@snovon/solast 0.2.0

package/dist/detectors/zksync-batch-validation.js

@@ -0,0 +1,461 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ZkSyncBatchValidationDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'zksync-batch-validation';
+const BATCH_FUNCTION = /^(?:commit|prove|execute)Batch(?:es)?(?:[A-Z]\w*)?$/;
+const ZKSYNC_STORAGE_REF = /(?:storedBatchHashes|totalBatchesCommitted|totalBatchesExecuted|priorityOperationsHash|priorityQueueHash|totalPriorityRequests|firstPriorityRequestId)/i;
+const VERIFY_BATCH = /^(?:verifyBatchData|_verifyBatchData|verifyBatch|_verifyBatch|_verifyBatchDataHash)$/i;
+const BATCH_STATE = /(?:storedBatch|totalBatchesCommitted|committedBatch|batchHash|storedBatchHashes)/i;
+const PRIORITY_CURSOR = /(?:totalPriorityRequests|firstPriorityRequestId|priorityRequest|priorityOperations|priorityQueue)/i;
+const PRIORITY_HASH = /(?:priorityOperationsHash|priorityQueueHash|priorityHash)/i;
+const SYSTEM_GUARD_MODIFIER = /(?:onlySystemCall|onlySystem|onlyBootloader|onlySystemContext|systemCall)/i;
+const ASSIGN_OPS = new Set(['=', '+=', '-=', '*=', '/=', '%=', '&=', '|=', '^=', '<<=', '>>=', '>>>=']);
+class ZkSyncBatchValidationDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    scan(ast, ctx = {}) {
+        return this.scanAst(ast, ctx.file || ctx.filename || '<ast>');
+    }
+    scanAst(ast, file) {
+        if (!ast || typeof ast !== 'object')
+            return [];
+        const findings = [];
+        const contracts = collectContracts(ast);
+        const registry = buildContractRegistry(contracts);
+        for (const contract of contracts) {
+            if (isInterfaceLike(contract))
+                continue;
+            const info = collectContractInfo(contract);
+            if (!hasZkSyncShape(info, contract, registry))
+                continue;
+            for (const fn of contractMembers(contract)) {
+                if (!isNode(fn, 'FunctionDefinition'))
+                    continue;
+                if (!fn.body)
+                    continue;
+                if (!BATCH_FUNCTION.test(getFunctionName(fn)))
+                    continue;
+                const analysis = analyzeFunction(fn, info);
+                const finding = findingForAnalysis(file, info.name, fn, analysis);
+                if (finding)
+                    findings.push(finding);
+            }
+        }
+        return findings;
+    }
+}
+exports.ZkSyncBatchValidationDetector = ZkSyncBatchValidationDetector;
+function findingForAnalysis(file, contractName, fn, analysis) {
+    const functionName = getFunctionName(fn);
+    if (analysis.unsafeSystemCall) {
+        return makeFinding(file, contractName, functionName, locOf(analysis.unsafeSystemCall), 'unguarded-system-contract-call', `zkSync batch validation function '${contractName}.${functionName}' performs an unguarded low-level call to a zkSync system-range address.`, 'Guard raw calls to zkSync system contracts with an only-system/bootloader modifier or an explicit msg.sender system-address check before accepting batch metadata.');
+    }
+    if (analysis.acceptsBatchInfo && analysis.advancesPriorityCursor && analysis.mutatesBatchState && !analysis.hasPriorityHashCheck) {
+        return makeFinding(file, contractName, functionName, locOf(analysis.advancesPriorityCursor), 'priority-operation-gap', `zkSync batch validation function '${contractName}.${functionName}' advances priority-operation state without a visible priorityOperationsHash contiguity check.`, 'Recompute and compare the rolling priority operation hash before moving the priority cursor or storing accepted batch metadata.');
+    }
+    if (analysis.acceptsBatchInfo && analysis.mutatesBatchState && !analysis.hasStrongVerifyGuard && !analysis.hasGuardedSystemCall) {
+        return makeFinding(file, contractName, functionName, locOf(analysis.mutatesBatchState), 'missing-verify-batch-data', `zkSync batch validation function '${contractName}.${functionName}' accepts StoredBatchInfo-like metadata before a visible verifyBatchData guard.`, 'Require verifyBatchData or an equivalent _verifyBatch* guard on the batch metadata before writing committed-batch state.');
+    }
+    return null;
+}
+function analyzeFunction(fn, info) {
+    const analysis = {
+        acceptsBatchInfo: acceptsStoredBatchInfo(fn),
+        hasStrongVerifyGuard: hasStrongVerifyGuard(fn),
+        mutatesBatchState: null,
+        advancesPriorityCursor: null,
+        hasPriorityHashCheck: false,
+        unsafeSystemCall: null,
+        hasGuardedSystemCall: false,
+    };
+    if (containsInlineAssembly(fn.body))
+        return analysis;
+    walk(fn.body, node => {
+        if (!analysis.mutatesBatchState && isStateMutation(node, info.stateVars, BATCH_STATE)) {
+            analysis.mutatesBatchState = node;
+        }
+        if (!analysis.advancesPriorityCursor && isStateMutation(node, info.stateVars, PRIORITY_CURSOR)) {
+            analysis.advancesPriorityCursor = node;
+        }
+        if (!analysis.hasPriorityHashCheck && isPriorityHashCheck(node)) {
+            analysis.hasPriorityHashCheck = true;
+        }
+        if (!analysis.unsafeSystemCall && isUnsafeSystemCall(node, info, fn)) {
+            analysis.unsafeSystemCall = node;
+        }
+        if (!analysis.hasGuardedSystemCall && isGuardedSystemCall(node, info, fn)) {
+            analysis.hasGuardedSystemCall = true;
+        }
+    });
+    return analysis;
+}
+function collectContractInfo(contract) {
+    const info = {
+        name: getName(contract) || '<anonymous>',
+        hasStoredBatchInfoStruct: false,
+        stateVars: new Set(),
+        systemAddresses: new Set(),
+        hasZkSyncStorageReferences: false,
+    };
+    for (const member of contractMembers(contract)) {
+        if (isStoredBatchInfoStruct(member))
+            info.hasStoredBatchInfoStruct = true;
+        if (isNode(member, 'StateVariableDeclaration')) {
+            for (const variable of arrayOf(member.variables)) {
+                const name = getName(variable);
+                if (name)
+                    info.stateVars.add(name);
+                if (name && isSystemAddressExpression(variable.expression))
+                    info.systemAddresses.add(name);
+            }
+        }
+    }
+    walk(contract, node => {
+        if (info.hasZkSyncStorageReferences)
+            return;
+        if (!isNode(node, 'MemberAccess'))
+            return;
+        if (ZKSYNC_STORAGE_REF.test(expressionText(node)))
+            info.hasZkSyncStorageReferences = true;
+    });
+    return info;
+}
+function hasZkSyncShape(info, contract, registry) {
+    const hasStruct = info.hasStoredBatchInfoStruct || hasInheritedStoredBatchInfoStruct(contract, registry);
+    if (!hasStruct)
+        return false;
+    const joined = [...info.stateVars].join(' ');
+    if (BATCH_STATE.test(joined) || PRIORITY_CURSOR.test(joined) || PRIORITY_HASH.test(joined) || info.systemAddresses.size > 0) {
+        return true;
+    }
+    return info.hasZkSyncStorageReferences;
+}
+function hasInheritedStoredBatchInfoStruct(contract, registry, visited = new Set()) {
+    for (const base of arrayOf(contract?.baseContracts)) {
+        const baseName = baseContractName(base);
+        if (!baseName || visited.has(baseName))
+            continue;
+        visited.add(baseName);
+        const baseDef = registry.get(baseName);
+        if (!baseDef)
+            continue;
+        for (const member of contractMembers(baseDef)) {
+            if (isStoredBatchInfoStruct(member))
+                return true;
+        }
+        if (hasInheritedStoredBatchInfoStruct(baseDef, registry, visited))
+            return true;
+    }
+    return false;
+}
+function baseContractName(base) {
+    const namePath = base?.baseName?.namePath;
+    if (namePath)
+        return String(namePath).split('.').pop() || '';
+    const name = base?.baseName?.name;
+    if (name)
+        return String(name).split('.').pop() || '';
+    return '';
+}
+function buildContractRegistry(contracts) {
+    const registry = new Map();
+    for (const contract of contracts) {
+        const name = getName(contract);
+        if (name)
+            registry.set(name, contract);
+    }
+    return registry;
+}
+function isStoredBatchInfoStruct(node) {
+    if (!isNode(node, 'StructDefinition'))
+        return false;
+    if (!/StoredBatchInfo|BatchInfo/i.test(getName(node)))
+        return false;
+    const fields = new Set(arrayOf(node.members).map(member => getName(member)));
+    return fields.has('batchHash') && fields.has('priorityOperationsHash') && (fields.has('number') || fields.has('batchNumber'));
+}
+function acceptsStoredBatchInfo(fn) {
+    return getParameters(fn).some(param => /StoredBatchInfo|BatchInfo/i.test(typeText(param.typeName)));
+}
+function hasStrongVerifyGuard(fn) {
+    let guarded = false;
+    walkWithIfContext(fn.body, false, (node, insideIf) => {
+        if (guarded || !isNode(node, 'FunctionCall'))
+            return;
+        if (insideIf)
+            return;
+        const callee = unwrapCallOptions(node.expression);
+        const name = getCallName(callee);
+        if (name !== 'require' && name !== 'assert')
+            return;
+        if (containsVerifyBatchCall(arrayOf(node.arguments)[0]))
+            guarded = true;
+    });
+    return guarded;
+}
+function containsInlineAssembly(node) {
+    let found = false;
+    walk(node, current => {
+        if (isNode(current, 'InlineAssemblyStatement') || isNode(current, 'AssemblyBlock') || isNode(current, 'AssemblyCall')) {
+            found = true;
+        }
+    });
+    return found;
+}
+function isPriorityHashCheck(node) {
+    if (!isNode(node, 'FunctionCall'))
+        return false;
+    const callee = unwrapCallOptions(node.expression);
+    const name = getCallName(callee);
+    if (name !== 'require' && name !== 'assert')
+        return false;
+    const condition = arrayOf(node.arguments)[0];
+    if (!condition || !isNode(condition, 'BinaryOperation'))
+        return false;
+    const op = String(condition.operator || '');
+    if (op !== '==' && op !== '!=')
+        return false;
+    return PRIORITY_HASH.test(expressionText(condition.left)) || PRIORITY_HASH.test(expressionText(condition.right));
+}
+function isUnsafeSystemCall(node, info, fn) {
+    if (!isNode(node, 'FunctionCall'))
+        return false;
+    const callee = unwrapCallOptions(node.expression);
+    if (!isNode(callee, 'MemberAccess'))
+        return false;
+    const member = String(callee.memberName || '');
+    if (member !== 'call' && member !== 'delegatecall')
+        return false;
+    if (!isKnownSystemTarget(callee.expression, info))
+        return false;
+    return !hasSystemCallGuard(fn, info);
+}
+function isGuardedSystemCall(node, info, fn) {
+    if (!isNode(node, 'FunctionCall'))
+        return false;
+    const callee = unwrapCallOptions(node.expression);
+    if (!isNode(callee, 'MemberAccess'))
+        return false;
+    const member = String(callee.memberName || '');
+    if (member !== 'call' && member !== 'delegatecall')
+        return false;
+    if (!isKnownSystemTarget(callee.expression, info))
+        return false;
+    return hasSystemCallGuard(fn, info);
+}
+function hasSystemCallGuard(fn, info) {
+    if (arrayOf(fn.modifiers).some(mod => SYSTEM_GUARD_MODIFIER.test(getName(mod))))
+        return true;
+    let guarded = false;
+    walk(fn.body, node => {
+        if (guarded || !isNode(node, 'FunctionCall'))
+            return;
+        const callee = unwrapCallOptions(node.expression);
+        const name = getCallName(callee);
+        if (name !== 'require' && name !== 'assert')
+            return;
+        const condition = expressionText(arrayOf(node.arguments)[0]);
+        if (/msg\.sender/i.test(condition) && [...info.systemAddresses].some(system => condition.includes(system))) {
+            guarded = true;
+        }
+    });
+    return guarded;
+}
+function isKnownSystemTarget(node, info) {
+    if (isNode(node, 'Identifier'))
+        return info.systemAddresses.has(getName(node));
+    return isSystemAddressExpression(node);
+}
+function isSystemAddressExpression(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (isNode(node, 'FunctionCall') && getCallName(unwrapCallOptions(node.expression)) === 'address') {
+        return arrayOf(node.arguments).some(isSystemAddressExpression);
+    }
+    if (isNode(node, 'NumberLiteral') || isNode(node, 'Literal')) {
+        const raw = String(node.number ?? node.value ?? '').toLowerCase();
+        return /^0x0{36}8[0-9a-f]{3}$/.test(raw);
+    }
+    return false;
+}
+function isStateMutation(node, stateVars, namePattern) {
+    if (isNode(node, 'BinaryOperation') && ASSIGN_OPS.has(String(node.operator || ''))) {
+        return rootIdentifierMatches(node.left, stateVars, namePattern);
+    }
+    if (isNode(node, 'UnaryOperation') && (node.operator === '++' || node.operator === '--' || node.operator === 'delete')) {
+        return rootIdentifierMatches(node.subExpression, stateVars, namePattern);
+    }
+    return false;
+}
+function rootIdentifierMatches(node, stateVars, namePattern) {
+    const root = rootIdentifier(node);
+    if (!root || !stateVars.has(root))
+        return false;
+    if (namePattern.test(root))
+        return true;
+    return namePattern.test(expressionText(node));
+}
+function rootIdentifier(node) {
+    if (!node || typeof node !== 'object')
+        return '';
+    if (isNode(node, 'Identifier'))
+        return getName(node);
+    if (isNode(node, 'IndexAccess'))
+        return rootIdentifier(node.base || node.baseExpression);
+    if (isNode(node, 'MemberAccess'))
+        return rootIdentifier(node.expression);
+    return '';
+}
+function containsVerifyBatchCall(node) {
+    let found = false;
+    walk(node, current => {
+        if (found || !isNode(current, 'FunctionCall'))
+            return;
+        const callee = unwrapCallOptions(current.expression);
+        if (VERIFY_BATCH.test(getCallName(callee)))
+            found = true;
+    });
+    return found;
+}
+function makeFinding(file, contractName, functionName, loc, pattern, message, suggestedFix) {
+    return {
+        file,
+        contract: contractName,
+        'function': functionName,
+        line: loc.line,
+        endLine: loc.line,
+        column: loc.column,
+        pattern: `${RULE_ID}/${pattern}`,
+        confidence: 'high',
+        category: 'vulnerability',
+        ruleId: RULE_ID,
+        severity: 'high',
+        message,
+        rationale: 'The function has zkSync Era batch-validation shape and reaches a known unsafe acceptance pattern using only AST-visible structure.',
+        suggestedFix,
+        contractName,
+        functionName,
+        sourceLocation: { line: loc.line, column: loc.column },
+        findingId: '',
+        contractHash: '',
+    };
+}
+function getParameters(fn) {
+    return fn?.parameters?.parameters || fn?.parameters || [];
+}
+function collectContracts(ast) {
+    const out = [];
+    walk(ast, node => {
+        if (isNode(node, 'ContractDefinition'))
+            out.push(node);
+    });
+    return out;
+}
+function contractMembers(contract) {
+    return Array.isArray(contract?.subNodes) ? contract.subNodes : [];
+}
+function isInterfaceLike(contract) {
+    const kind = String(contract?.kind || '').toLowerCase();
+    return kind === 'interface' || kind === 'library';
+}
+function getFunctionName(fn) {
+    return getName(fn) || (fn?.isConstructor ? '<constructor>' : '<anonymous>');
+}
+function getCallName(callee) {
+    if (isNode(callee, 'Identifier'))
+        return String(callee.name || '');
+    if (isNode(callee, 'MemberAccess'))
+        return String(callee.memberName || '');
+    return '';
+}
+function unwrapCallOptions(expr) {
+    let cur = expr;
+    while (cur && (isNode(cur, 'NameValueExpression') || isNode(cur, 'FunctionCallOptions'))) {
+        cur = cur.expression;
+    }
+    return cur;
+}
+function expressionText(node) {
+    if (!node || typeof node !== 'object')
+        return '';
+    if (isNode(node, 'Identifier'))
+        return getName(node);
+    if (isNode(node, 'MemberAccess'))
+        return `${expressionText(node.expression)}.${node.memberName || ''}`;
+    if (isNode(node, 'IndexAccess'))
+        return `${expressionText(node.base || node.baseExpression)}[${expressionText(node.index || node.indexExpression)}]`;
+    if (isNode(node, 'FunctionCall'))
+        return `${expressionText(node.expression)}(${arrayOf(node.arguments).map(expressionText).join(',')})`;
+    if (isNode(node, 'NameValueExpression') || isNode(node, 'FunctionCallOptions'))
+        return expressionText(node.expression);
+    if (isNode(node, 'UnaryOperation'))
+        return `${node.operator || ''}${expressionText(node.subExpression)}`;
+    if (isNode(node, 'BinaryOperation'))
+        return `${expressionText(node.left)}${node.operator || ''}${expressionText(node.right)}`;
+    if (isNode(node, 'NumberLiteral') || isNode(node, 'Literal') || isNode(node, 'StringLiteral') || isNode(node, 'BooleanLiteral')) {
+        return String(node.number ?? node.value ?? '');
+    }
+    return childNodes(node).map(expressionText).join(' ');
+}
+function typeText(node) {
+    if (!node || typeof node !== 'object')
+        return '';
+    if (isNode(node, 'UserDefinedTypeName'))
+        return String(node.namePath || node.name || '');
+    if (isNode(node, 'ArrayTypeName'))
+        return typeText(node.baseTypeName);
+    if (isNode(node, 'ElementaryTypeName'))
+        return String(node.name || '');
+    return childNodes(node).map(typeText).join(' ');
+}
+function locOf(node) {
+    const info = (0, ast_1.tryLoc)(node);
+    if (info)
+        return { line: info.line || 1, column: info.column };
+    return { line: 1, column: 0 };
+}
+function arrayOf(value) {
+    return Array.isArray(value) ? value : [];
+}
+function getName(node) {
+    return String(node?.name || '');
+}
+function isNode(node, kind) {
+    return node?.type === kind || node?.nodeType === kind;
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const child of childNodes(node))
+        walk(child, visit);
+}
+function walkWithIfContext(node, insideIf, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node, insideIf);
+    const childInsideIf = insideIf || isNode(node, 'IfStatement');
+    for (const child of childNodes(node))
+        walkWithIfContext(child, childInsideIf, visit);
+}
+function childNodes(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const out = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'range')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value)
+                if (item && typeof item === 'object')
+                    out.push(item);
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+//# sourceMappingURL=zksync-batch-validation.js.map

package/dist/detectors/zksync-era-rollup-state-update.d.ts

@@ -0,0 +1,60 @@
+import type { ScanResult } from '../index';
+export declare class ZksyncEraRollupStateUpdateDetector {
+    readonly id = "zksync-era-rollup-state-update";
+    readonly patternKey = "zksync-era-rollup-state-update";
+    readonly supportedAstKinds: "parser"[];
+    private currentFile;
+    private findings;
+    private visitIndex;
+    private parentStack;
+    private currentFunction;
+    private isRollupFunction;
+    private hasBarrier;
+    private barrierIndex;
+    private hasUnenforcedBarrier;
+    private mutations;
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "high";
+    };
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    private nextIndex;
+    FunctionDefinition(node: any): void;
+    FunctionDefinition_post(node: any): void;
+    BinaryOperation(node: any): void;
+    BinaryOperation_post(node: any): void;
+    FunctionCall(node: any): void;
+    FunctionCall_post(node: any): void;
+    RevertStatement(node: any): void;
+    ThrowStatement(node: any): void;
+    ExpressionStatement(node: any): void;
+    ExpressionStatement_post(node: any): void;
+    IfStatement(node: any): void;
+    IfStatement_post(node: any): void;
+    UnaryOperation(node: any): void;
+    UnaryOperation_post(node: any): void;
+    VariableDeclarationStatement(node: any): void;
+    VariableDeclarationStatement_post(node: any): void;
+    ReturnStatement(node: any): void;
+    ReturnStatement_post(node: any): void;
+    Block(node: any): void;
+    Block_post(node: any): void;
+    TupleExpression(node: any): void;
+    TupleExpression_post(node: any): void;
+    private isEnforcedValidation;
+    private unconditionallyReverts;
+    private containsNode;
+    private isRollupShapedFunction;
+    private hasValidationModifier;
+    private extractModifierName;
+    private isBarrierCall;
+    private isValidationName;
+    private isImplicitProofBarrierName;
+    private getDirectCallName;
+    private isRollupShapedStorageNode;
+    private isRollupShapedStorageName;
+    private makeFinding;
+}