@snovon/solast 0.2.0

package/dist/detectors/check-permit-missing-chainid.d.ts

@@ -0,0 +1,27 @@
+import type { ScanResult } from '../index';
+export declare class CheckPermitMissingChainIdDetector {
+    readonly id = "check-permit-missing-chainid";
+    readonly patternKey = "check-permit-missing-chainid";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "high";
+    };
+    private currentFile;
+    private contract;
+    private findings;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(_node: any): void;
+    ['ContractDefinition:exit'](node: any): void;
+    FunctionDefinition(node: any): void;
+    private collectPermitDigestHelperDomains;
+    private domainStatus;
+    private abiEncodeDomainStatus;
+    private functionDomainStatus;
+    private isRuntimeChainIdHelper;
+    private makeFinding;
+}

package/dist/detectors/check-permit-missing-chainid.js

@@ -0,0 +1,456 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CheckPermitMissingChainIdDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'check-permit-missing-chainid';
+const PATTERN = `${RULE_ID}/domain-not-bound-to-runtime-chainid`;
+const PROVENANCE = 'issue-3037-erc2612-permit-replay';
+class CheckPermitMissingChainIdDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'ERC-2612 permit signatures are accepted with an EIP-712 domain that is not bound to the active runtime chain id.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'high',
+    };
+    currentFile = '';
+    contract = null;
+    findings = [];
+    setFile(file) {
+        this.currentFile = file;
+        this.contract = null;
+        this.findings = [];
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        if (node?.kind === 'interface' || node?.kind === 'library') {
+            this.contract = null;
+            return;
+        }
+        const functions = new Map();
+        const stateVars = new Map();
+        let constructorNode = null;
+        for (const sub of node?.subNodes || []) {
+            if ((0, ast_1.isNode)(sub, 'FunctionDefinition')) {
+                if (sub.isConstructor)
+                    constructorNode = sub;
+                if (sub.name)
+                    functions.set(String(sub.name), sub);
+            }
+            else if ((0, ast_1.isNode)(sub, 'StateVariableDeclaration')) {
+                for (const variable of sub.variables || []) {
+                    if (!variable?.name)
+                        continue;
+                    stateVars.set(variable.name, {
+                        node: variable,
+                        initialValue: variable.expression || sub.initialValue || null,
+                        constructorValue: null,
+                        isConstant: !!variable.isDeclaredConst,
+                    });
+                }
+            }
+        }
+        if (constructorNode?.body) {
+            walk(constructorNode.body, current => {
+                if (!(0, ast_1.isNode)(current, 'BinaryOperation') || current.operator !== '=')
+                    return;
+                if (!(0, ast_1.isNode)(current.left, 'Identifier'))
+                    return;
+                const entry = stateVars.get(current.left.name);
+                if (entry)
+                    entry.constructorValue = current.right;
+            });
+        }
+        this.contract = {
+            name: node?.name || '<anonymous>',
+            node,
+            functions,
+            stateVars,
+            constructorNode,
+        };
+    }
+    ContractDefinition_post(_node) {
+        this.contract = null;
+    }
+    ['ContractDefinition:exit'](node) {
+        this.ContractDefinition_post(node);
+    }
+    FunctionDefinition(node) {
+        if (!this.contract || !node?.body)
+            return;
+        if (String(node.name || '').toLowerCase() !== 'permit')
+            return;
+        if (!isExternallyCallable(node))
+            return;
+        if (!containsSignatureAcceptance(node.body))
+            return;
+        const localInitializers = collectLocalInitializers(node.body);
+        let domainExprs = collectPermitDomainExpressions(node.body, localInitializers);
+        if (domainExprs.length === 0) {
+            domainExprs = this.collectPermitDigestHelperDomains(node.body, localInitializers);
+        }
+        if (domainExprs.length === 0)
+            return;
+        const status = combineStatuses(domainExprs.map(expr => this.domainStatus(expr, localInitializers, new Set())));
+        if (status === 'safe' || status === 'unknown')
+            return;
+        this.findings.push(this.makeFinding(node, domainExprs[0], status));
+    }
+    // Fallback for permit flows that delegate digest construction to a same-contract
+    // helper (e.g. OpenZeppelin-style `_hashTypedDataV4`). Resolution is scoped to the
+    // digest argument of `ecrecover`/`recover`, same-contract only, and depth-1.
+    collectPermitDigestHelperDomains(body, locals) {
+        if (!this.contract)
+            return [];
+        const helpers = [];
+        walk(body, current => {
+            if (!(0, ast_1.isNode)(current, 'FunctionCall'))
+                return;
+            const name = callName(current).toLowerCase();
+            if (name !== 'ecrecover' && name !== 'recover' && !name.endsWith('.recover'))
+                return;
+            const helperCall = resolveHelperCall((current.arguments || [])[0], locals);
+            if (!helperCall)
+                return;
+            const helperName = callName(helperCall);
+            const helperFn = helperName ? this.contract.functions.get(helperName) : undefined;
+            if (helperFn?.body)
+                helpers.push(helperFn);
+        });
+        const domains = [];
+        for (const helper of helpers) {
+            const helperLocals = collectLocalInitializers(helper.body);
+            domains.push(...collectPermitDomainExpressions(helper.body, helperLocals));
+        }
+        return domains;
+    }
+    domainStatus(expr, locals, seen) {
+        if (!expr || typeof expr !== 'object' || !this.contract)
+            return 'unknown';
+        if (isRuntimeChainId(expr))
+            return 'safe';
+        if (isLiteralChainId(expr))
+            return 'stale';
+        if ((0, ast_1.isNode)(expr, 'Identifier')) {
+            const local = locals.get(expr.name);
+            if (local)
+                return this.domainStatus(local, locals, addSeen(seen, `local:${expr.name}`));
+            const stateVar = this.contract.stateVars.get(expr.name);
+            if (stateVar) {
+                if (stateVar.isConstant && stateVar.initialValue && isChainIdName(expr.name))
+                    return 'stale';
+                if (stateVar.constructorValue || stateVar.initialValue)
+                    return 'stale';
+            }
+            return 'unknown';
+        }
+        if ((0, ast_1.isNode)(expr, 'FunctionCall')) {
+            const name = callName(expr);
+            if (name && this.isRuntimeChainIdHelper(name, seen))
+                return 'safe';
+            // Route any same-contract zero-arg domain helper (DOMAIN_SEPARATOR,
+            // _domainSeparatorV4, ...) through the shared return-expression analysis.
+            const domainFn = name ? this.contract?.functions.get(name) : undefined;
+            if (domainFn?.body && (expr.arguments || []).length === 0) {
+                return this.functionDomainStatus(name, domainFn, seen);
+            }
+            const args = expr.arguments || [];
+            if (isKeccakAbiEncode(expr))
+                return this.abiEncodeDomainStatus(argsOfAbiEncode(expr), locals, seen);
+            if (args.length === 1 && isLiteralChainId(args[0]))
+                return 'stale';
+        }
+        if (containsRuntimeChainId(expr, name => this.isRuntimeChainIdHelper(name, seen)))
+            return 'safe';
+        return this.abiEncodeDomainStatus(collectAbiEncodeArgs(expr), locals, seen);
+    }
+    abiEncodeDomainStatus(args, locals, seen) {
+        if (args.length === 0)
+            return 'unknown';
+        let sawStale = false;
+        for (const arg of args) {
+            if (containsRuntimeChainId(arg, name => this.isRuntimeChainIdHelper(name, seen)))
+                return 'safe';
+            if (isLiteralChainId(arg))
+                sawStale = true;
+            if ((0, ast_1.isNode)(arg, 'Identifier')) {
+                const local = locals.get(arg.name);
+                if (local && containsRuntimeChainId(local, name => this.isRuntimeChainIdHelper(name, seen)))
+                    return 'safe';
+                const stateVar = this.contract?.stateVars.get(arg.name);
+                if ((stateVar?.isConstant || stateVar?.constructorValue) && isChainIdName(arg.name))
+                    sawStale = true;
+            }
+        }
+        return sawStale ? 'stale' : 'missing';
+    }
+    functionDomainStatus(name, fn, seen) {
+        if (seen.has(`fn:${name}`))
+            return 'unknown';
+        const nextSeen = addSeen(seen, `fn:${name}`);
+        const locals = collectLocalInitializers(fn.body);
+        const returns = collectReturnExpressions(fn.body);
+        if (returns.length === 0) {
+            return containsRuntimeChainId(fn.body, helper => this.isRuntimeChainIdHelper(helper, nextSeen)) ? 'safe' : 'unknown';
+        }
+        const returnStatuses = returns.map(expr => this.domainStatus(expr, locals, nextSeen));
+        if (hasChainRefreshGuard(fn.body) && returnStatuses.includes('safe'))
+            return 'safe';
+        return combineStatuses(returnStatuses);
+    }
+    isRuntimeChainIdHelper(name, seen) {
+        const fn = this.contract?.functions.get(name);
+        if (!fn?.body || seen.has(`fn:${name}`))
+            return false;
+        return containsAssemblyChainId(fn.body) || containsBlockChainId(fn.body);
+    }
+    makeFinding(fn, domainExpr, status) {
+        const loc = (0, ast_1.assertLoc)(domainExpr, fn);
+        const contractName = this.contract?.name || '<anonymous>';
+        const functionName = fn?.name || '<fallback>';
+        const issue = status === 'stale' ? 'uses a hard-coded or constructor-cached chain id' : 'omits runtime chain id';
+        return {
+            file: this.currentFile,
+            contract: contractName,
+            'function': functionName,
+            line: loc.line,
+            endLine: loc.endLine,
+            column: loc.column,
+            pattern: PATTERN,
+            confidence: 'high',
+            category: 'replay',
+            ruleId: RULE_ID,
+            severity: 'high',
+            message: `Permit replay risk in '${contractName}.${functionName}': the EIP-712 domain ${issue}.`,
+            rationale: 'ERC-2612 approvals rely on EIP-712 domain separation. If the domain is not bound to the active block.chainid, the same signed approval can replay across chains or forks.',
+            suggestedFix: 'Build the permit domain from block.chainid or the chainid() opcode at verification time, or use a cached DOMAIN_SEPARATOR() implementation that refreshes whenever block.chainid changes.',
+            contractName,
+            functionName,
+            sourceLocation: { line: loc.line, column: loc.column },
+            findingId: '',
+            contractHash: '',
+            provenance: PROVENANCE,
+            source: PROVENANCE,
+        };
+    }
+}
+exports.CheckPermitMissingChainIdDetector = CheckPermitMissingChainIdDetector;
+function collectPermitDomainExpressions(body, locals) {
+    const domains = [];
+    walk(body, current => {
+        if (!(0, ast_1.isNode)(current, 'FunctionCall'))
+            return;
+        const domain = extractTypedDataDomainExpression(current, locals);
+        if (domain)
+            domains.push(domain);
+    });
+    return domains;
+}
+function extractTypedDataDomainExpression(call, locals) {
+    const args = call.arguments || [];
+    if (callName(call) === 'abi.encodePacked') {
+        if (args.length < 2 || !isEip712Prefix(args[0]))
+            return null;
+        return resolveLocal(args[1], locals, new Set());
+    }
+    if (isTypedDataHashCall(call)) {
+        if (args.length < 1)
+            return null;
+        return resolveLocal(args[0], locals, new Set());
+    }
+    return null;
+}
+function resolveHelperCall(expr, locals) {
+    let current = expr;
+    if ((0, ast_1.isNode)(current, 'Identifier')) {
+        current = resolveLocal(current, locals, new Set());
+    }
+    return (0, ast_1.isNode)(current, 'FunctionCall') ? current : null;
+}
+function collectLocalInitializers(body) {
+    const locals = new Map();
+    walk(body, current => {
+        if (!(0, ast_1.isNode)(current, 'VariableDeclarationStatement') || !current.initialValue)
+            return;
+        for (const variable of current.variables || []) {
+            if (variable?.name)
+                locals.set(variable.name, current.initialValue);
+        }
+    });
+    return locals;
+}
+function collectReturnExpressions(body) {
+    const returns = [];
+    walk(body, current => {
+        if ((0, ast_1.isNode)(current, 'ReturnStatement') && current.expression)
+            returns.push(current.expression);
+    });
+    return returns;
+}
+function resolveLocal(expr, locals, seen) {
+    let current = expr;
+    while ((0, ast_1.isNode)(current, 'Identifier') && locals.has(current.name)) {
+        const key = `local:${current.name}`;
+        if (seen.has(key))
+            return current;
+        seen.add(key);
+        current = locals.get(current.name);
+    }
+    return current;
+}
+function combineStatuses(statuses) {
+    if (statuses.includes('safe'))
+        return 'safe';
+    if (statuses.includes('stale'))
+        return 'stale';
+    if (statuses.includes('missing'))
+        return 'missing';
+    return 'unknown';
+}
+function containsSignatureAcceptance(node) {
+    let found = false;
+    walk(node, current => {
+        if (!(0, ast_1.isNode)(current, 'FunctionCall'))
+            return;
+        const name = callName(current).toLowerCase();
+        if (name === 'ecrecover' || name === 'recover' || name.endsWith('.recover'))
+            found = true;
+    });
+    return found;
+}
+function isExternallyCallable(fn) {
+    return fn.visibility === 'public' || fn.visibility === 'external';
+}
+function isKeccakAbiEncode(node) {
+    return (0, ast_1.isNode)(node, 'FunctionCall') && callName(node) === 'keccak256' && isAbiEncodeCall(node.arguments?.[0]);
+}
+function collectAbiEncodeArgs(node) {
+    const out = [];
+    walk(node, current => {
+        if (isAbiEncodeCall(current))
+            out.push(...(current.arguments || []));
+    });
+    return out;
+}
+function argsOfAbiEncode(node) {
+    if (!isKeccakAbiEncode(node))
+        return [];
+    return node.arguments?.[0]?.arguments || [];
+}
+function isAbiEncodeCall(node) {
+    return (0, ast_1.isNode)(node, 'FunctionCall') && (callName(node) === 'abi.encode' || callName(node) === 'abi.encodePacked');
+}
+function isTypedDataHashCall(node) {
+    if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+        return false;
+    const name = callName(node);
+    return name === 'toTypedDataHash' || name.endsWith('.toTypedDataHash');
+}
+function isEip712Prefix(node) {
+    if (!node)
+        return false;
+    if ((0, ast_1.isNode)(node, 'StringLiteral')) {
+        const value = String(node.value || node.parts?.join('') || node.literal || '');
+        return value.includes('\\x19\\x01') || value.includes('\x19\x01');
+    }
+    return false;
+}
+function containsRuntimeChainId(node, helperIsRuntime) {
+    return containsBlockChainId(node) || containsAssemblyChainId(node) || containsChainIdHelperCall(node, helperIsRuntime);
+}
+function isRuntimeChainId(node) {
+    return containsBlockChainId(node) || containsAssemblyChainId(node);
+}
+function containsBlockChainId(node) {
+    let found = false;
+    walk(node, current => {
+        if ((0, ast_1.isNode)(current, 'MemberAccess') &&
+            current.memberName === 'chainid' &&
+            (0, ast_1.isNode)(current.expression, 'Identifier') &&
+            current.expression.name === 'block') {
+            found = true;
+        }
+    });
+    return found;
+}
+function containsAssemblyChainId(node) {
+    let found = false;
+    walk(node, current => {
+        if ((0, ast_1.isNode)(current, 'AssemblyCall') && String(current.functionName || '').toLowerCase() === 'chainid')
+            found = true;
+    });
+    return found;
+}
+function containsChainIdHelperCall(node, helperIsRuntime) {
+    let found = false;
+    walk(node, current => {
+        if (!(0, ast_1.isNode)(current, 'FunctionCall'))
+            return;
+        const name = callName(current);
+        if (name && helperIsRuntime(name))
+            found = true;
+    });
+    return found;
+}
+function hasChainRefreshGuard(node) {
+    let found = false;
+    walk(node, current => {
+        if (!(0, ast_1.isNode)(current, 'BinaryOperation'))
+            return;
+        const op = String(current.operator || '');
+        if ((op === '==' || op === '!=') && (containsBlockChainId(current.left) || containsBlockChainId(current.right))) {
+            found = true;
+        }
+    });
+    return found;
+}
+function isLiteralChainId(node) {
+    if ((0, ast_1.isNode)(node, 'NumberLiteral'))
+        return true;
+    if ((0, ast_1.isNode)(node, 'FunctionCall') && (node.arguments || []).length === 1 && isLiteralChainId(node.arguments[0])) {
+        const name = callName(node).toLowerCase();
+        return name === 'uint256' || name === 'uint' || name === 'uint64' || name === 'uint32';
+    }
+    return false;
+}
+function isChainIdName(name) {
+    return /^_?cachedChainId$/i.test(name) || /^_?chain_?id$/i.test(name) || /^_?chainid$/i.test(name);
+}
+function callName(call) {
+    const expr = call?.expression || call;
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return expr.name || '';
+    if ((0, ast_1.isNode)(expr, 'ElementaryTypeName'))
+        return expr.name || '';
+    if ((0, ast_1.isNode)(expr, 'MemberAccess')) {
+        const base = callName(expr.expression);
+        return base ? `${base}.${expr.memberName || ''}` : expr.memberName || '';
+    }
+    return '';
+}
+function addSeen(seen, key) {
+    const next = new Set(seen);
+    next.add(key);
+    return next;
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const value of Object.values(node)) {
+        if (!value)
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value)
+                walk(item, visit);
+        }
+        else if (typeof value === 'object') {
+            walk(value, visit);
+        }
+    }
+}
+//# sourceMappingURL=check-permit-missing-chainid.js.map

package/dist/detectors/classic-reentrancy.d.ts

@@ -0,0 +1,93 @@
+/**
+ * Classic intra-function reentrancy detector. Extracted from
+ * `src/index.ts` per roadmap item 1.1 (split god-file into focused
+ * modules). Public API surface is unchanged — `src/index.ts`
+ * re-exports `ReentrancyDetector` so downstream consumers
+ * (`createDefaultDetectorRegistry`, third-party imports) continue to
+ * see it at the same path.
+ *
+ * The detector class flags an external call (call/delegatecall/
+ * staticcall/send/transfer) followed by a state-modifying operation
+ * in the same function — the canonical CEI violation. See
+ * `docs/detectors/check-effects-interactions.md` for the user-facing
+ * description.
+ */
+import type { ScanResult } from '../index';
+import type { SemanticModel } from '../semantic/model';
+/**
+ * Detects classic reentrancy vulnerabilities:
+ * 1. An external call (call/delegatecall/staticcall/send/transfer)
+ * 2. Followed by a state-modifying operation in the same function
+ *
+ * This violates Checks-Effects-Interactions (CEI). To reduce false
+ * positives we only flag when state modification *follows* a detected
+ * external call — not when state is modified before the call (which is
+ * the safe CEI pattern).
+ */
+export declare class ReentrancyDetector {
+    readonly id = "classic-reentrancy";
+    readonly patternKey = "classic-reentrancy";
+    readonly supportedAstKinds: ("parser" | "solc")[];
+    findings: ScanResult[];
+    currentFile: string;
+    private currentContract;
+    private currentContractNode;
+    private currentFunction;
+    private skipCurrentFunction;
+    private stateVariablesByContract;
+    private localVariables;
+    private externalCalls;
+    private inTryBodyDepth;
+    private semantic;
+    setFile(file: string): void;
+    setSemanticModel(model: SemanticModel | undefined): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(node: any): void;
+    private walkInheritedFunctions;
+    private isExternallyCallableForInherited;
+    private dispatchStatementForInherited;
+    StateVariableDeclaration(node: any): void;
+    FunctionDefinition(node: any): void;
+    FunctionDefinition_post(_node: any): void;
+    /**
+     * Catch variable declarations where the initializer is an external call.
+     * E.g. (bool success, ) = msg.sender.call{value: amount}("");
+     */
+    VariableDeclarationStatement(node: any): void;
+    /**
+     * Catch expression statements that are direct external calls.
+     * E.g. msg.sender.call{value: amount}(""); (without tuple assignment)
+     */
+    ExpressionStatement(node: any): void;
+    /**
+     * Solidity `try X.f(...) { ... } catch { ... }` always wraps an external call
+     * (or contract creation), so the try expression is itself the call site for
+     * classic-reentrancy purposes regardless of whether it parses as a low-level
+     * `.call(...)`. We scan success and catch bodies for the first state write
+     * and emit a single finding per try statement to avoid duplicating findings
+     * across paths that share the same underlying call. The try expression is
+     * also recorded as an external call in `TryStatement_post` so that a state
+     * write in the enclosing function *after* the try/catch is flagged via the
+     * normal post-call traversal — covering the `try f() { } catch { } x -= 1;`
+     * pattern that has empty (or emit-only) bodies but a real post-call write.
+     */
+    TryStatement(node: any): void;
+    TryStatement_post(node: any): void;
+    private findFirstStateMutationStatement;
+    /**
+     * Check if an expression is an external call (call/delegatecall/staticcall/send/transfer)
+     */
+    private isExternalCall;
+    private findExternalCall;
+    /**
+     * Check if an expression modifies contract state.
+     * Heuristic: assignment operators only count when their left side resolves
+     * to a known state variable in the current contract.
+     */
+    private isStateModification;
+    private getCurrentStateVariables;
+    private hasReentrancyGuardModifier;
+    private getNodeName;
+    private isStateReference;
+}