@snovon/solast 0.2.0

package/dist/detectors/unguarded-governance-executor.js

@@ -0,0 +1,349 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UnguardedGovernanceExecutorDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'unguarded-governance-executor';
+const PROVENANCE = 'x-20220214-buildfinance---dao-dao';
+const LOW_LEVEL_CALLS = new Set(['call', 'delegatecall']);
+const ACCESS_MODIFIERS = /^(only(owner|admin|governance|governor|timelock|role)|nonreentrant|lock)$/i;
+const EXECUTE_NAME = /execute|exec|relay|govern/i;
+const VOTE_OR_PROPOSAL_NAME = /vote|proposal|propose|passed|queued|state|yes|forvotes/i;
+const EXECUTION_LOCK_NAME = /executed|queued|passed|locked|processed|completed|consumed|done/i;
+class UnguardedGovernanceExecutorDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    scanAst(ast, file) {
+        if (!ast || ast.type !== 'SourceUnit')
+            return [];
+        const findings = [];
+        for (const contract of ast.children || []) {
+            if (contract?.type !== 'ContractDefinition')
+                continue;
+            if (contract.kind === 'interface' || contract.kind === 'library')
+                continue;
+            const contractName = contract.name || '<anonymous>';
+            const hasGovernanceSurface = this.hasGovernanceSurface(contract);
+            for (const fn of contract.subNodes || []) {
+                if (fn?.type !== 'FunctionDefinition')
+                    continue;
+                if (!fn.body)
+                    continue;
+                if (!this.isExternallyCallable(fn))
+                    continue;
+                if (this.hasRecognizedModifierGuard(fn))
+                    continue;
+                const functionName = fn.name || '<anonymous>';
+                if (!EXECUTE_NAME.test(functionName) && !hasGovernanceSurface)
+                    continue;
+                const params = this.collectParameters(fn);
+                const storageAliases = this.collectStorageAliases(fn);
+                const calls = this.collectLowLevelCalls(fn.body);
+                for (const call of calls) {
+                    if (!this.isDangerousGovernanceCall(call, params, storageAliases))
+                        continue;
+                    if (!this.hasGovernanceGateBefore(fn.body, call.node))
+                        continue;
+                    if (this.hasInlineAuthorityGuardBefore(fn.body, call.node))
+                        continue;
+                    if (this.hasExecutionLockBefore(fn.body, call.node))
+                        continue;
+                    const loc = this.locOf(fn);
+                    findings.push({
+                        file,
+                        contract: contractName,
+                        'function': functionName,
+                        line: loc.line,
+                        endLine: loc.endLine,
+                        column: loc.column,
+                        pattern: RULE_ID,
+                        confidence: 'high',
+                        ruleId: RULE_ID,
+                        severity: 'critical',
+                        message: `Dao Dao / Build Finance governance execution risk in '${contractName}.${functionName}': ` +
+                            'proposal- or caller-controlled target and calldata reach a low-level call without an authority guard or pre-call execution lock.',
+                        rationale: 'Matches the Build Finance Dao Dao exploit shape: public proposal execution can route arbitrary calldata to an attacker-selected target after a weak governance gate, enabling treasury or token-control seizure.',
+                        suggestedFix: 'Restrict execution to a timelock or governance authority, snapshot and validate voting power, block self/governance-token targets where appropriate, and mark proposals executed before the external call.',
+                        contractName,
+                        functionName,
+                        sourceLocation: loc,
+                        findingId: '',
+                        contractHash: '',
+                        provenance: PROVENANCE,
+                        source: PROVENANCE,
+                    });
+                }
+            }
+        }
+        return findings;
+    }
+    hasGovernanceSurface(contract) {
+        for (const node of contract.subNodes || []) {
+            if (node?.type === 'FunctionDefinition' && node.name && VOTE_OR_PROPOSAL_NAME.test(node.name)) {
+                return true;
+            }
+            if (node?.type === 'StateVariableDeclaration') {
+                for (const variable of node.variables || []) {
+                    if (variable?.name && VOTE_OR_PROPOSAL_NAME.test(variable.name))
+                        return true;
+                }
+            }
+        }
+        return false;
+    }
+    isExternallyCallable(fn) {
+        if (fn.isConstructor || fn.kind === 'constructor')
+            return false;
+        const visibility = String(fn.visibility || '').toLowerCase();
+        return visibility === 'public' || visibility === 'external' || visibility === '';
+    }
+    hasRecognizedModifierGuard(fn) {
+        for (const modifier of fn.modifiers || []) {
+            const name = this.modifierName(modifier);
+            if (name && ACCESS_MODIFIERS.test(name))
+                return true;
+        }
+        return false;
+    }
+    modifierName(modifier) {
+        if (!modifier)
+            return '';
+        if (typeof modifier.name === 'string')
+            return modifier.name;
+        if (modifier.name?.name)
+            return modifier.name.name;
+        return '';
+    }
+    collectParameters(fn) {
+        const params = new Set();
+        for (const param of fn.parameters || []) {
+            if (param?.name)
+                params.add(param.name);
+        }
+        return params;
+    }
+    collectStorageAliases(fn) {
+        const aliases = new Set();
+        this.walk(fn.body, node => {
+            if (node?.type !== 'VariableDeclarationStatement')
+                return;
+            if (!this.isProposalLikeStorageRead(node.initialValue))
+                return;
+            for (const variable of node.variables || []) {
+                if (variable?.name && variable.storageLocation === 'storage') {
+                    aliases.add(variable.name);
+                }
+            }
+        });
+        return aliases;
+    }
+    collectLowLevelCalls(node) {
+        const calls = [];
+        this.walk(node, child => {
+            const call = this.lowLevelCall(child);
+            if (call)
+                calls.push(call);
+        });
+        return calls.sort((a, b) => this.start(a.node) - this.start(b.node));
+    }
+    lowLevelCall(node) {
+        if (node?.type !== 'FunctionCall')
+            return null;
+        let callee = node.expression;
+        if (callee?.type === 'NameValueExpression' || callee?.type === 'FunctionCallOptions') {
+            callee = callee.expression;
+        }
+        if (callee?.type !== 'MemberAccess')
+            return null;
+        const member = String(callee.memberName || '').toLowerCase();
+        if (!LOW_LEVEL_CALLS.has(member))
+            return null;
+        return {
+            node,
+            member,
+            target: callee.expression,
+            args: Array.isArray(node.arguments) ? node.arguments : [],
+        };
+    }
+    isDangerousGovernanceCall(call, params, storageAliases) {
+        if (call.member !== 'call' && call.member !== 'delegatecall')
+            return false;
+        if (call.args.length === 0)
+            return false;
+        const targetControlled = this.isControlledTarget(call.target, params, storageAliases);
+        const dataControlled = call.args.some(arg => this.isControlledData(arg, params, storageAliases));
+        return targetControlled && dataControlled;
+    }
+    isControlledTarget(expr, params, storageAliases) {
+        if (!expr)
+            return false;
+        if (this.containsParam(expr, params))
+            return true;
+        return this.isProposalMember(expr, storageAliases, /target|token|to|destination|callee/i);
+    }
+    isControlledData(expr, params, storageAliases) {
+        if (!expr)
+            return false;
+        if (this.containsParam(expr, params))
+            return true;
+        return this.isProposalMember(expr, storageAliases, /data|calldata|payload|callData|selector/i);
+    }
+    isProposalMember(expr, storageAliases, memberPattern) {
+        if (expr?.type !== 'MemberAccess')
+            return false;
+        if (!memberPattern.test(String(expr.memberName || '')))
+            return false;
+        const root = this.rootIdentifier(expr.expression);
+        return !!root && storageAliases.has(root);
+    }
+    isProposalLikeStorageRead(expr) {
+        if (!expr)
+            return false;
+        const root = this.rootIdentifier(expr);
+        return !!root && /proposal|queued|passed/i.test(root);
+    }
+    hasGovernanceGateBefore(body, callNode) {
+        let found = false;
+        this.walkBefore(body, callNode, node => {
+            if (found)
+                return;
+            if (node?.type !== 'FunctionCall')
+                return;
+            const name = this.callName(node);
+            if (name !== 'require' && name !== 'assert')
+                return;
+            const condition = (node.arguments || [])[0];
+            if (this.containsGovernanceReference(condition))
+                found = true;
+        });
+        return found;
+    }
+    hasInlineAuthorityGuardBefore(body, callNode) {
+        let guarded = false;
+        this.walkBefore(body, callNode, node => {
+            if (guarded || node?.type !== 'FunctionCall')
+                return;
+            const name = this.callName(node);
+            if (name !== 'require' && name !== 'assert')
+                return;
+            const condition = (node.arguments || [])[0];
+            if (this.isAuthorityCheck(condition))
+                guarded = true;
+        });
+        return guarded;
+    }
+    hasExecutionLockBefore(body, callNode) {
+        let locked = false;
+        this.walkBefore(body, callNode, node => {
+            if (locked || node?.type !== 'BinaryOperation')
+                return;
+            if (node.operator !== '=')
+                return;
+            if (this.containsNameMatching(node.left, EXECUTION_LOCK_NAME))
+                locked = true;
+        });
+        return locked;
+    }
+    isAuthorityCheck(expr) {
+        if (!expr)
+            return false;
+        if (expr.type === 'BinaryOperation' && ['==', '!='].includes(expr.operator)) {
+            return this.containsMsgSender(expr.left) && this.containsAuthorityReference(expr.right)
+                || this.containsMsgSender(expr.right) && this.containsAuthorityReference(expr.left);
+        }
+        if (expr.type === 'FunctionCall') {
+            const name = this.callName(expr);
+            if (/hasrole|checkrole/i.test(name))
+                return this.containsMsgSender(expr);
+        }
+        return false;
+    }
+    containsGovernanceReference(expr) {
+        return this.containsNameMatching(expr, VOTE_OR_PROPOSAL_NAME);
+    }
+    containsAuthorityReference(expr) {
+        return this.containsNameMatching(expr, /owner|admin|timelock|governor|governance|guardian|role/i);
+    }
+    containsMsgSender(expr) {
+        let found = false;
+        this.walk(expr, node => {
+            if (node?.type === 'MemberAccess' && node.memberName === 'sender' && this.rootIdentifier(node.expression) === 'msg') {
+                found = true;
+            }
+        });
+        return found;
+    }
+    containsParam(expr, params) {
+        let found = false;
+        this.walk(expr, node => {
+            if (node?.type === 'Identifier' && params.has(node.name))
+                found = true;
+        });
+        return found;
+    }
+    containsNameMatching(expr, pattern) {
+        let found = false;
+        this.walk(expr, node => {
+            if (node?.type === 'Identifier' && pattern.test(String(node.name || '')))
+                found = true;
+            if (node?.type === 'MemberAccess' && pattern.test(String(node.memberName || '')))
+                found = true;
+        });
+        return found;
+    }
+    callName(node) {
+        const expr = node?.expression;
+        if (expr?.type === 'Identifier')
+            return String(expr.name || '').toLowerCase();
+        if (expr?.type === 'MemberAccess')
+            return String(expr.memberName || '').toLowerCase();
+        return '';
+    }
+    rootIdentifier(expr) {
+        let current = expr;
+        while (current) {
+            if (current.type === 'Identifier')
+                return String(current.name || '');
+            if (current.type === 'MemberAccess') {
+                current = current.expression;
+                continue;
+            }
+            if (current.type === 'IndexAccess') {
+                current = current.base;
+                continue;
+            }
+            return '';
+        }
+        return '';
+    }
+    walkBefore(root, before, visit) {
+        const stop = this.start(before);
+        this.walk(root, node => {
+            if (this.start(node) < stop)
+                visit(node);
+        });
+    }
+    walk(node, visit) {
+        if (!node || typeof node !== 'object')
+            return;
+        visit(node);
+        for (const value of Object.values(node)) {
+            if (Array.isArray(value)) {
+                for (const child of value)
+                    this.walk(child, visit);
+            }
+            else if (value && typeof value === 'object') {
+                this.walk(value, visit);
+            }
+        }
+    }
+    start(node) {
+        return Array.isArray(node?.range) ? node.range[0] : Number.MAX_SAFE_INTEGER;
+    }
+    locOf(node) {
+        const { line, column, endLine } = (0, ast_1.assertLoc)(node);
+        return { line, column, endLine };
+    }
+}
+exports.UnguardedGovernanceExecutorDetector = UnguardedGovernanceExecutorDetector;
+//# sourceMappingURL=unguarded-governance-executor.js.map

package/dist/detectors/unindexed-event-address.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class UnindexedEventAddressDetector {
+    readonly id = "unindexed-event-address";
+    readonly patternKey = "unindexed-event-address";
+    readonly supportedAstKinds: ("parser" | "solc")[];
+    scanAst(ast: any, file: string, sourceText?: string): ScanResult[];
+}

package/dist/detectors/unindexed-event-address.js

@@ -0,0 +1,268 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UnindexedEventAddressDetector = void 0;
+const RULE_ID = 'unindexed-event-address';
+class UnindexedEventAddressDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser', 'solc'];
+    scanAst(ast, file, sourceText) {
+        if (!ast || typeof ast !== 'object')
+            return [];
+        const findings = [];
+        const lineOffsets = buildLineOffsets(sourceText);
+        for (const event of collectTokenEventDefinitions(ast, lineOffsets)) {
+            for (const param of event.unindexedAddressParams) {
+                const message = `Unindexed address parameter '${param.name}' on event '${event.name}'` +
+                    (event.contractName ? ` in contract '${event.contractName}'` : '') +
+                    `: address parameters should be marked 'indexed' so off-chain consumers can filter logs by address.`;
+                findings.push({
+                    file,
+                    contract: event.contractName,
+                    'function': '',
+                    line: event.loc.line,
+                    endLine: event.endLine,
+                    column: event.loc.column,
+                    pattern: RULE_ID,
+                    confidence: 'high',
+                    ruleId: RULE_ID,
+                    severity: 'informational',
+                    message,
+                    contractName: event.contractName,
+                    functionName: '',
+                    sourceLocation: event.loc,
+                    findingId: '',
+                    contractHash: '',
+                });
+            }
+        }
+        return findings;
+    }
+}
+exports.UnindexedEventAddressDetector = UnindexedEventAddressDetector;
+function collectTokenEventDefinitions(ast, lineOffsets) {
+    const result = [];
+    walk(ast, (node) => {
+        if (!isNode(node, 'ContractDefinition'))
+            return;
+        if (!isTokenShapedContract(node))
+            return;
+        const contractName = node.name || '';
+        for (const event of directChildrenOf(node).filter(child => isNode(child, 'EventDefinition'))) {
+            const summary = summarizeTokenEvent(event, contractName, lineOffsets);
+            if (summary.unindexedAddressParams.length > 0)
+                result.push(summary);
+        }
+    });
+    return result;
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    if (isNode(node, 'EventDefinition'))
+        return;
+    for (const child of childrenOf(node)) {
+        walk(child, visit);
+    }
+}
+function summarizeTokenEvent(node, contractName, lineOffsets) {
+    const params = getEventParameters(node);
+    const unindexedAddressParams = [];
+    for (const p of expectedIndexedAddressParams(node.name || '', params)) {
+        if (!isAddressType(p?.typeName))
+            continue;
+        if (p?.isIndexed === true || p?.indexed === true)
+            continue;
+        unindexedAddressParams.push({ name: p?.name || '<anonymous>' });
+    }
+    const loc = getStartLoc(node, lineOffsets) || { line: 0, column: 0 };
+    const endLine = getEndLine(node, lineOffsets) || loc.line;
+    return {
+        name: node.name || '<anonymous>',
+        contractName,
+        unindexedAddressParams,
+        loc,
+        endLine,
+    };
+}
+function expectedIndexedAddressParams(eventName, params) {
+    const first = params[0];
+    const second = params[1];
+    if (!isAddressType(first?.typeName) || !isAddressType(second?.typeName))
+        return [];
+    if (eventName === 'Transfer' && isTransferAddressName(first?.name, 'from') && isTransferAddressName(second?.name, 'to')) {
+        return [first, second];
+    }
+    if (eventName === 'Approval' && isApprovalOwnerName(first?.name) && isApprovalSpenderName(second?.name)) {
+        return [first, second];
+    }
+    return [];
+}
+function isTransferAddressName(name, expected) {
+    if (typeof name !== 'string' || name.length === 0)
+        return true;
+    return name.toLowerCase() === expected;
+}
+function isApprovalOwnerName(name) {
+    if (typeof name !== 'string' || name.length === 0)
+        return true;
+    return name.toLowerCase() === 'owner';
+}
+function isApprovalSpenderName(name) {
+    if (typeof name !== 'string' || name.length === 0)
+        return true;
+    const normalized = name.toLowerCase();
+    return normalized === 'spender' || normalized === 'approved';
+}
+function isTokenShapedContract(node) {
+    if (inheritsTokenSurface(node))
+        return true;
+    const functionNames = getDeclaredMemberNames(node, 'FunctionDefinition');
+    const memberNames = new Set([...functionNames, ...getDeclaredMemberNames(node, 'VariableDeclaration')]);
+    return ((memberNames.has('balanceOf') && functionNames.has('transfer')) ||
+        (memberNames.has('allowance') && functionNames.has('approve')) ||
+        (functionNames.has('ownerOf') && functionNames.has('transferFrom')) ||
+        (functionNames.has('ownerOf') && functionNames.has('safeTransferFrom')));
+}
+function getDeclaredMemberNames(node, kind) {
+    const names = new Set();
+    for (const child of directChildrenOf(node)) {
+        if (isNode(child, kind) && typeof child?.name === 'string' && child.name.length > 0) {
+            names.add(child.name);
+        }
+        if (Array.isArray(child?.variables)) {
+            for (const variable of child.variables) {
+                if (isNode(variable, kind) && typeof variable?.name === 'string' && variable.name.length > 0) {
+                    names.add(variable.name);
+                }
+            }
+        }
+        for (const nested of directChildrenOf(child)) {
+            if (isNode(nested, kind) && typeof nested?.name === 'string' && nested.name.length > 0) {
+                names.add(nested.name);
+            }
+        }
+    }
+    return names;
+}
+function inheritsTokenSurface(node) {
+    for (const base of getBaseContractNames(node)) {
+        const name = base.toLowerCase();
+        if (/^i?erc(20|721|1155)(metadata|enumerable|receiver)?$/.test(name))
+            return true;
+    }
+    return false;
+}
+function getBaseContractNames(node) {
+    const names = [];
+    const bases = Array.isArray(node?.baseContracts) ? node.baseContracts : [];
+    for (const base of bases) {
+        const baseName = base?.baseName;
+        if (typeof baseName?.namePath === 'string')
+            names.push(baseName.namePath);
+        else if (typeof baseName?.name === 'string')
+            names.push(baseName.name);
+        else if (typeof baseName === 'string')
+            names.push(baseName);
+        const typeName = base?.typeName;
+        if (typeof typeName?.name === 'string')
+            names.push(typeName.name);
+        if (typeof typeName?.pathNode?.name === 'string')
+            names.push(typeName.pathNode.name);
+    }
+    return names;
+}
+function getEventParameters(node) {
+    if (Array.isArray(node?.parameters))
+        return node.parameters;
+    if (Array.isArray(node?.parameters?.parameters))
+        return node.parameters.parameters;
+    return [];
+}
+function isAddressType(typeName) {
+    if (!typeName || typeof typeName !== 'object')
+        return false;
+    if (typeName.type !== 'ElementaryTypeName' && typeName.nodeType !== 'ElementaryTypeName')
+        return false;
+    return typeName.name === 'address';
+}
+function isNode(node, kind) {
+    return node?.type === kind || node?.nodeType === kind;
+}
+function directChildrenOf(node) {
+    const directKeys = ['subNodes', 'nodes', 'children'];
+    const children = [];
+    for (const key of directKeys) {
+        const value = node?.[key];
+        if (Array.isArray(value)) {
+            for (const item of value)
+                if (item && typeof item === 'object')
+                    children.push(item);
+        }
+    }
+    return children;
+}
+function childrenOf(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const children = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'src' || key === 'range' || key === 'typeDescriptions' || key === 'id' || key === 'identifier')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value)
+                if (item && typeof item === 'object')
+                    children.push(item);
+        }
+        else if (value && typeof value === 'object') {
+            children.push(value);
+        }
+    }
+    return children;
+}
+function buildLineOffsets(sourceText) {
+    if (sourceText === undefined)
+        return undefined;
+    const offsets = [0];
+    let byteOffset = 0;
+    for (const char of sourceText) {
+        byteOffset += Buffer.byteLength(char, 'utf8');
+        if (char === '\n')
+            offsets.push(byteOffset);
+    }
+    return offsets;
+}
+function getStartLoc(node, lineOffsets) {
+    if (node?.loc?.start)
+        return { line: node.loc.start.line, column: node.loc.start.column };
+    if (!node?.src || !lineOffsets)
+        return undefined;
+    const offset = Number(String(node.src).split(':')[0]);
+    if (!Number.isFinite(offset) || offset < 0)
+        return undefined;
+    return offsetToLoc(offset, lineOffsets);
+}
+function getEndLine(node, lineOffsets) {
+    if (node?.loc?.end?.line)
+        return node.loc.end.line;
+    if (!node?.src || !lineOffsets)
+        return undefined;
+    const parts = String(node.src).split(':');
+    const offset = Number(parts[0]);
+    const length = Number(parts[1]);
+    if (!Number.isFinite(offset) || !Number.isFinite(length))
+        return undefined;
+    return offsetToLoc(offset + length, lineOffsets).line;
+}
+function offsetToLoc(byteOffset, lineOffsets) {
+    let lineIndex = 0;
+    for (let i = 0; i < lineOffsets.length; i++) {
+        if (lineOffsets[i] <= byteOffset)
+            lineIndex = i;
+        else
+            break;
+    }
+    return { line: lineIndex + 1, column: byteOffset - lineOffsets[lineIndex] };
+}
+//# sourceMappingURL=unindexed-event-address.js.map

package/dist/detectors/uninitialized-implementation.d.ts

@@ -0,0 +1,27 @@
+import type { ScanResult } from '../index';
+import type { DetectorContext } from './types';
+export declare class UninitializedImplementationDetector {
+    readonly id = "uninitialized-implementation";
+    readonly patternKey = "uninitialized-implementation";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "high";
+        help: string;
+    };
+    private file;
+    private ctx;
+    private findings;
+    private currentFunction;
+    private emitted;
+    setFile(file: string): void;
+    setContext(ctx: DetectorContext): void;
+    getFindings(): ScanResult[];
+    FunctionDefinition(node: any): void;
+    FunctionDefinition_post(_node: any): void;
+    ['FunctionDefinition:exit'](node: any): void;
+    FunctionCall(node: any): void;
+    private emitFinding;
+}