@snovon/solast 0.2.0

package/dist/detectors/tstore-race-condition.js

@@ -0,0 +1,632 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TstoreRaceConditionDetector = void 0;
+const RULE_ID = 'tstore-race-condition';
+const ASSIGN_OPS = new Set(['=', '+=', '-=', '*=', '/=', '%=', '&=', '|=', '^=', '<<=', '>>=', '>>>=']);
+const LOW_LEVEL_CALL_MEMBERS = new Set(['call', 'delegatecall', 'staticcall', 'send', 'transfer']);
+const BUILTIN_NAMESPACES = new Set(['msg', 'block', 'tx', 'abi', 'this', 'super', 'type']);
+const SECURITY_WORDS = /(auth|allow|approve|admin|owner|role|permission|lock|guard|execute|exec|price|quote|cost|rate|amount|balance|account|debt|credit|share|asset|reserve|liquidity|withdraw|deposit|custody|pending|transfer|token|fee|limit|nonce|order|settle|claim|mint|burn)/i;
+const TELEMETRY_CALLS = new Set(['log', 'debug']);
+const SENSITIVE_CALLS = new Set([
+    'call', 'delegatecall', 'transfer', 'send', 'transferfrom', 'safetransfer', 'safetransferfrom',
+    'mint', 'burn', 'withdraw', 'deposit', 'execute', 'exec', 'swap', 'buy', 'sell', 'claim',
+]);
+class TstoreRaceConditionDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    scanAst(ast, file) {
+        if (!ast || ast.type !== 'SourceUnit')
+            return [];
+        const findings = [];
+        const contracts = collectContractsByName(ast);
+        const internalOnlyTypes = collectInternalOnlyTypes(contracts);
+        for (const child of ast.children || []) {
+            if (child?.type !== 'ContractDefinition')
+                continue;
+            if (child.kind === 'interface' || child.kind === 'library')
+                continue;
+            try {
+                const info = buildContractInfo(child, contracts, internalOnlyTypes);
+                precomputeWriters(info);
+                for (const fn of info.functions) {
+                    if (!fn.body || !isExternallyReachable(fn))
+                        continue;
+                    const finding = analyzeFunction(file, info, fn);
+                    if (finding)
+                        findings.push(finding);
+                }
+            }
+            catch (_) {
+                // Keep parser edge cases local to this rule.
+            }
+        }
+        return findings;
+    }
+}
+exports.TstoreRaceConditionDetector = TstoreRaceConditionDetector;
+function analyzeFunction(file, info, fn) {
+    const fnName = String(fn.name || '<anonymous>');
+    const events = collectFunctionEvents(info, fn);
+    if (events.length === 0)
+        return null;
+    let afterExternal = false;
+    let afterDelegatecall = false;
+    const liveWrites = new Set();
+    for (const ev of events) {
+        if (ev.kind === 'tWrite') {
+            if (ev.isClear)
+                liveWrites.delete(ev.slot);
+            else
+                liveWrites.add(ev.slot);
+            continue;
+        }
+        if (ev.kind === 'externalCall') {
+            afterExternal = true;
+            if (ev.isDelegatecall)
+                afterDelegatecall = true;
+            continue;
+        }
+        if (ev.kind !== 'tRead' || !afterExternal || !ev.sensitive)
+            continue;
+        if ((ev.slot.startsWith('asm:') && afterDelegatecall) || liveWrites.has(ev.slot) || hasExternalWriter(info, fnName, ev.slot)) {
+            return makeFinding(file, info.name, fnName, locOf(fn), `Transient storage is relied on after an external-call boundary in '${info.name}.${fnName}'.`, 'Transient storage persists across calls within one transaction, so a reentrant call path or delegatecall can mutate the value before the later security-sensitive read.', 'Read and validate transient values before calling external code, pass the value explicitly, or guard and clear the transient slot before any reentrant boundary.');
+        }
+    }
+    return null;
+}
+function hasExternalWriter(info, fnName, slot) {
+    const writers = info.writers.get(slot);
+    if (!writers)
+        return false;
+    for (const writer of writers) {
+        if (writer !== fnName)
+            return true;
+    }
+    return false;
+}
+function buildContractInfo(contractNode, contracts, internalOnlyTypes) {
+    const functions = [];
+    for (const sub of contractNode.subNodes || []) {
+        if (sub?.type === 'FunctionDefinition')
+            functions.push(sub);
+    }
+    return {
+        name: String(contractNode.name || '<anonymous>'),
+        transientStateVars: resolveTransientVars(contractNode, contracts),
+        stateVariableTypes: resolveStateVariableTypes(contractNode, contracts),
+        callableMembersByType: collectCallableMembersByType(contracts),
+        internalOnlyTypes,
+        externalCallTargetTypes: collectExternalCallTargetTypes(contracts),
+        functions,
+        writers: new Map(),
+    };
+}
+function precomputeWriters(info) {
+    for (const fn of info.functions) {
+        if (!fn.body || !isExternallyReachable(fn))
+            continue;
+        const fnName = String(fn.name || '<anonymous>');
+        for (const ev of collectFunctionEvents(info, fn)) {
+            if (ev.kind !== 'tWrite' || ev.isClear)
+                continue;
+            let writers = info.writers.get(ev.slot);
+            if (!writers) {
+                writers = new Set();
+                info.writers.set(ev.slot, writers);
+            }
+            writers.add(fnName);
+        }
+    }
+}
+function collectFunctionEvents(info, fn) {
+    const events = [];
+    walkStmt(fn.body, info, events, buildFunctionTypeContext(info, fn));
+    return events;
+}
+function walkStmt(node, info, events, typeContext) {
+    if (!node || typeof node !== 'object')
+        return;
+    switch (node.type) {
+        case 'Block':
+            for (const s of node.statements || [])
+                walkStmt(s, info, events, typeContext);
+            return;
+        case 'ExpressionStatement':
+            walkExpr(node.expression, info, events, typeContext, false);
+            return;
+        case 'VariableDeclarationStatement':
+            walkExpr(node.initialValue, info, events, typeContext, variablesSensitive(node.variables));
+            return;
+        case 'ReturnStatement':
+            walkExpr(node.expression, info, events, typeContext, true);
+            return;
+        case 'EmitStatement':
+            walkExpr(node.expression, info, events, typeContext, false);
+            return;
+        case 'RevertStatement':
+            walkExpr(node.expression, info, events, typeContext, true);
+            return;
+        case 'IfStatement':
+            walkExpr(node.condition, info, events, typeContext, true);
+            walkStmt(node.trueBody, info, events, typeContext);
+            walkStmt(node.falseBody, info, events, typeContext);
+            return;
+        case 'ForStatement':
+            walkStmt(node.initExpression, info, events, typeContext);
+            walkExpr(node.conditionExpression, info, events, typeContext, true);
+            walkStmt(node.body, info, events, typeContext);
+            walkStmt(node.loopExpression, info, events, typeContext);
+            return;
+        case 'WhileStatement':
+        case 'DoWhileStatement':
+            walkExpr(node.condition, info, events, typeContext, true);
+            walkStmt(node.body, info, events, typeContext);
+            return;
+        case 'TryStatement':
+            walkExpr(node.expression, info, events, typeContext, false);
+            walkStmt(node.body, info, events, typeContext);
+            for (const clause of node.catchClauses || [])
+                walkStmt(clause?.body, info, events, typeContext);
+            return;
+        case 'InlineAssemblyStatement':
+            walkAssembly(node.body, events);
+            return;
+        default:
+            for (const c of childrenOf(node))
+                walkStmt(c, info, events, typeContext);
+    }
+}
+function walkExpr(node, info, events, typeContext, sensitive) {
+    if (!node || typeof node !== 'object')
+        return;
+    switch (node.type) {
+        case 'BinaryOperation': {
+            if (ASSIGN_OPS.has(String(node.operator || ''))) {
+                const target = transientTargetName(node.left, info);
+                const rhsSensitive = sensitive || exprNameSensitive(node.left);
+                walkExpr(node.right, info, events, typeContext, rhsSensitive);
+                if (target)
+                    events.push({ kind: 'tWrite', slot: target, isClear: node.operator === '=' && isFalseyLiteral(node.right), loc: locOf(node), node });
+                else
+                    walkExpr(node.left, info, events, typeContext, false);
+                return;
+            }
+            const childSensitive = sensitive || isComparisonOperator(String(node.operator || ''));
+            walkExpr(node.left, info, events, typeContext, childSensitive);
+            walkExpr(node.right, info, events, typeContext, childSensitive);
+            return;
+        }
+        case 'UnaryOperation': {
+            const target = transientTargetName(node.subExpression, info);
+            if (node.operator === 'delete' && target) {
+                events.push({ kind: 'tWrite', slot: target, isClear: true, loc: locOf(node), node });
+                return;
+            }
+            if ((node.operator === '++' || node.operator === '--') && target) {
+                events.push({ kind: 'tWrite', slot: target, isClear: false, loc: locOf(node), node });
+                return;
+            }
+            walkExpr(node.subExpression, info, events, typeContext, sensitive);
+            return;
+        }
+        case 'FunctionCall': {
+            const callee = callName(node);
+            const requireLike = callee === 'require' || callee === 'assert';
+            const callKind = externalCallKind(node, typeContext);
+            const sensitiveCall = isSensitiveCallName(callee) || callKind === 'delegatecall';
+            if (requireLike) {
+                const args = node.arguments || [];
+                if (args[0])
+                    walkExpr(args[0], info, events, typeContext, true);
+                for (const arg of args.slice(1))
+                    walkExpr(arg, info, events, typeContext, false);
+                return;
+            }
+            if (callKind) {
+                walkExpr(callBaseExpression(node), info, events, typeContext, false);
+                for (const arg of node.arguments || [])
+                    walkExpr(arg, info, events, typeContext, sensitiveCall);
+                events.push({ kind: 'externalCall', isDelegatecall: callKind === 'delegatecall', loc: locOf(node), node });
+                return;
+            }
+            const argSensitive = sensitive || sensitiveCall;
+            walkExpr(node.expression, info, events, typeContext, false);
+            for (const arg of node.arguments || [])
+                walkExpr(arg, info, events, typeContext, argSensitive);
+            return;
+        }
+        case 'Identifier': {
+            const name = String(node.name || '');
+            if (info.transientStateVars.has(name)) {
+                events.push({ kind: 'tRead', slot: stateSlot(name), sensitive, loc: locOf(node), node });
+            }
+            return;
+        }
+        default:
+            for (const c of childrenOf(node))
+                walkExpr(c, info, events, typeContext, sensitive);
+    }
+}
+function walkAssembly(node, events) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (node.type === 'AssemblyCall') {
+        const fname = String(node.functionName || '').toLowerCase();
+        const args = node.arguments || [];
+        if (fname === 'tstore') {
+            const slot = assemblySlotKey(args[0]);
+            if (slot)
+                events.push({ kind: 'tWrite', slot, isClear: isAssemblyZero(args[1]), loc: locOf(node), node });
+        }
+        else if (fname === 'tload') {
+            const slot = assemblySlotKey(args[0]);
+            if (slot)
+                events.push({ kind: 'tRead', slot, sensitive: true, loc: locOf(node), node });
+        }
+    }
+    for (const c of childrenOf(node))
+        walkAssembly(c, events);
+}
+function transientTargetName(node, info) {
+    if (!node || typeof node !== 'object')
+        return null;
+    if (node.type === 'Identifier' && info.transientStateVars.has(String(node.name || '')))
+        return stateSlot(String(node.name));
+    if (node.type === 'MemberAccess' &&
+        node.expression?.type === 'Identifier' &&
+        node.expression.name === 'this' &&
+        info.transientStateVars.has(String(node.memberName || ''))) {
+        return stateSlot(String(node.memberName));
+    }
+    return null;
+}
+function externalCallKind(node, typeContext) {
+    if (!node || node.type !== 'FunctionCall')
+        return null;
+    let target = node.expression;
+    if (target?.type === 'NameValueExpression')
+        target = target.expression;
+    if (target?.type !== 'MemberAccess')
+        return null;
+    const member = String(target.memberName || '').toLowerCase();
+    if (LOW_LEVEL_CALL_MEMBERS.has(member))
+        return member;
+    const base = target.expression;
+    if (!base)
+        return null;
+    if (base.type === 'Identifier' && BUILTIN_NAMESPACES.has(String(base.name || '')))
+        return null;
+    if (base.type === 'Identifier') {
+        const baseName = String(base.name || '');
+        const typeName = typeContext.variableTypes.get(baseName);
+        const knownMembers = typeName ? typeContext.callableMembersByType.get(typeName) : undefined;
+        if (knownMembers && !knownMembers.has(member))
+            return null;
+        if (typeName && typeContext.internalOnlyTypes.has(typeName))
+            return null;
+        if (typeName && !typeContext.userDefinedVariables.has(baseName) && !typeContext.externalCallTargetTypes.has(typeName))
+            return null;
+        return 'external';
+    }
+    if (base.type === 'MemberAccess' || base.type === 'IndexAccess' || base.type === 'FunctionCall')
+        return 'external';
+    return null;
+}
+function callBaseExpression(call) {
+    let target = call?.expression;
+    if (target?.type === 'NameValueExpression')
+        target = target.expression;
+    return target?.type === 'MemberAccess' ? target.expression : null;
+}
+function callName(call) {
+    let expr = call?.expression;
+    if (expr?.type === 'NameValueExpression')
+        expr = expr.expression;
+    if (expr?.type === 'Identifier')
+        return String(expr.name || '').toLowerCase();
+    if (expr?.type === 'MemberAccess')
+        return String(expr.memberName || '').toLowerCase();
+    return '';
+}
+function isSensitiveCallName(name) {
+    if (!name || TELEMETRY_CALLS.has(name))
+        return false;
+    return SENSITIVE_CALLS.has(name) || SECURITY_WORDS.test(name);
+}
+function exprNameSensitive(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (node.type === 'Identifier')
+        return SECURITY_WORDS.test(String(node.name || ''));
+    if (node.type === 'MemberAccess')
+        return SECURITY_WORDS.test(String(node.memberName || ''));
+    if (node.type === 'IndexAccess')
+        return exprNameSensitive(node.base);
+    return childrenOf(node).some(exprNameSensitive);
+}
+function variablesSensitive(vars) {
+    return (vars || []).some(v => SECURITY_WORDS.test(String(v?.name || '')));
+}
+function isComparisonOperator(op) {
+    return op === '==' || op === '!=' || op === '<' || op === '>' || op === '<=' || op === '>=' || op === '&&' || op === '||';
+}
+function assemblySlotKey(node) {
+    if (!node || typeof node !== 'object')
+        return null;
+    if (node.type === 'AssemblyCall' && (!Array.isArray(node.arguments) || node.arguments.length === 0)
+        && typeof node.functionName === 'string')
+        return 'asm:id:' + node.functionName;
+    if (node.type === 'HexNumber' && typeof node.value === 'string') {
+        try {
+            return 'asm:lit:' + BigInt(node.value).toString();
+        }
+        catch {
+            return null;
+        }
+    }
+    if (node.type === 'DecimalNumber' && typeof node.value === 'string') {
+        try {
+            return 'asm:lit:' + BigInt(node.value).toString();
+        }
+        catch {
+            return null;
+        }
+    }
+    if (node.type === 'Identifier' && typeof node.name === 'string')
+        return 'asm:id:' + node.name;
+    return null;
+}
+function isAssemblyZero(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (node.type !== 'HexNumber' && node.type !== 'DecimalNumber')
+        return false;
+    try {
+        return BigInt(node.value).toString() === '0';
+    }
+    catch {
+        return false;
+    }
+}
+function isFalseyLiteral(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (node.type === 'BooleanLiteral')
+        return node.value === false;
+    if (node.type === 'NumberLiteral') {
+        const raw = String(node.number ?? node.value ?? '').trim();
+        if (!raw)
+            return false;
+        try {
+            return BigInt(raw).toString() === '0';
+        }
+        catch {
+            return /^0(x0+)?$/i.test(raw);
+        }
+    }
+    if (node.type === 'HexLiteral')
+        return /^0x0+$/i.test(String(node.value ?? '').trim());
+    return false;
+}
+function buildFunctionTypeContext(info, fn) {
+    const variableTypes = new Map(info.stateVariableTypes);
+    const userDefinedVariables = new Set();
+    for (const parameter of [...(fn.parameters || []), ...(fn.returnParameters || [])]) {
+        const typeName = typeNameToString(parameter?.typeName);
+        if (parameter?.name && typeName)
+            variableTypes.set(String(parameter.name), typeName);
+        if (parameter?.name && isUserDefinedTypeName(parameter?.typeName))
+            userDefinedVariables.add(String(parameter.name));
+    }
+    collectLocalVariableTypes(fn.body, variableTypes, userDefinedVariables);
+    return {
+        variableTypes,
+        userDefinedVariables,
+        callableMembersByType: info.callableMembersByType,
+        internalOnlyTypes: info.internalOnlyTypes,
+        externalCallTargetTypes: info.externalCallTargetTypes,
+    };
+}
+function collectCallableMembersByType(contracts) {
+    const out = new Map();
+    for (const node of contracts.values()) {
+        const typeName = normalizeTypeName(node?.name);
+        if (!typeName)
+            continue;
+        const members = new Set();
+        for (const sub of node?.subNodes || []) {
+            if (sub?.type !== 'FunctionDefinition')
+                continue;
+            const name = String(sub.name || '').toLowerCase();
+            if (name)
+                members.add(name);
+        }
+        out.set(typeName, members);
+    }
+    return out;
+}
+function collectExternalCallTargetTypes(contracts) {
+    const names = new Set();
+    for (const node of contracts.values()) {
+        if ((node?.kind === 'contract' || node?.kind === 'interface') && node.name)
+            names.add(String(node.name));
+    }
+    return names;
+}
+function collectLocalVariableTypes(node, variableTypes, userDefinedVariables) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (node.type === 'VariableDeclarationStatement') {
+        for (const variable of node.variables || []) {
+            const typeName = typeNameToString(variable?.typeName);
+            if (variable?.name && typeName)
+                variableTypes.set(String(variable.name), typeName);
+            if (variable?.name && isUserDefinedTypeName(variable?.typeName))
+                userDefinedVariables.add(String(variable.name));
+        }
+    }
+    for (const c of childrenOf(node))
+        collectLocalVariableTypes(c, variableTypes, userDefinedVariables);
+}
+function collectContractsByName(ast) {
+    const map = new Map();
+    for (const child of ast.children || []) {
+        if (child?.type === 'ContractDefinition' && child.name)
+            map.set(String(child.name), child);
+    }
+    return map;
+}
+function collectInternalOnlyTypes(contracts) {
+    const names = new Set();
+    for (const node of contracts.values()) {
+        if (node?.kind === 'library')
+            names.add(String(node.name || ''));
+        for (const sub of node?.subNodes || []) {
+            if ((sub?.type === 'StructDefinition' || sub?.type === 'EnumDefinition') && sub.name)
+                names.add(String(sub.name));
+        }
+    }
+    return names;
+}
+function resolveTransientVars(contractNode, contracts, visited = new Set()) {
+    const vars = new Set();
+    const contractName = String(contractNode?.name || '');
+    if (contractName) {
+        if (visited.has(contractName))
+            return vars;
+        visited.add(contractName);
+    }
+    for (const base of contractNode?.baseContracts || []) {
+        const baseContract = contracts.get(baseContractName(base));
+        if (!baseContract)
+            continue;
+        for (const name of resolveTransientVars(baseContract, contracts, visited))
+            vars.add(name);
+    }
+    for (const sub of contractNode?.subNodes || []) {
+        if (sub?.type !== 'StateVariableDeclaration')
+            continue;
+        for (const v of sub.variables || []) {
+            if (v?.isStateVar && v?.isTransient && v?.name)
+                vars.add(String(v.name));
+        }
+    }
+    return vars;
+}
+function resolveStateVariableTypes(contractNode, contracts, visited = new Set()) {
+    const vars = new Map();
+    const contractName = String(contractNode?.name || '');
+    if (contractName) {
+        if (visited.has(contractName))
+            return vars;
+        visited.add(contractName);
+    }
+    for (const base of contractNode?.baseContracts || []) {
+        const baseContract = contracts.get(baseContractName(base));
+        if (!baseContract)
+            continue;
+        for (const [name, typeName] of resolveStateVariableTypes(baseContract, contracts, visited))
+            vars.set(name, typeName);
+    }
+    for (const sub of contractNode?.subNodes || []) {
+        if (sub?.type !== 'StateVariableDeclaration')
+            continue;
+        for (const v of sub.variables || []) {
+            const typeName = typeNameToString(v?.typeName);
+            if (v?.isStateVar && v?.name && typeName)
+                vars.set(String(v.name), typeName);
+        }
+    }
+    return vars;
+}
+function baseContractName(base) {
+    const namePath = base?.baseName?.namePath;
+    if (namePath)
+        return String(namePath).split('.').pop() || '';
+    return String(base?.baseName?.name || '').split('.').pop() || '';
+}
+function typeNameToString(typeName) {
+    if (!typeName || typeof typeName !== 'object')
+        return null;
+    if (typeName.type === 'ElementaryTypeName')
+        return normalizeTypeName(typeName.name);
+    if (typeName.type === 'UserDefinedTypeName')
+        return normalizeTypeName(typeName.namePath || typeName.name);
+    if (typeName.type === 'ArrayTypeName')
+        return typeNameToString(typeName.baseTypeName);
+    return null;
+}
+function isUserDefinedTypeName(typeName) {
+    if (!typeName || typeof typeName !== 'object')
+        return false;
+    if (typeName.type === 'UserDefinedTypeName')
+        return true;
+    if (typeName.type === 'ArrayTypeName')
+        return isUserDefinedTypeName(typeName.baseTypeName);
+    return false;
+}
+function normalizeTypeName(typeName) {
+    if (!typeName)
+        return null;
+    const last = String(typeName).split('.').pop() || '';
+    if (last === 'uint')
+        return 'uint256';
+    if (last === 'int')
+        return 'int256';
+    return last || null;
+}
+function isExternallyReachable(fn) {
+    const visibility = String(fn.visibility || '');
+    return visibility === 'public' || visibility === 'external' || visibility === '';
+}
+function makeFinding(file, contract, fn, loc, message, rationale, suggestedFix) {
+    const source = loc || { line: 0, column: 0 };
+    return {
+        file,
+        contract,
+        'function': fn,
+        line: source.line,
+        endLine: source.line,
+        column: source.column,
+        pattern: RULE_ID,
+        confidence: 'high',
+        ruleId: RULE_ID,
+        severity: 'high',
+        message,
+        rationale,
+        suggestedFix,
+        contractName: contract,
+        functionName: fn,
+        sourceLocation: { line: source.line, column: source.column },
+        findingId: '',
+        contractHash: '',
+    };
+}
+function stateSlot(name) {
+    return 'state:' + name;
+}
+function locOf(node) {
+    const start = node?.loc?.start;
+    if (!start)
+        return null;
+    return { line: Number(start.line || 0), column: Number(start.column || 0) };
+}
+function childrenOf(node) {
+    const out = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'range')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    out.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+//# sourceMappingURL=tstore-race-condition.js.map