheritance or dynamic dispatch the
+ * single-file call graph cannot see.
+ */
+function computeUntrustedFunctions(functions) {
+    const byName = new Map();
+    for (const fn of functions) {
+        const list = byName.get(fn.name);
+        if (list)
+            list.push(fn);
+        else
+            byName.set(fn.name, [fn]);
+    }
+    const calledNames = new Set();
+    for (const fn of functions) {
+        for (const callee of fn.calls)
+            calledNames.add(callee);
+    }
+    const untrusted = new Set();
+    const queue = [];
+    const mark = (fn) => {
+        if (!untrusted.has(fn)) {
+            untrusted.add(fn);
+            queue.push(fn);
+        }
+    };
+    for (const fn of functions) {
+        if (fn.accessControlled)
+            continue;
+        if (fn.externallyCallable) {
+            mark(fn);
+            continue;
+        }
+        if (!fn.isConstructor && !calledNames.has(fn.name))
+            mark(fn);
+    }
+    while (queue.length) {
+        const fn = queue.pop();
+        for (const calleeName of fn.calls) {
+            for (const callee of byName.get(calleeName) ?? []) {
+                if (callee.accessControlled)
+                    continue;
+                mark(callee);
+            }
+        }
+    }
+    return untrusted;
+}
+/** Resolves a call expression to a same-contract callee name, if any. */
+function intraContractCalleeName(call) {
+    const callee = unwrapCallOptions(call.expression);
+    if ((0, ast_1.isNode)(callee, 'Identifier')) {
+        return String(callee.name || '') || null;
+    }
+    if ((0, ast_1.isNode)(callee, 'MemberAccess')
+        && (0, ast_1.isNode)(callee.expression, 'Identifier')
+        && String(callee.expression.name || '') === 'this') {
+        return String(callee.memberName || '') || null;
+    }
+    return null;
+}
+function isExternallyCallable(fn) {
+    if (isConstructor(fn))
+        return false;
+    const kind = String(fn.kind || '').toLowerCase();
+    if (kind === 'fallback' || kind === 'receive' || fn.isFallback || fn.isReceive)
+        return true;
+    const visibility = String(fn.visibility || '').toLowerCase();
+    return visibility === 'public' || visibility === 'external';
+}
+function isConstructor(fn) {
+    return !!fn?.isConstructor || String(fn?.kind || '').toLowerCase() === 'constructor';
+}
+function functionDisplayName(fn) {
+    const kind = String(fn.kind || '').toLowerCase();
+    if (kind === 'fallback' || fn.isFallback)
+        return '<fallback>';
+    if (kind === 'receive' || fn.isReceive)
+        return '<receive>';
+    if (isConstructor(fn))
+        return '<constructor>';
+    return String(fn.name || '<anonymous>');
+}
+function variableName(node) {
+    if (!node)
+        return '';
+    if (typeof node.name === 'string')
+        return node.name;
+    if (typeof node.identifier?.name === 'string')
+        return node.identifier.name;
+    return '';
+}
+function identifierName(expr) {
+    if (!expr || typeof expr !== 'object')
+        return '';
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return String(expr.name || '');
+    if ((0, ast_1.isNode)(expr, 'MemberAccess') && (0, ast_1.isNode)(expr.expression, 'Identifier') && String(expr.expression.name || '') === 'this') {
+        return String(expr.memberName || '');
+    }
+    return '';
+}
+function getAssignment(expression) {
+    if (!expression || typeof expression !== 'object')
+        return null;
+    if ((0, ast_1.isNode)(expression, 'BinaryOperation') && String(expression.operator || '') === '=') {
+        return { left: expression.left || expression.leftExpression, right: expression.right || expression.rightExpression };
+    }
+    if ((0, ast_1.isNode)(expression, 'Assignment')) {
+        return { left: expression.leftHandSide || expression.left, right: expression.rightHandSide || expression.right };
+    }
+    return null;
+}
+function delegatecallTargetExpression(call) {
+    const callee = unwrapCallOptions(call.expression);
+    if (!(0, ast_1.isNode)(callee, 'MemberAccess'))
+        return null;
+    if (String(callee.memberName || '').toLowerCase() !== 'delegatecall')
+        return null;
+    return callee.expression;
+}
+function unwrapCallOptions(expr) {
+    let current = expr;
+    while ((0, ast_1.isNode)(current, 'FunctionCallOptions') || (0, ast_1.isNode)(current, 'NameValueExpression')) {
+        current = current.expression;
+    }
+    return current;
+}
+function isRequireOrAssertCall(call) {
+    if (!(0, ast_1.isNode)(call, 'FunctionCall'))
+        return false;
+    const callee = unwrapCallOptions(call.expression);
+    return (0, ast_1.isNode)(callee, 'Identifier') && (callee.name === 'require' || callee.name === 'assert');
+}
+function isAbiDecode(call) {
+    if (!(0, ast_1.isNode)(call, 'FunctionCall'))
+        return false;
+    const callee = unwrapCallOptions(call.expression);
+    return (0, ast_1.isNode)(callee, 'MemberAccess')
+        && String(callee.memberName || '') === 'decode'
+        && (0, ast_1.isNode)(callee.expression, 'Identifier')
+        && String(callee.expression.name || '') === 'abi';
+}
+function isCallerControlledDecodeInput(expr, fn) {
+    if (!expr || !fn)
+        return false;
+    const name = identifierName(expr);
+    if (name && fn.params.has(name) && fn.externallyCallable)
+        return true;
+    return isMsgData(expr);
+}
+function isMsgData(expr) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if ((0, ast_1.isNode)(expr, 'MemberAccess') && String(expr.memberName || '') === 'data') {
+        return (0, ast_1.isNode)(expr.expression, 'Identifier') && String(expr.expression.name || '') === 'msg';
+    }
+    if ((0, ast_1.isNode)(expr, 'IndexAccess'))
+        return isMsgData(expr.base || expr.baseExpression);
+    if ((0, ast_1.isNode)(expr, 'IndexRangeAccess'))
+        return isMsgData(expr.base || expr.baseExpression);
+    return false;
+}
+function isAddressCast(call) {
+    if (!(0, ast_1.isNode)(call, 'FunctionCall'))
+        return false;
+    const callee = unwrapCallOptions(call.expression);
+    if ((0, ast_1.isNode)(callee, 'ElementaryTypeName'))
+        return String(callee.name || '').toLowerCase() === 'address';
+    if ((0, ast_1.isNode)(callee, 'Identifier'))
+        return String(callee.name || '').toLowerCase() === 'address';
+    return false;
+}
+function isCallerIdentityCall(expr) {
+    if (!(0, ast_1.isNode)(expr, 'FunctionCall'))
+        return false;
+    if ((expr.arguments || []).length !== 0)
+        return false;
+    const callee = unwrapCallOptions(expr.expression);
+    if ((0, ast_1.isNode)(callee, 'Identifier'))
+        return String(callee.name || '') === '_msgSender';
+    if ((0, ast_1.isNode)(callee, 'MemberAccess'))
+        return String(callee.memberName || '') === '_msgSender';
+    return false;
+}
+function allowlistedTargetNames(expr) {
+    if (!expr || typeof expr !== 'object')
+        return [];
+    if ((0, ast_1.isNode)(expr, 'IndexAccess')) {
+        const indexName = identifierName(expr.index || expr.indexExpression);
+        return indexName ? [indexName] : [];
+    }
+    if ((0, ast_1.isNode)(expr, 'BinaryOperation')) {
+        const operator = String(expr.operator || '');
+        if (operator === '&&' || operator === '||') {
+            return [
+                ...allowlistedTargetNames(expr.left || expr.leftExpression),
+                ...allowlistedTargetNames(expr.right || expr.rightExpression),
+            ];
+        }
+        if (operator === '==' || operator === '===' || operator === '!=') {
+            return [
+                ...allowlistedTargetNames(expr.left || expr.leftExpression),
+                ...allowlistedTargetNames(expr.right || expr.rightExpression),
+            ];
+        }
+    }
+    if ((0, ast_1.isNode)(expr, 'UnaryOperation') && String(expr.operator || '') === '!') {
+        return allowlistedTargetNames(expr.subExpression);
+    }
+    return [];
+}
+function isPrivilegedName(name) {
+    return (0, access_control_1.isPrivilegedIdentifier)(name, {
+        keywords: ['owner', 'admin', 'role', 'authority', 'authorized', 'governance', 'governor', 'guardian', 'manager', 'operator', 'upgrader'],
+        mode: 'word-boundary',
+    });
+}
+function expressionName(expr) {
+    if (!expr || typeof expr !== 'object')
+        return '';
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return String(expr.name || '');
+    if ((0, ast_1.isNode)(expr, 'MemberAccess')) {
+        const base = expressionName(expr.expression);
+        const member = String(expr.memberName || '');
+        return base ? `${base}.${member}` : member;
+    }
+    if ((0, ast_1.isNode)(expr, 'FunctionCall'))
+        return callName(expr.expression);
+    return '';
+}
+function callName(expr) {
+    return expressionName(unwrapCallOptions(expr));
+}
+//# sourceMappingURL=arbitrary-delegatecall-target.js.map

package/dist/detectors/arbitrary-recipient-no-access-control.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class ArbitraryRecipientNoAccessControlDetector {
+    readonly id = "arbitrary-recipient-no-access-control";
+    readonly patternKey = "arbitrary-recipient-no-access-control";
+    readonly supportedAstKinds: "parser"[];
+    scanAst(ast: any, file: string, sourceText?: string): ScanResult[];
+}