@snovon/solast 0.2.0

package/dist/detectors/uninitialized-implementation.js

@@ -0,0 +1,333 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UninitializedImplementationDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'uninitialized-implementation';
+const PATTERN = RULE_ID;
+const PROXY_CONSTRUCTORS = new Set([
+    'erc1967proxy',
+    'transparentupgradeableproxy',
+]);
+const INITIALIZER_MODIFIERS = new Set([
+    'initializer',
+    'reinitializer',
+]);
+const INITIALIZER_NAMES = new Set([
+    'init',
+    'initialize',
+    'setup',
+]);
+class UninitializedImplementationDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'Upgradeable implementation contracts should lock initializers.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'high',
+        help: 'Call `_disableInitializers()` in the implementation constructor, or in an explicit initializer-guarded implementation lock function.',
+    };
+    file = '';
+    ctx;
+    findings = [];
+    currentFunction = null;
+    emitted = new Set();
+    setFile(file) {
+        this.file = file;
+        this.ctx = undefined;
+        this.findings = [];
+        this.currentFunction = null;
+        this.emitted = new Set();
+    }
+    setContext(ctx) {
+        this.ctx = ctx;
+    }
+    getFindings() {
+        return this.findings;
+    }
+    FunctionDefinition(node) {
+        this.currentFunction = (0, ast_1.isNode)(node, 'FunctionDefinition') ? node : null;
+    }
+    FunctionDefinition_post(_node) {
+        this.currentFunction = null;
+    }
+    ['FunctionDefinition:exit'](node) {
+        this.FunctionDefinition_post(node);
+    }
+    FunctionCall(node) {
+        if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+            return;
+        if (!this.ctx?.semantic)
+            return;
+        const proxyName = newExpressionTypeName(node.expression);
+        if (!proxyName || !isRecognizedProxy(proxyName))
+            return;
+        const implementationArg = node.arguments?.[0];
+        const implementationName = extractNewContractName(implementationArg)
+            || resolveLocalImplementationName(this.currentFunction, implementationArg, node);
+        if (!implementationName)
+            return;
+        const implementation = this.ctx.semantic.resolveContract(this.file, implementationName);
+        if (!implementation || !isDeployableImplementation(implementation))
+            return;
+        if (!isUpgradeableImplementation(implementation, this.ctx.semantic))
+            return;
+        if (hasInitializerLock(implementation, this.ctx.semantic))
+            return;
+        this.emitFinding(node, implementation, proxyName);
+    }
+    emitFinding(proxyCall, implementation, proxyName) {
+        const key = implementation.id;
+        if (this.emitted.has(key))
+            return;
+        this.emitted.add(key);
+        const loc = (0, ast_1.tryLoc)(proxyCall, this.currentFunction) ?? { line: 1, endLine: 1, column: 0, endColumn: 0 };
+        const functionName = functionDisplayName(this.currentFunction);
+        this.findings.push({
+            file: this.file,
+            contract: implementation.name,
+            'function': functionName,
+            line: loc.line,
+            endLine: loc.endLine,
+            column: loc.column,
+            endColumn: loc.endColumn,
+            ruleId: RULE_ID,
+            pattern: PATTERN,
+            severity: 'high',
+            confidence: 'high',
+            category: 'access-control',
+            message: `Implementation contract '${implementation.name}' is deployed behind ${lastName(proxyName)} but does not lock its initializer surface with _disableInitializers().`,
+            rationale: 'A proxy-referenced upgradeable implementation that remains initializable can be initialized directly by an attacker, allowing ownership or upgrade authority to be claimed on the logic contract.',
+            suggestedFix: 'Add a constructor to the implementation contract that calls `_disableInitializers()`, or call `_disableInitializers()` from an explicit initializer-guarded implementation lock function.',
+            contractName: implementation.name,
+            functionName,
+            sourceLocation: { line: loc.line, column: loc.column },
+            delegateTarget: implementation.name,
+            initializerPath: `${implementation.name}._disableInitializers`,
+            trace: `proxy: ${lastName(proxyName)}; implementation: ${implementation.name}`,
+            findingId: '',
+            contractHash: '',
+        });
+    }
+}
+exports.UninitializedImplementationDetector = UninitializedImplementationDetector;
+function isRecognizedProxy(namePath) {
+    return PROXY_CONSTRUCTORS.has(lastName(namePath).toLowerCase());
+}
+function lastName(namePath) {
+    const parts = namePath.split('.');
+    return parts[parts.length - 1] || namePath;
+}
+function newExpressionTypeName(node) {
+    let expr = node;
+    if ((0, ast_1.isNode)(expr, 'FunctionCallOptions'))
+        expr = expr.expression;
+    if (!(0, ast_1.isNode)(expr, 'NewExpression'))
+        return '';
+    return userDefinedTypeName(expr.typeName);
+}
+function userDefinedTypeName(typeName) {
+    if (!typeName || typeof typeName !== 'object')
+        return '';
+    if (typeof typeName.namePath === 'string')
+        return typeName.namePath;
+    if (typeof typeName.name === 'string')
+        return typeName.name;
+    return '';
+}
+function extractNewContractName(node) {
+    const direct = newExpressionTypeName((0, ast_1.isNode)(node, 'FunctionCall') ? node.expression : node);
+    if (direct)
+        return direct;
+    if ((0, ast_1.isNode)(node, 'FunctionCall')) {
+        const callee = callName(node.expression);
+        if (callee.toLowerCase() === 'address') {
+            return extractNewContractName(node.arguments?.[0]);
+        }
+    }
+    return '';
+}
+function resolveLocalImplementationName(functionNode, implementationArg, proxyCall) {
+    const identifier = implementationIdentifierName(implementationArg);
+    if (!identifier || !(0, ast_1.isNode)(functionNode, 'FunctionDefinition'))
+        return '';
+    const bindings = collectImplementationBindingsBefore(functionNode.body, proxyCall);
+    return bindings.get(identifier) || '';
+}
+function implementationIdentifierName(node) {
+    if ((0, ast_1.isNode)(node, 'Identifier'))
+        return String(node.name || '');
+    if ((0, ast_1.isNode)(node, 'FunctionCall')) {
+        const callee = callName(node.expression);
+        if (callee.toLowerCase() === 'address') {
+            const arg = node.arguments?.[0];
+            if ((0, ast_1.isNode)(arg, 'Identifier'))
+                return String(arg.name || '');
+        }
+    }
+    return '';
+}
+function collectImplementationBindingsBefore(root, stopNode) {
+    const bindings = new Map();
+    function visit(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (node === stopNode)
+            return true;
+        recordImplementationBinding(node, bindings);
+        for (const value of Object.values(node)) {
+            if (!value)
+                continue;
+            if (Array.isArray(value)) {
+                for (const item of value) {
+                    if (visit(item))
+                        return true;
+                }
+                continue;
+            }
+            if (typeof value === 'object' && visit(value))
+                return true;
+        }
+        return false;
+    }
+    visit(root);
+    return bindings;
+}
+function recordImplementationBinding(node, bindings) {
+    if ((0, ast_1.isNode)(node, 'VariableDeclarationStatement')) {
+        const name = variableDeclarationName(node.variables?.[0]);
+        if (!name)
+            return;
+        const implementationName = extractNewContractName(node.initialValue);
+        if (implementationName)
+            bindings.set(name, implementationName);
+        return;
+    }
+    if (!(0, ast_1.isNode)(node, 'ExpressionStatement'))
+        return;
+    const expression = node.expression;
+    if (!(0, ast_1.isNode)(expression, 'BinaryOperation') || expression.operator !== '=')
+        return;
+    if (!(0, ast_1.isNode)(expression.left, 'Identifier'))
+        return;
+    const name = String(expression.left.name || '');
+    if (!name)
+        return;
+    const implementationName = extractNewContractName(expression.right);
+    if (implementationName) {
+        bindings.set(name, implementationName);
+    }
+    else {
+        bindings.delete(name);
+    }
+}
+function variableDeclarationName(node) {
+    if (!node || typeof node !== 'object')
+        return '';
+    if (typeof node.name === 'string')
+        return node.name;
+    if ((0, ast_1.isNode)(node.identifier, 'Identifier'))
+        return String(node.identifier.name || '');
+    return '';
+}
+function callName(expr) {
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return String(expr.name || '');
+    if ((0, ast_1.isNode)(expr, 'MemberAccess'))
+        return String(expr.memberName || '');
+    return '';
+}
+function isDeployableImplementation(contract) {
+    return contract.kind === 'contract';
+}
+function isUpgradeableImplementation(contract, semantic) {
+    const functions = semantic.inheritedFunctions(contract.id);
+    if (functions.some(isInitializerSurface))
+        return true;
+    const lin = semantic.linearize(contract.id);
+    const ids = lin ? lin.mro : [contract.id];
+    for (const id of ids) {
+        const info = semantic.contracts.get(id);
+        if (!info)
+            continue;
+        const name = info.name.toLowerCase();
+        if (name.includes('initializable') || name.includes('uupsupgradeable'))
+            return true;
+    }
+    return false;
+}
+function hasInitializerLock(contract, semantic) {
+    for (const fn of contract.functions) {
+        if (fn.isConstructor && bodyCallsDisableInitializers(fn.node))
+            return true;
+    }
+    for (const fn of semantic.inheritedFunctions(contract.id)) {
+        if (!fn.isConstructor && !hasInitializerGuard(fn))
+            continue;
+        if (bodyCallsDisableInitializers(fn.node))
+            return true;
+    }
+    return false;
+}
+function isInitializerSurface(fn) {
+    if (!isExternallyCallable(fn))
+        return false;
+    if (hasInitializerGuard(fn))
+        return true;
+    return INITIALIZER_NAMES.has(String(fn.name || '').toLowerCase());
+}
+function hasInitializerGuard(fn) {
+    return fn.modifiers.some(mod => INITIALIZER_MODIFIERS.has(String(mod || '').toLowerCase()));
+}
+function isExternallyCallable(fn) {
+    const visibility = String(fn.visibility || '').toLowerCase();
+    return visibility === 'public' || visibility === 'external' || visibility === 'default';
+}
+function bodyCallsDisableInitializers(fnNode) {
+    if (!fnNode?.body)
+        return false;
+    return walkFind(fnNode.body, node => isDisableInitializersCall(node));
+}
+function isDisableInitializersCall(node) {
+    if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+        return false;
+    const expr = node.expression;
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return expr.name === '_disableInitializers';
+    if ((0, ast_1.isNode)(expr, 'MemberAccess'))
+        return expr.memberName === '_disableInitializers';
+    return false;
+}
+function walkFind(node, predicate) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (predicate(node))
+        return true;
+    for (const value of Object.values(node)) {
+        if (!value)
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (walkFind(item, predicate))
+                    return true;
+            }
+            continue;
+        }
+        if (typeof value === 'object' && walkFind(value, predicate))
+            return true;
+    }
+    return false;
+}
+function functionDisplayName(node) {
+    if (!(0, ast_1.isNode)(node, 'FunctionDefinition'))
+        return '<unknown>';
+    if (node.isConstructor)
+        return '<constructor>';
+    if (node.isReceiveEther)
+        return '<receive>';
+    if (node.isFallback)
+        return '<fallback>';
+    return String(node.name || '<anonymous>');
+}
+//# sourceMappingURL=uninitialized-implementation.js.map

package/dist/detectors/uninitialized-storage-pointer.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class UninitializedStoragePointerDetector {
+    readonly id = "uninitialized-storage-pointer";
+    readonly patternKey = "uninitialized-storage-pointer";
+    readonly supportedAstKinds: "parser"[];
+    scanAst(ast: any, file: string): ScanResult[];
+}

package/dist/detectors/uninitialized-storage-pointer.js

@@ -0,0 +1,110 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UninitializedStoragePointerDetector = void 0;
+const RULE_ID = 'uninitialized-storage-pointer';
+class UninitializedStoragePointerDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    scanAst(ast, file) {
+        if (!ast || ast.type !== 'SourceUnit')
+            return [];
+        const findings = [];
+        for (const contractNode of ast.children || []) {
+            if (!isNode(contractNode, 'ContractDefinition'))
+                continue;
+            const contractName = String(contractNode.name || '<anonymous>');
+            for (const subNode of contractNode.subNodes || []) {
+                if (!isNode(subNode, 'FunctionDefinition') && !isNode(subNode, 'ModifierDefinition'))
+                    continue;
+                if (!subNode.body)
+                    continue;
+                const functionName = definitionName(subNode);
+                walkAny(subNode.body, node => {
+                    if (!isNode(node, 'VariableDeclarationStatement'))
+                        return false;
+                    if (hasInitializer(node))
+                        return false;
+                    for (const variable of node.variables || []) {
+                        if (!isNode(variable, 'VariableDeclaration'))
+                            continue;
+                        if (variable.storageLocation !== 'storage')
+                            continue;
+                        const loc = locOf(variable) || locOf(node) || locOf(subNode) || { line: 0, column: 0 };
+                        const variableName = String(variable.name || variable.identifier?.name || '<unnamed>');
+                        findings.push({
+                            file,
+                            line: loc.line,
+                            column: loc.column,
+                            pattern: RULE_ID,
+                            confidence: 'high',
+                            category: 'quality',
+                            ruleId: RULE_ID,
+                            severity: 'medium',
+                            contractName,
+                            functionName,
+                            contract: contractName,
+                            function: functionName,
+                            message: `Local storage pointer '${variableName}' is declared without an initialized storage reference.`,
+                            rationale: 'Solidity 0.8.28-era compiler behavior rejects or tightens ambiguous uninitialized local storage pointer declarations, and older compilers may alias an unintended storage slot.',
+                            suggestedFix: 'Initialize the storage pointer from an explicit storage reference, such as a state variable, mapping entry, or fixed layout-slot helper, before reading or writing through it.',
+                            findingId: '',
+                            contractHash: '',
+                        });
+                    }
+                    return false;
+                });
+            }
+        }
+        return findings;
+    }
+}
+exports.UninitializedStoragePointerDetector = UninitializedStoragePointerDetector;
+function hasInitializer(statement) {
+    return statement?.initialValue != null || statement?.expression != null;
+}
+function definitionName(node) {
+    if (isNode(node, 'ModifierDefinition'))
+        return String(node.name || '<modifier>');
+    if (node?.isConstructor || node?.kind === 'constructor')
+        return '<constructor>';
+    return String(node?.name || '<anonymous>');
+}
+function locOf(node) {
+    const start = node?.loc?.start;
+    if (!start)
+        return null;
+    return { line: Number(start.line || 0), column: Number(start.column || 0) };
+}
+function isNode(node, type) {
+    return !!node && typeof node === 'object' && node.type === type;
+}
+function walkAny(node, visitor) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (visitor(node))
+        return true;
+    for (const child of childrenOf(node)) {
+        if (walkAny(child, visitor))
+            return true;
+    }
+    return false;
+}
+function childrenOf(node) {
+    const children = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'range')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    children.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            children.push(value);
+        }
+    }
+    return children;
+}
+//# sourceMappingURL=uninitialized-storage-pointer.js.map

package/dist/detectors/uniswap-skim-token-balance-attack.d.ts

@@ -0,0 +1,8 @@
+import type { ScanResult } from '../index';
+import type { DetectorAstKind } from './types';
+export declare class UniswapSkimTokenBalanceAttackDetector {
+    readonly id = "uniswap-skim-token-balance-attack";
+    readonly patternKey = "uniswap-skim-token-balance-attack";
+    readonly supportedAstKinds: DetectorAstKind[];
+    scanAst(ast: any, file: string, sourceText?: string): ScanResult[];
+}