@snovon/solast 0.2.0

package/dist/detectors/unguarded-governance-execution.js

@@ -0,0 +1,422 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UnguardedGovernanceExecutionDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'unguarded-governance-execution';
+const ASSIGN_OPS = new Set(['=', '+=', '-=', '*=', '/=', '%=', '&=', '|=', '^=', '<<=', '>>=', '>>>=']);
+const GOVERNANCE_FN = /^(execute|executeProposal|queue)$/i;
+const STATUS_NAMES = /state|proposalstate|getproposalstate|votingended|finalized|succeeded|queued|executed/i;
+const READY_NAMES = /eta|queuedat|timelock|delay|isqueued|ready/i;
+const EXECUTED_NAMES = /executed/i;
+const LOW_LEVEL_OR_TRANSFER = /^(call|delegatecall|send|transfer|transferFrom)$/;
+const EXECUTOR_NAMES = /^(execute|executeTransaction|queue|queueTransaction)$/i;
+const EXECUTOR_OBJECT = /timelock|executor|governor|governance/i;
+class UnguardedGovernanceExecutionDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    scanAst(ast, file) {
+        if (!ast || ast.type !== 'SourceUnit')
+            return [];
+        const findings = [];
+        for (const contract of ast.children || []) {
+            if (contract?.type !== 'ContractDefinition')
+                continue;
+            if (contract.kind === 'interface' || contract.kind === 'library')
+                continue;
+            const modifiers = this.collectModifiers(contract);
+            for (const fn of contract.subNodes || []) {
+                if (fn?.type !== 'FunctionDefinition' || !fn.body)
+                    continue;
+                if (!this.isCandidateFunction(fn))
+                    continue;
+                const proposalParams = this.collectProposalParams(fn);
+                if (proposalParams.size === 0)
+                    continue;
+                if (!this.hasGovernanceGuardSurface(fn, modifiers))
+                    continue;
+                const ctx = {
+                    file,
+                    contractName: contract.name || '<anonymous>',
+                    functionName: fn.name || '<anonymous>',
+                    proposalParams,
+                    aliases: new Map(),
+                    guards: new Map(),
+                    findings,
+                };
+                this.applyPreBodyModifiers(fn, modifiers, ctx);
+                this.walkStatement(fn.body, ctx);
+            }
+        }
+        return findings;
+    }
+    isCandidateFunction(fn) {
+        const name = String(fn.name || '');
+        if (GOVERNANCE_FN.test(name))
+            return true;
+        if (!fn.body)
+            return false;
+        return this.containsExecutorDelegation(fn.body);
+    }
+    collectProposalParams(fn) {
+        const params = new Set();
+        for (const param of fn.parameters || []) {
+            const name = String(param?.name || '');
+            if (/^(id|proposalId|proposalID|proposal)$/i.test(name) || /proposal/i.test(name)) {
+                params.add(name);
+            }
+        }
+        return params;
+    }
+    collectModifiers(contract) {
+        const modifiers = new Map();
+        for (const sub of contract.subNodes || []) {
+            if (sub?.type === 'ModifierDefinition' && sub.name)
+                modifiers.set(sub.name, sub);
+        }
+        return modifiers;
+    }
+    applyPreBodyModifiers(fn, modifiers, ctx) {
+        for (const invocation of fn.modifiers || []) {
+            const modifier = modifiers.get(invocation?.name);
+            if (!modifier?.body)
+                continue;
+            const modifierParams = (modifier.parameters || []).map((p) => p?.name || '');
+            const argMap = new Map();
+            for (let i = 0; i < modifierParams.length; i++) {
+                const argName = this.identifierName(invocation.arguments?.[i]);
+                if (modifierParams[i] && argName)
+                    argMap.set(modifierParams[i], argName);
+            }
+            for (const statement of modifier.body.statements || []) {
+                if (statement?.type === 'ExpressionStatement' && statement.expression?.type === 'Identifier' && statement.expression.name === '_') {
+                    break;
+                }
+                this.walkStatementWithParamMap(statement, ctx, argMap);
+            }
+        }
+    }
+    walkStatementWithParamMap(statement, ctx, argMap) {
+        const original = ctx.proposalParams;
+        ctx.proposalParams = new Set([...ctx.proposalParams, ...argMap.keys()]);
+        this.walkStatement(statement, ctx, argMap);
+        ctx.proposalParams = original;
+    }
+    walkStatement(node, ctx, paramMap = new Map()) {
+        if (!node || typeof node !== 'object')
+            return;
+        switch (node.type) {
+            case 'Block':
+                for (const stmt of node.statements || [])
+                    this.walkStatement(stmt, ctx, paramMap);
+                return;
+            case 'VariableDeclarationStatement':
+                this.recordProposalAlias(node, ctx, paramMap);
+                if (node.initialValue)
+                    this.walkExpression(node.initialValue, ctx, paramMap);
+                return;
+            case 'ExpressionStatement':
+                this.walkExpression(node.expression, ctx, paramMap);
+                return;
+            case 'IfStatement':
+                this.walkExpression(node.condition, ctx, paramMap);
+                this.walkStatement(node.trueBody, ctx, paramMap);
+                this.walkStatement(node.falseBody, ctx, paramMap);
+                return;
+            case 'ForStatement':
+                this.walkStatement(node.initExpression, ctx, paramMap);
+                this.walkExpression(node.conditionExpression, ctx, paramMap);
+                this.walkExpression(node.loopExpression, ctx, paramMap);
+                this.walkStatement(node.body, ctx, paramMap);
+                return;
+            case 'WhileStatement':
+            case 'DoWhileStatement':
+                this.walkExpression(node.condition, ctx, paramMap);
+                this.walkStatement(node.body, ctx, paramMap);
+                return;
+            case 'ReturnStatement':
+            case 'ThrowStatement':
+            case 'EmitStatement':
+                this.walkExpression(node.expression, ctx, paramMap);
+                return;
+            default:
+                for (const child of this.childNodes(node)) {
+                    if (this.isStatementLike(child))
+                        this.walkStatement(child, ctx, paramMap);
+                    else
+                        this.walkExpression(child, ctx, paramMap);
+                }
+        }
+    }
+    walkExpression(node, ctx, paramMap) {
+        if (!node || typeof node !== 'object')
+            return;
+        if (node.type === 'FunctionCall') {
+            const name = this.callMemberName(node);
+            if (name === 'require' || name === 'assert') {
+                this.recordGuard(node.arguments?.[0], ctx, paramMap);
+                for (const arg of node.arguments || [])
+                    this.walkExpression(arg, ctx, paramMap);
+                return;
+            }
+            if (this.isPrivilegedSink(node)) {
+                const proposalKey = this.proposalKeyForSink(node, ctx, paramMap);
+                if (proposalKey && !this.hasCompleteGuard(ctx, proposalKey)) {
+                    ctx.findings.push(this.makeFinding(ctx, node));
+                    return;
+                }
+            }
+            for (const child of this.childNodes(node))
+                this.walkExpression(child, ctx, paramMap);
+            return;
+        }
+        if (node.type === 'BinaryOperation') {
+            if (ASSIGN_OPS.has(node.operator) && this.isExecutedWrite(node.left, ctx, paramMap)) {
+                const key = this.proposalKeyForExpression(node.left, ctx, paramMap);
+                if (key)
+                    this.ensureGuard(ctx, key).executed = true;
+            }
+            if (node.left)
+                this.walkExpression(node.left, ctx, paramMap);
+            if (node.right)
+                this.walkExpression(node.right, ctx, paramMap);
+            return;
+        }
+        if (node.type === 'UnaryOperation') {
+            if (this.isExecutedWrite(node.subExpression, ctx, paramMap)) {
+                const key = this.proposalKeyForExpression(node.subExpression, ctx, paramMap);
+                if (key)
+                    this.ensureGuard(ctx, key).executed = true;
+            }
+            this.walkExpression(node.subExpression, ctx, paramMap);
+            return;
+        }
+        for (const child of this.childNodes(node))
+            this.walkExpression(child, ctx, paramMap);
+    }
+    recordProposalAlias(stmt, ctx, paramMap) {
+        const key = this.proposalKeyForExpression(stmt.initialValue, ctx, paramMap);
+        if (!key)
+            return;
+        for (const variable of stmt.variables || []) {
+            if (variable?.name)
+                ctx.aliases.set(variable.name, key);
+        }
+    }
+    recordGuard(condition, ctx, paramMap) {
+        if (!condition)
+            return;
+        const key = this.proposalKeyForExpression(condition, ctx, paramMap);
+        if (!key)
+            return;
+        const text = this.expressionToString(condition).toLowerCase();
+        const bits = this.ensureGuard(ctx, key);
+        if (STATUS_NAMES.test(text))
+            bits.status = true;
+        if (READY_NAMES.test(text))
+            bits.ready = true;
+        if (EXECUTED_NAMES.test(text))
+            bits.executed = true;
+    }
+    isPrivilegedSink(call) {
+        const member = this.callMemberName(call);
+        if (!member)
+            return false;
+        if (LOW_LEVEL_OR_TRANSFER.test(member))
+            return true;
+        if (EXECUTOR_NAMES.test(member) && EXECUTOR_OBJECT.test(this.expressionToString(this.callObject(call))))
+            return true;
+        return false;
+    }
+    proposalKeyForSink(call, ctx, paramMap) {
+        const direct = this.proposalKeyForExpression(call, ctx, paramMap);
+        if (direct)
+            return direct;
+        return ctx.proposalParams.size === 1 ? [...ctx.proposalParams][0] : null;
+    }
+    proposalKeyForExpression(node, ctx, paramMap) {
+        if (!node || typeof node !== 'object')
+            return null;
+        if (node.type === 'Identifier') {
+            const name = this.mapParam(node.name, paramMap);
+            if (ctx.proposalParams.has(name))
+                return name;
+            return ctx.aliases.get(name) || null;
+        }
+        if (node.type === 'IndexAccess' && this.expressionToString(node.base).toLowerCase().includes('proposal')) {
+            const indexName = this.identifierName(node.index);
+            if (indexName) {
+                const mapped = this.mapParam(indexName, paramMap);
+                if (ctx.proposalParams.has(mapped))
+                    return mapped;
+            }
+        }
+        if (node.type === 'MemberAccess') {
+            const root = this.rootIdentifier(node.expression);
+            if (root && ctx.aliases.has(root))
+                return ctx.aliases.get(root) || null;
+        }
+        for (const child of this.childNodes(node)) {
+            const key = this.proposalKeyForExpression(child, ctx, paramMap);
+            if (key)
+                return key;
+        }
+        return null;
+    }
+    hasCompleteGuard(ctx, key) {
+        const bits = ctx.guards.get(key);
+        return !!bits?.status && !!bits.ready && !!bits.executed;
+    }
+    ensureGuard(ctx, key) {
+        let bits = ctx.guards.get(key);
+        if (!bits) {
+            bits = { status: false, ready: false, executed: false };
+            ctx.guards.set(key, bits);
+        }
+        return bits;
+    }
+    isExecutedWrite(node, ctx, paramMap) {
+        if (!node || this.proposalKeyForExpression(node, ctx, paramMap) === null)
+            return false;
+        return /executed/i.test(this.expressionToString(node));
+    }
+    containsExecutorDelegation(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (node.type === 'FunctionCall' && this.isPrivilegedSink(node))
+            return true;
+        return this.childNodes(node).some(child => this.containsExecutorDelegation(child));
+    }
+    hasGovernanceGuardSurface(fn, modifiers) {
+        if (this.containsGovernanceGuard(fn.body))
+            return true;
+        for (const invocation of fn.modifiers || []) {
+            const modifier = modifiers.get(invocation?.name);
+            if (modifier?.body && this.containsGovernanceGuard(modifier.body))
+                return true;
+        }
+        return false;
+    }
+    containsGovernanceGuard(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (node.type === 'FunctionCall') {
+            const name = this.callMemberName(node);
+            if ((name === 'require' || name === 'assert') && (STATUS_NAMES.test(this.expressionToString(node)) || READY_NAMES.test(this.expressionToString(node)))) {
+                return true;
+            }
+        }
+        return this.childNodes(node).some(child => this.containsGovernanceGuard(child));
+    }
+    makeFinding(ctx, call) {
+        const loc = this.locOf(call);
+        return {
+            file: ctx.file,
+            contract: ctx.contractName,
+            'function': ctx.functionName,
+            line: loc.line,
+            endLine: loc.endLine,
+            column: loc.column,
+            pattern: RULE_ID,
+            confidence: 'high',
+            ruleId: RULE_ID,
+            severity: 'high',
+            message: `Governance proposal execution in '${ctx.contractName}.${ctx.functionName}' performs a privileged call or asset movement before proposal state, execution, and timelock readiness are all validated.`,
+            rationale: 'The sink is source-ordered before complete same-proposal guards, matching the ENS DAO-style proposal execution validation bypass shape.',
+            suggestedFix: 'Validate the executed proposal state, voting/finalization status, and queue/timelock readiness before any treasury transfer, low-level target call, or timelock execution.',
+            contractName: ctx.contractName,
+            functionName: ctx.functionName,
+            sourceLocation: loc,
+            externalCallNode: call,
+            findingId: '',
+            contractHash: '',
+        };
+    }
+    callMemberName(call) {
+        const expr = call?.expression;
+        if (expr?.type === 'Identifier')
+            return expr.name || '';
+        if (expr?.type === 'MemberAccess')
+            return expr.memberName || '';
+        if (expr?.type === 'NameValueExpression')
+            return this.callMemberName({ expression: expr.expression });
+        return '';
+    }
+    callObject(call) {
+        if (call?.expression?.type === 'MemberAccess')
+            return call.expression.expression;
+        if (call?.expression?.type === 'NameValueExpression')
+            return this.callObject({ expression: call.expression.expression });
+        return null;
+    }
+    identifierName(node) {
+        if (node?.type === 'Identifier')
+            return node.name || '';
+        return '';
+    }
+    mapParam(name, paramMap) {
+        return paramMap.get(name) || name;
+    }
+    rootIdentifier(node) {
+        if (node?.type === 'Identifier')
+            return node.name || '';
+        if (node?.type === 'MemberAccess')
+            return this.rootIdentifier(node.expression);
+        if (node?.type === 'IndexAccess')
+            return this.rootIdentifier(node.base);
+        return '';
+    }
+    locOf(node) {
+        const { line, column, endLine } = (0, ast_1.assertLoc)(node);
+        return { line, column, endLine };
+    }
+    isStatementLike(node) {
+        return typeof node?.type === 'string' && /Statement$|^Block$/.test(node.type);
+    }
+    childNodes(node) {
+        const children = [];
+        if (!node || typeof node !== 'object')
+            return children;
+        for (const [key, value] of Object.entries(node)) {
+            if (key === 'loc' || key === 'range')
+                continue;
+            if (Array.isArray(value)) {
+                for (const item of value)
+                    if (item && typeof item === 'object')
+                        children.push(item);
+            }
+            else if (value && typeof value === 'object') {
+                children.push(value);
+            }
+        }
+        return children;
+    }
+    expressionToString(node) {
+        if (!node || typeof node !== 'object')
+            return '';
+        switch (node.type) {
+            case 'Identifier':
+                return node.name || '';
+            case 'NumberLiteral':
+            case 'StringLiteral':
+            case 'BooleanLiteral':
+                return String(node.value ?? '');
+            case 'MemberAccess':
+                return `${this.expressionToString(node.expression)}.${node.memberName || ''}`;
+            case 'IndexAccess':
+                return `${this.expressionToString(node.base)}[${this.expressionToString(node.index)}]`;
+            case 'FunctionCall':
+                return `${this.expressionToString(node.expression)}(${(node.arguments || []).map((arg) => this.expressionToString(arg)).join(',')})`;
+            case 'BinaryOperation':
+                return `${this.expressionToString(node.left)} ${node.operator || ''} ${this.expressionToString(node.right)}`;
+            case 'UnaryOperation':
+                return `${node.operator || ''}${this.expressionToString(node.subExpression)}`;
+            case 'NameValueExpression':
+                return this.expressionToString(node.expression);
+            default:
+                return this.childNodes(node).map(child => this.expressionToString(child)).join(' ');
+        }
+    }
+}
+exports.UnguardedGovernanceExecutionDetector = UnguardedGovernanceExecutionDetector;
+//# sourceMappingURL=unguarded-governance-execution.js.map

package/dist/detectors/unguarded-governance-executor.d.ts

@@ -0,0 +1,35 @@
+import type { ScanResult } from '../index';
+export declare class UnguardedGovernanceExecutorDetector {
+    readonly id = "unguarded-governance-executor";
+    readonly patternKey = "unguarded-governance-executor";
+    readonly supportedAstKinds: "parser"[];
+    scanAst(ast: any, file: string): ScanResult[];
+    private hasGovernanceSurface;
+    private isExternallyCallable;
+    private hasRecognizedModifierGuard;
+    private modifierName;
+    private collectParameters;
+    private collectStorageAliases;
+    private collectLowLevelCalls;
+    private lowLevelCall;
+    private isDangerousGovernanceCall;
+    private isControlledTarget;
+    private isControlledData;
+    private isProposalMember;
+    private isProposalLikeStorageRead;
+    private hasGovernanceGateBefore;
+    private hasInlineAuthorityGuardBefore;
+    private hasExecutionLockBefore;
+    private isAuthorityCheck;
+    private containsGovernanceReference;
+    private containsAuthorityReference;
+    private containsMsgSender;
+    private containsParam;
+    private containsNameMatching;
+    private callName;
+    private rootIdentifier;
+    private walkBefore;
+    private walk;
+    private start;
+    private locOf;
+}