@snovon/solast 0.2.0

package/dist/detectors/delegatecall-untrusted-implementation.js

@@ -0,0 +1,888 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DelegatecallUntrustedImplementationDetector = void 0;
+const access_control_1 = require("./_common/access-control");
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'delegatecall-untrusted-implementation';
+class DelegatecallUntrustedImplementationDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'Delegatecall target implementation resolves to untrusted or unresolved provenance.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'high',
+        help: 'Delegate only to fixed or admin-controlled implementation addresses whose upgrade path validates deployed code.',
+    };
+    file = '';
+    ctx;
+    findings = [];
+    contract = null;
+    fn = null;
+    setFile(file) {
+        this.file = file;
+        this.ctx = undefined;
+        this.findings = [];
+        this.contract = null;
+        this.fn = null;
+    }
+    setContext(ctx) {
+        this.ctx = ctx;
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        if (!(0, ast_1.isNode)(node, 'ContractDefinition') || node.kind === 'interface' || node.kind === 'library') {
+            this.contract = null;
+            return;
+        }
+        this.contract = {
+            name: String(node.name || '<anonymous>'),
+            node,
+            stateVars: collectStateVars(node),
+            modifierGuards: collectModifierGuards(node, this.ctx),
+            senderInfluencedState: new Set(),
+            functions: new Map(),
+            writes: [],
+            delegatecalls: [],
+            emitted: new Set(),
+        };
+    }
+    ContractDefinition_post(_node) {
+        if (this.contract) {
+            this.includeInheritedContractBodies(this.contract);
+            this.evaluateContract(this.contract);
+        }
+        this.contract = null;
+        this.fn = null;
+    }
+    ['ContractDefinition:exit'](node) {
+        this.ContractDefinition_post(node);
+    }
+    FunctionDefinition(node) {
+        this.fn = null;
+        if (!this.contract || !(0, ast_1.isNode)(node, 'FunctionDefinition'))
+            return;
+        const paramList = collectParameters(node);
+        const params = new Set(paramList);
+        const guardRefs = new Set();
+        let accessControlled = (0, access_control_1.hasRecognisedAccessControlModifier)(node);
+        for (const modifierName of modifierNames(node)) {
+            const refs = this.contract.modifierGuards.get(modifierName);
+            if (!refs)
+                continue;
+            accessControlled = true;
+            for (const ref of refs)
+                guardRefs.add(ref);
+        }
+        this.fn = {
+            node,
+            name: functionDisplayName(node),
+            externallyCallable: isExternallyCallable(node),
+            isConstructor: !!node.isConstructor,
+            accessControlled,
+            guardRefs,
+            params,
+            paramList,
+            returnList: collectReturnParameters(node),
+            codeValidatedParams: new Set(),
+            aliases: new Map(),
+            internalCalls: [],
+        };
+        this.contract.functions.set(this.fn.name, this.fn);
+    }
+    FunctionDefinition_post(_node) {
+        if (this.fn && !this.fn.returnTarget) {
+            for (const returnName of this.fn.returnList) {
+                const target = this.fn.aliases.get(returnName);
+                if (target) {
+                    this.fn.returnTarget = target;
+                    break;
+                }
+            }
+        }
+        this.fn = null;
+    }
+    ['FunctionDefinition:exit'](node) {
+        this.FunctionDefinition_post(node);
+    }
+    FunctionCall(node) {
+        if (!this.contract || !this.fn || !(0, ast_1.isNode)(node, 'FunctionCall'))
+            return;
+        if (isRequireOrAssert(node)) {
+            const condition = node.arguments?.[0];
+            if ((0, access_control_1.requireExpressesAccessControl)(condition, isPrivilegedName)) {
+                this.fn.accessControlled = true;
+                for (const ref of collectGuardReferences(condition))
+                    this.fn.guardRefs.add(ref);
+            }
+            for (const param of this.fn.params) {
+                if (containsCodeValidationFor(condition, param))
+                    this.fn.codeValidatedParams.add(param);
+            }
+        }
+        if (isTrustedUpgradeHelperCall(node)) {
+            for (const arg of node.arguments || []) {
+                const name = identifierName(arg);
+                if (name && this.fn.params.has(name))
+                    this.fn.codeValidatedParams.add(name);
+            }
+        }
+        const internalCallee = internalFunctionCallName(node.expression);
+        if (internalCallee) {
+            this.fn.internalCalls.push({
+                calleeName: internalCallee,
+                argNames: (node.arguments || []).map(identifierName),
+                argExpressions: node.arguments || [],
+            });
+        }
+        const targetExpr = delegatecallTargetExpression(node);
+        if (!targetExpr)
+            return;
+        const target = this.resolveTarget(targetExpr);
+        this.contract.delegatecalls.push({ target, node, fn: this.fn });
+    }
+    VariableDeclarationStatement(node) {
+        if (!this.fn || !(0, ast_1.isNode)(node, 'VariableDeclarationStatement'))
+            return;
+        const initial = node.initialValue;
+        if (!initial)
+            return;
+        const target = this.resolveTarget(initial);
+        if (target.kind === 'unresolved')
+            return;
+        for (const variable of node.variables || []) {
+            const name = variableName(variable);
+            if (name)
+                this.fn.aliases.set(name, target);
+        }
+    }
+    BinaryOperation(node) {
+        if (!this.contract || !this.fn || !(0, ast_1.isNode)(node, 'BinaryOperation') || node.operator !== '=')
+            return;
+        this.recordWrite(node.left, node.right, node);
+        const leftName = identifierName(node.left);
+        if (leftName && this.contract.stateVars.has(leftName) && isMsgSender(node.right) && this.fn.externallyCallable && !this.fn.accessControlled) {
+            this.contract.senderInfluencedState.add(leftName);
+        }
+        if (leftName) {
+            const target = this.resolveTarget(node.right);
+            if (target.kind !== 'unresolved')
+                this.fn.aliases.set(leftName, target);
+        }
+    }
+    AssemblyAssignment(node) {
+        if (!this.fn || !(0, ast_1.isNode)(node, 'AssemblyAssignment'))
+            return;
+        const targetName = variableName(node.names?.[0]);
+        const source = assemblySloadRef(node.expression);
+        if (targetName && source)
+            this.fn.aliases.set(targetName, source);
+    }
+    AssemblyLocalDefinition(node) {
+        if (!this.fn || !(0, ast_1.isNode)(node, 'AssemblyLocalDefinition'))
+            return;
+        const targetName = variableName(node.names?.[0]);
+        const source = assemblySloadRef(node.expression);
+        if (targetName && source)
+            this.fn.aliases.set(targetName, source);
+    }
+    ReturnStatement(node) {
+        if (!this.fn || !(0, ast_1.isNode)(node, 'ReturnStatement'))
+            return;
+        const target = this.resolveTarget(node.expression);
+        if (target.kind !== 'unresolved')
+            this.fn.returnTarget = target;
+    }
+    AssemblyCall(node) {
+        if (!this.contract || !this.fn || !(0, ast_1.isNode)(node, 'AssemblyCall'))
+            return;
+        const functionName = String(node.functionName || '');
+        if (functionName === 'delegatecall') {
+            const target = this.resolveTarget(node.arguments?.[1]);
+            this.contract.delegatecalls.push({ target, node, fn: this.fn });
+            return;
+        }
+        if (functionName === 'sstore') {
+            const slot = assemblySlotName(node.arguments?.[0]);
+            if (!slot)
+                return;
+            const valueName = assemblyValueName(node.arguments?.[1]);
+            this.contract.writes.push({
+                target: { kind: 'slot', name: slot },
+                valueName,
+                fn: this.fn,
+                node,
+            });
+        }
+    }
+    recordWrite(left, right, node) {
+        const targetName = identifierName(left);
+        if (!targetName || !this.contract?.stateVars.has(targetName))
+            return;
+        this.contract.writes.push({
+            target: { kind: 'state', name: targetName },
+            valueName: identifierName(right),
+            fn: this.fn,
+            node,
+        });
+    }
+    resolveTarget(expr) {
+        if (!expr || typeof expr !== 'object')
+            return { kind: 'unresolved', name: '<unknown>' };
+        if ((0, ast_1.isNode)(expr, 'Identifier')) {
+            const name = String(expr.name || '');
+            const alias = this.fn?.aliases.get(name);
+            if (alias)
+                return alias;
+            if (this.fn?.params.has(name)) {
+                return this.fn.externallyCallable ? { kind: 'calldata', name } : { kind: 'param', name };
+            }
+            if (this.contract?.stateVars.has(name))
+                return { kind: 'state', name };
+            return { kind: 'unresolved', name: name || '<identifier>' };
+        }
+        if ((0, ast_1.isNode)(expr, 'FunctionCall')) {
+            if (isAddressCast(expr))
+                return this.resolveTarget(expr.arguments?.[0]);
+            if (isAddressThis(expr))
+                return { kind: 'trusted', name: 'address(this)' };
+            const internalCallee = internalFunctionCallName(expr.expression);
+            const returnTarget = internalCallee ? this.contract?.functions.get(internalCallee)?.returnTarget : undefined;
+            if (returnTarget)
+                return returnTarget;
+            return { kind: 'unresolved', name: callName(expr.expression) || '<call>' };
+        }
+        if ((0, ast_1.isNode)(expr, 'MemberAccess')) {
+            if (String(expr.memberName || '') === 'code')
+                return this.resolveTarget(expr.expression);
+            return { kind: 'unresolved', name: expressionName(expr) || '<member>' };
+        }
+        if ((0, ast_1.isNode)(expr, 'AssemblyCall')) {
+            const name = String(expr.functionName || '');
+            const alias = this.fn?.aliases.get(name);
+            if (alias)
+                return alias;
+            if (this.fn?.params.has(name)) {
+                return this.fn.externallyCallable ? { kind: 'calldata', name } : { kind: 'param', name };
+            }
+            if (this.contract?.stateVars.has(name))
+                return { kind: 'state', name };
+            return { kind: 'unresolved', name: name || '<assembly-call>' };
+        }
+        return { kind: 'unresolved', name: expressionName(expr) || '<expression>' };
+    }
+    evaluateContract(contract) {
+        for (const call of contract.delegatecalls) {
+            const classification = classifyTarget(contract, call);
+            if (!classification)
+                continue;
+            const key = `${call.fn.name}:${call.target.kind}:${call.target.name}:${classification}`;
+            if (contract.emitted.has(key))
+                continue;
+            contract.emitted.add(key);
+            this.findings.push(this.makeFinding(contract, call, classification));
+        }
+    }
+    includeInheritedContractBodies(contract) {
+        const semantic = this.ctx?.semantic;
+        if (!semantic)
+            return;
+        const contractInfo = semantic.contracts.get(`${this.file}::${contract.name}`);
+        if (!contractInfo || contractInfo.bases.length === 0)
+            return;
+        const linearized = semantic.linearize(contractInfo.id);
+        const ids = linearized?.mro || [contractInfo.id];
+        const seenFunctions = new Set(contract.functions.keys());
+        for (const id of ids) {
+            const info = semantic.contracts.get(id);
+            if (!info)
+                continue;
+            for (const variable of info.stateVariables) {
+                const name = variableName(variable.node);
+                if (!name || contract.stateVars.has(name))
+                    continue;
+                contract.stateVars.set(name, {
+                    name,
+                    immutable: !!variable.node?.isImmutable,
+                    constant: !!variable.node?.isDeclaredConst,
+                    addressLike: isAddressType(variable.node?.typeName),
+                });
+            }
+            if (id === contractInfo.id)
+                continue;
+            for (const fn of info.functions) {
+                if (!fn.node?.body || fn.node.isConstructor)
+                    continue;
+                const name = functionDisplayName(fn.node);
+                if (seenFunctions.has(name))
+                    continue;
+                seenFunctions.add(name);
+                this.analyzeInheritedFunctionBody(contract, fn.node);
+            }
+        }
+    }
+    analyzeInheritedFunctionBody(contract, fnNode) {
+        const previousContract = this.contract;
+        const previousFn = this.fn;
+        this.contract = contract;
+        this.FunctionDefinition(fnNode);
+        if (this.fn) {
+            walk(fnNode.body, node => {
+                if ((0, ast_1.isNode)(node, 'FunctionCall'))
+                    this.FunctionCall(node);
+                else if ((0, ast_1.isNode)(node, 'VariableDeclarationStatement'))
+                    this.VariableDeclarationStatement(node);
+                else if ((0, ast_1.isNode)(node, 'BinaryOperation'))
+                    this.BinaryOperation(node);
+                else if ((0, ast_1.isNode)(node, 'AssemblyAssignment'))
+                    this.AssemblyAssignment(node);
+                else if ((0, ast_1.isNode)(node, 'AssemblyLocalDefinition'))
+                    this.AssemblyLocalDefinition(node);
+                else if ((0, ast_1.isNode)(node, 'ReturnStatement'))
+                    this.ReturnStatement(node);
+                else if ((0, ast_1.isNode)(node, 'AssemblyCall'))
+                    this.AssemblyCall(node);
+            });
+            this.FunctionDefinition_post(fnNode);
+        }
+        this.contract = previousContract;
+        this.fn = previousFn;
+    }
+    makeFinding(contract, call, classification) {
+        const loc = (0, ast_1.tryLoc)(call.node, call.fn.node) ?? { line: 1, endLine: 1, column: 0, endColumn: 0 };
+        const target = call.target.name || '<unknown>';
+        return {
+            file: this.file,
+            contract: contract.name,
+            'function': call.fn.name,
+            line: loc.line,
+            endLine: loc.endLine,
+            column: loc.column,
+            endColumn: loc.endColumn,
+            pattern: RULE_ID,
+            confidence: 'medium',
+            ruleId: RULE_ID,
+            severity: 'high',
+            category: 'access-control',
+            message: `Delegatecall target '${target}' in '${contract.name}.${call.fn.name}' has ${classification} implementation provenance.`,
+            rationale: 'delegatecall executes the target code in the caller storage context; a calldata-derived, externally writable, sender-influenceable, constructor-unvalidated, or unresolved implementation address can corrupt proxy state or seize authority.',
+            suggestedFix: 'Use an immutable or constant trusted implementation, or restrict upgrades to a recognized admin/role guard that validates the new implementation has code before storing it.',
+            contractName: contract.name,
+            functionName: call.fn.name,
+            sourceLocation: { line: loc.line, column: loc.column },
+            delegateTarget: target,
+            trace: `target=${call.target.kind}:${target}; classification=${classification}`,
+            operationType: 'delegatecall',
+            externalCallNode: call.node,
+            findingId: '',
+            contractHash: '',
+        };
+    }
+}
+exports.DelegatecallUntrustedImplementationDetector = DelegatecallUntrustedImplementationDetector;
+function classifyTarget(contract, call) {
+    const target = call.target;
+    if (target.kind === 'trusted')
+        return null;
+    if (target.kind === 'param')
+        return classifyInternalParamTarget(contract, call, target.name);
+    if (target.kind === 'calldata') {
+        if (call.fn.accessControlled
+            && call.fn.codeValidatedParams.has(target.name)
+            && !guardIsSenderInfluenced(contract, call.fn)) {
+            return null;
+        }
+        return 'calldata-derived';
+    }
+    if (target.kind === 'unresolved')
+        return 'unresolved';
+    const writes = contract.writes.filter(write => write.target.kind === target.kind && write.target.name === target.name);
+    if (target.kind === 'state') {
+        const stateVar = contract.stateVars.get(target.name);
+        if (stateVar?.constant)
+            return null;
+        if (stateVar?.immutable) {
+            return writes.every(write => isTrustedWrite(write, contract)) ? null : 'constructor-unvalidated';
+        }
+    }
+    if (writes.length === 0)
+        return 'unresolved';
+    if (writes.some(write => isConstructorReachableWrite(write, contract) && !isTrustedWrite(write, contract)))
+        return 'constructor-unvalidated';
+    if (writes.some(isExternallyWritable))
+        return 'externally writable';
+    if (writes.some(write => write.fn.externallyCallable && write.fn.accessControlled && guardIsSenderInfluenced(contract, write.fn))) {
+        return 'sender-influenceable';
+    }
+    const externalWrites = writes.filter(write => write.fn.externallyCallable && !write.fn.isConstructor);
+    if (externalWrites.length > 0 && externalWrites.every(write => isTrustedWrite(write, contract)))
+        return null;
+    if (writes.every(write => isTrustedWrite(write, contract)))
+        return null;
+    return 'externally mutable';
+}
+function classifyInternalParamTarget(contract, call, paramName) {
+    const origins = internalParamOrigins(contract, call.fn, paramName);
+    if (origins.length === 0)
+        return 'unresolved';
+    for (const origin of origins) {
+        const classification = classifyTarget(contract, { ...call, target: origin.target, fn: origin.fn });
+        if (classification)
+            return classification;
+    }
+    return null;
+}
+function internalParamOrigins(contract, targetFn, paramName, seen = new Set()) {
+    const key = `${targetFn.name}:${paramName}`;
+    if (seen.has(key))
+        return [];
+    seen.add(key);
+    const index = targetFn.paramList.indexOf(paramName);
+    if (index < 0)
+        return [];
+    const origins = [];
+    for (const caller of contract.functions.values()) {
+        for (const call of caller.internalCalls) {
+            if (call.calleeName !== targetFn.name)
+                continue;
+            const argExpr = call.argExpressions[index];
+            const target = resolveTargetInFunction(contract, caller, argExpr);
+            if (target.kind === 'param') {
+                origins.push(...internalParamOrigins(contract, caller, target.name, new Set(seen)));
+            }
+            else {
+                origins.push({ target, fn: caller });
+            }
+        }
+    }
+    return origins;
+}
+function isExternallyWritable(write) {
+    return write.fn.externallyCallable && !write.fn.isConstructor && !write.fn.accessControlled;
+}
+function isTrustedWrite(write, contract) {
+    if (!write.valueName)
+        return false;
+    const selfValidated = write.fn.codeValidatedParams.has(write.valueName);
+    if (write.fn.isConstructor)
+        return selfValidated;
+    if (write.fn.externallyCallable)
+        return selfValidated && isTrustedUpgradeEntrypoint(write.fn, contract);
+    const entrypoints = [...contract.functions.values()]
+        .filter(fn => fn.isConstructor || fn.externallyCallable)
+        .filter(fn => valueOriginsForTarget(contract, fn, write.fn.name, write.valueName).size > 0);
+    if (entrypoints.length === 0)
+        return false;
+    return entrypoints.every(fn => {
+        const origins = valueOriginsForTarget(contract, fn, write.fn.name, write.valueName);
+        const okExternal = fn.isConstructor || isTrustedUpgradeEntrypoint(fn, contract);
+        const validated = selfValidated || [...origins].some(origin => fn.codeValidatedParams.has(origin));
+        return okExternal && validated;
+    });
+}
+function isConstructorReachableWrite(write, contract) {
+    if (write.fn.isConstructor)
+        return true;
+    if (!write.valueName)
+        return false;
+    return [...contract.functions.values()]
+        .some(fn => fn.isConstructor && valueOriginsForTarget(contract, fn, write.fn.name, write.valueName).size > 0);
+}
+function isTrustedUpgradeEntrypoint(fn, contract) {
+    return fn.accessControlled && !guardIsSenderInfluenced(contract, fn);
+}
+function valueOriginsForTarget(contract, current, targetFnName, targetValueName, seen = new Set()) {
+    const key = `${current.name}->${targetFnName}:${targetValueName}`;
+    if (seen.has(key))
+        return new Set();
+    seen.add(key);
+    if (current.name === targetFnName)
+        return new Set([targetValueName]);
+    const origins = new Set();
+    for (const call of current.internalCalls) {
+        const callee = contract.functions.get(call.calleeName);
+        if (!callee)
+            continue;
+        const calleeOrigins = valueOriginsForTarget(contract, callee, targetFnName, targetValueName, new Set(seen));
+        for (const calleeOrigin of calleeOrigins) {
+            const index = callee.paramList.indexOf(calleeOrigin);
+            const callerArg = index >= 0 ? call.argNames[index] : '';
+            if (callerArg)
+                origins.add(callerArg);
+        }
+    }
+    return origins;
+}
+function guardIsSenderInfluenced(contract, fn) {
+    for (const ref of fn.guardRefs) {
+        if (contract.senderInfluencedState.has(ref))
+            return true;
+    }
+    return false;
+}
+function collectStateVars(contractNode) {
+    const vars = new Map();
+    for (const sub of contractNode.subNodes || []) {
+        if (!(0, ast_1.isNode)(sub, 'StateVariableDeclaration'))
+            continue;
+        for (const variable of sub.variables || []) {
+            const name = variableName(variable);
+            if (!name)
+                continue;
+            vars.set(name, {
+                name,
+                immutable: !!variable.isImmutable,
+                constant: !!variable.isDeclaredConst,
+                addressLike: isAddressType(variable.typeName),
+            });
+        }
+    }
+    return vars;
+}
+function collectModifierGuards(contractNode, ctx) {
+    const guards = new Map();
+    for (const sub of contractNode.subNodes || []) {
+        if (!(0, ast_1.isNode)(sub, 'ModifierDefinition'))
+            continue;
+        const refs = collectAccessControlReferences(sub.body);
+        if (refs.size > 0)
+            guards.set(String(sub.name || ''), refs);
+    }
+    const semantic = ctx?.semantic;
+    if (!semantic)
+        return guards;
+    const contractInfo = semantic.contracts.get(`${ctx.file}::${String(contractNode.name || '')}`);
+    if (!contractInfo)
+        return guards;
+    const linearized = semantic.linearize(contractInfo.id);
+    const ids = linearized?.mro || [contractInfo.id];
+    for (const id of ids) {
+        const info = semantic.contracts.get(id);
+        if (!info)
+            continue;
+        for (const mod of info.modifiers) {
+            if (guards.has(mod.name))
+                continue;
+            const refs = collectAccessControlReferences(mod.node?.body);
+            if (refs.size > 0)
+                guards.set(mod.name, refs);
+        }
+    }
+    return guards;
+}
+function collectAccessControlReferences(body) {
+    const refs = new Set();
+    walk(body, node => {
+        const condition = isRequireOrAssert(node)
+            ? node.arguments?.[0]
+            : (0, ast_1.isNode)(node, 'IfStatement')
+                ? node.condition
+                : null;
+        if (!condition)
+            return;
+        if (!(0, access_control_1.requireExpressesAccessControl)(condition, isPrivilegedName))
+            return;
+        for (const ref of collectGuardReferences(condition))
+            refs.add(ref);
+    });
+    return refs;
+}
+function collectParameters(fn) {
+    const params = [];
+    for (const param of fn.parameters || []) {
+        const name = variableName(param);
+        if (name)
+            params.push(name);
+    }
+    return params;
+}
+function collectReturnParameters(fn) {
+    const params = [];
+    for (const param of fn.returnParameters || []) {
+        const name = variableName(param);
+        if (name)
+            params.push(name);
+    }
+    return params;
+}
+function resolveTargetInFunction(contract, fn, expr) {
+    if (!expr || typeof expr !== 'object')
+        return { kind: 'unresolved', name: '<unknown>' };
+    if ((0, ast_1.isNode)(expr, 'Identifier')) {
+        const name = String(expr.name || '');
+        const alias = fn.aliases.get(name);
+        if (alias)
+            return alias;
+        if (fn.params.has(name))
+            return fn.externallyCallable ? { kind: 'calldata', name } : { kind: 'param', name };
+        if (contract.stateVars.has(name))
+            return { kind: 'state', name };
+        return { kind: 'unresolved', name: name || '<identifier>' };
+    }
+    if ((0, ast_1.isNode)(expr, 'FunctionCall')) {
+        if (isAddressCast(expr))
+            return resolveTargetInFunction(contract, fn, expr.arguments?.[0]);
+        if (isAddressThis(expr))
+            return { kind: 'trusted', name: 'address(this)' };
+        const internalCallee = internalFunctionCallName(expr.expression);
+        const returnTarget = internalCallee ? contract.functions.get(internalCallee)?.returnTarget : undefined;
+        if (returnTarget)
+            return returnTarget;
+        return { kind: 'unresolved', name: callName(expr.expression) || '<call>' };
+    }
+    if ((0, ast_1.isNode)(expr, 'MemberAccess')) {
+        if (String(expr.memberName || '') === 'code')
+            return resolveTargetInFunction(contract, fn, expr.expression);
+        return { kind: 'unresolved', name: expressionName(expr) || '<member>' };
+    }
+    if ((0, ast_1.isNode)(expr, 'AssemblyCall')) {
+        const name = String(expr.functionName || '');
+        const alias = fn.aliases.get(name);
+        if (alias)
+            return alias;
+        if (fn.params.has(name))
+            return fn.externallyCallable ? { kind: 'calldata', name } : { kind: 'param', name };
+        if (contract.stateVars.has(name))
+            return { kind: 'state', name };
+        return { kind: 'unresolved', name: name || '<assembly-call>' };
+    }
+    return { kind: 'unresolved', name: expressionName(expr) || '<expression>' };
+}
+function modifierNames(fn) {
+    const out = [];
+    for (const modifier of fn.modifiers || []) {
+        if (typeof modifier?.name === 'string')
+            out.push(modifier.name);
+        else if (typeof modifier?.modifierName?.name === 'string')
+            out.push(modifier.modifierName.name);
+    }
+    return out;
+}
+function delegatecallTargetExpression(call) {
+    const callee = unwrapCallOptions(call.expression);
+    if (!(0, ast_1.isNode)(callee, 'MemberAccess') || String(callee.memberName || '') !== 'delegatecall')
+        return null;
+    return callee.expression;
+}
+function unwrapCallOptions(expr) {
+    if ((0, ast_1.isNode)(expr, 'FunctionCallOptions') || (0, ast_1.isNode)(expr, 'NameValueExpression'))
+        return expr.expression;
+    return expr;
+}
+function internalFunctionCallName(expr) {
+    expr = unwrapCallOptions(expr);
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return String(expr.name || '');
+    if ((0, ast_1.isNode)(expr, 'MemberAccess')
+        && (0, ast_1.isNode)(expr.expression, 'Identifier')
+        && String(expr.expression.name || '') === 'this') {
+        return String(expr.memberName || '');
+    }
+    return '';
+}
+function isRequireOrAssert(node) {
+    if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+        return false;
+    const expr = node.expression;
+    return (0, ast_1.isNode)(expr, 'Identifier') && (expr.name === 'require' || expr.name === 'assert');
+}
+function isTrustedUpgradeHelperCall(node) {
+    if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+        return false;
+    const name = callName(node.expression).toLowerCase();
+    const tail = name.includes('.') ? name.split('.').pop() || name : name;
+    return tail === 'upgradeto' || tail === '_upgradeto' || tail === 'upgrade_to';
+}
+function containsCodeValidationFor(condition, param) {
+    let found = false;
+    walk(condition, node => {
+        if (isCodeLengthExpression(node, param))
+            found = true;
+        if (isIsContractCall(node, param))
+            found = true;
+    });
+    return found;
+}
+function isCodeLengthExpression(node, param) {
+    if (!(0, ast_1.isNode)(node, 'MemberAccess') || String(node.memberName || '') !== 'length')
+        return false;
+    const code = node.expression;
+    if (!(0, ast_1.isNode)(code, 'MemberAccess') || String(code.memberName || '') !== 'code')
+        return false;
+    return expressionReferencesName(code.expression, param);
+}
+function isIsContractCall(node, param) {
+    if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+        return false;
+    const name = callName(node.expression).toLowerCase();
+    if (!name.endsWith('iscontract'))
+        return false;
+    return expressionReferencesName(node.arguments?.[0], param);
+}
+function collectGuardReferences(expr) {
+    const refs = new Set();
+    walk(expr, node => {
+        if (!(0, ast_1.isNode)(node, 'BinaryOperation') || (node.operator !== '==' && node.operator !== '!=' && node.operator !== '==='))
+            return;
+        const left = node.left || node.leftExpression;
+        const right = node.right || node.rightExpression;
+        if (isMsgSender(left))
+            addPrivilegedNames(right, refs);
+        if (isMsgSender(right))
+            addPrivilegedNames(left, refs);
+    });
+    return refs;
+}
+function addPrivilegedNames(expr, out) {
+    if (!expr || typeof expr !== 'object')
+        return;
+    if ((0, ast_1.isNode)(expr, 'Identifier')) {
+        const name = String(expr.name || '');
+        if (isPrivilegedName(name))
+            out.add(name);
+        return;
+    }
+    if ((0, ast_1.isNode)(expr, 'MemberAccess')) {
+        const name = String(expr.memberName || '');
+        if (isPrivilegedName(name))
+            out.add(name);
+        addPrivilegedNames(expr.expression, out);
+        return;
+    }
+    if ((0, ast_1.isNode)(expr, 'IndexAccess')) {
+        addPrivilegedNames(expr.base || expr.baseExpression, out);
+    }
+}
+function isPrivilegedName(name) {
+    return (0, access_control_1.isPrivilegedIdentifier)(name, {
+        keywords: ['owner', 'admin', 'role', 'authority', 'authorized', 'governance', 'governor', 'guardian', 'manager', 'operator', 'upgrader'],
+        mode: 'word-boundary',
+    });
+}
+function assemblySloadRef(expr) {
+    if (!(0, ast_1.isNode)(expr, 'AssemblyCall') || String(expr.functionName || '') !== 'sload')
+        return null;
+    const slot = assemblySlotName(expr.arguments?.[0]);
+    return slot ? { kind: 'slot', name: slot } : null;
+}
+function assemblySlotName(expr) {
+    if (!expr || typeof expr !== 'object')
+        return '';
+    if ((0, ast_1.isNode)(expr, 'AssemblyCall'))
+        return String(expr.functionName || '');
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return String(expr.name || '');
+    return expressionName(expr);
+}
+function assemblyValueName(expr) {
+    if (!expr || typeof expr !== 'object')
+        return '';
+    if ((0, ast_1.isNode)(expr, 'AssemblyCall'))
+        return String(expr.functionName || '');
+    return identifierName(expr);
+}
+function isExternallyCallable(fn) {
+    if (fn.isConstructor)
+        return false;
+    const visibility = String(fn.visibility || '').toLowerCase();
+    return visibility === 'public' || visibility === 'external' || visibility === 'default';
+}
+function isAddressType(typeName) {
+    return (0, ast_1.isNode)(typeName, 'ElementaryTypeName') && String(typeName.name || '').startsWith('address');
+}
+function isAddressCast(call) {
+    return (0, ast_1.isNode)(call.expression, 'Identifier') && String(call.expression.name || '').toLowerCase() === 'address';
+}
+function isAddressThis(call) {
+    if (!isAddressCast(call))
+        return false;
+    const arg = call.arguments?.[0];
+    return (0, ast_1.isNode)(arg, 'Identifier') && String(arg.name || '') === 'this';
+}
+function isMsgSender(expr) {
+    return (0, ast_1.isNode)(expr, 'MemberAccess')
+        && String(expr.memberName || '') === 'sender'
+        && (0, ast_1.isNode)(expr.expression, 'Identifier')
+        && String(expr.expression.name || '') === 'msg';
+}
+function expressionReferencesName(expr, name) {
+    let found = false;
+    walk(expr, node => {
+        if ((0, ast_1.isNode)(node, 'Identifier') && String(node.name || '') === name)
+            found = true;
+    });
+    return found;
+}
+function identifierName(expr) {
+    if (!expr || typeof expr !== 'object')
+        return '';
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return String(expr.name || '');
+    if ((0, ast_1.isNode)(expr, 'MemberAccess'))
+        return String(expr.memberName || '');
+    return '';
+}
+function variableName(node) {
+    if (!node || typeof node !== 'object')
+        return '';
+    if (typeof node.name === 'string')
+        return node.name;
+    if ((0, ast_1.isNode)(node.identifier, 'Identifier'))
+        return String(node.identifier.name || '');
+    return '';
+}
+function callName(expr) {
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return String(expr.name || '');
+    if ((0, ast_1.isNode)(expr, 'MemberAccess')) {
+        const prefix = callName(expr.expression);
+        const member = String(expr.memberName || '');
+        return prefix ? `${prefix}.${member}` : member;
+    }
+    return '';
+}
+function expressionName(expr) {
+    if (!expr || typeof expr !== 'object')
+        return '';
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return String(expr.name || '');
+    if ((0, ast_1.isNode)(expr, 'MemberAccess')) {
+        const base = expressionName(expr.expression);
+        return base ? `${base}.${String(expr.memberName || '')}` : String(expr.memberName || '');
+    }
+    if ((0, ast_1.isNode)(expr, 'FunctionCall'))
+        return callName(expr.expression);
+    return '';
+}
+function functionDisplayName(fn) {
+    if (!(0, ast_1.isNode)(fn, 'FunctionDefinition'))
+        return '<unknown>';
+    if (fn.isConstructor)
+        return '<constructor>';
+    if (fn.isReceiveEther)
+        return '<receive>';
+    if (fn.isFallback)
+        return '<fallback>';
+    return String(fn.name || '<anonymous>');
+}
+function walk(node, visit, seen = new Set()) {
+    if (!node || typeof node !== 'object' || seen.has(node))
+        return;
+    seen.add(node);
+    visit(node);
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'range' || key === 'comments')
+            continue;
+        if (Array.isArray(value)) {
+            for (const child of value)
+                walk(child, visit, seen);
+        }
+        else if (value && typeof value === 'object') {
+            walk(value, visit, seen);
+        }
+    }
+}
+//# sourceMappingURL=delegatecall-untrusted-implementation.js.map