@snovon/solast 0.2.0

package/dist/detectors/arbitrary-storage-proof-forgery.js

@@ -0,0 +1,340 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ArbitraryStorageProofForgeryDetector = void 0;
+const RULE_ID = 'arbitrary-storage-proof-forgery';
+const INTRINSIC_IDS = new Set([
+    'msg', 'sender', 'value', 'data', 'this', 'block', 'tx',
+    'keccak256', 'sha256', 'sha3', 'ripemd160',
+    'abi', 'encode', 'encodePacked', 'encodeWithSelector', 'encodeWithSignature',
+    'uint160', 'uint256', 'uint128', 'uint64', 'uint32', 'uint16', 'uint8',
+    'bytes32', 'bytes16', 'bytes8', 'bytes4', 'bytes',
+    'address', 'payable', 'super',
+]);
+const HASH_CALLEES = new Set(['keccak256', 'sha256', 'sha3', 'ripemd160']);
+const VERIFIER_NAME_RE = /^(verify|decode|validate)/i;
+const PRIVILEGED_INTERNAL_RE = /^_(mint|release|credit|withdraw|burn|unlock|finalize|execute|send|transfer)/i;
+const EXTERNAL_ACTION_NAMES = new Set(['call', 'delegatecall', 'transfer', 'send']);
+function extractIds(n, out) {
+    if (!n || typeof n !== 'object')
+        return;
+    if (n.type === 'Identifier' && typeof n.name === 'string') {
+        out.add(n.name);
+    }
+    for (const key of Object.keys(n)) {
+        if (key === 'parent')
+            continue;
+        const v = n[key];
+        if (v && typeof v === 'object') {
+            if (Array.isArray(v)) {
+                for (const item of v)
+                    extractIds(item, out);
+            }
+            else {
+                extractIds(v, out);
+            }
+        }
+    }
+}
+function isHashCall(n) {
+    const expr = n?.expression;
+    return (n?.type === 'FunctionCall' &&
+        expr?.type === 'Identifier' &&
+        typeof expr.name === 'string' &&
+        HASH_CALLEES.has(expr.name));
+}
+function isUpperConstant(id) {
+    return /^[A-Z][A-Z0-9_]*$/.test(id);
+}
+class ArbitraryStorageProofForgeryDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'Storage proof data authorizes a bridge action without binding root, domain, slot, and payload to trusted state.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'high',
+    };
+    supportedAstKinds = ['parser'];
+    findings = [];
+    currentContract = '';
+    currentContractKind = '';
+    stateVars = new Set();
+    functionStack = [];
+    setFile(_file) {
+        this.findings = [];
+        this.currentContract = '';
+        this.currentContractKind = '';
+        this.stateVars.clear();
+        this.functionStack = [];
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        this.currentContract = String(node?.name || '');
+        this.currentContractKind = String(node?.kind || '');
+        this.stateVars.clear();
+        for (const subNode of node?.subNodes || []) {
+            if (subNode?.type !== 'StateVariableDeclaration')
+                continue;
+            for (const v of subNode.variables || []) {
+                if (typeof v?.name === 'string' && v.name.length > 0) {
+                    this.stateVars.add(v.name);
+                }
+            }
+        }
+    }
+    'ContractDefinition:exit'() {
+        this.currentContract = '';
+        this.currentContractKind = '';
+        this.stateVars.clear();
+    }
+    FunctionDefinition(node) {
+        if (this.currentContractKind === 'interface' || this.currentContractKind === 'library')
+            return;
+        if (!node?.body)
+            return;
+        const mutability = String(node.stateMutability || '').toLowerCase();
+        if (mutability === 'view' || mutability === 'pure')
+            return;
+        const params = new Set();
+        for (const p of node.parameters || []) {
+            if (typeof p?.name === 'string' && p.name.length > 0)
+                params.add(p.name);
+        }
+        this.functionStack.push({
+            node,
+            name: String(node.name || ''),
+            params,
+            locals: new Set(),
+            localInits: new Map(),
+            verifierCalls: [],
+            requireCalls: [],
+            ifConditions: [],
+            actions: [],
+            variableDeclarations: [],
+        });
+    }
+    'FunctionDefinition:exit'(node) {
+        const state = this.functionStack[this.functionStack.length - 1];
+        if (!state || state.node !== node)
+            return;
+        this.functionStack.pop();
+        this.analyzeFunction(state);
+    }
+    VariableDeclarationStatement(node) {
+        const state = this.currentFunction();
+        if (!state)
+            return;
+        state.variableDeclarations.push(node);
+        for (const v of node.variables || []) {
+            if (typeof v?.name !== 'string' || v.name.length === 0)
+                continue;
+            state.locals.add(v.name);
+            if (!node.initialValue)
+                continue;
+            if (!state.localInits.has(v.name))
+                state.localInits.set(v.name, []);
+            state.localInits.get(v.name).push(node.initialValue);
+        }
+    }
+    FunctionCall(node) {
+        const state = this.currentFunction();
+        if (!state)
+            return;
+        const expr = node.expression;
+        if (!expr)
+            return;
+        if (expr.type === 'MemberAccess' && typeof expr.memberName === 'string') {
+            if (VERIFIER_NAME_RE.test(expr.memberName))
+                state.verifierCalls.push(node);
+            if (EXTERNAL_ACTION_NAMES.has(expr.memberName))
+                state.actions.push(node);
+            return;
+        }
+        if (expr.type !== 'Identifier' || typeof expr.name !== 'string')
+            return;
+        if (expr.name === 'require' || expr.name === 'assert') {
+            state.requireCalls.push(node);
+        }
+        else if (PRIVILEGED_INTERNAL_RE.test(expr.name)) {
+            state.actions.push(node);
+        }
+    }
+    IfStatement(node) {
+        const state = this.currentFunction();
+        if (state && node?.condition)
+            state.ifConditions.push(node.condition);
+    }
+    currentFunction() {
+        return this.functionStack.length > 0 ? this.functionStack[this.functionStack.length - 1] : null;
+    }
+    analyzeFunction(state) {
+        if (state.verifierCalls.length === 0 || state.actions.length === 0)
+            return;
+        const actionIds = new Set();
+        for (const action of state.actions)
+            extractIds(action, actionIds);
+        const emittedLocs = new Set();
+        for (const verifierCall of state.verifierCalls) {
+            const verifierArgs = verifierCall.arguments || [];
+            const verifierMember = String(verifierCall.expression?.memberName || '');
+            const isDecode = /decode/i.test(verifierMember);
+            const decodedStructName = isDecode ? this.findDecodedStructName(state, verifierCall) : '';
+            const covered = new Set();
+            for (let i = 1; i < verifierArgs.length; i++) {
+                extractIds(verifierArgs[i], covered);
+            }
+            this.expandLocalCoverage(covered, state.localInits);
+            const { checkedIds, decodedFieldChecks } = this.collectChecks(state, decodedStructName);
+            const isFinding = isDecode
+                ? this.decodeChecksAreIncomplete(decodedFieldChecks)
+                : this.directProofChecksAreIncomplete(verifierArgs, state, checkedIds, actionIds, covered);
+            if (!isFinding)
+                continue;
+            const loc = verifierCall.loc?.start || state.node.loc?.start || { line: 1, column: 0 };
+            const locKey = `${loc.line}:${loc.column}`;
+            if (emittedLocs.has(locKey))
+                continue;
+            emittedLocs.add(locKey);
+            this.findings.push({
+                ruleId: this.id,
+                severity: 'high',
+                confidence: 'medium',
+                contractName: this.currentContract,
+                functionName: state.name,
+                line: loc.line,
+                column: loc.column,
+                message: 'Arbitrary storage proof forgery: proof data authorizes a privileged action without binding root, domain, slot, and payload to trusted state.',
+            });
+        }
+    }
+    findDecodedStructName(state, verifierCall) {
+        for (const stmt of state.variableDeclarations) {
+            if (stmt.initialValue !== verifierCall)
+                continue;
+            for (const v of stmt.variables || []) {
+                const isStruct = v?.typeName?.type === 'UserDefinedTypeName' ||
+                    v?.storageLocation === 'memory' ||
+                    v?.storageLocation === 'storage';
+                if (isStruct && typeof v?.name === 'string' && v.name.length > 0)
+                    return v.name;
+            }
+        }
+        return '';
+    }
+    expandLocalCoverage(covered, localInits) {
+        let changed = true;
+        while (changed) {
+            changed = false;
+            for (const [name, inits] of localInits) {
+                if (!covered.has(name))
+                    continue;
+                for (const init of inits) {
+                    const before = covered.size;
+                    extractIds(init, covered);
+                    if (covered.size > before)
+                        changed = true;
+                }
+            }
+        }
+    }
+    collectChecks(state, decodedStructName) {
+        const checkedIds = new Set();
+        const decodedFieldChecks = new Set();
+        const collectChecked = (n) => {
+            if (!n || typeof n !== 'object')
+                return;
+            if (n.type === 'BinaryOperation' && (n.operator === '==' || n.operator === '!=')) {
+                extractIds(n.left, checkedIds);
+                extractIds(n.right, checkedIds);
+                if (decodedStructName) {
+                    this.captureDecodedField(n.left, decodedStructName, decodedFieldChecks);
+                    this.captureDecodedField(n.right, decodedStructName, decodedFieldChecks);
+                }
+            }
+            for (const key of Object.keys(n)) {
+                if (key === 'parent')
+                    continue;
+                const v = n[key];
+                if (v && typeof v === 'object') {
+                    if (Array.isArray(v))
+                        v.forEach(collectChecked);
+                    else
+                        collectChecked(v);
+                }
+            }
+        };
+        for (const call of state.requireCalls)
+            collectChecked(call);
+        for (const condition of state.ifConditions)
+            collectChecked(condition);
+        return { checkedIds, decodedFieldChecks };
+    }
+    captureDecodedField(side, decodedStructName, decodedFieldChecks) {
+        if (side?.type === 'MemberAccess' &&
+            side.expression?.type === 'Identifier' &&
+            side.expression.name === decodedStructName &&
+            typeof side.memberName === 'string') {
+            decodedFieldChecks.add(side.memberName);
+        }
+    }
+    decodeChecksAreIncomplete(decodedFieldChecks) {
+        const hasRoot = ['root', 'stateRoot', 'storageRoot', 'trustedRoot'].some(f => decodedFieldChecks.has(f));
+        const hasDomain = ['srcChainId', 'chainId', 'domain', 'origin', 'sourceChain', 'sourceChainId'].some(f => decodedFieldChecks.has(f));
+        const hasAccountOrSlot = ['account', 'slot', 'key', 'addr', 'address'].some(f => decodedFieldChecks.has(f));
+        const hasPayload = ['payloadHash', 'payload', 'messageHash', 'msgHash'].some(f => decodedFieldChecks.has(f));
+        return !(hasRoot && hasDomain && hasAccountOrSlot && hasPayload);
+    }
+    directProofChecksAreIncomplete(verifierArgs, state, checkedIds, actionIds, covered) {
+        for (let i = 1; i < verifierArgs.length; i++) {
+            const arg = verifierArgs[i];
+            if (isHashCall(arg))
+                continue;
+            const isLocalHash = (argId) => { const inits = state.localInits.get(argId); return inits ? inits.some(init => isHashCall(init)) : false; };
+            if (arg.type === "Identifier" && typeof arg.name === "string" && isLocalHash(arg.name))
+                continue;
+            const argIds = new Set();
+            extractIds(arg, argIds);
+            if (argIds.size === 0)
+                continue;
+            for (const id of argIds) {
+                if (this.isTrustedOrBound(id, state, checkedIds, actionIds))
+                    continue;
+                return true;
+            }
+        }
+        for (const action of state.actions) {
+            for (const arg of action.arguments || []) {
+                const argIds = new Set();
+                extractIds(arg, argIds);
+                for (const id of argIds) {
+                    if (INTRINSIC_IDS.has(id))
+                        continue;
+                    if (this.stateVars.has(id))
+                        continue;
+                    if (isUpperConstant(id))
+                        continue;
+                    if (covered.has(id))
+                        continue;
+                    if (checkedIds.has(id))
+                        continue;
+                    if (!state.params.has(id))
+                        continue;
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+    isTrustedOrBound(id, state, checkedIds, actionIds) {
+        return (INTRINSIC_IDS.has(id) ||
+            this.stateVars.has(id) ||
+            isUpperConstant(id) ||
+            checkedIds.has(id) ||
+            actionIds.has(id) ||
+            false);
+    }
+}
+exports.ArbitraryStorageProofForgeryDetector = ArbitraryStorageProofForgeryDetector;
+//# sourceMappingURL=arbitrary-storage-proof-forgery.js.map

package/dist/detectors/arbitrary-transfer-from.d.ts

@@ -0,0 +1,38 @@
+import type { ScanResult } from '../index';
+export declare class ArbitraryTransferFromDetector {
+    readonly id = "arbitrary-transfer-from";
+    readonly patternKey = "arbitrary-transfer-from";
+    readonly supportedAstKinds: ("parser" | "solc")[];
+    private currentFile;
+    private findings;
+    private currentContract;
+    private currentFunction;
+    private isFunctionProtected;
+    private functionVisibility;
+    private localAliases;
+    private callerBoundSources;
+    private hasSafeErc20ForErc20;
+    private contractErc20Names;
+    private functionErc20Names;
+    private contractNonErc20Names;
+    private functionNonErc20Names;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    'ContractDefinition:exit'(_node: any): void;
+    ContractDefinition_post(node: any): void;
+    FunctionDefinition(node: any): void;
+    'FunctionDefinition:exit'(_node: any): void;
+    FunctionDefinition_post(node: any): void;
+    VariableDeclarationStatement(node: any): void;
+    VariableDeclaration(node: any): void;
+    UsingForDeclaration(node: any): void;
+    ExpressionStatement(node: any): void;
+    FunctionCall(node: any): void;
+    private collectCallerBoundSources;
+    private addCallerBoundSource;
+    private resolveAlias;
+    private recordUsingFor;
+    private recordTypedVariable;
+    private hasErc20SafeTransferFromEvidence;
+}