@snovon/solast 0.2.0

package/dist/detectors/unchecked-call-forwarding.js

@@ -0,0 +1,330 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UncheckedCallForwardingDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'unchecked-call-forwarding';
+const PATTERN = `${RULE_ID}/discarded-forwarded-success`;
+const LOW_LEVEL_CALLS = new Set(['call', 'delegatecall', 'staticcall', 'send']);
+class UncheckedCallForwardingDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'Forwarding wrappers should not hide low-level call failure.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'medium',
+        help: 'Check the low-level call success value before returning forwarded data, or bubble the success value to the caller as part of the wrapper return value.',
+    };
+    currentFile = '';
+    currentContract = '<unknown>';
+    fn = null;
+    findings = [];
+    setFile(file) {
+        this.currentFile = file;
+        this.currentContract = '<unknown>';
+        this.fn = null;
+        this.findings = [];
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        if ((0, ast_1.isNode)(node, 'ContractDefinition') && node.kind !== 'interface') {
+            this.currentContract = node.name || '<anonymous>';
+        }
+    }
+    ContractDefinition_post(_node) {
+        this.currentContract = '<unknown>';
+    }
+    ['ContractDefinition:exit'](node) {
+        this.ContractDefinition_post(node);
+    }
+    FunctionDefinition(node) {
+        this.fn = null;
+        if (!(0, ast_1.isNode)(node, 'FunctionDefinition') || !node.body)
+            return;
+        this.fn = {
+            name: node.name || (node.isConstructor ? '<constructor>' : '<fallback>'),
+            node,
+            captures: [],
+            checkedVars: new Set(),
+            returnedVars: new Set(),
+            hasReturnExpression: false,
+            aliasEdges: new Map(),
+            emittedKeys: new Set(),
+        };
+    }
+    FunctionDefinition_post(_node) {
+        if (this.fn)
+            this.finalizeFunction(this.fn);
+        this.fn = null;
+    }
+    ['FunctionDefinition:exit'](node) {
+        this.FunctionDefinition_post(node);
+    }
+    VariableDeclarationStatement(node) {
+        if (!this.fn)
+            return;
+        const call = asLowLevelCall(node.initialValue);
+        if (call) {
+            this.fn.captures.push({
+                callName: call.callName,
+                callNode: call.node,
+                successVar: firstVariableName(node.variables),
+                dataVars: dataVariableNames(node.variables),
+            });
+            return;
+        }
+        const alias = aliasDeclaration(node);
+        if (alias)
+            this.fn.aliasEdges.set(alias.alias, alias.source);
+    }
+    ExpressionStatement(node) {
+        if (!this.fn)
+            return;
+        const expr = node.expression;
+        if (!(0, ast_1.isNode)(expr, 'BinaryOperation') || expr.operator !== '=')
+            return;
+        const call = asLowLevelCall(expr.right);
+        if (call) {
+            this.fn.captures.push({
+                callName: call.callName,
+                callNode: call.node,
+                successVar: assignedSuccessName(expr.left, call.callName),
+                dataVars: assignedDataNames(expr.left),
+            });
+            return;
+        }
+        const alias = aliasAssignment(expr);
+        if (alias)
+            this.fn.aliasEdges.set(alias.alias, alias.source);
+    }
+    FunctionCall(node) {
+        if (!this.fn)
+            return;
+        const directName = directCallName(node.expression);
+        if (directName !== 'require' && directName !== 'assert')
+            return;
+        collectCheckedIdentifiers(node.arguments?.[0], this.fn.checkedVars);
+    }
+    IfStatement(node) {
+        if (!this.fn)
+            return;
+        const checked = revertingFailureCheck(node);
+        if (checked)
+            this.fn.checkedVars.add(checked);
+    }
+    ReturnStatement(node) {
+        if (!this.fn || !node.expression)
+            return;
+        this.fn.hasReturnExpression = true;
+        collectIdentifiers(node.expression, this.fn.returnedVars);
+    }
+    finalizeFunction(fn) {
+        for (const capture of fn.captures) {
+            const successNames = successNamesFor(capture, fn.aliasEdges);
+            if (hasAny(fn.checkedVars, successNames) || hasAny(fn.returnedVars, successNames))
+                continue;
+            if (!isForwardingContext(capture, fn))
+                continue;
+            const loc = (0, ast_1.tryLoc)(capture.callNode, fn.node) ?? { line: 1, endLine: 1, column: 0, endColumn: 0 };
+            const key = `${loc.line}:${loc.column}`;
+            if (fn.emittedKeys.has(key))
+                continue;
+            fn.emittedKeys.add(key);
+            this.findings.push({
+                file: this.currentFile,
+                contract: this.currentContract,
+                'function': fn.name,
+                line: loc.line,
+                endLine: loc.endLine,
+                column: loc.column,
+                endColumn: loc.endColumn,
+                ruleId: RULE_ID,
+                pattern: PATTERN,
+                severity: 'medium',
+                confidence: 'medium',
+                category: 'unsafe-pattern',
+                message: `Forwarding wrapper '${fn.name}' uses ${capture.callName} return data or wrapper output without checking the low-level call success value.`,
+                findingId: '',
+                contractHash: '',
+                contractName: this.currentContract,
+                functionName: fn.name,
+                sourceLocation: { line: loc.line, column: loc.column },
+            });
+        }
+    }
+}
+exports.UncheckedCallForwardingDetector = UncheckedCallForwardingDetector;
+function isForwardingContext(capture, fn) {
+    if (capture.callName === 'send')
+        return capture.successVar !== null && fn.hasReturnExpression;
+    if (hasAny(fn.returnedVars, capture.dataVars))
+        return true;
+    return capture.dataVars.size === 0 && fn.hasReturnExpression;
+}
+function successNamesFor(capture, aliases) {
+    const names = new Set();
+    if (!capture.successVar)
+        return names;
+    names.add(capture.successVar);
+    for (const [alias, source] of aliases) {
+        if (source === capture.successVar)
+            names.add(alias);
+    }
+    return names;
+}
+function hasAny(haystack, needles) {
+    for (const needle of needles) {
+        if (haystack.has(needle))
+            return true;
+    }
+    return false;
+}
+function asLowLevelCall(node) {
+    if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+        return null;
+    const callName = lowLevelMemberName(node.expression);
+    return callName ? { node, callName } : null;
+}
+function lowLevelMemberName(expr) {
+    if (!expr)
+        return null;
+    if ((0, ast_1.isNode)(expr, 'MemberAccess') && LOW_LEVEL_CALLS.has(expr.memberName))
+        return expr.memberName;
+    if ((0, ast_1.isNode)(expr, 'NameValueExpression'))
+        return lowLevelMemberName(expr.expression);
+    return null;
+}
+function firstVariableName(variables) {
+    if (!Array.isArray(variables) || variables.length === 0)
+        return null;
+    return variableName(variables[0]);
+}
+function dataVariableNames(variables) {
+    const names = new Set();
+    if (!Array.isArray(variables))
+        return names;
+    for (let i = 1; i < variables.length; i++) {
+        const name = variableName(variables[i]);
+        if (name)
+            names.add(name);
+    }
+    return names;
+}
+function assignedSuccessName(left, callName) {
+    if ((0, ast_1.isNode)(left, 'TupleExpression'))
+        return assignedName(left.components?.[0]);
+    return callName === 'send' ? identifierName(left) : null;
+}
+function assignedDataNames(left) {
+    const names = new Set();
+    if (!(0, ast_1.isNode)(left, 'TupleExpression'))
+        return names;
+    for (let i = 1; i < (left.components || []).length; i++) {
+        const name = assignedName(left.components[i]);
+        if (name)
+            names.add(name);
+    }
+    return names;
+}
+function assignedName(expr) {
+    if ((0, ast_1.isNode)(expr, 'IndexAccess'))
+        return identifierName(expr.base);
+    return identifierName(expr);
+}
+function variableName(node) {
+    return node?.name || node?.identifier?.name || null;
+}
+function aliasDeclaration(node) {
+    if (!Array.isArray(node.variables) || node.variables.length !== 1)
+        return null;
+    const alias = variableName(node.variables[0]);
+    const source = identifierName(node.initialValue);
+    return alias && source ? { alias, source } : null;
+}
+function aliasAssignment(node) {
+    const alias = identifierName(node.left);
+    const source = identifierName(node.right);
+    return alias && source ? { alias, source } : null;
+}
+function revertingFailureCheck(node) {
+    const condition = node.condition;
+    if (!(0, ast_1.isNode)(condition, 'UnaryOperation') || condition.operator !== '!')
+        return null;
+    const checked = identifierName(condition.subExpression);
+    if (!checked)
+        return null;
+    return containsRevertOrReturn(node.trueBody) ? checked : null;
+}
+function containsRevertOrReturn(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if ((0, ast_1.isNode)(node, 'RevertStatement') || (0, ast_1.isNode)(node, 'ReturnStatement'))
+        return true;
+    if ((0, ast_1.isNode)(node, 'FunctionCall') && directCallName(node.expression) === 'revert')
+        return true;
+    if ((0, ast_1.isNode)(node, 'AssemblyCall') && node.functionName === 'revert')
+        return true;
+    for (const child of childNodes(node)) {
+        if (containsRevertOrReturn(child))
+            return true;
+    }
+    return false;
+}
+function collectCheckedIdentifiers(expr, checked) {
+    const direct = checkedIdentifier(expr);
+    if (direct) {
+        checked.add(direct);
+        return;
+    }
+    if ((0, ast_1.isNode)(expr, 'BinaryOperation') && expr.operator === '&&') {
+        collectCheckedIdentifiers(expr.left, checked);
+        collectCheckedIdentifiers(expr.right, checked);
+    }
+}
+function checkedIdentifier(expr) {
+    const direct = identifierName(expr);
+    if (direct)
+        return direct;
+    if ((0, ast_1.isNode)(expr, 'UnaryOperation') && expr.operator === '!')
+        return identifierName(expr.subExpression);
+    if ((0, ast_1.isNode)(expr, 'BinaryOperation') && (expr.operator === '==' || expr.operator === '!=')) {
+        return identifierName(expr.left) || identifierName(expr.right);
+    }
+    return null;
+}
+function collectIdentifiers(node, out) {
+    if (!node || typeof node !== 'object')
+        return;
+    const name = identifierName(node);
+    if (name)
+        out.add(name);
+    for (const child of childNodes(node))
+        collectIdentifiers(child, out);
+}
+function childNodes(node) {
+    const children = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'range')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    children.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            children.push(value);
+        }
+    }
+    return children;
+}
+function directCallName(expr) {
+    return (0, ast_1.isNode)(expr, 'Identifier') ? expr.name : null;
+}
+function identifierName(expr) {
+    return (0, ast_1.isNode)(expr, 'Identifier') ? expr.name : null;
+}
+//# sourceMappingURL=unchecked-call-forwarding.js.map

package/dist/detectors/unchecked-external-call-unconditional-state-mutation.d.ts

@@ -0,0 +1,18 @@
+import type { ScanResult } from '../index';
+import { UncheckedExternalCallDetector } from './unchecked-external-call';
+export declare class UncheckedExternalCallUnconditionalStateMutationDetector extends UncheckedExternalCallDetector {
+    readonly id: string;
+    readonly patternKey: string;
+    protected analyzeFunction(file: string, ast: any, contract: any, fn: any): ScanResult[];
+    private collectLocalVars;
+    private hasUnvalidatedSubsequentStateMutation;
+    private assignsVariable;
+    private validatesVariable;
+    private isTerminatingFailureBranch;
+    private isFailureConditionForVariable;
+    private isSuccessConditionForVariable;
+    private isTerminatingStatement;
+    private booleanLiteralValue;
+    private isStateModification;
+    private isStateReference;
+}

package/dist/detectors/unchecked-external-call-unconditional-state-mutation.js

@@ -0,0 +1,311 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UncheckedExternalCallUnconditionalStateMutationDetector = void 0;
+const unchecked_external_call_1 = require("./unchecked-external-call");
+const loop_call_stack_1 = require("./_common/loop-call-stack");
+const RULE_ID = 'unchecked-external-call-unconditional-state-mutation';
+const PATTERN = `${RULE_ID}/phantom-state-update`;
+class UncheckedExternalCallUnconditionalStateMutationDetector extends unchecked_external_call_1.UncheckedExternalCallDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    analyzeFunction(file, ast, contract, fn) {
+        const returnedVars = new Set();
+        let hasReturnExpression = false;
+        this.collectReturnInfo(fn.body, returnedVars, () => { hasReturnExpression = true; });
+        const candidates = [];
+        this.collectCandidates(fn.body, ast, candidates, false);
+        const localVars = this.collectLocalVars(fn);
+        return candidates
+            .filter((candidate) => !this.isForwardingWrapperCandidate(candidate, returnedVars, hasReturnExpression))
+            .filter((candidate) => this.hasUnvalidatedSubsequentStateMutation(fn.body, candidate.stmtNode, localVars, candidate.checkedVar))
+            .map((candidate) => {
+            const finding = {
+                file,
+                contract: contract.name || '<anonymous>',
+                'function': fn.name || (fn.isConstructor ? '<constructor>' : '<anonymous>'),
+                line: candidate.loc.line,
+                column: candidate.loc.column,
+                ruleId: RULE_ID,
+                pattern: PATTERN,
+                severity: 'medium',
+                confidence: 'medium',
+                category: 'vulnerability',
+                message: `Unchecked external ${candidate.callName} return value followed by unconditional state mutation.`,
+                findingId: '',
+                contractHash: '',
+            };
+            if (candidate.insideLoop) {
+                (0, loop_call_stack_1.enrichLoopCallStack)(finding, (0, loop_call_stack_1.loopCallPathForFunction)(contract, fn));
+            }
+            return finding;
+        });
+    }
+    collectLocalVars(fn) {
+        const locals = new Set();
+        if (fn.parameters) {
+            for (const p of fn.parameters) {
+                if (p.name && p.storageLocation !== 'storage')
+                    locals.add(p.name);
+            }
+        }
+        if (fn.returnParameters) {
+            for (const p of fn.returnParameters) {
+                if (p.name)
+                    locals.add(p.name);
+            }
+        }
+        const traverse = (node) => {
+            if (!node || typeof node !== 'object')
+                return;
+            if (node.type === 'VariableDeclaration' && node.name && node.storageLocation !== 'storage') {
+                locals.add(node.name);
+            }
+            for (const [key, value] of Object.entries(node)) {
+                if (key === 'loc' || key === 'range')
+                    continue;
+                if (Array.isArray(value)) {
+                    for (const item of value)
+                        traverse(item);
+                }
+                else if (value && typeof value === 'object') {
+                    traverse(value);
+                }
+            }
+        };
+        traverse(fn.body);
+        return locals;
+    }
+    hasUnvalidatedSubsequentStateMutation(fnBody, callStmtNode, localVars, checkedVar) {
+        let seenCall = false;
+        let seenValidation = false;
+        let seenSuccessReassignment = false;
+        let foundMutation = false;
+        const traverse = (node, inCheckedIf) => {
+            if (!node || typeof node !== 'object' || foundMutation)
+                return;
+            // If we see the call statement, we mark it.
+            if (node === callStmtNode) {
+                seenCall = true;
+                return;
+            }
+            if (seenCall &&
+                node !== callStmtNode &&
+                checkedVar &&
+                !seenValidation &&
+                this.assignsVariable(node, checkedVar)) {
+                seenSuccessReassignment = true;
+            }
+            const validateAfterChildren = seenCall &&
+                node !== callStmtNode &&
+                checkedVar &&
+                !seenSuccessReassignment &&
+                !seenValidation &&
+                node.type === 'IfStatement' &&
+                this.validatesVariable(node, checkedVar);
+            if (seenCall &&
+                node !== callStmtNode &&
+                checkedVar &&
+                !seenSuccessReassignment &&
+                node.type !== 'IfStatement' &&
+                this.validatesVariable(node, checkedVar)) {
+                seenValidation = true;
+            }
+            let nextInCheckedIf = inCheckedIf;
+            if (node.type === 'IfStatement' && checkedVar) {
+                if (this.isSuccessConditionForVariable(node.condition, checkedVar)) {
+                    nextInCheckedIf = true;
+                }
+            }
+            // If we've seen the call, and we are not AT the call, and we are NOT in an if block checking the success var
+            if (seenCall && node !== callStmtNode && !seenValidation && !nextInCheckedIf) {
+                if (this.isStateModification(node, localVars)) {
+                    foundMutation = true;
+                    return;
+                }
+            }
+            for (const [key, value] of Object.entries(node)) {
+                if (key === 'loc' || key === 'range')
+                    continue;
+                if (Array.isArray(value)) {
+                    for (const item of value)
+                        traverse(item, nextInCheckedIf);
+                }
+                else if (value && typeof value === 'object') {
+                    traverse(value, nextInCheckedIf);
+                }
+            }
+            if (validateAfterChildren) {
+                seenValidation = true;
+            }
+        };
+        traverse(fnBody, false);
+        return foundMutation;
+    }
+    assignsVariable(node, name) {
+        if (node.type === 'VariableDeclarationStatement') {
+            return this.firstVariableName(node.variables) === name;
+        }
+        const expr = node.type === 'ExpressionStatement' ? node.expression : node;
+        if (expr?.type === 'BinaryOperation' && expr.operator === '=') {
+            if (this.identifierName(expr.left) === name)
+                return true;
+            if (expr.left?.type === 'TupleExpression') {
+                return this.identifierName(expr.left.components?.[0]) === name;
+            }
+        }
+        return false;
+    }
+    validatesVariable(node, checkedVar) {
+        const validations = new Set();
+        if (node.type === 'FunctionCall') {
+            const directName = this.directCallName(node.expression);
+            if (directName === 'require' || directName === 'assert') {
+                this.collectCheckedIdentifiers(node.arguments?.[0], validations);
+            }
+            if (directName === 'verifyCallResult' && node.arguments?.[0]) {
+                const checked = this.checkedIdentifier(node.arguments[0]);
+                if (checked)
+                    validations.add(checked);
+            }
+            else if ((directName === 'verify' ||
+                directName === 'verifyCallResultFromTarget' ||
+                directName === '_revert') &&
+                node.arguments?.[1]) {
+                const checked = this.checkedIdentifier(node.arguments[1]);
+                if (checked)
+                    validations.add(checked);
+            }
+        }
+        if (node.type === 'IfStatement') {
+            const revertingChecked = this.revertingFailureCheck(node);
+            if (revertingChecked)
+                validations.add(revertingChecked);
+            if (this.isTerminatingFailureBranch(node, checkedVar)) {
+                validations.add(checkedVar);
+            }
+            if (this.isSuccessConditionForVariable(node.condition, checkedVar) &&
+                this.isTerminatingStatement(node.falseBody)) {
+                validations.add(checkedVar);
+            }
+        }
+        if (node.type === 'ReturnStatement') {
+            this.collectReturnedSuccessIdentifiers(node.expression, validations, false);
+        }
+        return validations.has(checkedVar);
+    }
+    isTerminatingFailureBranch(node, checkedVar) {
+        if (node.type !== 'IfStatement')
+            return false;
+        if (!this.isFailureConditionForVariable(node.condition, checkedVar))
+            return false;
+        return this.isTerminatingStatement(node.trueBody);
+    }
+    isFailureConditionForVariable(condition, checkedVar) {
+        if (condition?.type === 'UnaryOperation' && condition.operator === '!') {
+            return this.identifierName(condition.subExpression) === checkedVar;
+        }
+        if (condition?.type !== 'BinaryOperation')
+            return false;
+        const leftName = this.identifierName(condition.left);
+        const rightName = this.identifierName(condition.right);
+        const leftBool = this.booleanLiteralValue(condition.left);
+        const rightBool = this.booleanLiteralValue(condition.right);
+        if (condition.operator === '==') {
+            return (leftName === checkedVar && rightBool === false) || (rightName === checkedVar && leftBool === false);
+        }
+        if (condition.operator === '!=') {
+            return (leftName === checkedVar && rightBool === true) || (rightName === checkedVar && leftBool === true);
+        }
+        return false;
+    }
+    isSuccessConditionForVariable(condition, checkedVar) {
+        if (this.identifierName(condition) === checkedVar)
+            return true;
+        if (condition?.type === 'BinaryOperation' && condition.operator === '&&') {
+            return this.isSuccessConditionForVariable(condition.left, checkedVar) ||
+                this.isSuccessConditionForVariable(condition.right, checkedVar);
+        }
+        if (condition?.type !== 'BinaryOperation')
+            return false;
+        const leftName = this.identifierName(condition.left);
+        const rightName = this.identifierName(condition.right);
+        const leftBool = this.booleanLiteralValue(condition.left);
+        const rightBool = this.booleanLiteralValue(condition.right);
+        if (condition.operator === '==') {
+            return (leftName === checkedVar && rightBool === true) || (rightName === checkedVar && leftBool === true);
+        }
+        if (condition.operator === '!=') {
+            return (leftName === checkedVar && rightBool === false) || (rightName === checkedVar && leftBool === false);
+        }
+        return false;
+    }
+    isTerminatingStatement(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (node.type === 'ReturnStatement' || node.type === 'RevertStatement' || node.type === 'ThrowStatement') {
+            return true;
+        }
+        if (node.type === 'ExpressionStatement') {
+            return this.isTerminatingStatement(node.expression);
+        }
+        if (node.type === 'FunctionCall') {
+            const directName = this.directCallName(node.expression);
+            if (directName === 'revert')
+                return true;
+            if ((directName === 'require' || directName === 'assert') && this.booleanLiteralValue(node.arguments?.[0]) === false) {
+                return true;
+            }
+        }
+        const statements = node.type === 'Block' ? node.statements : null;
+        if (Array.isArray(statements) && statements.length > 0) {
+            return this.isTerminatingStatement(statements[statements.length - 1]);
+        }
+        return false;
+    }
+    booleanLiteralValue(node) {
+        if (node?.type !== 'BooleanLiteral')
+            return null;
+        return node.value === true;
+    }
+    isStateModification(expr, localVars) {
+        if (!expr)
+            return false;
+        if (expr.type === 'BinaryOperation') {
+            const ops = ['=', '+=', '-=', '*=', '/=', '%=', '&=', '|=', '^=', '<<=', '>>=', '>>>='];
+            if (ops.includes(expr.operator)) {
+                return this.isStateReference(expr.left, localVars);
+            }
+        }
+        if (expr.type === 'UnaryOperation') {
+            const ops = ['++', '--', 'delete'];
+            if (ops.includes(expr.operator)) {
+                return this.isStateReference(expr.subExpression, localVars);
+            }
+        }
+        if (expr.type === 'FunctionCall') {
+            if (expr.expression?.type === 'MemberAccess') {
+                const member = expr.expression.memberName;
+                if (member === 'transfer' || member === 'transferFrom' || member === 'mint' || member === 'burn') {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+    isStateReference(expr, localVars) {
+        if (!expr)
+            return false;
+        if (expr.type === 'Identifier') {
+            return !localVars.has(expr.name);
+        }
+        if (expr.type === 'IndexAccess') {
+            return this.isStateReference(expr.base, localVars);
+        }
+        if (expr.type === 'MemberAccess') {
+            return this.isStateReference(expr.expression, localVars);
+        }
+        return false;
+    }
+}
+exports.UncheckedExternalCallUnconditionalStateMutationDetector = UncheckedExternalCallUnconditionalStateMutationDetector;
+//# sourceMappingURL=unchecked-external-call-unconditional-state-mutation.js.map