@snovon/solast 0.2.0

package/dist/detectors/capital-cross-contract-reentrancy.js

@@ -0,0 +1,481 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CapitalCrossContractReentrancyDetector = void 0;
+const access_control_1 = require("./_common/access-control");
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'capital-cross-contract-reentrancy';
+const PATTERN = `${RULE_ID}/cross-contract-reflection`;
+// Cross-contract accounting reads. Two subsets:
+//
+//   SELF_REFLECTING_READS — per-account accessors. These reflect own
+//   capital only when `address(this)` (or `this`) is the queried
+//   account. `pool.balanceOf(arbitraryUser)` is a quote, not a
+//   self-reflection, and must not match.
+//
+//   CROSS_CONTRACT_RATE_READS — protocol-level rate/price/supply
+//   accessors that are inherently cross-contract reflections of the
+//   sibling's valuation. These take no per-user argument, so the
+//   self-reflection test is meaningless; the call itself is the
+//   reflection signal. These are the Rari Capital 2021-05-08 surface
+//   (`exchangeRate()`, `pricePerShare()`, `totalSupply()`, ...) plus
+//   the same surface as observed in adjacent cross-contract
+//   reentrancy postmortems.
+const SELF_REFLECTING_READS = new Set([
+    'balanceof',
+    'sharesof',
+    'balance',
+    'getunderlyingbalance',
+    'underlyingbalance',
+    'totalbalance',
+]);
+const CROSS_CONTRACT_RATE_READS = new Set([
+    'totalsupply',
+    'totalassets',
+    'getreserves',
+    'getprice',
+    'getrate',
+    'exchangerate',
+    'exchangeratestored',
+    'exchangeratecurrent',
+    'pricepershare',
+    'getpricepershare',
+]);
+// Recognised reentrancy-guard modifier names (substring match, mirrors
+// the pattern used by `flashloan-reentrancy-rari.ts`).
+const REENTRANCY_GUARD_RE = /reentran|mutex|^lock$|^locked$/i;
+class CapitalCrossContractReentrancyDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    findings = [];
+    file = '';
+    currentContract = '';
+    currentContractKind = '';
+    stateVarTypes = new Map();
+    contractTypeNames = new Set();
+    emittedKey = new Set();
+    setFile(file) {
+        this.findings = [];
+        this.file = file;
+        this.currentContract = '';
+        this.currentContractKind = '';
+        this.stateVarTypes = new Map();
+        this.contractTypeNames = new Set();
+        this.emittedKey = new Set();
+    }
+    getFindings() {
+        return this.findings;
+    }
+    SourceUnit(node) {
+        this.contractTypeNames = new Set();
+        for (const child of node?.children || []) {
+            if ((0, ast_1.isNode)(child, 'ContractDefinition')) {
+                const name = String(child?.name || '');
+                if (!name)
+                    continue;
+                const kind = String(child?.kind || '').toLowerCase();
+                if (kind === 'contract' || kind === 'interface') {
+                    this.contractTypeNames.add(name);
+                }
+            }
+            else if ((0, ast_1.isNode)(child, 'ImportDirective')) {
+                const aliases = child?.symbolAliases;
+                if (Array.isArray(aliases)) {
+                    for (const entry of aliases) {
+                        if (!Array.isArray(entry) || entry.length < 1)
+                            continue;
+                        const original = String(entry[0] || '');
+                        if (!original)
+                            continue;
+                        const localAlias = entry.length > 1 && entry[1] != null
+                            ? String(entry[1])
+                            : original;
+                        if (localAlias)
+                            this.contractTypeNames.add(localAlias);
+                    }
+                }
+                const unitAlias = String(child?.unitAlias || '');
+                if (unitAlias)
+                    this.contractTypeNames.add(unitAlias);
+                if (!Array.isArray(aliases) && !unitAlias) {
+                    const bare = String(child?.path || '');
+                    if (bare) {
+                        const lastSlash = bare.lastIndexOf('/');
+                        const stem = lastSlash >= 0 ? bare.slice(lastSlash + 1) : bare;
+                        const dot = stem.lastIndexOf('.');
+                        const name = dot >= 0 ? stem.slice(0, dot) : stem;
+                        if (name)
+                            this.contractTypeNames.add(name);
+                    }
+                }
+            }
+        }
+    }
+    ContractDefinition(node) {
+        this.currentContract = String(node?.name || '');
+        this.currentContractKind = String(node?.kind || '').toLowerCase();
+        this.stateVarTypes = new Map();
+        if (this.currentContractKind === 'contract' || this.currentContractKind === 'library') {
+            for (const sub of node?.subNodes || []) {
+                if (!(0, ast_1.isNode)(sub, 'StateVariableDeclaration'))
+                    continue;
+                for (const v of sub.variables || []) {
+                    if (!v?.name)
+                        continue;
+                    const typeName = this.typeNameOf(v.typeName);
+                    if (typeName)
+                        this.stateVarTypes.set(String(v.name), typeName);
+                }
+            }
+        }
+    }
+    'ContractDefinition:exit'() {
+        this.currentContract = '';
+        this.currentContractKind = '';
+        this.stateVarTypes = new Map();
+    }
+    FunctionDefinition(node) {
+        if (!node?.body)
+            return;
+        if (this.currentContractKind === 'interface' || this.currentContractKind === 'library')
+            return;
+        if (node.isConstructor || String(node.kind || '').toLowerCase() === 'constructor')
+            return;
+        const visibility = String(node.visibility || '').toLowerCase();
+        if (visibility !== 'public' && visibility !== 'external')
+            return;
+        const stateMutability = String(node.stateMutability || '').toLowerCase();
+        if (stateMutability === 'view' || stateMutability === 'pure')
+            return;
+        if (this.hasReentrancyGuardModifier(node))
+            return;
+        if ((0, access_control_1.hasRecognisedAccessControlModifier)(node))
+            return;
+        const fnName = String(node.name || '');
+        if (!fnName)
+            return;
+        const state = {
+            contractName: this.currentContract,
+            fnName,
+            stateVarTypes: this.stateVarTypes,
+            contractTypeNames: this.contractTypeNames,
+            paramAddressLikeNames: this.collectAddressLikeParamNames(node),
+            capitalReadLoc: null,
+            capitalReadDescription: '',
+            externalCallLoc: null,
+            externalCallDescription: '',
+        };
+        this.walk(node.body, state);
+        if (state.capitalReadLoc && state.externalCallLoc) {
+            const key = `${state.contractName}.${state.fnName}`;
+            if (this.emittedKey.has(key))
+                return;
+            this.emittedKey.add(key);
+            const loc = state.capitalReadLoc;
+            this.findings.push({
+                file: this.file,
+                contract: state.contractName,
+                'function': state.fnName,
+                line: loc.line,
+                endLine: loc.line,
+                column: loc.column,
+                pattern: PATTERN,
+                confidence: 'medium',
+                ruleId: RULE_ID,
+                severity: 'high',
+                message: `'${state.contractName}.${state.fnName}' reads ${state.capitalReadDescription} from a sibling contract and ` +
+                    `then ${state.externalCallDescription}, exposing the function to a Rari Capital 2021-05-08 style cross-contract reentrancy.`,
+                rationale: 'A function reflects its own share/capital state by reading balance, total supply, or exchange-rate data from ' +
+                    'a sibling contract while still allowing control to yield (transfer, low-level call, or send). An attacker can ' +
+                    'reenter the sibling between the read and the value-bearing call to distort the reflected accounting.',
+                suggestedFix: 'Cache the cross-contract accounting once outside the reentrancy surface, gate the function with a proven ' +
+                    'nonReentrant modifier, restrict to a trusted role via access control, or settle the value transfer before ' +
+                    'reading the cross-contract state.',
+                contractName: state.contractName,
+                functionName: state.fnName,
+                sourceLocation: loc,
+                findingId: '',
+                contractHash: '',
+            });
+        }
+    }
+    walk(node, state) {
+        if (!node || typeof node !== 'object')
+            return;
+        if ((0, ast_1.isNode)(node, 'FunctionCall')) {
+            this.classifyCall(node, state);
+        }
+        for (const child of this.childNodes(node)) {
+            this.walk(child, state);
+        }
+    }
+    classifyCall(call, state) {
+        let callee = call.expression;
+        while (callee?.type === 'NameValueExpression' || callee?.type === 'FunctionCallOptions') {
+            callee = callee.expression;
+        }
+        if (!callee || !(0, ast_1.isNode)(callee, 'MemberAccess'))
+            return;
+        const member = String(callee.memberName || '').toLowerCase();
+        const baseExpr = callee.expression;
+        // Cross-contract capital read. Two cases:
+        //   1. Per-account accessor (`balanceOf`, `sharesOf`, ...) requires
+        //      the call to reflect `address(this)`. Otherwise it's a quote
+        //      for an arbitrary user, not a self-reflection.
+        //   2. Rate / supply / price accessor (`exchangeRate`,
+        //      `pricePerShare`, `totalSupply`, ...) is inherently a
+        //      cross-contract reflection of valuation; no self-reflection
+        //      argument is required.
+        if (this.isExternalLikeBase(baseExpr, state)) {
+            const isSelfReflecting = SELF_REFLECTING_READS.has(member) && this.callRefersToSelf(call);
+            const isRateRead = CROSS_CONTRACT_RATE_READS.has(member);
+            if ((isSelfReflecting || isRateRead) && !state.capitalReadLoc) {
+                state.capitalReadLoc = this.locOf(call);
+                const baseLabel = this.describeBase(baseExpr);
+                state.capitalReadDescription = baseLabel ? `${baseLabel}.${member}` : `external ${member}`;
+            }
+        }
+        // Reentrancy surface: low-level value-bearing call OR transfer/send to
+        // attacker-controllable destination (msg.sender or parameter).
+        if (member === 'call' || member === 'delegatecall' || member === 'send' || member === 'transfer') {
+            if (this.callIsValueBearing(call) || this.destinationIsAttackerControlled(baseExpr, state)) {
+                if (!state.externalCallLoc) {
+                    state.externalCallLoc = this.locOf(call);
+                    state.externalCallDescription = `yields control through .${member}(...)`;
+                }
+            }
+        }
+    }
+    isExternalLikeBase(expr, state) {
+        if (!expr || typeof expr !== 'object')
+            return false;
+        if ((0, ast_1.isNode)(expr, 'Identifier')) {
+            const name = String(expr.name || '');
+            if (!name)
+                return false;
+            // State variable typed as a contract / interface.
+            const declaredType = state.stateVarTypes.get(name);
+            if (declaredType && state.contractTypeNames.has(declaredType))
+                return true;
+            // Inline reference to a known contract/interface name (typically only
+            // valid as a static-call base in Solidity, but we still recognise the
+            // shape for completeness).
+            if (state.contractTypeNames.has(name))
+                return true;
+            return false;
+        }
+        // Inline cast: `IFace(addr).balanceOf(...)`
+        if ((0, ast_1.isNode)(expr, 'FunctionCall')) {
+            const inner = expr.expression;
+            if (inner && (0, ast_1.isNode)(inner, 'Identifier')) {
+                const name = String(inner.name || '');
+                if (state.contractTypeNames.has(name))
+                    return true;
+            }
+        }
+        return false;
+    }
+    // Recognise calls that reflect the caller's own state via address(this) /
+    // this. The 2021-05-08 Rari incident hinges on this exact reflection: the
+    // pool asks the sibling "how much of you do I hold?" mid-transaction.
+    callRefersToSelf(call) {
+        for (const arg of call.arguments || []) {
+            if (this.exprIsSelf(arg))
+                return true;
+        }
+        return false;
+    }
+    exprIsSelf(expr) {
+        if (!expr || typeof expr !== 'object')
+            return false;
+        if ((0, ast_1.isNode)(expr, 'Identifier') && String(expr.name || '') === 'this')
+            return true;
+        if ((0, ast_1.isNode)(expr, 'FunctionCall')) {
+            // `address(this)` and `payable(this)`: parser shape is a
+            // `FunctionCall` whose expression is either an
+            // `ElementaryTypeNameExpression` (solc) or a bare `Identifier`
+            // named `address` / `payable` (parser).
+            const inner = expr.expression;
+            if (inner && (0, ast_1.isNode)(inner, 'ElementaryTypeNameExpression')) {
+                const tname = inner.typeName;
+                if (tname && (0, ast_1.isNode)(tname, 'ElementaryTypeName')
+                    && String(tname.name || '').toLowerCase() === 'address') {
+                    for (const arg of expr.arguments || []) {
+                        if (this.exprIsSelf(arg))
+                            return true;
+                    }
+                }
+            }
+            if (inner && (0, ast_1.isNode)(inner, 'Identifier')) {
+                const name = String(inner.name || '').toLowerCase();
+                if (name === 'address' || name === 'payable') {
+                    for (const arg of expr.arguments || []) {
+                        if (this.exprIsSelf(arg))
+                            return true;
+                    }
+                }
+            }
+        }
+        return false;
+    }
+    callIsValueBearing(call) {
+        let callee = call.expression;
+        while (callee && (callee.type === 'NameValueExpression' || callee.type === 'FunctionCallOptions')) {
+            const opts = callee.arguments || callee.options || [];
+            const names = callee.names || [];
+            // FunctionCallOptions form: parallel arrays of names + values.
+            if (Array.isArray(names)) {
+                for (const n of names) {
+                    if (String(n || '').toLowerCase() === 'value')
+                        return true;
+                }
+            }
+            // NameValueExpression form: { arguments: { value: <expr>, gas: <expr> } }.
+            const argsObj = callee.arguments;
+            if (argsObj && typeof argsObj === 'object' && !Array.isArray(argsObj)) {
+                if ('value' in argsObj)
+                    return true;
+            }
+            if (Array.isArray(opts)) {
+                // FunctionCallOptions: array form. Each entry is an expression — we
+                // only know which corresponds to which name via the parallel `names`
+                // array, handled above.
+            }
+            callee = callee.expression;
+        }
+        return false;
+    }
+    destinationIsAttackerControlled(base, state) {
+        if (!base || typeof base !== 'object')
+            return false;
+        if ((0, ast_1.isNode)(base, 'MemberAccess')) {
+            // msg.sender / tx.origin
+            if (String(base.memberName || '') === 'sender') {
+                const inner = base.expression;
+                if (inner && (0, ast_1.isNode)(inner, 'Identifier') && String(inner.name || '') === 'msg')
+                    return true;
+            }
+        }
+        if ((0, ast_1.isNode)(base, 'Identifier')) {
+            const name = String(base.name || '');
+            if (state.paramAddressLikeNames.has(name))
+                return true;
+        }
+        if ((0, ast_1.isNode)(base, 'FunctionCall')) {
+            // `address(x)` / `payable(x)` cast wrapping an attacker-controlled
+            // operand. Parser emits this as `FunctionCall` whose expression is
+            // either an `ElementaryTypeNameExpression` or a bare `Identifier`.
+            const inner = base.expression;
+            if (inner && (0, ast_1.isNode)(inner, 'ElementaryTypeNameExpression')) {
+                const tname = inner.typeName;
+                if (tname && (0, ast_1.isNode)(tname, 'ElementaryTypeName')
+                    && String(tname.name || '').toLowerCase() === 'address') {
+                    for (const arg of base.arguments || []) {
+                        if (this.destinationIsAttackerControlled(arg, state))
+                            return true;
+                    }
+                }
+            }
+            if (inner && (0, ast_1.isNode)(inner, 'Identifier')) {
+                const name = String(inner.name || '').toLowerCase();
+                if (name === 'address' || name === 'payable') {
+                    for (const arg of base.arguments || []) {
+                        if (this.destinationIsAttackerControlled(arg, state))
+                            return true;
+                    }
+                }
+            }
+        }
+        return false;
+    }
+    collectAddressLikeParamNames(fn) {
+        const out = new Set();
+        for (const p of fn.parameters || []) {
+            if (!p?.name)
+                continue;
+            const t = p.typeName;
+            if (!t || typeof t !== 'object')
+                continue;
+            if ((0, ast_1.isNode)(t, 'ElementaryTypeName')) {
+                const tn = String(t.name || '').toLowerCase();
+                if (tn === 'address')
+                    out.add(String(p.name));
+            }
+            else if ((0, ast_1.isNode)(t, 'UserDefinedTypeName')) {
+                // Treat any contract / interface parameter as attacker-controllable
+                // when its address can be supplied at call time.
+                out.add(String(p.name));
+            }
+        }
+        return out;
+    }
+    hasReentrancyGuardModifier(fn) {
+        for (const m of fn?.modifiers || []) {
+            const name = this.modifierName(m);
+            if (!name)
+                continue;
+            if (REENTRANCY_GUARD_RE.test(name))
+                return true;
+        }
+        return false;
+    }
+    modifierName(modifier) {
+        if (!modifier)
+            return '';
+        if (typeof modifier === 'string')
+            return modifier;
+        if (typeof modifier.name === 'string')
+            return modifier.name;
+        if (modifier.name && typeof modifier.name.name === 'string')
+            return modifier.name.name;
+        if (modifier.modifierName && typeof modifier.modifierName.name === 'string')
+            return modifier.modifierName.name;
+        return '';
+    }
+    typeNameOf(typeName) {
+        if (!typeName || typeof typeName !== 'object')
+            return '';
+        if ((0, ast_1.isNode)(typeName, 'UserDefinedTypeName')) {
+            const head = String(typeName.namePath || typeName.name || '').split('.')[0];
+            return head || '';
+        }
+        return '';
+    }
+    describeBase(expr) {
+        if (!expr || typeof expr !== 'object')
+            return '';
+        if ((0, ast_1.isNode)(expr, 'Identifier'))
+            return String(expr.name || '');
+        if ((0, ast_1.isNode)(expr, 'FunctionCall')) {
+            const inner = expr.expression;
+            if (inner && (0, ast_1.isNode)(inner, 'Identifier'))
+                return String(inner.name || '');
+        }
+        return '';
+    }
+    locOf(node) {
+        const loc = (0, ast_1.tryLoc)(node) ?? { line: 1, endLine: 1, column: 0 };
+        return { line: loc.line, column: loc.column };
+    }
+    childNodes(node) {
+        const out = [];
+        if (!node || typeof node !== 'object')
+            return out;
+        for (const [key, value] of Object.entries(node)) {
+            if (key === 'loc' || key === 'range' || key === 'typeName')
+                continue;
+            if (Array.isArray(value)) {
+                for (const item of value) {
+                    if (item && typeof item === 'object')
+                        out.push(item);
+                }
+            }
+            else if (value && typeof value === 'object') {
+                out.push(value);
+            }
+        }
+        return out;
+    }
+}
+exports.CapitalCrossContractReentrancyDetector = CapitalCrossContractReentrancyDetector;
+//# sourceMappingURL=capital-cross-contract-reentrancy.js.map

package/dist/detectors/cartel-custom-approval-logic.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class CartelCustomApprovalLogicDetector {
+    readonly id = "cartel-custom-approval-logic";
+    readonly patternKey = "cartel-custom-approval-logic";
+    readonly supportedAstKinds: "parser"[];
+    scanAst(ast: any, file: string): ScanResult[];
+}