@snovon/solast 0.2.0

package/dist/semantic/eog.js

@@ -0,0 +1,545 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildReadOnlyReentrancyEog = buildReadOnlyReentrancyEog;
+const INTERNAL_CALLS = new Set([
+    'require',
+    'assert',
+    'revert',
+    'keccak256',
+    'sha256',
+    'ripemd160',
+    'ecrecover',
+    'addmod',
+    'mulmod',
+    'selfdestruct',
+    'suicide',
+]);
+function buildReadOnlyReentrancyEog(ast) {
+    const contracts = collectContracts(ast);
+    inlineInternalCalls(contracts);
+    const readSurfaces = collectReadSurfaces(contracts);
+    const subgraphs = [];
+    for (const contract of contracts) {
+        const sameContractSurfaces = readSurfaces.filter(surface => surface.contract === contract.name && !surface.viaDelegatecall);
+        for (const fn of contract.functions) {
+            for (const call of fn.externalCalls) {
+                const writesAfterCall = fn.storageAccesses.filter(access => access.kind === 'write' && access.order > call.order);
+                for (const write of writesAfterCall) {
+                    let surfaces = call.kind === 'delegatecall'
+                        ? readSurfaces.filter(surface => surface.slots.includes(write.slot))
+                        : sameContractSurfaces.filter(surface => surface.slots.includes(write.slot));
+                    if (call.kind === 'delegatecall' && surfaces.some(surface => surface.contract !== fn.contract)) {
+                        surfaces = surfaces.filter(surface => surface.contract !== fn.contract);
+                    }
+                    for (const readSurface of surfaces) {
+                        subgraphs.push({
+                            writer: fn,
+                            call,
+                            postCallWrite: write,
+                            readSurface: {
+                                ...readSurface,
+                                viaDelegatecall: call.kind === 'delegatecall' && readSurface.contract !== fn.contract,
+                            },
+                            slot: write.slot,
+                        });
+                    }
+                }
+            }
+        }
+    }
+    return subgraphs;
+}
+function collectContracts(ast) {
+    const contracts = [];
+    const sourceUnits = ast?.children || ast?.subNodes || [];
+    const sourceContext = {
+        libraryFunctions: new Map(),
+    };
+    for (const node of sourceUnits) {
+        if (node?.type !== 'ContractDefinition' || node.kind !== 'library')
+            continue;
+        const functions = new Set();
+        for (const subNode of node.subNodes || []) {
+            if (subNode?.type === 'FunctionDefinition' && subNode.name) {
+                functions.add(subNode.name);
+            }
+        }
+        sourceContext.libraryFunctions.set(node.name || '', functions);
+    }
+    for (const node of sourceUnits) {
+        if (node?.type !== 'ContractDefinition')
+            continue;
+        const contract = {
+            name: node.name || '<anonymous>',
+            stateVariables: new Set(),
+            stateVariableTypes: new Map(),
+            usingForDeclarations: collectUsingForDeclarations(node, sourceContext),
+            functions: [],
+        };
+        for (const subNode of node.subNodes || []) {
+            if (subNode?.type !== 'StateVariableDeclaration')
+                continue;
+            for (const variable of subNode.variables || []) {
+                if (variable?.name)
+                    contract.stateVariables.add(variable.name);
+                if (variable?.name)
+                    contract.stateVariableTypes.set(variable.name, variable.typeName);
+            }
+        }
+        for (const subNode of node.subNodes || []) {
+            if (subNode?.type === 'FunctionDefinition') {
+                contract.functions.push(summarizeFunction(subNode, contract));
+            }
+        }
+        contracts.push(contract);
+    }
+    return contracts;
+}
+function collectReadSurfaces(contracts) {
+    const surfaces = [];
+    for (const contract of contracts) {
+        for (const fn of contract.functions) {
+            const readSlots = unique(fn.storageAccesses
+                .filter(access => access.kind === 'read')
+                .map(access => access.slot));
+            if (readSlots.length === 0)
+                continue;
+            if (isPublicView(fn)) {
+                surfaces.push({
+                    contract: contract.name,
+                    functionName: fn.name,
+                    slots: readSlots,
+                    modifiers: fn.modifiers,
+                    line: fn.line,
+                    column: fn.column,
+                    viaDelegatecall: false,
+                });
+            }
+            else if (fn.externalCalls.length > 0) {
+                surfaces.push({
+                    contract: contract.name,
+                    functionName: fn.name,
+                    slots: readSlots,
+                    modifiers: fn.modifiers,
+                    line: fn.line,
+                    column: fn.column,
+                    viaDelegatecall: true,
+                });
+            }
+        }
+    }
+    return surfaces;
+}
+function collectUsingForDeclarations(contractNode, sourceContext) {
+    const declarations = [];
+    for (const subNode of contractNode.subNodes || []) {
+        if (subNode?.type !== 'UsingForDeclaration')
+            continue;
+        const libraryName = String(subNode.libraryName || '');
+        if (!libraryName)
+            continue;
+        declarations.push({
+            typeName: typeNameToString(subNode.typeName),
+            functions: new Set(sourceContext.libraryFunctions.get(libraryName) || []),
+        });
+    }
+    return declarations;
+}
+function summarizeFunction(node, contract) {
+    let order = 0;
+    const localVariables = new Set();
+    const localVariableTypes = new Map();
+    const externalCalls = [];
+    const storageAccesses = [];
+    const internalCalls = [];
+    for (const parameter of node.parameters || []) {
+        if (parameter?.name)
+            localVariables.add(parameter.name);
+        if (parameter?.name)
+            localVariableTypes.set(parameter.name, parameter.typeName);
+    }
+    for (const parameter of node.returnParameters || []) {
+        if (parameter?.name)
+            localVariables.add(parameter.name);
+        if (parameter?.name)
+            localVariableTypes.set(parameter.name, parameter.typeName);
+    }
+    const summary = {
+        contract: contract.name,
+        name: node.name || '<anonymous>',
+        visibility: node.visibility || '',
+        stateMutability: node.stateMutability || '',
+        modifiers: getModifiers(node),
+        line: node.loc?.start?.line || 0,
+        column: node.loc?.start?.column || 0,
+        externalCalls,
+        storageAccesses,
+        internalCalls,
+    };
+    function nextOrder() {
+        order += 1;
+        return order;
+    }
+    function visitStatement(statement) {
+        if (!statement || typeof statement !== 'object')
+            return;
+        if (statement.type === 'VariableDeclarationStatement') {
+            for (const variable of statement.variables || []) {
+                if (variable?.name)
+                    localVariables.add(variable.name);
+                if (variable?.name)
+                    localVariableTypes.set(variable.name, variable.typeName);
+            }
+            visitExpression(statement.initialValue, statement.loc);
+            return;
+        }
+        if (statement.type === 'ExpressionStatement') {
+            visitExpression(statement.expression, statement.loc);
+            return;
+        }
+        if (statement.type === 'ReturnStatement') {
+            visitExpression(statement.expression, statement.loc);
+            return;
+        }
+        if (statement.type === 'IfStatement') {
+            visitExpression(statement.condition, statement.loc);
+            visitStatement(statement.trueBody);
+            visitStatement(statement.falseBody);
+            return;
+        }
+        if (statement.type === 'ForStatement') {
+            visitStatement(statement.initExpression);
+            visitExpression(statement.conditionExpression, statement.loc);
+            visitExpression(statement.loopExpression, statement.loc);
+            visitStatement(statement.body);
+            return;
+        }
+        if (statement.type === 'WhileStatement') {
+            visitExpression(statement.condition, statement.loc);
+            visitStatement(statement.body);
+            return;
+        }
+        if (statement.type === 'Block') {
+            for (const child of statement.statements || [])
+                visitStatement(child);
+            return;
+        }
+        traverseChildren(statement, child => {
+            if (child?.type && child.type.endsWith('Statement'))
+                visitStatement(child);
+        });
+    }
+    function visitExpression(expr, fallbackLoc, writeContext = false) {
+        if (!expr || typeof expr !== 'object')
+            return;
+        const externalKind = getExternalCallKind(expr, contract, localVariables, localVariableTypes);
+        if (externalKind) {
+            externalCalls.push({
+                kind: externalKind,
+                line: expr.loc?.start?.line || fallbackLoc?.start?.line || 0,
+                column: expr.loc?.start?.column || fallbackLoc?.start?.column || 0,
+                order: nextOrder(),
+                expression: expr,
+            });
+        }
+        const internalCallName = getInternalCallName(expr);
+        if (internalCallName) {
+            internalCalls.push({
+                name: internalCallName,
+                line: expr.loc?.start?.line || fallbackLoc?.start?.line || 0,
+                column: expr.loc?.start?.column || fallbackLoc?.start?.column || 0,
+                order: nextOrder(),
+            });
+        }
+        if (expr.type === 'BinaryOperation' && isAssignmentOperator(expr.operator)) {
+            if (expr.operator !== '=') {
+                recordStorageAccess(expr.left, 'read', fallbackLoc);
+            }
+            visitExpression(expr.right, fallbackLoc);
+            recordStorageAccess(expr.left, 'write', fallbackLoc);
+            return;
+        }
+        if (expr.type === 'UnaryOperation' && (expr.operator === '++' || expr.operator === '--')) {
+            recordStorageAccess(expr.subExpression, 'write', fallbackLoc);
+            return;
+        }
+        const slot = resolveStateSlot(expr);
+        if (slot && !writeContext) {
+            storageAccesses.push({
+                kind: 'read',
+                slot,
+                line: expr.loc?.start?.line || fallbackLoc?.start?.line || 0,
+                column: expr.loc?.start?.column || fallbackLoc?.start?.column || 0,
+                order: nextOrder(),
+                expression: expr,
+            });
+        }
+        for (const child of expressionChildren(expr)) {
+            visitExpression(child, fallbackLoc);
+        }
+    }
+    function recordStorageAccess(expr, kind, fallbackLoc) {
+        const slot = resolveStateSlot(expr);
+        if (!slot) {
+            visitExpression(expr, fallbackLoc, kind === 'write');
+            return;
+        }
+        storageAccesses.push({
+            kind,
+            slot,
+            line: expr.loc?.start?.line || fallbackLoc?.start?.line || 0,
+            column: expr.loc?.start?.column || fallbackLoc?.start?.column || 0,
+            order: nextOrder(),
+            expression: expr,
+        });
+    }
+    function resolveStateSlot(expr) {
+        if (!expr || typeof expr !== 'object')
+            return null;
+        if (expr.type === 'Identifier') {
+            return contract.stateVariables.has(expr.name) && !localVariables.has(expr.name)
+                ? expr.name
+                : null;
+        }
+        if (expr.type === 'IndexAccess') {
+            return resolveStateSlot(expr.base);
+        }
+        if (expr.type === 'MemberAccess') {
+            if (expr.expression?.type === 'Identifier' && expr.expression.name === 'this') {
+                return contract.stateVariables.has(expr.memberName) ? expr.memberName : null;
+            }
+            return resolveStateSlot(expr.expression);
+        }
+        return null;
+    }
+    visitStatement(node.body);
+    return summary;
+}
+function getExternalCallKind(expr, contract, localVariables, localVariableTypes) {
+    if (!expr || expr.type !== 'FunctionCall')
+        return null;
+    let callee = expr.expression;
+    if (callee?.type === 'NameValueExpression')
+        callee = callee.expression;
+    if (callee?.type !== 'MemberAccess')
+        return null;
+    const member = String(callee.memberName || '').toLowerCase();
+    if (member === 'call' || member === 'delegatecall' || member === 'staticcall' || member === 'send' || member === 'transfer') {
+        return member;
+    }
+    if (member === 'encode' || member === 'encodewithsignature' || member === 'encodewithselector' || member === 'decode') {
+        return null;
+    }
+    if (callee.expression?.type === 'Identifier' && callee.expression.name === 'abi') {
+        return null;
+    }
+    if (isLibraryFunction(callee, contract, localVariables, localVariableTypes)) {
+        return null;
+    }
+    return 'external';
+}
+function isLibraryFunction(node, contract, localVariables, localVariableTypes) {
+    if (!node || node.type !== 'MemberAccess')
+        return false;
+    const memberName = String(node.memberName || '');
+    if (!memberName)
+        return false;
+    const receiverRoot = getReceiverRoot(node.expression);
+    if (!receiverRoot)
+        return false;
+    const receiverType = inferExpressionType(node.expression, contract, localVariableTypes);
+    if (!receiverType)
+        return false;
+    const rootIsState = receiverRoot.type === 'Identifier' && contract.stateVariables.has(receiverRoot.name) && !localVariables.has(receiverRoot.name);
+    const rootIsLocal = receiverRoot.type === 'Identifier' && localVariables.has(receiverRoot.name);
+    if (!rootIsState && !rootIsLocal)
+        return false;
+    const receiverTypeName = typeNameToString(receiverType);
+    if (!receiverTypeName)
+        return false;
+    return contract.usingForDeclarations.some(declaration => {
+        if (declaration.typeName && !typesMatch(declaration.typeName, receiverTypeName))
+            return false;
+        return declaration.functions.has(memberName);
+    });
+}
+function getReceiverRoot(expr) {
+    if (!expr || typeof expr !== 'object')
+        return null;
+    if (expr.type === 'Identifier')
+        return expr;
+    if (expr.type === 'IndexAccess')
+        return getReceiverRoot(expr.base);
+    if (expr.type === 'MemberAccess')
+        return getReceiverRoot(expr.expression);
+    return null;
+}
+function inferExpressionType(expr, contract, localVariableTypes) {
+    if (!expr || typeof expr !== 'object')
+        return null;
+    if (expr.type === 'Identifier') {
+        return localVariableTypes.get(expr.name) || contract.stateVariableTypes.get(expr.name) || null;
+    }
+    if (expr.type === 'IndexAccess') {
+        const baseType = inferExpressionType(expr.base, contract, localVariableTypes);
+        return baseType?.type === 'Mapping' ? baseType.valueType : null;
+    }
+    if (expr.type === 'MemberAccess' && expr.expression?.type === 'Identifier' && expr.expression.name === 'this') {
+        return contract.stateVariableTypes.get(expr.memberName) || null;
+    }
+    return null;
+}
+function typeNameToString(typeName) {
+    if (!typeName || typeof typeName !== 'object')
+        return null;
+    if (typeName.type === 'ElementaryTypeName') {
+        return normalizeTypeName(typeName.name);
+    }
+    if (typeName.type === 'UserDefinedTypeName') {
+        return normalizeTypeName(typeName.namePath || typeName.name);
+    }
+    return null;
+}
+function normalizeTypeName(typeName) {
+    if (!typeName)
+        return null;
+    return typeName === 'uint' ? 'uint256' : typeName;
+}
+function typesMatch(left, right) {
+    return normalizeTypeName(left) === normalizeTypeName(right);
+}
+function getInternalCallName(expr) {
+    if (!expr || expr.type !== 'FunctionCall')
+        return null;
+    const callee = expr.expression;
+    if (!callee || callee.type !== 'Identifier')
+        return null;
+    const name = callee.name;
+    if (!name || INTERNAL_CALLS.has(name))
+        return null;
+    return name;
+}
+const MAX_INLINE_DEPTH = 8;
+function inlineInternalCalls(contracts) {
+    for (const contract of contracts) {
+        const fnMap = new Map();
+        for (const fn of contract.functions) {
+            if (!fnMap.has(fn.name))
+                fnMap.set(fn.name, fn);
+        }
+        const expanded = new Map();
+        for (const fn of contract.functions) {
+            const counter = { value: 0 };
+            const events = expandFunctionEvents(fn, fnMap, new Set([fn.name]), counter, 0);
+            expanded.set(fn, events);
+        }
+        for (const fn of contract.functions) {
+            const events = expanded.get(fn);
+            if (!events)
+                continue;
+            fn.externalCalls.length = 0;
+            fn.externalCalls.push(...events.externalCalls);
+            fn.storageAccesses.length = 0;
+            fn.storageAccesses.push(...events.storageAccesses);
+        }
+    }
+}
+function expandFunctionEvents(fn, fnMap, visited, counter, depth) {
+    const externalCalls = [];
+    const storageAccesses = [];
+    const events = [
+        ...fn.externalCalls.map(node => ({ kind: 'external', node })),
+        ...fn.storageAccesses.map(node => ({ kind: 'storage', node })),
+        ...(fn.internalCalls || []).map(node => ({ kind: 'internal', node })),
+    ].sort((a, b) => a.node.order - b.node.order);
+    for (const event of events) {
+        if (event.kind === 'external') {
+            counter.value += 1;
+            externalCalls.push({ ...event.node, order: counter.value });
+            continue;
+        }
+        if (event.kind === 'storage') {
+            counter.value += 1;
+            storageAccesses.push({ ...event.node, order: counter.value });
+            continue;
+        }
+        if (depth >= MAX_INLINE_DEPTH)
+            continue;
+        const callee = fnMap.get(event.node.name);
+        if (!callee)
+            continue;
+        if (visited.has(callee.name))
+            continue;
+        visited.add(callee.name);
+        const sub = expandFunctionEvents(callee, fnMap, visited, counter, depth + 1);
+        visited.delete(callee.name);
+        externalCalls.push(...sub.externalCalls);
+        storageAccesses.push(...sub.storageAccesses);
+    }
+    return { externalCalls, storageAccesses };
+}
+function expressionChildren(expr) {
+    const children = [];
+    for (const key of ['expression', 'left', 'right', 'subExpression', 'base', 'index', 'initialValue', 'arguments', 'components']) {
+        const value = expr[key];
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    children.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            children.push(value);
+        }
+    }
+    return children;
+}
+function traverseChildren(node, callback) {
+    if (!node || typeof node !== 'object')
+        return;
+    for (const value of Object.values(node)) {
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    callback(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            callback(value);
+        }
+    }
+}
+function getModifiers(node) {
+    return (node.modifiers || [])
+        .map((modifier) => getNodeName(modifier).toLowerCase())
+        .filter((name) => name.length > 0);
+}
+function getNodeName(node) {
+    if (!node)
+        return '';
+    if (typeof node === 'string')
+        return node;
+    if (node.name)
+        return getNodeName(node.name);
+    if (node.type === 'Identifier')
+        return node.name || '';
+    if (node.type === 'ModifierInvocation')
+        return getNodeName(node.name);
+    if (node.type === 'MemberAccess')
+        return node.memberName || '';
+    return '';
+}
+function isAssignmentOperator(operator) {
+    return ['=', '+=', '-=', '*=', '/=', '%=', '&=', '|=', '^=', '<<=', '>>=', '>>>='].includes(operator);
+}
+function isPublicView(fn) {
+    const visibility = fn.visibility || 'public';
+    const inferredViewName = /^(get|preview|quote|current|shareValue|totalAssets|accountLiquidity)/i.test(fn.name);
+    const hasNoMutatingShape = fn.externalCalls.length === 0 && fn.storageAccesses.every(access => access.kind !== 'write');
+    return (visibility === 'public' || visibility === 'external') &&
+        (fn.stateMutability === 'view' || fn.stateMutability === 'pure' || (inferredViewName && hasNoMutatingShape));
+}
+function unique(values) {
+    return [...new Set(values)].sort((a, b) => a.localeCompare(b));
+}
+//# sourceMappingURL=eog.js.map

package/dist/semantic/imports.d.ts

@@ -0,0 +1,88 @@
+/**
+ * Solidity import resolution.
+ *
+ * Solidity supports three import forms (per the language docs at
+ * https://docs.soliditylang.org/en/latest/layout-of-source-files.html):
+ *
+ *   1. `import "x";`                              — glob; merges all of x's symbols.
+ *   2. `import "x" as X;`                         — namespace; X.Foo references x's Foo.
+ *   3. `import {A, B as C} from "x";`             — named; optionally renamed.
+ *
+ * (ES-style `import * as X from "x";` is NOT valid Solidity — the spec
+ * docstring for SemanticModel calls this out explicitly because external
+ * reviewers commonly conflate them.)
+ *
+ * This module:
+ *   - Parses `ImportDirective` nodes into `ImportInfo` records.
+ *   - Resolves the raw path to an absolute path using the policy from
+ *     the spec: relative paths against importer dir; project paths via
+ *     remappings → node_modules → projectRoot fallback.
+ *   - Builds per-source-unit `visibleSymbols` maps so detector queries
+ *     like `resolveContract(fromPath, "Base")` can find a contract that
+ *     was imported (possibly under an alias) from another file.
+ *
+ * Lenient by design: unresolved imports emit a diagnostic but the rest
+ * of the model continues to work. Per-file detector behaviour falls
+ * back when cross-file lookups return undefined.
+ */
+import type { ImportInfo, SourceUnitInfo, ExportedSymbol, SymbolName, SourcePath, ContractInfo } from './types';
+import { SemanticDiagnostic } from './diagnostics';
+export interface ImportResolutionContext {
+    /** Absolute project root used as the base for non-relative paths. */
+    projectRoot: string;
+    /** Foundry-style path remappings (`@oz/=lib/openzeppelin/contracts/`). */
+    remappings: Array<{
+        from: string;
+        to: string;
+    }>;
+    /**
+     * Async-ish file existence check; injectable for tests. The model
+     * itself only calls this synchronously; tests can supply a stub that
+     * recognises a fixed set of paths without touching the filesystem.
+     */
+    fileExists(absPath: string): boolean;
+}
+/**
+ * Read the three import forms from a single `ImportDirective` AST node.
+ * Returns `null` if the node doesn't look like a real import (defensive
+ * — the parser shouldn't emit those, but we don't want to crash if it
+ * does).
+ */
+export declare function readImportDirective(node: any): ImportInfo | null;
+/**
+ * Resolve a raw import path against the importer's directory and the
+ * project root. Returns the absolute path on success or `undefined`.
+ *
+ * Policy:
+ *   - Relative path (starts with `.` or `..`): normalise against
+ *     importer directory.
+ *   - Project path: check `remappings` first (longest-prefix match wins),
+ *     then `node_modules/` under projectRoot, then projectRoot itself.
+ *
+ * The model is lenient: a path that resolves to a non-existent file
+ * still returns the resolved string (so detectors / diagnostics know
+ * what we tried). Callers should check `fileExists` themselves before
+ * treating the path as authoritative.
+ */
+export declare function resolveImportPath(rawPath: string, importerPath: string, ctx: ImportResolutionContext): string | undefined;
+/**
+ * Build the `visibleSymbols` map for a source unit: the set of contract
+ * names a detector working inside this file can reference, mapped to
+ * the actual `ContractInfo` the name resolves to.
+ *
+ * Three rules:
+ *   - Local declarations (contracts/libraries/interfaces in this file)
+ *     are always visible by their own name.
+ *   - `import "x";`            (glob)     → every export of x is visible by its export-name.
+ *   - `import "x" as X;`       (namespace) → `X.Foo` notation; for now we expose `X` as
+ *     a synthetic symbol pointing at the FIRST exported contract; detectors needing
+ *     full member access should consult `imports[i].resolvedPath` and re-resolve.
+ *     This is a known v1 limitation documented in the spec.
+ *   - `import {A, B as C} from "x";` (named) → each local name maps to the export.
+ *
+ * Diagnostics:
+ *   - `unresolved-import`: path didn't resolve to a parsed source unit.
+ *   - `unresolved-symbol`: a `named` import asks for an export the
+ *     source unit doesn't have.
+ */
+export declare function buildVisibleSymbols(sourceUnit: SourceUnitInfo, parsedSourceUnits: Map<SourcePath, SourceUnitInfo>, contractsByExporter: Map<SourcePath, Map<SymbolName, ContractInfo>>, diagnostics: SemanticDiagnostic[]): Map<SymbolName, ExportedSymbol>;