@snovon/solast 0.2.0

package/dist/detectors/unprotected-pair-initializer.d.ts

@@ -0,0 +1,22 @@
+import type { ScanResult } from '../index';
+export declare class UnprotectedPairInitializerDetector {
+    readonly id = "unprotected-pair-initializer";
+    readonly patternKey = "unprotected-pair-initializer";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "high";
+        help: string;
+    };
+    private file;
+    private findings;
+    private current;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    'ContractDefinition:exit'(): void;
+    private analyzeContract;
+    private hasGuard;
+}

package/dist/detectors/unprotected-pair-initializer.js

@@ -0,0 +1,359 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UnprotectedPairInitializerDetector = void 0;
+const ast_1 = require("./_common/ast");
+const access_control_1 = require("./_common/access-control");
+const RULE_ID = 'unprotected-pair-initializer';
+const CANDIDATE_NAMES = new Set(['initialize', 'sync', 'setreserves', '_update', 'update']);
+const REENTRANCY_GUARD_MODIFIERS = new Set([
+    'nonreentrant',
+    '_nonreentrant',
+    'noreentrant',
+    'noreentrancy',
+    'reentrancyguard',
+    'noreentry',
+    'nonreentrantcall',
+    'lock',
+    'locked',
+]);
+const INITIALIZER_GUARD_MODIFIERS = new Set(['initializer', 'reinitializer', 'onlyinitializing']);
+const ASSIGNMENT_OPERATORS = new Set(['=', '+=', '-=', '*=', '/=', '%=', '&=', '|=', '^=', '<<=', '>>=', '>>>=']);
+class UnprotectedPairInitializerDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'AMM pair initializer or reserve mutator is externally callable without a guard.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'high',
+        help: 'Flags Uniswap V2 pair-shaped contracts whose public initializer or reserve mutator can change token or reserve state without access control, an initializer guard, or a reentrancy guard.',
+    };
+    file = '';
+    findings = [];
+    current = null;
+    setFile(file) {
+        this.file = file;
+        this.findings = [];
+        this.current = null;
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        this.current = {
+            node,
+            name: (0, ast_1.getName)(node),
+            kind: String(node?.kind || node?.contractKind || '').toLowerCase(),
+            stateVars: new Set(),
+            functions: new Map(),
+            modifiers: new Map(),
+        };
+        for (const member of contractMembers(node)) {
+            if ((0, ast_1.isNode)(member, 'StateVariableDeclaration')) {
+                for (const variable of member.variables || []) {
+                    const name = (0, ast_1.getName)(variable);
+                    if (name)
+                        this.current.stateVars.add(name);
+                }
+            }
+            else if ((0, ast_1.isNode)(member, 'VariableDeclaration') && (member.stateVariable || member.isStateVar)) {
+                const name = (0, ast_1.getName)(member);
+                if (name)
+                    this.current.stateVars.add(name);
+            }
+            else if ((0, ast_1.isNode)(member, 'FunctionDefinition')) {
+                const name = functionName(member);
+                if (name)
+                    this.current.functions.set(name, member);
+            }
+            else if ((0, ast_1.isNode)(member, 'ModifierDefinition')) {
+                const name = (0, ast_1.getName)(member);
+                if (name)
+                    this.current.modifiers.set(name, member);
+            }
+        }
+    }
+    'ContractDefinition:exit'() {
+        if (this.current)
+            this.analyzeContract(this.current);
+        this.current = null;
+    }
+    analyzeContract(contract) {
+        if (contract.kind === 'interface' || contract.kind === 'library')
+            return;
+        if (!isPairShaped(contract.stateVars))
+            return;
+        const functionInfos = collectFunctionInfos(contract);
+        for (const info of functionInfos.values()) {
+            if (!isExternallyCallable(info.node))
+                continue;
+            if (!isCandidateFunctionName(info.name))
+                continue;
+            if (!info.node?.body)
+                continue;
+            if (!mutationPath(info, functionInfos, new Set()))
+                continue;
+            if (this.hasGuard(info.node, contract))
+                continue;
+            const loc = (0, ast_1.assertLoc)(info.node, contract.node);
+            this.findings.push({
+                file: this.file,
+                contract: contract.name || '<anonymous>',
+                'function': info.name || '<anonymous>',
+                line: loc.line,
+                endLine: loc.endLine,
+                column: loc.column,
+                pattern: RULE_ID,
+                confidence: 'high',
+                ruleId: RULE_ID,
+                severity: 'high',
+                message: `AMM pair entrypoint '${contract.name}.${info.name}' mutates token or reserve state without a recognized guard.`,
+                rationale: 'Nowswap-style pair initializers and reserve mutators let arbitrary callers repoint token or reserve accounting when they are public/external and no trusted caller, initializer, or reentrancy guard is visible.',
+                suggestedFix: 'Restrict the entrypoint to the factory or another trusted caller, use an OpenZeppelin initializer/reinitializer guard for initialization, or keep reserve sync/update paths behind a recognized reentrancy guard.',
+                contractName: contract.name || '<anonymous>',
+                functionName: info.name || '<anonymous>',
+                sourceLocation: { line: loc.line, column: loc.column },
+                findingId: '',
+                contractHash: '',
+            });
+        }
+    }
+    hasGuard(fn, contract) {
+        if ((0, access_control_1.hasRecognisedAccessControlModifier)(fn))
+            return true;
+        for (const modifier of fn.modifiers || []) {
+            const name = getModifierName(modifier);
+            const lower = name.toLowerCase();
+            if (INITIALIZER_GUARD_MODIFIERS.has(lower))
+                return true;
+            if (REENTRANCY_GUARD_MODIFIERS.has(lower))
+                return true;
+            const definition = contract.modifiers.get(name);
+            if (definition?.body && bodyContainsAccessControl(definition.body, contract.stateVars, new Set())) {
+                return true;
+            }
+        }
+        return bodyContainsAccessControl(fn.body, contract.stateVars, collectLocalNames(fn));
+    }
+}
+exports.UnprotectedPairInitializerDetector = UnprotectedPairInitializerDetector;
+function collectFunctionInfos(contract) {
+    const result = new Map();
+    for (const [name, fn] of contract.functions) {
+        result.set(name, {
+            node: fn,
+            name,
+            directMutation: !!fn.body && bodyMutatesPairState(fn.body),
+            calls: fn.body ? collectSameContractCalls(fn.body) : new Set(),
+        });
+    }
+    return result;
+}
+function mutationPath(info, functions, seen) {
+    if (info.directMutation)
+        return true;
+    if (seen.has(info.name))
+        return false;
+    seen.add(info.name);
+    for (const calledName of info.calls) {
+        const called = functions.get(calledName);
+        if (called && mutationPath(called, functions, seen))
+            return true;
+    }
+    return false;
+}
+function isPairShaped(stateVars) {
+    return stateVars.has('token0') && stateVars.has('token1') && stateVars.has('reserve0') && stateVars.has('reserve1');
+}
+function isCandidateFunctionName(name) {
+    return CANDIDATE_NAMES.has(name.toLowerCase());
+}
+function isExternallyCallable(fn) {
+    if (!fn || !fn.body)
+        return false;
+    if (fn.isConstructor === true || String(fn.kind || '').toLowerCase() === 'constructor')
+        return false;
+    const visibility = String(fn.visibility || '').toLowerCase();
+    return visibility === '' || visibility === 'default' || visibility === 'public' || visibility === 'external';
+}
+function bodyMutatesPairState(body) {
+    return walkAny(body, (node) => {
+        const target = assignmentTarget(node);
+        return !!target && expressionTargetsPairState(target);
+    });
+}
+function assignmentTarget(node) {
+    if ((0, ast_1.isNode)(node, 'BinaryOperation')) {
+        const operator = String(node.operator || '');
+        if (!ASSIGNMENT_OPERATORS.has(operator))
+            return null;
+        return node.left || node.leftExpression;
+    }
+    if ((0, ast_1.isNode)(node, 'Assignment')) {
+        const operator = String(node.operator || '');
+        if (operator && !ASSIGNMENT_OPERATORS.has(operator))
+            return null;
+        return node.leftHandSide;
+    }
+    return null;
+}
+function expressionTargetsPairState(expr) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return isPairStateName(String(expr.name || ''));
+    if ((0, ast_1.isNode)(expr, 'MemberAccess')) {
+        if (isPairStateName(String(expr.memberName || '')))
+            return true;
+        return expressionTargetsPairState(expr.expression);
+    }
+    if ((0, ast_1.isNode)(expr, 'IndexAccess'))
+        return expressionTargetsPairState(expr.base || expr.baseExpression);
+    if ((0, ast_1.isNode)(expr, 'TupleExpression'))
+        return (expr.components || []).some((component) => expressionTargetsPairState(component));
+    return false;
+}
+function isPairStateName(name) {
+    return name === 'token0' || name === 'token1' || name === 'reserve0' || name === 'reserve1';
+}
+function bodyContainsAccessControl(body, stateVars, localNames) {
+    return walkAny(body, (node) => {
+        if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+            return false;
+        const name = callName(node.expression).toLowerCase();
+        if (name !== 'require' && name !== 'assert')
+            return false;
+        const condition = node.arguments?.[0];
+        return (0, access_control_1.requireExpressesAccessControl)(condition, (candidate) => stateVars.has(candidate) && !localNames.has(candidate));
+    });
+}
+function collectLocalNames(fn) {
+    const names = new Set();
+    for (const parameter of functionParameters(fn)) {
+        const name = (0, ast_1.getName)(parameter);
+        if (name)
+            names.add(name);
+    }
+    walkAny(fn.body, (node) => {
+        if (!(0, ast_1.isNode)(node, 'VariableDeclarationStatement'))
+            return false;
+        for (const variable of variableDeclarations(node)) {
+            const name = (0, ast_1.getName)(variable);
+            if (name)
+                names.add(name);
+        }
+        return false;
+    });
+    return names;
+}
+function collectSameContractCalls(body) {
+    const calls = new Set();
+    walkAny(body, (node) => {
+        if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+            return false;
+        const name = callName(node.expression);
+        const leaf = name.split('.').pop() || name;
+        if (leaf)
+            calls.add(leaf);
+        return false;
+    });
+    return calls;
+}
+function contractMembers(contract) {
+    if (Array.isArray(contract?.subNodes))
+        return contract.subNodes;
+    if (Array.isArray(contract?.nodes))
+        return contract.nodes;
+    return [];
+}
+function functionParameters(fn) {
+    if (Array.isArray(fn?.parameters))
+        return fn.parameters;
+    if (Array.isArray(fn?.parameters?.parameters))
+        return fn.parameters.parameters;
+    return [];
+}
+function variableDeclarations(node) {
+    if (Array.isArray(node?.variables))
+        return node.variables;
+    if (Array.isArray(node?.declarations))
+        return node.declarations;
+    if (node?.variableDeclaration)
+        return [node.variableDeclaration];
+    return [];
+}
+function functionName(fn) {
+    return typeof fn?.name === 'string' ? fn.name : '';
+}
+function getModifierName(modifier) {
+    if (!modifier)
+        return '';
+    if (typeof modifier === 'string')
+        return modifier;
+    if (typeof modifier.name === 'string')
+        return modifier.name;
+    if (modifier.name && typeof modifier.name.name === 'string')
+        return modifier.name.name;
+    if (modifier.name && typeof modifier.name.namePath === 'string')
+        return modifier.name.namePath;
+    if (modifier.modifierName) {
+        const inner = modifier.modifierName;
+        if (typeof inner === 'string')
+            return inner;
+        if (inner && typeof inner.name === 'string')
+            return inner.name;
+        if (inner && typeof inner.namePath === 'string')
+            return inner.namePath;
+    }
+    return '';
+}
+function callName(expr) {
+    if (!expr || typeof expr !== 'object')
+        return '';
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return String(expr.name || '');
+    if ((0, ast_1.isNode)(expr, 'MemberAccess')) {
+        const prefix = callName(expr.expression);
+        const member = String(expr.memberName || '');
+        return prefix ? `${prefix}.${member}` : member;
+    }
+    return '';
+}
+function walkAny(node, predicate) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (predicate(node))
+        return true;
+    for (const child of childrenOf(node)) {
+        if (walkAny(child, predicate))
+            return true;
+    }
+    return false;
+}
+function childrenOf(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const children = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' ||
+            key === 'range' ||
+            key === 'tokens' ||
+            key === 'comments' ||
+            key === 'leadingComments' ||
+            key === 'trailingComments') {
+            continue;
+        }
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    children.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            children.push(value);
+        }
+    }
+    return children;
+}
+//# sourceMappingURL=unprotected-pair-initializer.js.map

package/dist/detectors/unprotected-upgrade-function.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class UnprotectedUpgradeFunctionDetector {
+    readonly id = "unprotected-upgrade-function";
+    readonly patternKey = "unprotected-upgrade-function";
+    readonly supportedAstKinds: "parser"[];
+    scanAst(ast: any, file: string): ScanResult[];
+}

package/dist/detectors/unprotected-upgrade-function.js

@@ -0,0 +1,180 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UnprotectedUpgradeFunctionDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'unprotected-upgrade-function';
+const UPGRADE_FUNCTIONS = new Set(['upgradeTo', 'upgradeToAndCall', '_setImplementation', '_upgradeTo']);
+class UnprotectedUpgradeFunctionDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    scanAst(ast, file) {
+        if (!ast || ast.type !== 'SourceUnit')
+            return [];
+        const findings = [];
+        for (const child of ast.children || []) {
+            if (child?.type !== 'ContractDefinition')
+                continue;
+            if (child.kind === 'interface' || child.kind === 'library')
+                continue;
+            for (const fn of child.subNodes || []) {
+                if (fn?.type !== 'FunctionDefinition')
+                    continue;
+                if (!isUpgradeEntryPoint(fn))
+                    continue;
+                if (hasAnyModifier(fn))
+                    continue;
+                if (hasInlineSenderGuard(fn.body))
+                    continue;
+                findings.push(makeFinding(file, child, fn));
+            }
+        }
+        return findings;
+    }
+}
+exports.UnprotectedUpgradeFunctionDetector = UnprotectedUpgradeFunctionDetector;
+function isUpgradeEntryPoint(fn) {
+    if (!fn?.body || isConstructor(fn))
+        return false;
+    const name = functionName(fn);
+    if (!UPGRADE_FUNCTIONS.has(name))
+        return false;
+    return isExternallyCallable(fn);
+}
+function isConstructor(fn) {
+    return fn?.isConstructor === true || fn?.kind === 'constructor';
+}
+function isExternallyCallable(fn) {
+    const visibility = String(fn?.visibility || '').toLowerCase();
+    return visibility === 'public' || visibility === 'external';
+}
+function functionName(fn) {
+    return String(fn?.name || '');
+}
+function hasAnyModifier(fn) {
+    return Array.isArray(fn?.modifiers) && fn.modifiers.length > 0;
+}
+function hasInlineSenderGuard(body) {
+    let guarded = false;
+    walk(body, node => {
+        if (guarded)
+            return;
+        if (node?.type === 'FunctionCall' && callName(node) === 'require') {
+            const condition = Array.isArray(node.arguments) ? node.arguments[0] : null;
+            if (isMsgSenderEquality(condition))
+                guarded = true;
+            return;
+        }
+        if (node?.type === 'IfStatement' && isMsgSenderInequality(node.condition) && branchContainsRevert(node.trueBody)) {
+            guarded = true;
+        }
+    });
+    return guarded;
+}
+function isMsgSenderEquality(expr) {
+    if (!expr || expr.type !== 'BinaryOperation')
+        return false;
+    const op = String(expr.operator || '');
+    if (op !== '==' && op !== '===')
+        return false;
+    return includesMsgSenderSide(expr);
+}
+function isMsgSenderInequality(expr) {
+    if (!expr || expr.type !== 'BinaryOperation')
+        return false;
+    const op = String(expr.operator || '');
+    if (op !== '!=' && op !== '!==')
+        return false;
+    return includesMsgSenderSide(expr);
+}
+function includesMsgSenderSide(expr) {
+    const left = expr.left ?? expr.leftExpression;
+    const right = expr.right ?? expr.rightExpression;
+    return (isMsgSender(left) && !isLiteral(right)) || (isMsgSender(right) && !isLiteral(left));
+}
+function isMsgSender(expr) {
+    return expr?.type === 'MemberAccess' &&
+        expr.memberName === 'sender' &&
+        expr.expression?.type === 'Identifier' &&
+        expr.expression.name === 'msg';
+}
+function isLiteral(expr) {
+    return expr?.type === 'NumberLiteral' ||
+        expr?.type === 'StringLiteral' ||
+        expr?.type === 'BooleanLiteral' ||
+        expr?.type === 'HexLiteral';
+}
+function branchContainsRevert(node) {
+    let found = false;
+    walk(node, child => {
+        if (found)
+            return;
+        if (child?.type === 'RevertStatement' || child?.type === 'ThrowStatement') {
+            found = true;
+            return;
+        }
+        if (child?.type === 'FunctionCall' && callName(child) === 'revert')
+            found = true;
+    });
+    return found;
+}
+function callName(call) {
+    const expr = call?.expression;
+    if (expr?.type === 'Identifier')
+        return String(expr.name || '');
+    if (expr?.type === 'MemberAccess')
+        return String(expr.memberName || '');
+    return '';
+}
+function makeFinding(file, contractNode, fn) {
+    const contractName = String(contractNode.name || '<anonymous>');
+    const name = functionName(fn);
+    const loc = locOf(fn);
+    return {
+        file,
+        contract: contractName,
+        'function': name,
+        line: loc.line,
+        endLine: loc.endLine,
+        column: loc.column,
+        pattern: RULE_ID,
+        confidence: 'high',
+        ruleId: RULE_ID,
+        severity: 'high',
+        message: `Upgrade entry point '${contractName}.${name}' is public or external without a modifier or inline msg.sender authorization guard.`,
+        rationale: 'Unprotected upgrade functions can let any caller redirect implementation storage or delegatecall execution, matching the Yearn vault proxy upgrade-risk class.',
+        suggestedFix: 'Protect upgrade entry points with an owner/admin/role modifier or an inline require(msg.sender == admin) / if (msg.sender != admin) revert guard.',
+        contractName,
+        functionName: name,
+        sourceLocation: loc,
+        findingId: '',
+        contractHash: '',
+    };
+}
+function locOf(node) {
+    const { line, column, endLine } = (0, ast_1.assertLoc)(node);
+    return { line, column, endLine };
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const child of childrenOf(node))
+        walk(child, visit);
+}
+function childrenOf(node) {
+    const out = [];
+    for (const value of Object.values(node || {})) {
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    out.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+//# sourceMappingURL=unprotected-upgrade-function.js.map

package/dist/detectors/unreachable-code-0.8.28.d.ts

@@ -0,0 +1,19 @@
+import type { ScanResult } from '../index';
+export declare class UnreachableCode0828Detector {
+    readonly id = "unreachable-code-0.8.28";
+    readonly patternKey = "unreachable-code-0.8.28";
+    readonly supportedAstKinds: "parser"[];
+    scanAst(ast: any, file: string): ScanResult[];
+    private walkNode;
+    private walkIf;
+    private walkLoop;
+    private walkBlock;
+    private walkChildren;
+    private childrenOf;
+    private isTerminator;
+    private isUnconditionalCall;
+    private getCallName;
+    private reportUnreachable;
+    private evaluateConstantCondition;
+    private constantNumberValue;
+}