@snovon/solast 0.2.0

package/dist/detectors/cross-chain-messaging.js

@@ -0,0 +1,663 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CrossChainMessagingLoopholeDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'cross-chain-messaging';
+const PATTERN_ARBITRARY_CALL = `${RULE_ID}/arbitrary-call-handler`;
+const PATTERN_DISPATCHER = `${RULE_ID}/unrestricted-command-dispatcher`;
+const PATTERN_APPROVAL = `${RULE_ID}/stale-unlimited-approval-consumption`;
+const ACCESS_CONTROL_MODIFIERS = new Set([
+    'onlyowner',
+    'onlyowners',
+    'onlyrole',
+    'onlyadmin',
+    'onlyadmins',
+    'onlyauthorized',
+    'onlyoperator',
+    'onlyoperators',
+    'onlyprotocol',
+    'onlygovernance',
+    'onlygovernor',
+    'onlyguardian',
+    'onlymanager',
+    'onlysigner',
+    'onlytss',
+    'onlyrelayer',
+    'onlybridge',
+    'onlymessenger',
+    'onlygateway',
+    'onlytrusted',
+]);
+const SENSITIVE_TOKEN_METHODS = new Set(['transferFrom', 'approve', 'transfer']);
+const LOW_LEVEL_METHODS = new Set(['call', 'delegatecall']);
+class CrossChainMessagingLoopholeDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser', 'solc'];
+    scanAst(ast, file, sourceText) {
+        if (!ast || typeof ast !== 'object')
+            return [];
+        const findings = [];
+        const lineOffsets = buildLineOffsets(sourceText);
+        for (const contract of collectContracts(ast)) {
+            if (isInterfaceLike(contract))
+                continue;
+            if (isAbstractContract(contract))
+                continue;
+            const contractName = getName(contract) || '<anonymous>';
+            const fnMap = buildFunctionMap(contract, file, contractName);
+            for (const fn of fnMap.values()) {
+                if (!fn.body)
+                    continue;
+                if (!fn.isExternallyCallable)
+                    continue;
+                if (fn.modifierGuarded)
+                    continue;
+                const sink = findStaleApprovalConsumption(fn) ||
+                    findCommandDispatcher(fn) ||
+                    findArbitraryCallHandler(fn, fnMap);
+                if (!sink)
+                    continue;
+                const loc = getLoc(fn.node, lineOffsets) || { line: 0, column: 0 };
+                findings.push({
+                    file,
+                    contract: contractName,
+                    'function': fn.name,
+                    line: loc.line,
+                    endLine: loc.line,
+                    column: loc.column,
+                    pattern: sink.pattern,
+                    confidence: 'high',
+                    ruleId: RULE_ID,
+                    severity: 'error',
+                    message: `Cross-chain messaging loophole in '${contractName}.${fn.name}': ${sink.rationale}`,
+                    rationale: sink.rationale,
+                    suggestedFix: 'Gate cross-chain message handlers behind protocol-level access control, restrict the executable target/selector set with explicit allowlists, and never let a cross-chain payload select a `transferFrom` source other than `msg.sender` (or bound it to a per-sender cap).',
+                    contractName,
+                    functionName: fn.name,
+                    sourceLocation: { line: loc.line, column: loc.column },
+                    findingId: '',
+                    contractHash: '',
+                    instance_key: fn.instanceKey,
+                });
+            }
+        }
+        return findings;
+    }
+}
+exports.CrossChainMessagingLoopholeDetector = CrossChainMessagingLoopholeDetector;
+function findStaleApprovalConsumption(fn) {
+    if (!fn.body)
+        return null;
+    const allowanceFromIdents = collectFirstArgIdents(fn.body, 'allowance');
+    if (allowanceFromIdents.size === 0)
+        return null;
+    if (!bodyReferencesUint256Max(fn.body))
+        return null;
+    const transferFromIdents = collectFirstArgIdents(fn.body, 'transferFrom');
+    if (transferFromIdents.size === 0)
+        return null;
+    for (const name of transferFromIdents) {
+        if (!allowanceFromIdents.has(name))
+            continue;
+        return {
+            pattern: PATTERN_APPROVAL,
+            rationale: 'Cross-chain message handler reads an existing unlimited ERC-20 approval (`allowance(...) == type(uint256).max`) from a non-`msg.sender` wallet and forwards it through `transferFrom`, allowing a cross-chain payload to drain pre-existing operational/third-party approvals.',
+        };
+    }
+    return null;
+}
+function findCommandDispatcher(fn) {
+    if (!fn.body)
+        return null;
+    if (fn.bytes32Params.size === 0 && fn.stringParams.size === 0)
+        return null;
+    if (!bodyHasSensitiveExternalCall(fn.body))
+        return null;
+    if (!bodyHasCommandComparison(fn.body, fn.bytes32Params, fn.stringParams))
+        return null;
+    if (bodyHasCommandAllowlist(fn.body, fn.bytes32Params, fn.stringParams))
+        return null;
+    return {
+        pattern: PATTERN_DISPATCHER,
+        rationale: 'Gateway-style command dispatcher branches on a caller-supplied `string`/`bytes32` command and routes into ERC-20 transfers, approvals, or low-level calls without command-level access control, letting any sender invoke sensitive operations through cross-chain messages.',
+    };
+}
+function findArbitraryCallHandler(fn, fnMap) {
+    if (!fn.body)
+        return null;
+    const reachable = collectReachableBodies(fn, fnMap);
+    let foundLowLevelCall = false;
+    for (const { body, info } of reachable) {
+        const recognized = new Set(info.addressParams);
+        collectAbiDecodeAddressLocals(body, recognized);
+        if (recognized.size === 0)
+            continue;
+        if (bodyHasLowLevelCallOnIdent(body, recognized)) {
+            foundLowLevelCall = true;
+            break;
+        }
+    }
+    if (!foundLowLevelCall)
+        return null;
+    for (const { body, info } of reachable) {
+        const recognized = new Set(info.addressParams);
+        collectAbiDecodeAddressLocals(body, recognized);
+        if (bodyHasTargetAllowlist(body, recognized))
+            return null;
+        if (bodyHasSelectorAllowlist(body, info.bytesParams))
+            return null;
+    }
+    return {
+        pattern: PATTERN_ARBITRARY_CALL,
+        rationale: 'Cross-chain message handler forwards an attacker-controlled target address and calldata to a low-level `call`/`delegatecall` without authorization, target allowlist, or selector filter, letting a malicious cross-chain message execute arbitrary code through this contract.',
+    };
+}
+function bodyHasSensitiveExternalCall(body) {
+    return walkAny(body, node => {
+        if (!isFunctionCall(node))
+            return false;
+        const callee = unwrapCallOptions(node.expression);
+        if (!isNode(callee, 'MemberAccess'))
+            return false;
+        const member = String(callee.memberName || '');
+        return SENSITIVE_TOKEN_METHODS.has(member) || LOW_LEVEL_METHODS.has(member);
+    });
+}
+function bodyHasLowLevelCallOnIdent(body, identNames) {
+    return walkAny(body, node => {
+        if (!isFunctionCall(node))
+            return false;
+        const callee = unwrapCallOptions(node.expression);
+        if (!isNode(callee, 'MemberAccess'))
+            return false;
+        const member = String(callee.memberName || '');
+        if (!LOW_LEVEL_METHODS.has(member))
+            return false;
+        const obj = callee.expression;
+        if (!isNode(obj, 'Identifier'))
+            return false;
+        return identNames.has(getName(obj));
+    });
+}
+function unwrapCallOptions(callee) {
+    if (!callee || typeof callee !== 'object')
+        return callee;
+    if (isNode(callee, 'NameValueExpression'))
+        return unwrapCallOptions(callee.expression);
+    if (isNode(callee, 'FunctionCallOptions'))
+        return unwrapCallOptions(callee.expression);
+    return callee;
+}
+function bodyHasCommandComparison(body, bytes32Params, stringParams) {
+    return walkAny(body, node => {
+        if (!isNode(node, 'BinaryOperation'))
+            return false;
+        if (node.operator !== '==')
+            return false;
+        const sides = binaryOperationSides(node);
+        return sides.some(s => sideMentionsCommand(s, bytes32Params, stringParams));
+    });
+}
+function sideMentionsCommand(node, bytes32Params, stringParams) {
+    return walkAny(node, n => {
+        if (isNode(n, 'Identifier')) {
+            const name = getName(n);
+            if (bytes32Params.has(name) || stringParams.has(name))
+                return true;
+        }
+        if (isFunctionCall(n)) {
+            const callee = n.expression;
+            if (isNode(callee, 'Identifier') && getName(callee) === 'keccak256')
+                return true;
+        }
+        return false;
+    });
+}
+function bodyHasCommandAllowlist(body, bytes32Params, stringParams) {
+    return walkAny(body, node => {
+        if (!isNode(node, 'IndexAccess'))
+            return false;
+        const index = node.indexExpression || node.index;
+        if (!isNode(index, 'Identifier'))
+            return false;
+        const name = getName(index);
+        return bytes32Params.has(name) || stringParams.has(name);
+    });
+}
+function bodyHasTargetAllowlist(body, addressIdents) {
+    return walkAny(body, node => {
+        if (isNode(node, 'IndexAccess')) {
+            const index = node.indexExpression || node.index;
+            if (isNode(index, 'Identifier') && addressIdents.has(getName(index)))
+                return true;
+        }
+        if (isNode(node, 'BinaryOperation') && node.operator === '==') {
+            const sides = binaryOperationSides(node);
+            for (const s of sides) {
+                if (isNode(s, 'Identifier') && addressIdents.has(getName(s))) {
+                    const other = sides.find(x => x !== s);
+                    if (other && !sideMentionsBytes4(other))
+                        return true;
+                }
+            }
+        }
+        return false;
+    });
+}
+function sideMentionsBytes4(node) {
+    return walkAny(node, n => {
+        if (!isFunctionCall(n))
+            return false;
+        const callee = n.expression;
+        return resolveCalleeTypeName(callee) === 'bytes4';
+    });
+}
+function bodyHasSelectorAllowlist(body, bytesIdents) {
+    return walkAny(body, node => {
+        if (!isNode(node, 'BinaryOperation'))
+            return false;
+        if (node.operator !== '==')
+            return false;
+        const sides = binaryOperationSides(node);
+        return sides.some(s => looksLikeBytes4SelectorOf(s, bytesIdents));
+    });
+}
+function looksLikeBytes4SelectorOf(node, bytesIdents) {
+    if (!isFunctionCall(node))
+        return false;
+    const callee = node.expression;
+    if (resolveCalleeTypeName(callee) !== 'bytes4')
+        return false;
+    return walkAny(node, child => isNode(child, 'Identifier') && bytesIdents.has(getName(child)));
+}
+function resolveCalleeTypeName(callee) {
+    if (!callee || typeof callee !== 'object')
+        return '';
+    if (isNode(callee, 'ElementaryTypeNameExpression')) {
+        const t = callee.typeName;
+        if (typeof t === 'string')
+            return t;
+        if (t && typeof t === 'object')
+            return String(t.name || '');
+        return '';
+    }
+    if (isNode(callee, 'ElementaryTypeName'))
+        return String(callee.name || '');
+    if (isNode(callee, 'Identifier'))
+        return String(callee.name || '');
+    return '';
+}
+function binaryOperationSides(node) {
+    const sides = [];
+    if (node?.left !== undefined)
+        sides.push(node.left);
+    if (node?.right !== undefined)
+        sides.push(node.right);
+    if (node?.leftExpression !== undefined)
+        sides.push(node.leftExpression);
+    if (node?.rightExpression !== undefined)
+        sides.push(node.rightExpression);
+    return sides;
+}
+function collectFirstArgIdents(body, methodName) {
+    const out = new Set();
+    walk(body, n => {
+        if (!isFunctionCall(n))
+            return;
+        const callee = unwrapCallOptions(n.expression);
+        if (!isNode(callee, 'MemberAccess'))
+            return;
+        if (String(callee.memberName || '') !== methodName)
+            return;
+        const args = getCallArguments(n);
+        if (args.length === 0)
+            return;
+        const first = args[0];
+        if (isNode(first, 'Identifier')) {
+            const name = getName(first);
+            if (name && name !== 'msg' && name !== 'tx')
+                out.add(name);
+        }
+    });
+    return out;
+}
+function bodyReferencesUint256Max(body) {
+    return walkAny(body, node => {
+        if (!isNode(node, 'MemberAccess'))
+            return false;
+        if (node.memberName !== 'max')
+            return false;
+        const inner = node.expression;
+        if (!isFunctionCall(inner))
+            return false;
+        const innerCallee = inner.expression;
+        if (!isNode(innerCallee, 'Identifier'))
+            return false;
+        if (getName(innerCallee) !== 'type')
+            return false;
+        const innerArgs = getCallArguments(inner);
+        if (innerArgs.length !== 1)
+            return false;
+        const arg = innerArgs[0];
+        const typeName = resolveCalleeTypeName(arg);
+        return typeName === 'uint256' || typeName === 'uint';
+    });
+}
+function collectAbiDecodeAddressLocals(body, sink) {
+    walk(body, n => {
+        if (!isVariableDeclarationStatement(n))
+            return;
+        const initial = n.initialValue || n.initialValueExpression || null;
+        if (!initial || !isAbiDecodeCall(initial))
+            return;
+        const decls = getDeclarations(n);
+        for (const d of decls) {
+            if (!d)
+                continue;
+            if (isElementaryType(d.typeName, 'address')) {
+                const name = String(d.name || '');
+                if (name)
+                    sink.add(name);
+            }
+        }
+    });
+}
+function isAbiDecodeCall(node) {
+    if (!isFunctionCall(node))
+        return false;
+    const callee = node.expression;
+    if (!isNode(callee, 'MemberAccess'))
+        return false;
+    if (String(callee.memberName || '') !== 'decode')
+        return false;
+    const inner = callee.expression;
+    return isNode(inner, 'Identifier') && getName(inner) === 'abi';
+}
+function isVariableDeclarationStatement(node) {
+    return isNode(node, 'VariableDeclarationStatement');
+}
+function getDeclarations(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    if (Array.isArray(node.variables))
+        return node.variables;
+    if (Array.isArray(node.declarations))
+        return node.declarations;
+    return [];
+}
+function buildFunctionMap(contract, file, contractName) {
+    const map = new Map();
+    for (const fn of getContractFunctions(contract)) {
+        const params = getFunctionParameters(fn);
+        const addressParams = new Set();
+        const bytesParams = new Set();
+        const bytes32Params = new Set();
+        const stringParams = new Set();
+        for (const p of params) {
+            const paramName = getParamName(p);
+            if (!paramName)
+                continue;
+            if (isElementaryType(p?.typeName, 'address'))
+                addressParams.add(paramName);
+            else if (isElementaryType(p?.typeName, 'bytes'))
+                bytesParams.add(paramName);
+            else if (isElementaryType(p?.typeName, 'bytes32'))
+                bytes32Params.add(paramName);
+            else if (isElementaryType(p?.typeName, 'string'))
+                stringParams.add(paramName);
+        }
+        const body = getFunctionBody(fn);
+        const internalCallees = body ? collectInternalCallNames(body) : new Set();
+        const fnName = functionDisplayName(fn);
+        // Dedup-key site (roadmap 2.14.c JSDoc): `fnStartLine` is hashed
+        // into an instance key, not emitted in a finding. `tryLoc` floor
+        // matches legacy `|| 0` behaviour; `assertLoc` would crash on
+        // synthetic AST input.
+        const fnStartLine = (0, ast_1.tryLoc)(fn)?.line ?? 0;
+        const instanceKey = `${file}|${contractName}|${fnName}|${fnStartLine}`;
+        map.set(fnName, {
+            node: fn,
+            name: fnName,
+            body,
+            isExternallyCallable: isExternallyCallable(fn),
+            modifierGuarded: hasRecognizedAccessControlModifier(fn),
+            addressParams,
+            bytesParams,
+            bytes32Params,
+            stringParams,
+            internalCallees,
+            instanceKey,
+        });
+    }
+    return map;
+}
+function collectReachableBodies(start, fnMap) {
+    const seen = new Set([start.name]);
+    const queue = [start];
+    const out = [];
+    while (queue.length > 0) {
+        const info = queue.shift();
+        if (info.body)
+            out.push({ body: info.body, info });
+        for (const callee of info.internalCallees) {
+            if (seen.has(callee))
+                continue;
+            const next = fnMap.get(callee);
+            if (!next)
+                continue;
+            seen.add(callee);
+            queue.push(next);
+        }
+    }
+    return out;
+}
+function collectInternalCallNames(body) {
+    const out = new Set();
+    walk(body, n => {
+        if (!isFunctionCall(n))
+            return;
+        const callee = n.expression;
+        if (callee && isNode(callee, 'Identifier')) {
+            const name = String(callee.name || '');
+            if (name)
+                out.add(name);
+        }
+    });
+    return out;
+}
+function isElementaryType(typeName, name) {
+    if (!typeName)
+        return false;
+    if (!isNode(typeName, 'ElementaryTypeName'))
+        return false;
+    return typeName.name === name;
+}
+function hasRecognizedAccessControlModifier(fn) {
+    const modifiers = fn?.modifiers || fn?.modifierList || [];
+    if (!Array.isArray(modifiers))
+        return false;
+    return modifiers.some((m) => ACCESS_CONTROL_MODIFIERS.has(getModifierName(m).toLowerCase()));
+}
+function getModifierName(modifier) {
+    if (!modifier)
+        return '';
+    if (typeof modifier === 'string')
+        return modifier;
+    if (typeof modifier.name === 'string')
+        return modifier.name;
+    if (modifier.name && typeof modifier.name === 'object') {
+        if (typeof modifier.name.name === 'string')
+            return modifier.name.name;
+        if (typeof modifier.name.namePath === 'string')
+            return modifier.name.namePath;
+    }
+    if (modifier.modifierName) {
+        const inner = modifier.modifierName;
+        if (typeof inner === 'string')
+            return inner;
+        if (inner && typeof inner.name === 'string')
+            return inner.name;
+    }
+    return '';
+}
+function isExternallyCallable(fn) {
+    if (!fn)
+        return false;
+    if (fn.isConstructor === true)
+        return false;
+    const kind = String(fn.kind || '').toLowerCase();
+    if (kind === 'constructor' || kind === 'fallback' || kind === 'receive')
+        return false;
+    if (fn.isFallback === true || fn.isReceiveEther === true)
+        return false;
+    const visibility = String(fn.visibility || '').toLowerCase();
+    return visibility === 'public' || visibility === 'external';
+}
+function isInterfaceLike(contract) {
+    const kind = String(contract?.kind || contract?.contractKind || '').toLowerCase();
+    return kind === 'interface' || kind === 'library';
+}
+function isAbstractContract(contract) {
+    const kind = String(contract?.kind || '').toLowerCase();
+    if (kind === 'abstract')
+        return true;
+    if (contract?.abstract === true)
+        return true;
+    return false;
+}
+function getFunctionBody(node) {
+    return node?.body || null;
+}
+function getFunctionParameters(fn) {
+    if (Array.isArray(fn?.parameters))
+        return fn.parameters;
+    if (Array.isArray(fn?.parameters?.parameters))
+        return fn.parameters.parameters;
+    return [];
+}
+function getParamName(p) {
+    if (!p || typeof p !== 'object')
+        return '';
+    return typeof p.name === 'string' ? p.name : '';
+}
+function collectContracts(ast) {
+    const out = [];
+    walkContracts(ast, n => out.push(n));
+    return out;
+}
+function walkContracts(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (isNode(node, 'ContractDefinition')) {
+        visit(node);
+        return;
+    }
+    for (const child of childrenOf(node))
+        walkContracts(child, visit);
+}
+function getContractFunctions(contract) {
+    return getContractMembers(contract).filter(child => isNode(child, 'FunctionDefinition'));
+}
+function getContractMembers(contract) {
+    if (!contract || typeof contract !== 'object')
+        return [];
+    if (Array.isArray(contract.subNodes))
+        return contract.subNodes;
+    if (Array.isArray(contract.nodes))
+        return contract.nodes;
+    return [];
+}
+function getCallArguments(node) {
+    return Array.isArray(node?.arguments) ? node.arguments : [];
+}
+function isFunctionCall(n) {
+    return isNode(n, 'FunctionCall');
+}
+function walkAny(node, predicate) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (predicate(node))
+        return true;
+    return childrenOf(node).some(c => walkAny(c, predicate));
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const c of childrenOf(node))
+        walk(c, visit);
+}
+function childrenOf(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const out = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' ||
+            key === 'src' ||
+            key === 'range' ||
+            key === 'typeDescriptions' ||
+            key === 'id') {
+            continue;
+        }
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    out.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+function isNode(node, kind) {
+    return node?.type === kind || node?.nodeType === kind;
+}
+function getName(node) {
+    return typeof node?.name === 'string' ? node.name : '';
+}
+function functionDisplayName(fn) {
+    return getName(fn) || '<anonymous>';
+}
+function buildLineOffsets(sourceText) {
+    if (sourceText === undefined)
+        return undefined;
+    const offsets = [0];
+    let byteOffset = 0;
+    for (const ch of sourceText) {
+        byteOffset += Buffer.byteLength(ch, 'utf8');
+        if (ch === '\n')
+            offsets.push(byteOffset);
+    }
+    return offsets;
+}
+function getLoc(node, lineOffsets) {
+    if (node?.loc?.start)
+        return { line: node.loc.start.line || 0, column: node.loc.start.column || 0 };
+    if (!node?.src || !lineOffsets)
+        return undefined;
+    const [offsetRaw] = String(node.src).split(':');
+    const offset = Number(offsetRaw);
+    if (!Number.isFinite(offset) || offset < 0)
+        return undefined;
+    return byteOffsetToLineColumn(offset, lineOffsets);
+}
+function byteOffsetToLineColumn(byteOffset, lineOffsets) {
+    let low = 0;
+    let high = lineOffsets.length - 1;
+    let lineIdx = 0;
+    while (low <= high) {
+        const mid = Math.floor((low + high) / 2);
+        if (lineOffsets[mid] <= byteOffset) {
+            lineIdx = mid;
+            low = mid + 1;
+        }
+        else {
+            high = mid - 1;
+        }
+    }
+    return { line: lineIdx + 1, column: byteOffset - lineOffsets[lineIdx] };
+}
+//# sourceMappingURL=cross-chain-messaging.js.map

package/dist/detectors/cross-chain-msg-truncation.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class CrossChainMsgTruncationDetector {
+    readonly id = "cross-chain-msg-truncation";
+    readonly patternKey = "cross-chain-msg-truncation";
+    readonly supportedAstKinds: "parser"[];
+    scanAst(ast: any, file: string): ScanResult[];
+}