@snovon/solast 0.2.0

package/dist/detectors/cross-chain-truncation.js

@@ -0,0 +1,422 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CrossChainTruncationDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'cross-chain-truncation';
+const MESSAGE_PARAM = /^(payload|message|msgdata|data|packet|proof|encoded|_payload|_message)$/i;
+const MESSAGE_FUNCTION = /(lzreceive|handlemess?age|receivemess?age|receivepayload|xreceive|ccipreceive|anyexecute|sgreceive|onmessage)/i;
+const ASSIGN_OPS = new Set(['=', '+=', '-=', '*=', '/=', '%=', '&=', '|=', '^=', '<<=', '>>=', '>>>=']);
+const TRANSFER_MEMBERS = new Set(['transfer', 'transferfrom', 'safetransfer', 'safetransferfrom']);
+const AUTH_NAMES = /(owner|admin|role|auth|allow|approve|permission|operator|guardian|trusted)/i;
+const REPLAY_NAMES = /(nonce|processed|executed|replay|messageid|packetid|guid)/i;
+class CrossChainTruncationDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    scanAst(ast, file) {
+        if (!ast || ast.type !== 'SourceUnit')
+            return [];
+        const findings = [];
+        for (const contract of ast.children || []) {
+            if (contract?.type !== 'ContractDefinition')
+                continue;
+            if (contract.kind === 'interface' || contract.kind === 'library')
+                continue;
+            const stateVars = collectStateVars(contract);
+            for (const fn of contract.subNodes || []) {
+                if (fn?.type !== 'FunctionDefinition' || !fn.body)
+                    continue;
+                if (!isCrossChainContext(fn))
+                    continue;
+                const ctx = {
+                    contractName: contract.name || '<anonymous>',
+                    functionName: fn.name || '<fallback>',
+                    stateVars,
+                    localTypes: collectParamTypes(fn),
+                    decoded: new Map(),
+                    truncated: new Map(),
+                    guards: new Set(),
+                    reportedCasts: new Set(),
+                    findings,
+                    file,
+                };
+                analyzeBlock(fn.body, ctx);
+            }
+        }
+        return findings;
+    }
+}
+exports.CrossChainTruncationDetector = CrossChainTruncationDetector;
+function analyzeBlock(block, ctx) {
+    for (const stmt of block?.statements || []) {
+        analyzeStatement(stmt, ctx);
+    }
+}
+function analyzeStatement(stmt, ctx) {
+    if (!stmt || typeof stmt !== 'object')
+        return;
+    if (stmt.type === 'ExpressionStatement' && isRequireCall(stmt.expression)) {
+        recordRangeGuards(stmt.expression.arguments?.[0], ctx.guards);
+        return;
+    }
+    if (stmt.type === 'VariableDeclarationStatement') {
+        for (const variable of stmt.variables || []) {
+            if (variable?.name) {
+                const width = parseWidth(variable.typeName);
+                if (width)
+                    ctx.localTypes.set(variable.name, width);
+            }
+        }
+        if (isAbiDecode(stmt.initialValue)) {
+            recordDecodeTargets(stmt.variables || [], stmt.initialValue, ctx);
+            return;
+        }
+        reportExpressionSinks(stmt.initialValue, ctx, false);
+        const pending = findUnsafeCast(stmt.initialValue, ctx);
+        if (pending) {
+            for (const variable of stmt.variables || []) {
+                if (variable?.name)
+                    ctx.truncated.set(variable.name, { cast: pending, reported: false });
+            }
+        }
+        return;
+    }
+    if (stmt.type === 'ExpressionStatement' && stmt.expression?.type === 'BinaryOperation') {
+        const expr = stmt.expression;
+        if (expr.operator === '=' && isAbiDecode(expr.right)) {
+            recordDecodeAssignment(expr.left, expr.right, ctx);
+            return;
+        }
+        const sink = isSensitiveAssignment(expr, ctx);
+        reportExpressionSinks(expr.left, ctx, sink);
+        reportExpressionSinks(expr.right, ctx, sink);
+        if (expr.operator === '=') {
+            const pending = findUnsafeCast(expr.right, ctx);
+            const leftName = getIdentifierName(expr.left);
+            if (pending && leftName)
+                ctx.truncated.set(leftName, { cast: pending, reported: false });
+            if (leftName && containsDecodedTaint(expr.right, ctx)) {
+                const source = firstTaintInExpression(expr.right, ctx);
+                if (source)
+                    ctx.decoded.set(leftName, { name: leftName, width: source.width });
+            }
+        }
+        return;
+    }
+    if (stmt.type === 'IfStatement') {
+        reportExpressionSinks(stmt.condition, ctx, true);
+        analyzeStatement(stmt.trueBody, ctx);
+        analyzeStatement(stmt.falseBody, ctx);
+        return;
+    }
+    if (stmt.type === 'Block') {
+        analyzeBlock(stmt, ctx);
+        return;
+    }
+    reportExpressionSinks(stmt, ctx, false);
+}
+function recordDecodeTargets(variables, decodeCall, ctx) {
+    const decodedTypes = decodeTypes(decodeCall);
+    for (let i = 0; i < variables.length; i++) {
+        const variable = variables[i];
+        if (!variable?.name)
+            continue;
+        const width = parseWidth(decodedTypes[i]) || parseWidth(variable.typeName);
+        if (!width || !isWideDecodedType(width))
+            continue;
+        ctx.decoded.set(variable.name, { name: variable.name, width });
+    }
+}
+function recordDecodeAssignment(left, decodeCall, ctx) {
+    const name = getIdentifierName(left);
+    if (!name)
+        return;
+    const decodedType = decodeTypes(decodeCall)[0];
+    const width = parseWidth(decodedType) || ctx.localTypes.get(name);
+    if (!width || !isWideDecodedType(width))
+        return;
+    ctx.decoded.set(name, { name, width });
+}
+function reportExpressionSinks(expr, ctx, forceSink) {
+    if (!expr)
+        return;
+    const directCast = findUnsafeCast(expr, ctx);
+    if (directCast && (forceSink || isTransferCall(expr) || isAuthorizationExpression(expr))) {
+        emitFinding(ctx, directCast);
+    }
+    for (const name of identifiersIn(expr)) {
+        const pending = ctx.truncated.get(name);
+        if (!pending || pending.reported)
+            continue;
+        if (forceSink || isTransferCall(expr) || isAuthorizationExpression(expr) || isSensitiveName(name)) {
+            emitFinding(ctx, pending.cast);
+            pending.reported = true;
+        }
+    }
+    for (const child of childNodes(expr)) {
+        reportExpressionSinks(child, ctx, forceSink);
+    }
+}
+function findUnsafeCast(expr, ctx) {
+    if (!expr || typeof expr !== 'object')
+        return null;
+    if (expr.type === 'FunctionCall') {
+        const target = parseWidth(expr.expression);
+        if (target && isNarrowInteger(target)) {
+            const source = firstTaintInExpression(expr.arguments?.[0], ctx);
+            if (source && source.width.bits > target.bits && !hasRangeGuard(source.name, target, ctx)) {
+                return { node: expr, target, source };
+            }
+        }
+    }
+    for (const child of childNodes(expr)) {
+        const found = findUnsafeCast(child, ctx);
+        if (found)
+            return found;
+    }
+    return null;
+}
+function firstTaintInExpression(expr, ctx) {
+    if (!expr || typeof expr !== 'object')
+        return null;
+    if (expr.type === 'Identifier')
+        return ctx.decoded.get(expr.name) || null;
+    for (const child of childNodes(expr)) {
+        const found = firstTaintInExpression(child, ctx);
+        if (found)
+            return found;
+    }
+    return null;
+}
+function containsDecodedTaint(expr, ctx) {
+    return !!firstTaintInExpression(expr, ctx);
+}
+function emitFinding(ctx, cast) {
+    const key = `${cast.node.range?.[0] ?? cast.node.loc?.start?.line}:${cast.target.typeName}:${cast.source.name}`;
+    if (ctx.reportedCasts.has(key))
+        return;
+    ctx.reportedCasts.add(key);
+    const loc = locOf(cast.node);
+    ctx.findings.push({
+        file: ctx.file,
+        contract: ctx.contractName,
+        'function': ctx.functionName,
+        line: loc.line,
+        endLine: loc.endLine,
+        column: loc.column,
+        endColumn: loc.endColumn,
+        pattern: `${RULE_ID}/decoded-downcast-to-sensitive-sink`,
+        confidence: 'high',
+        ruleId: RULE_ID,
+        severity: 'high',
+        message: `Decoded cross-chain field '${cast.source.name}' is explicitly downcast from ${cast.source.width.typeName} to ${cast.target.typeName} before a sensitive sink.`,
+        contractName: ctx.contractName,
+        functionName: ctx.functionName,
+        sourceLocation: loc,
+        findingId: '',
+        contractHash: '',
+    });
+}
+function collectStateVars(contract) {
+    const vars = new Set();
+    for (const sub of contract.subNodes || []) {
+        if (sub?.type !== 'StateVariableDeclaration')
+            continue;
+        for (const variable of sub.variables || []) {
+            if (variable?.name)
+                vars.add(variable.name);
+        }
+    }
+    return vars;
+}
+function collectParamTypes(fn) {
+    const types = new Map();
+    for (const param of [...(fn.parameters || []), ...(fn.returnParameters || [])]) {
+        if (!param?.name)
+            continue;
+        const width = parseWidth(param.typeName);
+        if (width)
+            types.set(param.name, width);
+    }
+    return types;
+}
+function isCrossChainContext(fn) {
+    const name = String(fn.name || '').toLowerCase();
+    if (MESSAGE_FUNCTION.test(name))
+        return true;
+    return (fn.parameters || []).some((param) => {
+        const typeName = typeNameString(param.typeName).toLowerCase();
+        return typeName.startsWith('bytes') && MESSAGE_PARAM.test(param.name || '');
+    });
+}
+function isSensitiveAssignment(expr, ctx) {
+    if (!expr || !ASSIGN_OPS.has(expr.operator))
+        return false;
+    const leftName = expressionName(expr.left);
+    if (refersToState(expr.left, ctx.stateVars))
+        return true;
+    return isSensitiveName(leftName);
+}
+function refersToState(expr, stateVars) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if (expr.type === 'Identifier')
+        return stateVars.has(expr.name);
+    if (expr.type === 'IndexAccess')
+        return refersToState(expr.base, stateVars);
+    if (expr.type === 'MemberAccess')
+        return refersToState(expr.expression, stateVars);
+    return false;
+}
+function isSensitiveName(name) {
+    return AUTH_NAMES.test(name) || REPLAY_NAMES.test(name) || /(balance|amount|credit|debit|account|supply|value|fee|shares?)/i.test(name);
+}
+function isTransferCall(expr) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if (expr.type === 'FunctionCall' && expr.expression?.type === 'MemberAccess') {
+        return TRANSFER_MEMBERS.has(String(expr.expression.memberName || '').toLowerCase());
+    }
+    return childNodes(expr).some(isTransferCall);
+}
+function isAuthorizationExpression(expr) {
+    const text = expressionName(expr);
+    return AUTH_NAMES.test(text);
+}
+function isRequireCall(expr) {
+    return expr?.type === 'FunctionCall' && expr.expression?.type === 'Identifier' &&
+        (expr.expression.name === 'require' || expr.expression.name === 'assert');
+}
+function recordRangeGuards(expr, guards) {
+    if (!expr || typeof expr !== 'object')
+        return;
+    if (expr.type === 'BinaryOperation' && (expr.operator === '<=' || expr.operator === '<')) {
+        const leftName = getIdentifierName(expr.left);
+        const target = typeMaxWidth(expr.right);
+        if (leftName && target)
+            guards.add(`${leftName}:${target.typeName}`);
+    }
+    if (expr.type === 'BinaryOperation' && (expr.operator === '>=' || expr.operator === '>')) {
+        const rightName = getIdentifierName(expr.right);
+        const target = typeMaxWidth(expr.left);
+        if (rightName && target)
+            guards.add(`${rightName}:${target.typeName}`);
+    }
+    for (const child of childNodes(expr))
+        recordRangeGuards(child, guards);
+}
+function hasRangeGuard(name, target, ctx) {
+    return ctx.guards.has(`${name}:${target.typeName}`);
+}
+function typeMaxWidth(expr) {
+    if (expr?.type !== 'MemberAccess' || expr.memberName !== 'max')
+        return null;
+    const inner = expr.expression;
+    if (inner?.type !== 'FunctionCall' || inner.expression?.type !== 'Identifier' || inner.expression.name !== 'type')
+        return null;
+    return parseWidth(inner.arguments?.[0]);
+}
+function isAbiDecode(expr) {
+    return expr?.type === 'FunctionCall' &&
+        expr.expression?.type === 'MemberAccess' &&
+        expr.expression.memberName === 'decode' &&
+        expr.expression.expression?.type === 'Identifier' &&
+        expr.expression.expression.name === 'abi';
+}
+function decodeTypes(decodeCall) {
+    const typeArg = decodeCall?.arguments?.[1];
+    if (!typeArg)
+        return [];
+    if (typeArg.type === 'TupleExpression')
+        return typeArg.components || [];
+    return [typeArg];
+}
+function parseWidth(typeNode) {
+    const name = typeNameString(typeNode).toLowerCase();
+    let match = name.match(/^uint(\d*)$/);
+    if (match)
+        return { kind: 'uint', bits: match[1] ? Number(match[1]) : 256, typeName: match[1] ? `uint${match[1]}` : 'uint256' };
+    match = name.match(/^int(\d*)$/);
+    if (match)
+        return { kind: 'int', bits: match[1] ? Number(match[1]) : 256, typeName: match[1] ? `int${match[1]}` : 'int256' };
+    match = name.match(/^bytes(\d+)$/);
+    if (match)
+        return { kind: 'bytes', bits: Number(match[1]) * 8, typeName: `bytes${match[1]}` };
+    return null;
+}
+function typeNameString(typeNode) {
+    if (!typeNode)
+        return '';
+    if (typeof typeNode === 'string')
+        return typeNode;
+    if (typeNode.type === 'ElementaryTypeName' || typeNode.type === 'ElementaryTypeNameExpression')
+        return String(typeNode.name || '');
+    if (typeNode.type === 'UserDefinedTypeName')
+        return String(typeNode.namePath || typeNode.name || '');
+    if (typeNode.name)
+        return String(typeNode.name);
+    return '';
+}
+function isWideDecodedType(width) {
+    return width.bits >= 128 && (width.kind === 'uint' || width.kind === 'int' || width.kind === 'bytes');
+}
+function isNarrowInteger(width) {
+    return width.kind !== 'bytes' && width.bits < 256;
+}
+function identifiersIn(expr) {
+    const names = [];
+    walk(expr, node => {
+        if (node.type === 'Identifier')
+            names.push(node.name || '');
+    });
+    return names.filter(Boolean);
+}
+function getIdentifierName(expr) {
+    return expr?.type === 'Identifier' ? expr.name || '' : '';
+}
+function expressionName(expr) {
+    if (!expr || typeof expr !== 'object')
+        return '';
+    if (expr.type === 'Identifier')
+        return expr.name || '';
+    if (expr.type === 'MemberAccess')
+        return `${expressionName(expr.expression)}.${expr.memberName || ''}`;
+    if (expr.type === 'IndexAccess')
+        return expressionName(expr.base);
+    if (expr.type === 'FunctionCall')
+        return `${expressionName(expr.expression)}(${(expr.arguments || []).map(expressionName).join(',')})`;
+    if (expr.type === 'BinaryOperation')
+        return `${expressionName(expr.left)} ${expr.operator} ${expressionName(expr.right)}`;
+    return childNodes(expr).map(expressionName).join(' ');
+}
+function locOf(node) {
+    const { line, column, endLine, endColumn } = (0, ast_1.assertLoc)(node);
+    return { line, column, endLine, endColumn };
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const child of childNodes(node))
+        walk(child, visit);
+}
+function childNodes(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const out = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'range')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    out.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+//# sourceMappingURL=cross-chain-truncation.js.map

package/dist/detectors/cross-contract-integer-overflow.d.ts

@@ -0,0 +1,76 @@
+import type { ScanResult } from '../index';
+import type { DetectorContext } from './types';
+export declare class CrossContractIntegerOverflowDetector {
+    readonly id = "cross-contract-integer-overflow";
+    readonly patternKey = "cross-contract-integer-overflow";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "high";
+        help: string;
+    };
+    private currentFile;
+    private sourceText;
+    private findings;
+    private contracts;
+    private stateTypes;
+    private localTypes;
+    private localFlows;
+    private parameterNames;
+    private guardSigs;
+    private emittedKeys;
+    private currentContract;
+    private currentFunction;
+    private currentFunctionNode;
+    private currentSummary;
+    private currentRecord;
+    private uncheckedDepth;
+    private pragmaAllowsPre08;
+    private sawPragma;
+    private replaying;
+    private suppressFindings;
+    private finalized;
+    private ctx;
+    setFile(file: string): void;
+    setSourceText(sourceText?: string): void;
+    setContext(ctx: DetectorContext): void;
+    getFindings(): ScanResult[];
+    PragmaDirective(node: any): void;
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(_node: any): void;
+    StateVariableDeclaration(node: any): void;
+    FunctionDefinition(node: any): void;
+    FunctionDefinition_post(_node: any): void;
+    UncheckedStatement(_node: any): void;
+    UncheckedStatement_post(_node: any): void;
+    VariableDeclarationStatement(node: any): void;
+    ReturnStatement(node: any): void;
+    FunctionCall(node: any): void;
+    BinaryOperation(node: any): void;
+    private recordType;
+    private userDefinedTypeName;
+    private isArithmeticOperator;
+    private maybeEmitArithmeticFinding;
+    private recordEvent;
+    private finalizeAnalysis;
+    private computeSummaries;
+    private replayFunction;
+    private totalFunctionRecords;
+    private summaryKey;
+    private arithmeticOperandFlow;
+    private arithmeticSignature;
+    private assignFlow;
+    private expressionFlow;
+    private resolveCall;
+    private memberAccessForCall;
+    private resolveFunctionSummary;
+    private markSummaryTainted;
+    private dependsOnParameter;
+    private isRequireCall;
+    private recordGuard;
+    private expressionLooksLikeMaxMinusLiteral;
+    private isTypeMax;
+    private snippet;
+}