@snovon/solast 0.2.0

package/dist/detectors/unbound-zk-verifier-input.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class UnboundZkVerifierInputDetector {
+    readonly id = "unbound-zk-verifier-input";
+    readonly patternKey = "unbound-zk-verifier-input";
+    readonly supportedAstKinds: "parser"[];
+    scanAst(ast: any, file: string): ScanResult[];
+}

package/dist/detectors/unbound-zk-verifier-input.js

@@ -0,0 +1,445 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UnboundZkVerifierInputDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'unbound-zk-verifier-input';
+const PATTERN = RULE_ID;
+const SOURCE = 'research-feed-2026-05-07-2204-i-starkware-s-privacy-preserving-zk-stark-proof-syst';
+const VERIFIER_CALLS = new Set([
+    'isValid',
+    'verify',
+    'verifyProof',
+    'verifyProofAndRegister',
+    'verifyProofAndRegisterCpu',
+    'verifyProofAndRegisterGps',
+    'verifyProofAndRegisterMemoryPage',
+    'verifyProofAndRegisterContinuousPage',
+]);
+const ZK_RECEIVER_KEYWORD_RE = /proof|fact|gps|stark|fri|committee/i;
+const BUILTIN_CASTS = new Set([
+    'address', 'bool', 'bytes', 'bytes1', 'bytes2', 'bytes3', 'bytes4',
+    'bytes5', 'bytes6', 'bytes7', 'bytes8', 'bytes9', 'bytes10', 'bytes11',
+    'bytes12', 'bytes13', 'bytes14', 'bytes15', 'bytes16', 'bytes17',
+    'bytes18', 'bytes19', 'bytes20', 'bytes21', 'bytes22', 'bytes23',
+    'bytes24', 'bytes25', 'bytes26', 'bytes27', 'bytes28', 'bytes29',
+    'bytes30', 'bytes31', 'bytes32', 'int', 'int8', 'int16', 'int24', 'int32',
+    'int40', 'int48', 'int56', 'int64', 'int72', 'int80', 'int88', 'int96',
+    'int104', 'int112', 'int120', 'int128', 'int136', 'int144', 'int152',
+    'int160', 'int168', 'int176', 'int184', 'int192', 'int200', 'int208',
+    'int216', 'int224', 'int232', 'int240', 'int248', 'int256', 'uint',
+    'uint8', 'uint16', 'uint24', 'uint32', 'uint40', 'uint48', 'uint56',
+    'uint64', 'uint72', 'uint80', 'uint88', 'uint96', 'uint104', 'uint112',
+    'uint120', 'uint128', 'uint136', 'uint144', 'uint152', 'uint160',
+    'uint168', 'uint176', 'uint184', 'uint192', 'uint200', 'uint208',
+    'uint216', 'uint224', 'uint232', 'uint240', 'uint248', 'uint256',
+]);
+const WEAK_PAYLOAD_NAMES = new Set([
+    'claim',
+    'leaf',
+    'nonce',
+]);
+class UnboundZkVerifierInputDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    scanAst(ast, file) {
+        const findings = [];
+        if (!ast || ast.type !== 'SourceUnit')
+            return findings;
+        for (const contract of ast.children || []) {
+            if (contract?.type !== 'ContractDefinition')
+                continue;
+            if (contract.kind === 'interface' || contract.kind === 'library')
+                continue;
+            const stateVars = collectStateVariables(contract);
+            const stateVarTypes = collectStateVariableTypes(contract);
+            const contractName = contract.name || '<anonymous>';
+            for (const fn of contract.subNodes || []) {
+                if (fn?.type !== 'FunctionDefinition' || !fn.body)
+                    continue;
+                const ctx = {
+                    contractName,
+                    functionName: fn.name || (fn.isConstructor ? '<constructor>' : '<anonymous>'),
+                    stateVars,
+                    stateVarTypes,
+                    params: collectParameterNames(fn),
+                    paramTypes: collectParameterTypes(fn),
+                    arrayParams: collectArrayParameters(fn),
+                    localBindings: new Map(),
+                    arrayElements: new Map(),
+                    findings,
+                    file,
+                };
+                walkStatements(fn.body, ctx);
+            }
+        }
+        return findings;
+    }
+}
+exports.UnboundZkVerifierInputDetector = UnboundZkVerifierInputDetector;
+function collectStateVariables(contract) {
+    const names = new Set();
+    for (const sub of contract.subNodes || []) {
+        if (sub?.type !== 'StateVariableDeclaration')
+            continue;
+        for (const variable of sub.variables || []) {
+            if (variable?.name)
+                names.add(variable.name);
+        }
+    }
+    return names;
+}
+function collectParameterNames(fn) {
+    const names = new Set();
+    for (const param of fn.parameters || []) {
+        if (param?.name)
+            names.add(param.name);
+    }
+    return names;
+}
+function collectParameterTypes(fn) {
+    const types = new Map();
+    for (const param of fn.parameters || []) {
+        if (param?.name)
+            types.set(param.name, typeNameToString(param.typeName));
+    }
+    return types;
+}
+function collectArrayParameters(fn) {
+    const names = new Set();
+    for (const param of fn.parameters || []) {
+        if (param?.name && isArrayType(param.typeName))
+            names.add(param.name);
+    }
+    return names;
+}
+function collectStateVariableTypes(contract) {
+    const types = new Map();
+    for (const sub of contract.subNodes || []) {
+        if (sub?.type !== 'StateVariableDeclaration')
+            continue;
+        for (const variable of sub.variables || []) {
+            if (variable?.name)
+                types.set(variable.name, typeNameToString(variable.typeName));
+        }
+    }
+    return types;
+}
+function typeNameToString(typeName) {
+    if (!typeName)
+        return '';
+    if (typeName.type === 'ElementaryTypeName')
+        return typeName.name || '';
+    if (typeName.type === 'UserDefinedTypeName')
+        return typeName.namePath || '';
+    if (typeName.type === 'ArrayTypeName')
+        return `${typeNameToString(typeName.baseTypeName)}[]`;
+    if (typeName.type === 'Mapping') {
+        return `mapping(${typeNameToString(typeName.keyType)}=>${typeNameToString(typeName.valueType)})`;
+    }
+    return '';
+}
+function walkStatements(node, ctx) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (node.type === 'VariableDeclarationStatement') {
+        recordVariableDeclaration(node, ctx);
+        if (node.initialValue)
+            walkStatements(node.initialValue, ctx);
+        return;
+    }
+    if (node.type === 'BinaryOperation' && node.operator === '=') {
+        recordAssignment(node, ctx);
+    }
+    if (node.type === 'FunctionCall') {
+        const pushTarget = getPushTarget(node);
+        if (pushTarget && node.arguments?.[0]) {
+            appendArrayBinding(pushTarget, classifyBinding(node.arguments[0], ctx), ctx);
+        }
+        const verifierName = getVerifierCallName(node, ctx);
+        if (verifierName) {
+            inspectVerifierCall(node, verifierName, ctx);
+        }
+    }
+    for (const child of childNodes(node)) {
+        walkStatements(child, ctx);
+    }
+}
+function recordVariableDeclaration(node, ctx) {
+    const initial = node.initialValue;
+    for (const variable of node.variables || []) {
+        if (!variable?.name)
+            continue;
+        if (isArrayType(variable.typeName)) {
+            ctx.arrayElements.set(variable.name, initial?.type === 'TupleExpression'
+                ? (initial.components || []).map((component) => classifyBinding(component, ctx))
+                : []);
+        }
+        if (initial) {
+            ctx.localBindings.set(variable.name, classifyBinding(initial, ctx));
+        }
+    }
+}
+function recordAssignment(node, ctx) {
+    const left = node.left;
+    const right = node.right;
+    if (!left || !right)
+        return;
+    if (left.type === 'IndexAccess' && left.base?.type === 'Identifier') {
+        setArrayBinding(left.base.name, left.index, classifyBinding(right, ctx), ctx);
+        return;
+    }
+    if (left.type === 'Identifier') {
+        if (right.type === 'TupleExpression') {
+            ctx.arrayElements.set(left.name, (right.components || []).map((component) => classifyBinding(component, ctx)));
+        }
+        ctx.localBindings.set(left.name, classifyBinding(right, ctx));
+    }
+}
+function inspectVerifierCall(node, verifierName, ctx) {
+    const args = node.arguments || [];
+    if (args.length === 0)
+        return;
+    const inputArg = args[verifierName === 'isValid' ? 0 : args.length - 1];
+    if (!inputArg || isPublicInputBound(inputArg, ctx))
+        return;
+    const loc = locOf(node);
+    ctx.findings.push({
+        file: ctx.file,
+        contract: ctx.contractName,
+        'function': ctx.functionName,
+        line: loc.line,
+        endLine: loc.line,
+        column: loc.column,
+        pattern: PATTERN,
+        confidence: 'medium',
+        ruleId: RULE_ID,
+        severity: 'medium',
+        message: `Verifier call in '${ctx.contractName}.${ctx.functionName}' validates zk proof public inputs without binding every input to caller, state, or a payload hash.`,
+        rationale: 'A cryptographically valid zk proof is insufficient unless the consumer contract checks that its public inputs commit to the intended caller, contract state transition, or hashed payload.',
+        suggestedFix: 'Populate verifier public inputs from msg.sender, trusted contract state, or keccak256 over the payload being authorized before calling the verifier.',
+        contractName: ctx.contractName,
+        functionName: ctx.functionName,
+        sourceLocation: loc,
+        findingId: '',
+        contractHash: '',
+        source: SOURCE,
+        provenance: SOURCE,
+    });
+}
+function isPublicInputBound(expr, ctx) {
+    const bindings = publicInputBindings(expr, ctx);
+    if (bindings.length === 0)
+        return false;
+    const hasStrong = bindings.some(binding => binding === 'strong');
+    if (!hasStrong)
+        return false;
+    return bindings.every(binding => binding === 'strong' || binding === 'weak');
+}
+function publicInputBindings(expr, ctx) {
+    if (!expr)
+        return [];
+    if (expr.type === 'Identifier') {
+        return ctx.arrayElements.get(expr.name) || [classifyBinding(expr, ctx)];
+    }
+    if (expr.type === 'TupleExpression') {
+        return (expr.components || []).map((component) => classifyBinding(component, ctx));
+    }
+    return [classifyBinding(expr, ctx)];
+}
+function classifyBinding(expr, ctx) {
+    if (!expr || typeof expr !== 'object')
+        return 'unknown';
+    if (containsMsgSender(expr))
+        return 'strong';
+    if (containsStateRead(expr, ctx.stateVars))
+        return 'strong';
+    if (containsPayloadHash(expr, ctx.params))
+        return 'strong';
+    if (expr.type === 'Identifier') {
+        const local = ctx.localBindings.get(expr.name);
+        if (local)
+            return local;
+        if (ctx.params.has(expr.name)) {
+            return WEAK_PAYLOAD_NAMES.has(expr.name) ? 'weak' : 'unbound';
+        }
+        return 'unknown';
+    }
+    if (expr.type === 'MemberAccess' && expr.expression?.type === 'Identifier') {
+        const base = expr.expression.name;
+        if (ctx.stateVars.has(base))
+            return 'strong';
+        if (ctx.params.has(base))
+            return 'unbound';
+    }
+    if (expr.type === 'FunctionCall' && isBuiltinCast(expr.expression) && expr.arguments?.length === 1) {
+        return classifyBinding(expr.arguments[0], ctx);
+    }
+    return containsFunctionParam(expr, ctx.params) ? 'unbound' : 'unknown';
+}
+function containsMsgSender(node) {
+    return contains(node, child => child.type === 'MemberAccess' &&
+        child.memberName === 'sender' &&
+        child.expression?.type === 'Identifier' &&
+        child.expression.name === 'msg');
+}
+function containsStateRead(node, stateVars) {
+    return contains(node, child => child.type === 'Identifier' &&
+        stateVars.has(child.name));
+}
+function containsPayloadHash(node, params) {
+    return contains(node, child => child.type === 'FunctionCall' &&
+        getDirectName(child.expression) === 'keccak256' &&
+        containsFunctionParam(child, params));
+}
+function containsFunctionParam(node, params) {
+    return contains(node, child => child.type === 'Identifier' &&
+        params.has(child.name) &&
+        !/proof|public|input/i.test(child.name));
+}
+function getVerifierCallName(call, ctx) {
+    const expression = unwrapCallOptions(call.expression);
+    if (expression?.type !== 'MemberAccess')
+        return null;
+    const memberName = expression.memberName;
+    if (!VERIFIER_CALLS.has(memberName))
+        return null;
+    // The bare member name `verify` is too generic — ordinary signature, attestation,
+    // and Merkle verifiers (e.g. `ISigVerifier.verify(bytes32, bytes)`) collide with
+    // the zk verifier surface. Require zk-specific evidence (zk-named receiver/type
+    // or a public-input array argument) before treating it as a zk verifier call.
+    if (memberName === 'verify' && !hasZkVerifyEvidence(call, expression, ctx)) {
+        return null;
+    }
+    return memberName;
+}
+function hasZkVerifyEvidence(call, expression, ctx) {
+    if (hasZkReceiverEvidence(expression, ctx))
+        return true;
+    if (hasPublicInputArrayArgument(call, ctx))
+        return true;
+    return false;
+}
+function hasZkReceiverEvidence(expression, ctx) {
+    const receiver = expression.expression;
+    if (!receiver)
+        return false;
+    let receiverName = '';
+    if (receiver.type === 'Identifier')
+        receiverName = receiver.name || '';
+    else if (receiver.type === 'MemberAccess')
+        receiverName = receiver.memberName || '';
+    if (receiverName && ZK_RECEIVER_KEYWORD_RE.test(receiverName))
+        return true;
+    if (receiver.type === 'Identifier') {
+        const typeStr = ctx.stateVarTypes.get(receiver.name)
+            || ctx.paramTypes.get(receiver.name)
+            || '';
+        if (typeStr && ZK_RECEIVER_KEYWORD_RE.test(typeStr))
+            return true;
+    }
+    return false;
+}
+function hasPublicInputArrayArgument(call, ctx) {
+    for (const arg of call.arguments || []) {
+        if (isArrayArgument(arg, ctx))
+            return true;
+    }
+    return false;
+}
+function isArrayArgument(arg, ctx) {
+    if (!arg)
+        return false;
+    if (arg.type === 'Identifier') {
+        if (ctx.arrayElements.has(arg.name))
+            return true;
+        if (ctx.arrayParams.has(arg.name))
+            return true;
+    }
+    if (arg.type === 'TupleExpression' && arg.isArray)
+        return true;
+    if (arg.type === 'FunctionCall'
+        && arg.expression?.type === 'NewExpression'
+        && isArrayType(arg.expression.typeName)) {
+        return true;
+    }
+    return false;
+}
+function unwrapCallOptions(expr) {
+    if (expr?.type === 'NameValueExpression')
+        return expr.expression;
+    return expr;
+}
+function getPushTarget(call) {
+    const expression = unwrapCallOptions(call.expression);
+    if (expression?.type !== 'MemberAccess')
+        return null;
+    if (expression.memberName !== 'push')
+        return null;
+    if (expression.expression?.type !== 'Identifier')
+        return null;
+    return expression.expression.name;
+}
+function getDirectName(expr) {
+    if (!expr)
+        return null;
+    if (expr.type === 'Identifier')
+        return expr.name;
+    if (expr.type === 'ElementaryTypeName')
+        return expr.name;
+    if (expr.type === 'MemberAccess')
+        return expr.memberName;
+    return null;
+}
+function isBuiltinCast(expr) {
+    const name = getDirectName(expr);
+    return !!name && BUILTIN_CASTS.has(name);
+}
+function isArrayType(typeName) {
+    return typeName?.type === 'ArrayTypeName';
+}
+function setArrayBinding(name, index, binding, ctx) {
+    const elements = ctx.arrayElements.get(name) || [];
+    const numericIndex = Number(index?.number);
+    if (Number.isInteger(numericIndex) && numericIndex >= 0) {
+        elements[numericIndex] = binding;
+    }
+    else {
+        elements.push(binding);
+    }
+    ctx.arrayElements.set(name, elements);
+}
+function appendArrayBinding(name, binding, ctx) {
+    const elements = ctx.arrayElements.get(name) || [];
+    elements.push(binding);
+    ctx.arrayElements.set(name, elements);
+}
+function childNodes(node) {
+    const children = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'range')
+            continue;
+        if (Array.isArray(value)) {
+            for (const child of value) {
+                if (child && typeof child === 'object')
+                    children.push(child);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            children.push(value);
+        }
+    }
+    return children;
+}
+function contains(node, predicate) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (predicate(node))
+        return true;
+    return childNodes(node).some(child => contains(child, predicate));
+}
+function locOf(node) {
+    const { line, column } = (0, ast_1.assertLoc)(node);
+    return { line, column };
+}
+//# sourceMappingURL=unbound-zk-verifier-input.js.map

package/dist/detectors/unbounded-share-price-collateral-oracle.d.ts

@@ -0,0 +1,48 @@
+import type { ScanResult } from '../index';
+export declare class UnboundedSharePriceCollateralOracleDetector {
+    readonly id = "unbounded-share-price-collateral-oracle";
+    readonly patternKey = "unbounded-share-price-collateral-oracle";
+    readonly supportedAstKinds: "parser"[];
+    scanAst(ast: any, file: string): ScanResult[];
+    private analyzeFunction;
+    private collectSharePriceReads;
+    private isSharePriceCall;
+    private assignedNamesForCall;
+    private propagateTaint;
+    private hasCollateralOracleSink;
+    private hasLocalSafeguard;
+    private buildFinding;
+    private collectIndependentOracleNames;
+    private hasFreshnessCheck;
+    private hasDeviationBound;
+    private hasDeviationBoundForCall;
+    private conditionHasDeviationBound;
+    private hasTwoSidedClamp;
+    private collectGuardBounds;
+    private collectBoundsFromConjunction;
+    private classifyComparisonBound;
+    private collectMinMaxBounds;
+    private analyzeMinMaxChain;
+    private assignmentToName;
+    private hasPricingArithmetic;
+    private hasInlinePricingArithmetic;
+    private returnUsesName;
+    private isReturned;
+    private taintedInGuardSink;
+    private guardCondition;
+    private isComparison;
+    private containsComparison;
+    private isMultiplicative;
+    private isAssignmentOperator;
+    private isZeroOnlyComparison;
+    private containsZeroLiteral;
+    private containsBlockTimestamp;
+    private memberName;
+    private unwrapCallOptions;
+    private receiverText;
+    private collectIdentifiers;
+    private containsNode;
+    private walk;
+    private walkWithParent;
+    private children;
+}