@snovon/solast 0.2.0

package/dist/detectors/bridge-business-logic-flaw-incorrect-acc.js

@@ -0,0 +1,394 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BridgeBusinessLogicFlawIncorrectAccDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'bridge-business-logic-flaw-incorrect-acc';
+const PATTERN = `${RULE_ID}/zero-root-accepted-root-check`;
+const SOURCE = 'x-20220802-nomad-bridge-business-logic-flaw-incorrect-acceptable-merkle-root-checks';
+const BRIDGE_ENTRY_RE = /^(process|handle|execute|withdraw|release|unlock|redeem|exit|finaliz)/i;
+const ACCEPTABLE_ROOT_RE = /^(acceptableRoot|isRootAcceptable|rootAcceptable)$/i;
+const TIME_ROOT_NAMES = new Set(['confirmAt', 'confirmedAt', 'rootConfirmedAt']);
+const ZERO_TYPE_NAMES = new Set(['bytes32', 'uint256', 'uint', 'address']);
+class BridgeBusinessLogicFlawIncorrectAccDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'Bridge message processing accepts a storage-default zero root through an acceptable-root check.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'critical',
+        help: 'Reject bytes32(0) or require explicit proof/message existence before accepting storage-derived roots through optimistic root timestamp gates.',
+    };
+    currentFile = '';
+    currentContract = null;
+    stateVars = new Set();
+    findings = [];
+    setFile(file) {
+        this.currentFile = file;
+        this.currentContract = null;
+        this.stateVars = new Set();
+        this.findings = [];
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        this.currentContract = node?.kind === 'interface' || node?.kind === 'library' ? null : node;
+        this.stateVars = new Set();
+    }
+    ContractDefinition_post(node) {
+        if (this.currentContract === node) {
+            this.currentContract = null;
+            this.stateVars = new Set();
+        }
+    }
+    ['ContractDefinition:exit'](node) {
+        this.ContractDefinition_post(node);
+    }
+    StateVariableDeclaration(node) {
+        if (!this.currentContract)
+            return;
+        for (const variable of node?.variables || []) {
+            if (typeof variable?.name === 'string' && variable.name)
+                this.stateVars.add(variable.name);
+        }
+    }
+    FunctionDefinition(node) {
+        if (!this.currentContract || !node?.body)
+            return;
+        if (!this.isExternallyReachable(node))
+            return;
+        const fnName = String(node.name || '');
+        if (!BRIDGE_ENTRY_RE.test(fnName))
+            return;
+        const result = this.findCandidates(node.body);
+        const selected = result.candidates.find(candidate => !this.isCandidateGuarded(candidate, node.body, result.rootAliases));
+        if (!selected)
+            return;
+        const loc = (0, ast_1.assertLoc)(selected.node, node);
+        const contractName = this.currentContract.name || '<anonymous>';
+        this.findings.push({
+            file: this.currentFile,
+            contract: contractName,
+            'function': fnName,
+            contractName,
+            functionName: fnName,
+            line: loc.line,
+            endLine: loc.endLine,
+            column: loc.column,
+            endColumn: loc.endColumn,
+            sourceLocation: { line: loc.line, column: loc.column },
+            ruleId: RULE_ID,
+            pattern: PATTERN,
+            severity: 'critical',
+            confidence: 'high',
+            category: 'vulnerability',
+            message: `Bridge message processing in '${contractName}.${fnName}' accepts a storage-derived root without rejecting the default zero root.`,
+            rationale: 'Nomad-style bridge processing can treat an unproven message as valid when a storage mapping returns bytes32(0) and that root is accepted by an optimistic root timestamp check.',
+            suggestedFix: 'Reject bytes32(0) for the message root, or require explicit message/proof existence before calling acceptableRoot or checking confirmAt[root].',
+            findingId: '',
+            contractHash: '',
+            source: SOURCE,
+            provenance: SOURCE,
+        });
+    }
+    isExternallyReachable(fn) {
+        const visibility = String(fn.visibility || '').toLowerCase();
+        return visibility === 'public' || visibility === 'external' || visibility === 'default';
+    }
+    findCandidates(body) {
+        const rootAliases = new Map();
+        const storageStructAliases = new Set();
+        const timeAliases = new Map();
+        this.walk(body, (node) => {
+            if ((0, ast_1.isNode)(node, 'VariableDeclarationStatement')) {
+                const init = node.initialValue;
+                for (const variable of node.variables || []) {
+                    const name = typeof variable?.name === 'string' ? variable.name : '';
+                    if (!name || !init)
+                        continue;
+                    const rootSig = this.storageRootSig(init, rootAliases, storageStructAliases);
+                    if (rootSig)
+                        rootAliases.set(name, rootSig);
+                    if (this.isStateIndexAccess(init))
+                        storageStructAliases.add(name);
+                    const timeRoot = this.confirmAtRootSig(init, rootAliases, storageStructAliases);
+                    if (timeRoot)
+                        timeAliases.set(name, timeRoot);
+                }
+            }
+            if ((0, ast_1.isNode)(node, 'ExpressionStatement') && (0, ast_1.isNode)(node.expression, 'BinaryOperation') && node.expression.operator === '=') {
+                const leftName = this.identifierName(node.expression.left);
+                if (!leftName)
+                    return;
+                const rootSig = this.storageRootSig(node.expression.right, rootAliases, storageStructAliases);
+                if (rootSig)
+                    rootAliases.set(leftName, rootSig);
+                if (this.isStateIndexAccess(node.expression.right))
+                    storageStructAliases.add(leftName);
+                const timeRoot = this.confirmAtRootSig(node.expression.right, rootAliases, storageStructAliases);
+                if (timeRoot)
+                    timeAliases.set(leftName, timeRoot);
+            }
+        });
+        const candidates = [];
+        this.walk(body, (node) => {
+            if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+                return;
+            const callee = this.callName(node.expression);
+            const args = node.arguments || [];
+            if (callee === 'require' && args[0]) {
+                const fromCondition = this.acceptedStorageRootSig(args[0], rootAliases, storageStructAliases, timeAliases);
+                if (fromCondition)
+                    candidates.push({ node, rootSig: fromCondition });
+            }
+            else if (ACCEPTABLE_ROOT_RE.test(callee)) {
+                for (const arg of args) {
+                    const rootSig = this.storageRootSig(arg, rootAliases, storageStructAliases);
+                    if (rootSig)
+                        candidates.push({ node, rootSig });
+                }
+            }
+        });
+        this.walk(body, (node) => {
+            if (!(0, ast_1.isNode)(node, 'IfStatement'))
+                return;
+            const rootSig = this.acceptedStorageRootSig(node.condition, rootAliases, storageStructAliases, timeAliases);
+            if (rootSig)
+                candidates.push({ node, rootSig });
+        });
+        return { candidates, rootAliases };
+    }
+    acceptedStorageRootSig(node, rootAliases, storageStructAliases, timeAliases) {
+        let rootSig = null;
+        this.walk(node, (child) => {
+            if (rootSig)
+                return;
+            const direct = this.confirmAtRootSig(child, rootAliases, storageStructAliases);
+            if (direct && this.containsTimestampGate(node))
+                rootSig = direct;
+            if ((0, ast_1.isNode)(child, 'Identifier')) {
+                const fromTime = timeAliases.get(child.name);
+                if (fromTime && this.containsTimestampGate(node))
+                    rootSig = fromTime;
+            }
+            if ((0, ast_1.isNode)(child, 'FunctionCall') && ACCEPTABLE_ROOT_RE.test(this.callName(child.expression))) {
+                for (const arg of child.arguments || []) {
+                    const fromArg = this.storageRootSig(arg, rootAliases, storageStructAliases);
+                    if (fromArg) {
+                        rootSig = fromArg;
+                        return;
+                    }
+                }
+            }
+        });
+        return rootSig;
+    }
+    isCandidateGuarded(candidate, body, rootAliases) {
+        if (!body)
+            return false;
+        const statements = body.statements || [];
+        for (const stmt of statements) {
+            if (this.containsNode(stmt, candidate.node)) {
+                return this.isPathTerminatingZeroRootGuard(stmt, candidate.rootSig, rootAliases);
+            }
+            if (this.isPathTerminatingZeroRootGuard(stmt, candidate.rootSig, rootAliases)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    isPathTerminatingZeroRootGuard(stmt, rootSig, rootAliases) {
+        if (!stmt)
+            return false;
+        if ((0, ast_1.isNode)(stmt, 'ExpressionStatement') && (0, ast_1.isNode)(stmt.expression, 'FunctionCall')) {
+            const callee = this.callName(stmt.expression.expression);
+            if (callee === 'require' || callee === 'assert') {
+                const args = stmt.expression.arguments || [];
+                if (args[0] && this.conditionRejectsZeroRoot(args[0], rootSig, rootAliases, 'require')) {
+                    return true;
+                }
+            }
+        }
+        if ((0, ast_1.isNode)(stmt, 'IfStatement')) {
+            if (this.conditionRejectsZeroRoot(stmt.condition, rootSig, rootAliases, 'if') &&
+                this.branchTerminates(stmt.trueBody)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    conditionRejectsZeroRoot(cond, rootSig, rootAliases, mode) {
+        const targetOp = mode === 'require' ? '!=' : '==';
+        const chainOp = mode === 'require' ? '&&' : '||';
+        for (const clause of this.flattenChain(cond, chainOp)) {
+            if (!(0, ast_1.isNode)(clause, 'BinaryOperation') || clause.operator !== targetOp)
+                continue;
+            if (this.isZeroLiteral(clause.left) && this.matchesRoot(clause.right, rootSig, rootAliases))
+                return true;
+            if (this.isZeroLiteral(clause.right) && this.matchesRoot(clause.left, rootSig, rootAliases))
+                return true;
+        }
+        return false;
+    }
+    flattenChain(node, op) {
+        if ((0, ast_1.isNode)(node, 'BinaryOperation') && node.operator === op) {
+            return [...this.flattenChain(node.left, op), ...this.flattenChain(node.right, op)];
+        }
+        return [node];
+    }
+    matchesRoot(expr, rootSig, rootAliases) {
+        const sig = this.exprSig(expr);
+        if (!sig)
+            return false;
+        if (sig === rootSig)
+            return true;
+        const aliased = rootAliases.get(sig);
+        return !!aliased && aliased === rootSig;
+    }
+    branchTerminates(node) {
+        if (!node)
+            return false;
+        if ((0, ast_1.isNode)(node, 'Block')) {
+            const stmts = node.statements || [];
+            return stmts.some((s) => this.branchTerminates(s));
+        }
+        if ((0, ast_1.isNode)(node, 'ReturnStatement'))
+            return true;
+        if ((0, ast_1.isNode)(node, 'ThrowStatement'))
+            return true;
+        if ((0, ast_1.isNode)(node, 'RevertStatement'))
+            return true;
+        if ((0, ast_1.isNode)(node, 'BreakStatement'))
+            return true;
+        if ((0, ast_1.isNode)(node, 'ContinueStatement'))
+            return true;
+        if ((0, ast_1.isNode)(node, 'ExpressionStatement') && (0, ast_1.isNode)(node.expression, 'FunctionCall')) {
+            const callee = this.callName(node.expression.expression);
+            return callee === 'revert' || callee === 'assert';
+        }
+        return false;
+    }
+    containsNode(haystack, needle) {
+        if (haystack === needle)
+            return true;
+        if (!haystack || typeof haystack !== 'object')
+            return false;
+        for (const value of Object.values(haystack)) {
+            if (!value)
+                continue;
+            if (Array.isArray(value)) {
+                for (const item of value) {
+                    if (this.containsNode(item, needle))
+                        return true;
+                }
+            }
+            else if (typeof value === 'object' && typeof value.type === 'string') {
+                if (this.containsNode(value, needle))
+                    return true;
+            }
+        }
+        return false;
+    }
+    confirmAtRootSig(node, rootAliases, storageStructAliases) {
+        if (!(0, ast_1.isNode)(node, 'IndexAccess'))
+            return null;
+        const base = this.exprSig(node.base);
+        if (!base || !TIME_ROOT_NAMES.has(base))
+            return null;
+        return this.storageRootSig(node.index, rootAliases, storageStructAliases);
+    }
+    storageRootSig(node, rootAliases, storageStructAliases) {
+        const sig = this.exprSig(node);
+        if (sig && rootAliases.has(sig))
+            return rootAliases.get(sig);
+        if ((0, ast_1.isNode)(node, 'IndexAccess') && this.isStateIndexAccess(node)) {
+            const base = this.exprSig(node.base);
+            return base ? `${base}[*]` : null;
+        }
+        if ((0, ast_1.isNode)(node, 'MemberAccess')) {
+            const baseName = this.exprSig(node.expression);
+            if (baseName && storageStructAliases.has(baseName))
+                return `${baseName}.${node.memberName || '*'}`;
+        }
+        return null;
+    }
+    isStateIndexAccess(node) {
+        if (!(0, ast_1.isNode)(node, 'IndexAccess'))
+            return false;
+        const base = this.exprSig(node.base);
+        return !!base && this.stateVars.has(base);
+    }
+    containsTimestampGate(node) {
+        let found = false;
+        this.walk(node, (child) => {
+            if (found || !(0, ast_1.isNode)(child, 'MemberAccess'))
+                return;
+            const expr = this.exprSig(child.expression);
+            if (expr === 'block' && child.memberName === 'timestamp')
+                found = true;
+        });
+        return found;
+    }
+    isZeroLiteral(node) {
+        if (!node)
+            return false;
+        if ((0, ast_1.isNode)(node, 'NumberLiteral') && String(node.number) === '0')
+            return true;
+        if ((0, ast_1.isNode)(node, 'HexNumber') && /^0x0*$/i.test(String(node.value || node.number || '')))
+            return true;
+        if ((0, ast_1.isNode)(node, 'FunctionCall')) {
+            const callee = this.callName(node.expression);
+            return ZERO_TYPE_NAMES.has(callee) && (node.arguments || []).some((arg) => this.isZeroLiteral(arg));
+        }
+        return false;
+    }
+    callName(node) {
+        if ((0, ast_1.isNode)(node, 'Identifier'))
+            return node.name || '';
+        if ((0, ast_1.isNode)(node, 'MemberAccess'))
+            return node.memberName || '';
+        if ((0, ast_1.isNode)(node, 'ElementaryTypeName'))
+            return node.name || '';
+        if ((0, ast_1.isNode)(node, 'ElementaryTypeNameExpression'))
+            return node.typeName?.name || '';
+        return '';
+    }
+    identifierName(node) {
+        return (0, ast_1.isNode)(node, 'Identifier') && typeof node.name === 'string' ? node.name : '';
+    }
+    exprSig(node) {
+        if (!node)
+            return null;
+        if ((0, ast_1.isNode)(node, 'Identifier'))
+            return node.name || null;
+        if ((0, ast_1.isNode)(node, 'MemberAccess')) {
+            const base = this.exprSig(node.expression);
+            return base ? `${base}.${node.memberName || '*'}` : null;
+        }
+        if ((0, ast_1.isNode)(node, 'IndexAccess')) {
+            const base = this.exprSig(node.base);
+            return base ? `${base}[*]` : null;
+        }
+        return null;
+    }
+    walk(node, visit) {
+        if (!node || typeof node !== 'object')
+            return;
+        visit(node);
+        for (const value of Object.values(node)) {
+            if (!value)
+                continue;
+            if (Array.isArray(value)) {
+                for (const item of value)
+                    this.walk(item, visit);
+            }
+            else if (typeof value === 'object' && typeof value.type === 'string') {
+                this.walk(value, visit);
+            }
+        }
+    }
+}
+exports.BridgeBusinessLogicFlawIncorrectAccDetector = BridgeBusinessLogicFlawIncorrectAccDetector;
+//# sourceMappingURL=bridge-business-logic-flaw-incorrect-acc.js.map

package/dist/detectors/bridge-collateral-drain.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class BridgeCollateralDrainDetector {
+    readonly id = "bridge-collateral-drain";
+    readonly patternKey = "bridge-collateral-drain";
+    readonly supportedAstKinds: "parser"[];
+    scanAst(ast: any, file: string): ScanResult[];
+}