@snovon/solast 0.2.0

package/dist/detectors/cross-chain-input-validation.js

@@ -0,0 +1,347 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CrossChainInputValidationDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'cross-chain-input-validation';
+const MIN_AMOUNT_NAME_RE = /^(?:minAmountLD|amountOutMin)$/;
+const DEDUCTION_KEYWORD_RE = /(?:fee|dust|relayer|shareddecimal|toshared|fromshared)/i;
+const SINK_CALL_NAME_RE = /^_?(?:lzSend|lzReceive|lzCompose|oftSend|sgSend|oftBridge)$/i;
+const SINK_LOWLEVEL_HOST_RE = /(?:endpoint|messenger|router|relayer)/i;
+const SINK_LOWLEVEL_METHOD_RE = /^(?:call|delegatecall|staticcall|send)$/;
+const CROSS_CHAIN_ENTRYPOINT_NAME_RE = /^_?(?:lzReceive|sgReceive|onOFTReceived|lzCompose|onCompose|lzReceiveAndRevert)$/;
+const TRIVIAL_MODIFIER_RE = /^(?:nonReentrant|payable|override|virtual|view|pure|external|public|internal|private|whennotpaused|initializer)$/i;
+class CrossChainInputValidationDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'Cross-chain entry point bypasses restrictions or validates min-amount before fee/dust deduction.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'medium',
+    };
+    currentFile = '';
+    findings = [];
+    currentContract = null;
+    contractFunctions = [];
+    setFile(file) {
+        this.currentFile = file;
+        this.findings = [];
+        this.currentContract = null;
+        this.contractFunctions = [];
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        if (node?.kind === 'interface') {
+            this.currentContract = null;
+            this.contractFunctions = [];
+            return;
+        }
+        this.currentContract = node;
+        this.contractFunctions = [];
+    }
+    ContractDefinition_post(_node) {
+        if (this.currentContract) {
+            this.processRestrictionBypass();
+        }
+        this.currentContract = null;
+        this.contractFunctions = [];
+    }
+    FunctionDefinition(node) {
+        if (!this.currentContract)
+            return;
+        if (!node?.body)
+            return;
+        this.contractFunctions.push(node);
+        this.analyzeMinAmountOrdering(node);
+    }
+    analyzeMinAmountOrdering(fnNode) {
+        const minSet = new Set();
+        for (const p of fnNode.parameters || []) {
+            if (p?.name && MIN_AMOUNT_NAME_RE.test(p.name))
+                minSet.add(p.name);
+        }
+        if (minSet.size === 0)
+            return;
+        let firstMinUse = Infinity;
+        let firstDeduction = Infinity;
+        let hasSink = false;
+        let counter = 0;
+        const visit = (n) => {
+            if (!n || typeof n !== 'object')
+                return;
+            counter += 1;
+            const myIndex = counter;
+            if (n.type === 'FunctionCall') {
+                if (this.isSinkCall(n))
+                    hasSink = true;
+                const calleeName = this.getCalleeName(n);
+                if (calleeName && DEDUCTION_KEYWORD_RE.test(calleeName)) {
+                    if (myIndex < firstDeduction)
+                        firstDeduction = myIndex;
+                }
+            }
+            if (n.type === 'BinaryOperation' && n.operator === '-') {
+                if (this.containsDeductionKeyword(n.left) || this.containsDeductionKeyword(n.right)) {
+                    if (myIndex < firstDeduction)
+                        firstDeduction = myIndex;
+                }
+            }
+            if (n.type === 'Identifier' && minSet.has(n.name)) {
+                if (myIndex < firstMinUse)
+                    firstMinUse = myIndex;
+            }
+            for (const key of Object.keys(n)) {
+                if (key === 'loc' || key === 'range')
+                    continue;
+                const value = n[key];
+                if (Array.isArray(value)) {
+                    for (const item of value)
+                        visit(item);
+                }
+                else if (value && typeof value === 'object') {
+                    visit(value);
+                }
+            }
+        };
+        visit(fnNode.body);
+        if (!hasSink)
+            return;
+        if (firstMinUse === Infinity || firstDeduction === Infinity)
+            return;
+        if (firstMinUse >= firstDeduction)
+            return;
+        this.emit(fnNode, `Cross-chain function '${fnNode.name}' compares or forwards a minimum-amount parameter before fee, dust, or shared-decimal deduction.`);
+    }
+    processRestrictionBypass() {
+        const primary = [];
+        const crossChain = [];
+        for (const fn of this.contractFunctions) {
+            const visibility = fn.visibility;
+            if (visibility !== 'external' && visibility !== 'public')
+                continue;
+            const name = fn.name || '';
+            if (CROSS_CHAIN_ENTRYPOINT_NAME_RE.test(name)) {
+                crossChain.push(fn);
+            }
+            else {
+                primary.push(fn);
+            }
+        }
+        for (const ccFn of crossChain) {
+            const ccCalls = this.collectInternalCallNames(ccFn);
+            if (ccCalls.size === 0)
+                continue;
+            if (this.hasRestriction(ccFn))
+                continue;
+            let bypassedSibling = null;
+            let sharedCallName = '';
+            for (const pFn of primary) {
+                if (!this.hasRestriction(pFn))
+                    continue;
+                const pCalls = this.collectInternalCallNames(pFn);
+                let shared = '';
+                for (const callName of ccCalls) {
+                    if (pCalls.has(callName)) {
+                        shared = callName;
+                        break;
+                    }
+                }
+                if (shared) {
+                    bypassedSibling = pFn;
+                    sharedCallName = shared;
+                    break;
+                }
+            }
+            if (!bypassedSibling)
+                continue;
+            this.emit(ccFn, `Cross-chain entry point '${ccFn.name}' bypasses restriction present on sibling '${bypassedSibling.name}' before calling '${sharedCallName}'.`);
+        }
+    }
+    emit(fnNode, message) {
+        const loc = (0, ast_1.tryLoc)(fnNode);
+        if (!loc)
+            return;
+        const contractName = this.currentContract?.name || '';
+        this.findings.push({
+            file: this.currentFile,
+            contract: contractName,
+            contractName,
+            'function': fnNode.name,
+            functionName: fnNode.name,
+            line: loc.line,
+            column: loc.column,
+            endLine: loc.endLine,
+            endColumn: loc.endColumn,
+            pattern: RULE_ID,
+            confidence: 'medium',
+            ruleId: RULE_ID,
+            severity: 'medium',
+            message,
+            findingId: '',
+            contractHash: '',
+        });
+    }
+    isSinkCall(call) {
+        let expr = call.expression;
+        while (expr?.type === 'FunctionCallOptions' || expr?.type === 'NameValueExpression')
+            expr = expr.expression;
+        if (!expr)
+            return false;
+        if (expr.type === 'Identifier') {
+            return SINK_CALL_NAME_RE.test(expr.name);
+        }
+        if (expr.type === 'MemberAccess') {
+            const memberName = expr.memberName || '';
+            if (memberName && SINK_CALL_NAME_RE.test(memberName))
+                return true;
+            if (memberName && SINK_LOWLEVEL_METHOD_RE.test(memberName)) {
+                const base = expr.expression;
+                if (base?.type === 'Identifier' && SINK_LOWLEVEL_HOST_RE.test(base.name))
+                    return true;
+            }
+        }
+        return false;
+    }
+    getCalleeName(call) {
+        let expr = call.expression;
+        while (expr?.type === 'FunctionCallOptions' || expr?.type === 'NameValueExpression')
+            expr = expr.expression;
+        if (!expr)
+            return null;
+        if (expr.type === 'Identifier')
+            return expr.name || null;
+        if (expr.type === 'MemberAccess')
+            return expr.memberName || null;
+        return null;
+    }
+    containsDeductionKeyword(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (node.type === 'Identifier' && DEDUCTION_KEYWORD_RE.test(node.name || ''))
+            return true;
+        if (node.type === 'MemberAccess' && DEDUCTION_KEYWORD_RE.test(node.memberName || ''))
+            return true;
+        for (const key of Object.keys(node)) {
+            if (key === 'loc' || key === 'range')
+                continue;
+            const value = node[key];
+            if (Array.isArray(value)) {
+                for (const item of value)
+                    if (this.containsDeductionKeyword(item))
+                        return true;
+            }
+            else if (value && typeof value === 'object') {
+                if (this.containsDeductionKeyword(value))
+                    return true;
+            }
+        }
+        return false;
+    }
+    collectInternalCallNames(fnNode) {
+        const names = new Set();
+        const visit = (n) => {
+            if (!n || typeof n !== 'object')
+                return;
+            if (n.type === 'FunctionCall' && n.expression?.type === 'Identifier') {
+                const name = n.expression.name;
+                if (name && !/^(?:require|assert|revert|abi|keccak256|sha256|ecrecover|address|payable|uint\d*|int\d*|bytes\d*|string)$/.test(name)) {
+                    names.add(name);
+                }
+            }
+            for (const key of Object.keys(n)) {
+                if (key === 'loc' || key === 'range')
+                    continue;
+                const value = n[key];
+                if (Array.isArray(value)) {
+                    for (const item of value)
+                        visit(item);
+                }
+                else if (value && typeof value === 'object') {
+                    visit(value);
+                }
+            }
+        };
+        visit(fnNode.body);
+        return names;
+    }
+    hasRestriction(fnNode) {
+        for (const mod of fnNode.modifiers || []) {
+            const name = mod?.name || (mod?.modifierName && mod.modifierName.name);
+            if (name && !TRIVIAL_MODIFIER_RE.test(name))
+                return true;
+        }
+        let restricted = false;
+        const visit = (n) => {
+            if (!n || typeof n !== 'object' || restricted)
+                return;
+            if (n.type === 'FunctionCall'
+                && n.expression?.type === 'Identifier'
+                && n.expression.name === 'require') {
+                if (this.requireExpressesRestriction(n)) {
+                    restricted = true;
+                    return;
+                }
+            }
+            for (const key of Object.keys(n)) {
+                if (key === 'loc' || key === 'range')
+                    continue;
+                if (restricted)
+                    return;
+                const value = n[key];
+                if (Array.isArray(value)) {
+                    for (const item of value)
+                        visit(item);
+                }
+                else if (value && typeof value === 'object') {
+                    visit(value);
+                }
+            }
+        };
+        visit(fnNode.body);
+        return restricted;
+    }
+    requireExpressesRestriction(requireCall) {
+        if (!requireCall.arguments || requireCall.arguments.length === 0)
+            return false;
+        const cond = requireCall.arguments[0];
+        let found = false;
+        const visit = (n) => {
+            if (!n || typeof n !== 'object' || found)
+                return;
+            if (n.type === 'IndexAccess') {
+                found = true;
+                return;
+            }
+            if (n.type === 'MemberAccess' && n.memberName === 'sender') {
+                found = true;
+                return;
+            }
+            for (const key of Object.keys(n)) {
+                if (key === 'loc' || key === 'range')
+                    continue;
+                if (found)
+                    return;
+                const value = n[key];
+                if (Array.isArray(value)) {
+                    for (const item of value)
+                        visit(item);
+                }
+                else if (value && typeof value === 'object') {
+                    visit(value);
+                }
+            }
+        };
+        visit(cond);
+        return found;
+    }
+}
+exports.CrossChainInputValidationDetector = CrossChainInputValidationDetector;
+// Alias `_post` handlers to `:exit` so that `parser.visit` (which fires
+// `<Type>:exit`) and the solc-walker (which fires `<Type>_post`) both
+// reach the same handler.
+const _crossChainProto = CrossChainInputValidationDetector.prototype;
+_crossChainProto['ContractDefinition:exit'] = _crossChainProto.ContractDefinition_post;
+//# sourceMappingURL=cross-chain-input-validation.js.map

package/dist/detectors/cross-chain-intent-replay.d.ts

@@ -0,0 +1,38 @@
+import type { ScanResult } from '../index';
+import type { DetectorAstKind } from './types';
+export declare class CrossChainIntentReplayDetector {
+    readonly id = "cross-chain-intent-replay";
+    readonly patternKey = "cross-chain-intent-replay";
+    readonly supportedAstKinds: DetectorAstKind[];
+    private findings;
+    private file;
+    private currentContract;
+    private currentContractKind;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    'ContractDefinition:exit'(): void;
+    FunctionDefinition(node: any): void;
+    private walkBody;
+    private walkStatement;
+    private handleVarDecl;
+    private handleExprStmt;
+    private walkExpression;
+    private handleFunctionCall;
+    private scanGuard;
+    private branchIsRevert;
+    private scanNegatedGuard;
+    private callRefsTaint;
+    private isBytes4Selector;
+    private isLiteralish;
+    private isConsumptionWrite;
+    private isAbiDecodeOf;
+    private bodyHasAbiDecodeOf;
+    private directCalleeName;
+    private memberName;
+    private identifierName;
+    private childNodes;
+    private locOf;
+    private emit;
+    private push;
+}