@snovon/solast 0.2.0

package/dist/detectors/unauthorized-transferfrom-shell.js

@@ -0,0 +1,504 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UnauthorizedTransferfromShellDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'unauthorized-transferfrom';
+const PROVENANCE = 'x-20240115-shell-unauthorized-transferfrom';
+const ACCESS_CONTROL_MODIFIERS = new Set([
+    'onlyowner',
+    'onlyowners',
+    'onlyrole',
+    'onlyadmin',
+    'onlyauthorized',
+    'onlyoperator',
+    'onlyoperators',
+    'onlygovernance',
+    'onlygovernor',
+    'onlyguardian',
+    'onlymanager',
+]);
+class UnauthorizedTransferfromShellDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser', 'solc'];
+    scanAst(ast, file, sourceText) {
+        if (!ast || typeof ast !== 'object')
+            return [];
+        const findings = [];
+        const lineOffsets = buildLineOffsets(sourceText);
+        for (const contract of collectContracts(ast)) {
+            if (isInterfaceLike(contract))
+                continue;
+            const contractName = getName(contract) || '<anonymous>';
+            const functions = new Map();
+            for (const fn of getContractFunctions(contract)) {
+                const body = getFunctionBody(fn);
+                const parameterNames = collectParameterNames(fn);
+                const shellSinkNodes = collectShellSinkNodes(body, parameterNames);
+                functions.set(functionDisplayName(fn), {
+                    node: fn,
+                    name: functionDisplayName(fn),
+                    body,
+                    parameterNames,
+                    shellSinkNodes,
+                    hasDirectShellSink: shellSinkNodes.length > 0,
+                    internalCallees: collectInternalCallNames(body),
+                });
+            }
+            const reachable = computeTransitiveReachable(functions);
+            const seen = new Set();
+            for (const info of functions.values()) {
+                if (!isExternallyCallable(info.node))
+                    continue;
+                if (!info.body)
+                    continue;
+                if (hasRecognizedAccessControlModifier(info.node))
+                    continue;
+                if (!reachable.get(info.name))
+                    continue;
+                const stmts = getBlockStatements(info.body);
+                let firstGuardIdx = -1;
+                let firstSinkIdx = -1;
+                let sinkLocNode = null;
+                for (let i = 0; i < stmts.length; i++) {
+                    const stmt = stmts[i];
+                    if (firstGuardIdx === -1 && statementHasInlineGuard(stmt)) {
+                        firstGuardIdx = i;
+                    }
+                    if (firstSinkIdx === -1) {
+                        let direct = null;
+                        for (const sink of info.shellSinkNodes) {
+                            if (statementContainsNode(stmt, sink)) {
+                                direct = sink;
+                                break;
+                            }
+                        }
+                        if (direct) {
+                            firstSinkIdx = i;
+                            sinkLocNode = direct;
+                        }
+                        else {
+                            const calls = collectInternalCallNames(stmt);
+                            for (const c of calls) {
+                                const callee = functions.get(c);
+                                if (callee && reachable.get(callee.name)) {
+                                    firstSinkIdx = i;
+                                    sinkLocNode = stmt;
+                                    break;
+                                }
+                            }
+                        }
+                    }
+                }
+                if (firstSinkIdx === -1)
+                    continue;
+                if (firstGuardIdx !== -1 && firstSinkIdx >= firstGuardIdx)
+                    continue;
+                const key = `${contractName}:${info.name}`;
+                if (seen.has(key))
+                    continue;
+                seen.add(key);
+                const fnLoc = (0, ast_1.getLoc)(info.node, lineOffsets) || { line: 0, column: 0 };
+                const sinkLoc = sinkLocNode ? (0, ast_1.getLoc)(sinkLocNode, lineOffsets) : null;
+                const loc = sinkLoc || fnLoc;
+                findings.push({
+                    file,
+                    contract: contractName,
+                    'function': info.name,
+                    line: loc.line,
+                    endLine: loc.line,
+                    column: loc.column,
+                    pattern: RULE_ID,
+                    confidence: 'high',
+                    ruleId: RULE_ID,
+                    severity: 'error',
+                    message: `Lack of access control in '${contractName}.${info.name}': externally callable function performs a Shell-style transferFrom from a caller-supplied source (and onward swap/transfer) without an owner/role check or inline msg.sender guard before the value move.`,
+                    rationale: 'Mirrors the 2024-01-15 Shell MEV bot 0xa898 incident: an externally callable function (selector 0x5f90d725) pulled tokens from an arbitrary victim and forwarded them via a router swap without verifying msg.sender. Any caller could trigger the privileged transferFrom and redirect proceeds.',
+                    suggestedFix: 'Add an owner/role-only modifier (e.g., onlyOwner) or an early require(msg.sender == owner) / require(hasRole(role, msg.sender)) guard that runs before the transferFrom and any router/swap calls.',
+                    contractName,
+                    functionName: info.name,
+                    sourceLocation: { line: loc.line, column: loc.column },
+                    findingId: '',
+                    contractHash: '',
+                    provenance: PROVENANCE,
+                    source: PROVENANCE,
+                });
+            }
+        }
+        return findings;
+    }
+}
+exports.UnauthorizedTransferfromShellDetector = UnauthorizedTransferfromShellDetector;
+function computeTransitiveReachable(functions) {
+    const cache = new Map();
+    function compute(info, seen) {
+        const cached = cache.get(info.name);
+        if (cached !== undefined)
+            return cached;
+        if (info.hasDirectShellSink) {
+            cache.set(info.name, true);
+            return true;
+        }
+        if (seen.has(info.name))
+            return false;
+        seen.add(info.name);
+        for (const calleeName of info.internalCallees) {
+            const callee = functions.get(calleeName);
+            if (callee && compute(callee, seen)) {
+                cache.set(info.name, true);
+                return true;
+            }
+        }
+        cache.set(info.name, false);
+        return false;
+    }
+    for (const info of functions.values())
+        compute(info, new Set());
+    return cache;
+}
+function collectShellSinkNodes(body, parameterNames) {
+    if (!body)
+        return [];
+    const transferFromCalls = [];
+    const forwardingCalls = [];
+    walk(body, n => {
+        if (!isFunctionCall(n))
+            return;
+        const memberName = getCalleeMemberName(n).toLowerCase();
+        if (memberName === 'transferfrom') {
+            transferFromCalls.push(n);
+            return;
+        }
+        if (isForwardingMemberName(memberName)) {
+            forwardingCalls.push(n);
+        }
+    });
+    if (transferFromCalls.length === 0)
+        return [];
+    const hasCallerControlledForwarding = forwardingCalls.some(fc => callHasCallerControlledRecipient(fc, parameterNames));
+    const sinks = [];
+    for (const tf of transferFromCalls) {
+        const args = getCallArguments(tf);
+        if (args.length < 2)
+            continue;
+        const fromArg = args[0];
+        const toArg = args[1];
+        if (isMsgSenderRef(fromArg))
+            continue;
+        if (isAddressThisRef(toArg) && hasCallerControlledForwarding) {
+            sinks.push(tf);
+        }
+    }
+    return sinks;
+}
+function isForwardingMemberName(memberName) {
+    if (!memberName)
+        return false;
+    if (memberName.startsWith('swap'))
+        return true;
+    if (memberName === 'transfer' || memberName === 'safetransfer')
+        return true;
+    return false;
+}
+function callHasCallerControlledRecipient(call, parameterNames) {
+    const recipient = getForwardingRecipientArg(call);
+    if (!recipient)
+        return false;
+    if (isAddressThisRef(recipient) || isThisExpression(recipient))
+        return false;
+    if (isMsgSenderRef(recipient))
+        return true;
+    const name = getIdentifierName(recipient);
+    if (!name)
+        return false;
+    return parameterNames.has(name);
+}
+function getForwardingRecipientArg(call) {
+    const memberName = getCalleeMemberName(call).toLowerCase();
+    const args = getCallArguments(call);
+    if (memberName.startsWith('swap')) {
+        if (args.length >= 4)
+            return args[3];
+        return null;
+    }
+    if (memberName === 'transfer' || memberName === 'safetransfer') {
+        if (args.length >= 1)
+            return args[0];
+    }
+    return null;
+}
+function isAddressThisRef(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (!isNode(node, 'FunctionCall'))
+        return false;
+    const args = getCallArguments(node);
+    if (args.length !== 1)
+        return false;
+    if (!isThisExpression(args[0]))
+        return false;
+    return isAddressTypeExpression(node.expression);
+}
+function isThisExpression(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (isNode(node, 'ThisExpression'))
+        return true;
+    if (isNode(node, 'Identifier') && String(node.name || '') === 'this')
+        return true;
+    return false;
+}
+function isAddressTypeExpression(expr) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if (isNode(expr, 'ElementaryTypeName') && String(expr.name || '') === 'address')
+        return true;
+    if (isNode(expr, 'ElementaryTypeNameExpression')) {
+        const tn = expr.typeName;
+        if (tn && typeof tn === 'object' && String(tn.name || '') === 'address')
+            return true;
+    }
+    if (isNode(expr, 'Identifier') && String(expr.name || '') === 'address')
+        return true;
+    return false;
+}
+function getIdentifierName(node) {
+    if (!node || typeof node !== 'object')
+        return '';
+    if (isNode(node, 'Identifier'))
+        return String(node.name || '');
+    return '';
+}
+function collectParameterNames(fn) {
+    const names = new Set();
+    const params = fn?.parameters;
+    if (!params)
+        return names;
+    let list = [];
+    if (Array.isArray(params))
+        list = params;
+    else if (Array.isArray(params.parameters))
+        list = params.parameters;
+    for (const p of list) {
+        if (p && typeof p === 'object' && typeof p.name === 'string' && p.name) {
+            names.add(p.name);
+        }
+    }
+    return names;
+}
+function statementContainsNode(stmt, target) {
+    if (!stmt || !target)
+        return false;
+    let found = false;
+    walk(stmt, n => { if (n === target)
+        found = true; });
+    return found;
+}
+function statementHasInlineGuard(stmt) {
+    let isGuard = false;
+    walk(stmt, node => {
+        if (isGuard)
+            return;
+        if (!isFunctionCall(node))
+            return;
+        const calleeName = getCalleeIdentifierName(node).toLowerCase();
+        if (calleeName !== 'require' && calleeName !== 'assert')
+            return;
+        const condition = getCallArguments(node)[0];
+        if (!condition)
+            return;
+        if (containsMsgSender(condition))
+            isGuard = true;
+    });
+    return isGuard;
+}
+function containsMsgSender(node) {
+    return walkAny(node, n => isMsgSenderRef(n));
+}
+function isMsgSenderRef(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (!isNode(node, 'MemberAccess'))
+        return false;
+    if (String(node.memberName || '') !== 'sender')
+        return false;
+    const base = node.expression;
+    if (!base || typeof base !== 'object')
+        return false;
+    if (!isNode(base, 'Identifier'))
+        return false;
+    return String(base.name || '') === 'msg';
+}
+function collectInternalCallNames(body) {
+    const out = new Set();
+    if (!body)
+        return out;
+    walk(body, n => {
+        if (!isFunctionCall(n))
+            return;
+        const callee = n.expression;
+        if (callee && isNode(callee, 'Identifier')) {
+            const name = String(callee.name || '');
+            if (name)
+                out.add(name);
+        }
+    });
+    return out;
+}
+function getCalleeMemberName(call) {
+    const expr = call?.expression;
+    if (!expr)
+        return '';
+    if (isNode(expr, 'MemberAccess'))
+        return String(expr.memberName || '');
+    return '';
+}
+function getCalleeIdentifierName(call) {
+    const expr = call?.expression;
+    if (!expr)
+        return '';
+    if (isNode(expr, 'Identifier'))
+        return String(expr.name || '');
+    return '';
+}
+function getCallArguments(node) {
+    return Array.isArray(node?.arguments) ? node.arguments : [];
+}
+function isFunctionCall(n) {
+    return isNode(n, 'FunctionCall');
+}
+function hasRecognizedAccessControlModifier(fn) {
+    const modifiers = fn?.modifiers || [];
+    if (!Array.isArray(modifiers))
+        return false;
+    return modifiers.some((m) => ACCESS_CONTROL_MODIFIERS.has(getModifierName(m).toLowerCase()));
+}
+function getModifierName(modifier) {
+    if (!modifier)
+        return '';
+    if (typeof modifier === 'string')
+        return modifier;
+    if (typeof modifier.name === 'string')
+        return modifier.name;
+    if (modifier.name && typeof modifier.name === 'object') {
+        if (typeof modifier.name.name === 'string')
+            return modifier.name.name;
+        if (typeof modifier.name.namePath === 'string')
+            return modifier.name.namePath;
+    }
+    if (modifier.modifierName) {
+        const inner = modifier.modifierName;
+        if (typeof inner === 'string')
+            return inner;
+        if (inner && typeof inner.name === 'string')
+            return inner.name;
+    }
+    return '';
+}
+function isExternallyCallable(fn) {
+    if (!fn)
+        return false;
+    if (fn.isConstructor === true)
+        return false;
+    const kind = String(fn.kind || '').toLowerCase();
+    if (kind === 'constructor' || kind === 'fallback' || kind === 'receive')
+        return false;
+    if (fn.isFallback === true || fn.isReceiveEther === true)
+        return false;
+    const visibility = String(fn.visibility || '').toLowerCase();
+    return visibility === 'public' || visibility === 'external';
+}
+function isInterfaceLike(contract) {
+    const kind = String(contract?.kind || contract?.contractKind || '').toLowerCase();
+    return kind === 'interface' || kind === 'library';
+}
+function getFunctionBody(node) {
+    return node?.body || null;
+}
+function getBlockStatements(body) {
+    if (!body || typeof body !== 'object')
+        return [];
+    return Array.isArray(body.statements) ? body.statements : [];
+}
+function getContractFunctions(contract) {
+    return getContractMembers(contract).filter(child => isNode(child, 'FunctionDefinition'));
+}
+function getContractMembers(contract) {
+    if (!contract || typeof contract !== 'object')
+        return [];
+    if (Array.isArray(contract.subNodes))
+        return contract.subNodes;
+    if (Array.isArray(contract.nodes))
+        return contract.nodes;
+    return [];
+}
+function collectContracts(ast) {
+    const out = [];
+    walkContracts(ast, n => out.push(n));
+    return out;
+}
+function walkContracts(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (isNode(node, 'ContractDefinition')) {
+        visit(node);
+        return;
+    }
+    for (const child of childrenOf(node))
+        walkContracts(child, visit);
+}
+function walkAny(node, predicate) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (predicate(node))
+        return true;
+    return childrenOf(node).some(c => walkAny(c, predicate));
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const c of childrenOf(node))
+        walk(c, visit);
+}
+function childrenOf(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const out = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'src' || key === 'range' || key === 'typeDescriptions' || key === 'id')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    out.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+function isNode(node, kind) {
+    return node?.type === kind || node?.nodeType === kind;
+}
+function getName(node) {
+    return typeof node?.name === 'string' ? node.name : '';
+}
+function functionDisplayName(fn) {
+    return getName(fn) || '<anonymous>';
+}
+function buildLineOffsets(sourceText) {
+    if (sourceText === undefined)
+        return undefined;
+    const offsets = [0];
+    let byteOffset = 0;
+    for (const ch of sourceText) {
+        byteOffset += Buffer.byteLength(ch, 'utf8');
+        if (ch === '\n')
+            offsets.push(byteOffset);
+    }
+    return offsets;
+}
+//# sourceMappingURL=unauthorized-transferfrom-shell.js.map

package/dist/detectors/unauthorized-transferfrom.d.ts

@@ -0,0 +1,16 @@
+import type { ScanResult } from '../index';
+export declare class UnauthorizedTransferfromDetector {
+    readonly id = "unauthorized-transferfrom";
+    readonly patternKey = "unauthorized-transferfrom";
+    readonly supportedAstKinds: ("parser" | "solc")[];
+    private currentFile;
+    private sourceText;
+    private findings;
+    setFile(file: string): void;
+    setSourceText(sourceText?: string): void;
+    getFindings(): ScanResult[];
+    SourceUnit(ast: any): void;
+    ContractDefinition(node: any): void;
+    scanAst(ast: any, file: string, sourceText?: string): ScanResult[];
+    private runAst;
+}