@snovon/solast 0.2.0

package/dist/detectors/bridge-missing-message-nonce.d.ts

@@ -0,0 +1,57 @@
+import type { ScanResult } from '../index';
+export declare class BridgeMissingMessageNonceDetector {
+    readonly id = "bridge-missing-message-nonce";
+    readonly patternKey = "bridge-missing-message-nonce";
+    readonly supportedAstKinds: "parser"[];
+    private currentFile;
+    private currentContract;
+    private contracts;
+    private findings;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    SourceUnit(node: any): void;
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(_node: any): void;
+    FunctionDefinition(node: any): void;
+    private collectContractDefinitions;
+    private recordContractInfo;
+    private baseContractNames;
+    private isBridgeMessageHandler;
+    private hasCrossChainMessageData;
+    private isMessageLikeUserDefinedParameter;
+    private isMessageLikeName;
+    private hasSourceOrOriginParameter;
+    private isSourceOrOriginName;
+    private hasBridgeAccessGuard;
+    private isCanonicalBridgeEntrypoint;
+    private containsAccessControlRequireBeforePlaceholder;
+    private containsBridgeSpecificAccessGuardBeforePlaceholder;
+    private containsAccessControlRequire;
+    private containsBridgeSpecificAccessGuard;
+    private isAccessControlRequire;
+    private isBridgeSpecificAccessRequire;
+    private containsBridgePrivilegedReference;
+    private hasReplayProtectionBeforePlaceholder;
+    private walkBody;
+    private walkInternalHelperCall;
+    private resolveFunctionDefinitions;
+    private getInternalHelperCallName;
+    private isAssetRelease;
+    private isRequireOrRevert;
+    private containsPayloadDecode;
+    private isAbiDecodeCall;
+    private replayMarkersInExpression;
+    private replayMarkerKey;
+    private indexAccessBaseName;
+    private indexAccessKeySignature;
+    private hasMessageIdentityEvidence;
+    private isExcludedMarkerName;
+    private expressionSignature;
+    private bodyContainsRevert;
+    private getDirectCallName;
+    private appliedModifierDefinitions;
+    private resolveModifierDefinition;
+    private modifierNames;
+    private walkUntilPlaceholder;
+    private childNodes;
+}

package/dist/detectors/bridge-missing-message-nonce.js

@@ -0,0 +1,638 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BridgeMissingMessageNonceDetector = void 0;
+const ast_1 = require("./_common/ast");
+const access_control_1 = require("./_common/access-control");
+const BRIDGE_PRIVILEGED_KEYWORDS = Object.freeze([
+    ...access_control_1.DEFAULT_PRIVILEGED_KEYWORDS,
+    'bridge',
+    'endpoint',
+    'gateway',
+    'messenger',
+    'relayer',
+    'remote',
+    'trusted',
+]);
+const BRIDGE_ENTRYPOINT_NAMES = new Set([
+    'lzReceive',
+    '_lzReceive',
+    '_nonblockingLzReceive',
+    'receiveMessage',
+    'executeMessage',
+    'processMessage',
+    'handle',
+    'handleMessage',
+    'finalizeWithdraw',
+]);
+const MESSAGE_IDENTITY_KEYWORDS = [
+    'nonce',
+    'messageid',
+    'msgid',
+    'guid',
+    'payloadhash',
+    'messagehash',
+    'hash',
+    'id',
+];
+const STRUCT_MESSAGE_KEYWORDS = [
+    'message',
+    'payload',
+    'packet',
+    'bridge',
+    'crosschain',
+    'xchain',
+    'lz',
+    'any2evm',
+    'withdrawal',
+];
+const REPLAY_MARKER_KEYWORDS = [
+    'processed',
+    'consumed',
+    'executed',
+    'used',
+    'seen',
+    'replay',
+    'nonce',
+    'finalized',
+    'finalised',
+    'completed',
+    'relayed',
+    'delivered',
+    'successful',
+    'spent',
+];
+const NON_REPLAY_MARKER_KEYWORDS = [
+    'trusted',
+    'remote',
+    'endpoint',
+    'bridge',
+    'released',
+    'balance',
+    'balances',
+    'account',
+    'accounting',
+    'credit',
+    'credits',
+    'debit',
+    'debts',
+    'claim',
+    'claimed',
+];
+class BridgeMissingMessageNonceDetector {
+    id = 'bridge-missing-message-nonce';
+    patternKey = 'bridge-missing-message-nonce';
+    supportedAstKinds = ['parser'];
+    currentFile = '';
+    currentContract = '';
+    contracts = new Map();
+    findings = [];
+    setFile(file) {
+        this.currentFile = file;
+        this.currentContract = '';
+        this.contracts = new Map();
+        this.findings = [];
+    }
+    getFindings() {
+        return this.findings;
+    }
+    SourceUnit(node) {
+        this.contracts = new Map();
+        this.collectContractDefinitions(node);
+    }
+    ContractDefinition(node) {
+        this.currentContract = (0, ast_1.getName)(node);
+        this.recordContractInfo(node);
+    }
+    ContractDefinition_post(_node) {
+        this.currentContract = '';
+    }
+    FunctionDefinition(node) {
+        if (!node.body)
+            return;
+        if (node.isConstructor || node.kind === 'constructor')
+            return;
+        const mutability = String(node.stateMutability || '').toLowerCase();
+        if (mutability === 'view' || mutability === 'pure')
+            return;
+        if (!this.isBridgeMessageHandler(node))
+            return;
+        if (!this.hasBridgeAccessGuard(node) && !this.isCanonicalBridgeEntrypoint(node))
+            return;
+        const state = {
+            checkedMarkers: new Set(),
+            protectedMarkers: new Set(),
+            firstAssetReleaseLoc: null,
+            validProtectionBeforeRelease: false
+        };
+        this.walkBody(node.body, state, false, new Set(), 0);
+        if (state.firstAssetReleaseLoc) {
+            const hasModifierProtection = this.appliedModifierDefinitions(node)
+                .some((modifier) => this.hasReplayProtectionBeforePlaceholder(modifier.body));
+            if (!(state.validProtectionBeforeRelease || hasModifierProtection)) {
+                const loc = (0, ast_1.assertLoc)(state.firstAssetReleaseLoc, node);
+                const functionName = (0, ast_1.getName)(node) || '<anonymous>';
+                this.findings.push({
+                    file: this.currentFile,
+                    contract: this.currentContract,
+                    function: functionName,
+                    line: loc.line,
+                    column: loc.column,
+                    pattern: this.patternKey,
+                    confidence: 'high',
+                    ruleId: this.id,
+                    severity: 'high',
+                    message: `Missing cross-chain nonce/message ID check in bridge handler '${functionName}'. Inbound message executes without verifying a consumed-marker.`,
+                    contractName: this.currentContract,
+                    functionName: functionName,
+                    sourceLocation: { line: loc.line, column: loc.column },
+                    trace: 'missing-nonce',
+                    findingId: '',
+                    contractHash: ''
+                });
+            }
+        }
+    }
+    collectContractDefinitions(node) {
+        if (!node || typeof node !== 'object')
+            return;
+        if ((0, ast_1.isNode)(node, 'ContractDefinition')) {
+            this.recordContractInfo(node);
+            return;
+        }
+        for (const child of this.childNodes(node)) {
+            this.collectContractDefinitions(child);
+        }
+    }
+    recordContractInfo(node) {
+        const name = (0, ast_1.getName)(node);
+        if (!name)
+            return;
+        const modifiers = new Map();
+        const functions = new Map();
+        for (const child of node.subNodes || node.nodes || []) {
+            if ((0, ast_1.isNode)(child, 'ModifierDefinition')) {
+                const modifierName = (0, ast_1.getName)(child);
+                if (modifierName)
+                    modifiers.set(modifierName, child);
+            }
+            if ((0, ast_1.isNode)(child, 'FunctionDefinition')) {
+                const functionName = (0, ast_1.getName)(child);
+                if (!functionName)
+                    continue;
+                const overloads = functions.get(functionName) || [];
+                overloads.push(child);
+                functions.set(functionName, overloads);
+            }
+        }
+        this.contracts.set(name, {
+            bases: this.baseContractNames(node),
+            modifiers,
+            functions,
+        });
+    }
+    baseContractNames(node) {
+        const out = [];
+        for (const base of node.baseContracts || []) {
+            const name = base?.baseName?.namePath || base?.baseName?.name || base?.namePath || base?.name;
+            if (name)
+                out.push(String(name));
+        }
+        return out;
+    }
+    isBridgeMessageHandler(node) {
+        if (!this.hasCrossChainMessageData(node))
+            return false;
+        const functionName = (0, ast_1.getName)(node);
+        return BRIDGE_ENTRYPOINT_NAMES.has(functionName)
+            || this.hasSourceOrOriginParameter(node)
+            || this.containsPayloadDecode(node.body)
+            || this.containsBridgeSpecificAccessGuard(node.body)
+            || this.appliedModifierDefinitions(node)
+                .some((modifier) => this.containsBridgeSpecificAccessGuardBeforePlaceholder(modifier.body));
+    }
+    // Primary gate for bridge handlers: a function only carries a cross-chain
+    // message if it has concrete message-shape evidence — a `bytes` payload
+    // parameter or a message-like struct parameter. Source/origin parameter
+    // names are NEVER standalone evidence here; they only contribute as a
+    // secondary signal in isBridgeMessageHandler, after this gate has passed.
+    hasCrossChainMessageData(node) {
+        for (const p of node.parameters || []) {
+            const typeName = p.typeName;
+            if ((0, ast_1.isNode)(typeName, 'ElementaryTypeName') && typeName.name === 'bytes')
+                return true;
+            if ((0, ast_1.isNode)(typeName, 'UserDefinedTypeName') && this.isMessageLikeUserDefinedParameter(p))
+                return true;
+        }
+        return false;
+    }
+    isMessageLikeUserDefinedParameter(node) {
+        const names = [
+            (0, ast_1.getName)(node),
+            node?.typeName?.namePath,
+            node?.typeName?.name,
+        ];
+        return names.some((name) => this.isMessageLikeName(String(name || '')));
+    }
+    isMessageLikeName(name) {
+        const normalized = name.replace(/[^a-z0-9]/gi, '').toLowerCase();
+        return STRUCT_MESSAGE_KEYWORDS.some((keyword) => normalized.includes(keyword));
+    }
+    hasSourceOrOriginParameter(node) {
+        for (const p of node.parameters || []) {
+            if (this.isSourceOrOriginName((0, ast_1.getName)(p)))
+                return true;
+        }
+        return false;
+    }
+    isSourceOrOriginName(name) {
+        return /(^|_)(src|source|origin)(chain|chainid|sender|address|addr)?$/i.test(name)
+            || /^(src|source|origin)(Chain|ChainId|Sender|Address|Addr)/.test(name);
+    }
+    hasBridgeAccessGuard(node) {
+        if ((0, access_control_1.hasRecognisedAccessControlModifier)(node))
+            return true;
+        if (this.containsAccessControlRequire(node.body))
+            return true;
+        return this.appliedModifierDefinitions(node)
+            .some((modifier) => this.containsAccessControlRequireBeforePlaceholder(modifier.body));
+    }
+    isCanonicalBridgeEntrypoint(node) {
+        return BRIDGE_ENTRYPOINT_NAMES.has((0, ast_1.getName)(node));
+    }
+    containsAccessControlRequireBeforePlaceholder(node) {
+        return this.walkUntilPlaceholder(node, (child) => this.isAccessControlRequire(child));
+    }
+    containsBridgeSpecificAccessGuardBeforePlaceholder(node) {
+        return this.walkUntilPlaceholder(node, (child) => this.isBridgeSpecificAccessRequire(child));
+    }
+    containsAccessControlRequire(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (this.isAccessControlRequire(node))
+            return true;
+        for (const child of this.childNodes(node)) {
+            if (this.containsAccessControlRequire(child))
+                return true;
+        }
+        return false;
+    }
+    containsBridgeSpecificAccessGuard(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (this.isBridgeSpecificAccessRequire(node))
+            return true;
+        for (const child of this.childNodes(node)) {
+            if (this.containsBridgeSpecificAccessGuard(child))
+                return true;
+        }
+        return false;
+    }
+    isAccessControlRequire(node) {
+        if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+            return false;
+        const name = this.getDirectCallName(node.expression);
+        if (name !== 'require' && name !== 'assert')
+            return false;
+        return (0, access_control_1.requireExpressesAccessControl)(node.arguments?.[0], isBridgePrivilegedName);
+    }
+    isBridgeSpecificAccessRequire(node) {
+        if (!this.isAccessControlRequire(node))
+            return false;
+        return this.containsBridgePrivilegedReference(node.arguments?.[0]);
+    }
+    containsBridgePrivilegedReference(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if ((0, ast_1.isNode)(node, 'Identifier') && isBridgeSpecificName(String(node.name || '')))
+            return true;
+        if ((0, ast_1.isNode)(node, 'MemberAccess') && isBridgeSpecificName(String(node.memberName || '')))
+            return true;
+        for (const child of this.childNodes(node)) {
+            if (this.containsBridgePrivilegedReference(child))
+                return true;
+        }
+        return false;
+    }
+    hasReplayProtectionBeforePlaceholder(node) {
+        const state = {
+            checkedMarkers: new Set(),
+            protectedMarkers: new Set(),
+            firstAssetReleaseLoc: null,
+            validProtectionBeforeRelease: false,
+        };
+        this.walkBody(node, state, true, new Set(), 0);
+        return state.validProtectionBeforeRelease || state.protectedMarkers.size > 0;
+    }
+    walkBody(node, state, stopAtPlaceholder, helperStack, helperDepth) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (stopAtPlaceholder && (0, ast_1.isNode)(node, 'PlaceholderStatement'))
+            return true;
+        if ((0, ast_1.isNode)(node, 'IfStatement')) {
+            if (node.condition) {
+                if (this.bodyContainsRevert(node.trueBody)) {
+                    for (const marker of this.replayMarkersInExpression(node.condition)) {
+                        state.checkedMarkers.add(marker);
+                    }
+                }
+                if (this.walkBody(node.condition, state, stopAtPlaceholder, helperStack, helperDepth))
+                    return true;
+            }
+            if (node.trueBody && this.walkBody(node.trueBody, state, stopAtPlaceholder, helperStack, helperDepth))
+                return true;
+            if (node.falseBody && this.walkBody(node.falseBody, state, stopAtPlaceholder, helperStack, helperDepth))
+                return true;
+            return false;
+        }
+        if ((0, ast_1.isNode)(node, 'FunctionCall')) {
+            if (this.isAssetRelease(node)) {
+                if (!state.firstAssetReleaseLoc) {
+                    state.firstAssetReleaseLoc = node;
+                    state.validProtectionBeforeRelease = state.protectedMarkers.size > 0;
+                }
+            }
+            if (this.isRequireOrRevert(node)) {
+                for (const marker of this.replayMarkersInExpression(node.arguments?.[0])) {
+                    state.checkedMarkers.add(marker);
+                }
+            }
+            if (!this.isAssetRelease(node) && this.walkInternalHelperCall(node, state, stopAtPlaceholder, helperStack, helperDepth)) {
+                return true;
+            }
+        }
+        if ((0, ast_1.isNode)(node, 'BinaryOperation') && node.operator === '=') {
+            const marker = this.replayMarkerKey(node.left);
+            if (marker && state.checkedMarkers.has(marker)) {
+                state.protectedMarkers.add(marker);
+            }
+        }
+        for (const child of this.childNodes(node)) {
+            if (this.walkBody(child, state, stopAtPlaceholder, helperStack, helperDepth))
+                return true;
+        }
+        return false;
+    }
+    walkInternalHelperCall(node, state, stopAtPlaceholder, helperStack, helperDepth) {
+        const calleeName = this.getInternalHelperCallName(node.expression);
+        if (!calleeName || helperDepth > 8)
+            return false;
+        if (calleeName === 'require' || calleeName === 'assert' || calleeName === 'revert')
+            return false;
+        const callees = this.resolveFunctionDefinitions(this.currentContract, calleeName, new Set());
+        for (const callee of callees) {
+            if (!callee?.body)
+                continue;
+            const key = `${this.currentContract}.${calleeName}:${callee.loc?.start?.line || 0}:${callee.loc?.start?.column || 0}`;
+            if (helperStack.has(key))
+                continue;
+            helperStack.add(key);
+            const releaseBefore = state.firstAssetReleaseLoc;
+            const stopped = this.walkBody(callee.body, state, stopAtPlaceholder, helperStack, helperDepth + 1);
+            if (!releaseBefore && state.firstAssetReleaseLoc) {
+                state.firstAssetReleaseLoc = node;
+            }
+            helperStack.delete(key);
+            if (stopped)
+                return true;
+        }
+        return false;
+    }
+    resolveFunctionDefinitions(contractName, functionName, seen) {
+        if (!contractName || seen.has(contractName))
+            return [];
+        seen.add(contractName);
+        const info = this.contracts.get(contractName);
+        if (!info)
+            return [];
+        const out = [...(info.functions.get(functionName) || [])];
+        for (const base of info.bases) {
+            out.push(...this.resolveFunctionDefinitions(base, functionName, seen));
+        }
+        return out;
+    }
+    getInternalHelperCallName(expr) {
+        const direct = this.getDirectCallName(expr);
+        if (direct)
+            return direct;
+        if (!(0, ast_1.isNode)(expr, 'MemberAccess'))
+            return '';
+        const receiver = expr.expression;
+        if (!(0, ast_1.isNode)(receiver, 'Identifier'))
+            return '';
+        const receiverName = String(receiver.name || '');
+        if (receiverName !== 'this' && receiverName !== 'super')
+            return '';
+        return String(expr.memberName || '');
+    }
+    isAssetRelease(node) {
+        const expr = node.expression;
+        if (!expr)
+            return false;
+        if ((0, ast_1.isNode)(expr, 'MemberAccess')) {
+            const member = String(expr.memberName || '').toLowerCase();
+            if (member === 'transfer' || member === 'safetransfer' || member === 'mint')
+                return true;
+        }
+        return false;
+    }
+    isRequireOrRevert(node) {
+        const name = this.getDirectCallName(node.expression);
+        return name === 'require' || name === 'revert' || name === 'assert';
+    }
+    containsPayloadDecode(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if ((0, ast_1.isNode)(node, 'FunctionCall') && this.isAbiDecodeCall(node))
+            return true;
+        for (const child of this.childNodes(node)) {
+            if (this.containsPayloadDecode(child))
+                return true;
+        }
+        return false;
+    }
+    isAbiDecodeCall(node) {
+        const expr = node.expression;
+        if (!(0, ast_1.isNode)(expr, 'MemberAccess'))
+            return false;
+        if (String(expr.memberName || '') !== 'decode')
+            return false;
+        const base = expr.expression;
+        return !!base && (0, ast_1.isNode)(base, 'Identifier') && String(base.name || '') === 'abi';
+    }
+    replayMarkersInExpression(node) {
+        const out = new Set();
+        if (!node || typeof node !== 'object')
+            return out;
+        const marker = this.replayMarkerKey(node);
+        if (marker)
+            out.add(marker);
+        for (const child of this.childNodes(node)) {
+            for (const nested of this.replayMarkersInExpression(child)) {
+                out.add(nested);
+            }
+        }
+        return out;
+    }
+    replayMarkerKey(node) {
+        if (!(0, ast_1.isNode)(node, 'IndexAccess'))
+            return '';
+        const base = this.indexAccessBaseName(node);
+        if (!base || this.isExcludedMarkerName(base))
+            return '';
+        const key = this.indexAccessKeySignature(node);
+        if (!key || !this.hasMessageIdentityEvidence(base, key))
+            return '';
+        return `${base}:${key}`;
+    }
+    indexAccessBaseName(node) {
+        let cur = node;
+        while ((0, ast_1.isNode)(cur, 'IndexAccess')) {
+            cur = cur.base;
+        }
+        if ((0, ast_1.isNode)(cur, 'Identifier'))
+            return String(cur.name || '');
+        if ((0, ast_1.isNode)(cur, 'MemberAccess'))
+            return String(cur.memberName || '');
+        return '';
+    }
+    indexAccessKeySignature(node) {
+        const keys = [];
+        let cur = node;
+        while ((0, ast_1.isNode)(cur, 'IndexAccess')) {
+            keys.unshift(this.expressionSignature(cur.index));
+            cur = cur.base;
+        }
+        return keys.join('|');
+    }
+    hasMessageIdentityEvidence(base, key) {
+        const normalized = `${base}|${key}`.replace(/[^a-z0-9]/gi, '').toLowerCase();
+        const normalizedBase = base.replace(/[^a-z0-9]/gi, '').toLowerCase();
+        return MESSAGE_IDENTITY_KEYWORDS.some((keyword) => normalized.includes(keyword))
+            && REPLAY_MARKER_KEYWORDS.some((keyword) => normalizedBase.includes(keyword));
+    }
+    isExcludedMarkerName(name) {
+        const normalized = name.toLowerCase();
+        return NON_REPLAY_MARKER_KEYWORDS.some((keyword) => normalized.includes(keyword));
+    }
+    expressionSignature(node) {
+        if (!node || typeof node !== 'object')
+            return '';
+        if ((0, ast_1.isNode)(node, 'Identifier'))
+            return String(node.name || '');
+        if ((0, ast_1.isNode)(node, 'NumberLiteral'))
+            return String(node.number || node.value || '');
+        if ((0, ast_1.isNode)(node, 'StringLiteral'))
+            return String(node.value || '');
+        if ((0, ast_1.isNode)(node, 'BooleanLiteral'))
+            return String(node.value || '');
+        if ((0, ast_1.isNode)(node, 'MemberAccess')) {
+            return `${this.expressionSignature(node.expression)}.${String(node.memberName || '')}`;
+        }
+        if ((0, ast_1.isNode)(node, 'IndexAccess')) {
+            return `${this.expressionSignature(node.base)}[${this.expressionSignature(node.index)}]`;
+        }
+        if ((0, ast_1.isNode)(node, 'FunctionCall')) {
+            const args = (node.arguments || []).map((arg) => this.expressionSignature(arg)).join(',');
+            return `${this.expressionSignature(node.expression)}(${args})`;
+        }
+        if ((0, ast_1.isNode)(node, 'TupleExpression')) {
+            return (node.components || []).map((part) => this.expressionSignature(part)).join(',');
+        }
+        return String(node.name || node.value || node.type || '');
+    }
+    bodyContainsRevert(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if ((0, ast_1.isNode)(node, 'RevertStatement'))
+            return true;
+        if ((0, ast_1.isNode)(node, 'FunctionCall') && this.isRequireOrRevert(node))
+            return true;
+        for (const child of this.childNodes(node)) {
+            if (this.bodyContainsRevert(child))
+                return true;
+        }
+        return false;
+    }
+    getDirectCallName(expr) {
+        if (!expr || typeof expr !== 'object')
+            return '';
+        if ((0, ast_1.isNode)(expr, 'Identifier'))
+            return String(expr.name || '');
+        return '';
+    }
+    appliedModifierDefinitions(fn) {
+        const out = [];
+        for (const modifierName of this.modifierNames(fn)) {
+            const definition = this.resolveModifierDefinition(this.currentContract, modifierName, new Set());
+            if (definition)
+                out.push(definition);
+        }
+        return out;
+    }
+    resolveModifierDefinition(contractName, modifierName, seen) {
+        if (!contractName || seen.has(contractName))
+            return null;
+        seen.add(contractName);
+        const info = this.contracts.get(contractName);
+        if (!info)
+            return null;
+        const local = info.modifiers.get(modifierName);
+        if (local)
+            return local;
+        for (const base of info.bases) {
+            const inherited = this.resolveModifierDefinition(base, modifierName, seen);
+            if (inherited)
+                return inherited;
+        }
+        return null;
+    }
+    modifierNames(fn) {
+        const out = [];
+        for (const modifier of fn.modifiers || []) {
+            const name = modifier?.name || modifier?.modifierName?.name || modifier?.modifierName?.namePath;
+            if (name)
+                out.push(String(name));
+        }
+        return out;
+    }
+    walkUntilPlaceholder(node, predicate) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if ((0, ast_1.isNode)(node, 'PlaceholderStatement'))
+            return false;
+        if (predicate(node))
+            return true;
+        for (const child of this.childNodes(node)) {
+            if (this.walkUntilPlaceholder(child, predicate))
+                return true;
+        }
+        return false;
+    }
+    childNodes(node) {
+        const out = [];
+        for (const [key, value] of Object.entries(node)) {
+            if (key === 'loc' || key === 'range' || key === 'typeName')
+                continue;
+            if (Array.isArray(value)) {
+                for (const item of value) {
+                    if (item && typeof item === 'object')
+                        out.push(item);
+                }
+            }
+            else if (value && typeof value === 'object') {
+                out.push(value);
+            }
+        }
+        return out;
+    }
+}
+exports.BridgeMissingMessageNonceDetector = BridgeMissingMessageNonceDetector;
+function isBridgePrivilegedName(name) {
+    return (0, access_control_1.isPrivilegedIdentifier)(name, { keywords: BRIDGE_PRIVILEGED_KEYWORDS });
+}
+function isBridgeSpecificName(name) {
+    return (0, access_control_1.isPrivilegedIdentifier)(name, {
+        keywords: ['bridge', 'endpoint', 'gateway', 'messenger', 'relayer', 'remote', 'trusted'],
+    });
+}
+//# sourceMappingURL=bridge-missing-message-nonce.js.map