@snovon/solast 0.2.0

package/dist/detectors/delegated-authorization-bypass.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class DelegatedAuthorizationBypassDetector {
+    readonly id = "delegated-authorization-bypass";
+    readonly patternKey = "delegated-authorization-bypass";
+    readonly supportedAstKinds: ("parser" | "solc")[];
+    scanAst(ast: any, file: string, sourceText?: string): ScanResult[];
+}

package/dist/detectors/delegated-authorization-bypass.js

@@ -0,0 +1,370 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DelegatedAuthorizationBypassDetector = void 0;
+const source_text_1 = require("./_common/source-text");
+const RULE_ID = 'delegated-authorization-bypass';
+class DelegatedAuthorizationBypassDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser', 'solc'];
+    scanAst(ast, file, sourceText) {
+        if (!ast || typeof ast !== 'object')
+            return [];
+        const findings = [];
+        const lineOffsets = buildLineOffsets(sourceText);
+        for (const contract of collectContracts(ast)) {
+            if (isInterfaceLike(contract))
+                continue;
+            const contractName = getName(contract) || '<anonymous>';
+            for (const fn of getContractFunctions(contract)) {
+                const functionName = getName(fn);
+                if (!functionName || !isExternallyCallable(fn) || !getFunctionBody(fn))
+                    continue;
+                const functionText = getNodeSource(fn, sourceText);
+                const bodyText = getNodeSource(getFunctionBody(fn), sourceText) || functionText;
+                const normalized = stripCommentsAndStrings(bodyText).toLowerCase();
+                if (!isDelegatedAuthorizationFlow(fn, normalized))
+                    continue;
+                const params = collectParameterNames(fn);
+                const signer = pickParam(params, ['signer', 'owner', 'authorizer', 'from']);
+                const delegate = pickParam(params, ['delegate', 'executor', 'operator', 'spender']);
+                const target = pickParam(params, ['target', 'to', 'destination']);
+                const action = pickParam(params, ['data', 'calldata', 'payload', 'call']);
+                const digestArgs = collectDigestArguments(normalized);
+                const replayProtected = bodyHasReplayProtectionAst(getFunctionBody(fn))
+                    || hasReplayProtection(normalized);
+                const pattern = classifyIssue(normalized, digestArgs, replayProtected, { signer, delegate, target, action });
+                if (!pattern)
+                    continue;
+                const loc = getLoc(fn, lineOffsets) || { line: 0, column: 0 };
+                findings.push({
+                    file,
+                    contract: contractName,
+                    'function': functionName,
+                    line: loc.line,
+                    endLine: loc.line,
+                    column: loc.column,
+                    pattern,
+                    confidence: 'high',
+                    ruleId: RULE_ID,
+                    severity: 'error',
+                    message: messageFor(pattern, contractName, functionName),
+                    rationale: 'A delegated authorization signature is recovered and then used to execute caller-selected work, but the signed digest or local checks do not bind every authorization dimension needed to prevent executor substitution or replay.',
+                    suggestedFix: 'Bind the signed digest to the signer, expected delegate/executor, target contract, calldata/action hash, nonce or consumed authorization id, deadline, address(this), and chain id; check the recovered signer against the authorizing signer before executing the action.',
+                    contractName,
+                    functionName,
+                    sourceLocation: { line: loc.line, column: loc.column },
+                    findingId: '',
+                    contractHash: '',
+                });
+            }
+        }
+        return findings;
+    }
+}
+exports.DelegatedAuthorizationBypassDetector = DelegatedAuthorizationBypassDetector;
+function classifyIssue(normalized, digestArgs, replayProtected, names) {
+    if (names.signer && hasWrongSignerCheck(normalized, names.signer)) {
+        return 'delegated-authorization-bypass/wrong-signer-binding';
+    }
+    if (names.signer && !hasSignerCheck(normalized, names.signer)) {
+        return 'delegated-authorization-bypass/wrong-signer-binding';
+    }
+    if (names.delegate && !hasName(digestArgs, names.delegate) && !hasDelegateGuard(normalized, names.delegate)) {
+        return 'delegated-authorization-bypass/missing-delegate-binding';
+    }
+    if (!replayProtected) {
+        return 'delegated-authorization-bypass/missing-replay-protection';
+    }
+    if (!hasDeadlineProtection(normalized, digestArgs)) {
+        return 'delegated-authorization-bypass/missing-deadline';
+    }
+    if ((names.target && !hasName(digestArgs, names.target)) || (names.action && !hasActionBinding(digestArgs, names.action))) {
+        return 'delegated-authorization-bypass/missing-target-action-binding';
+    }
+    return null;
+}
+function isDelegatedAuthorizationFlow(fn, normalized) {
+    if (!/\b(ecrecover|recover)\s*\(/.test(normalized) && !/\.recover\s*\(/.test(normalized))
+        return false;
+    if (!/\.\s*(call|delegatecall)\s*\(/.test(normalized))
+        return false;
+    const params = collectParameterNames(fn).join(' ').toLowerCase();
+    return /\b(sig|signature|v|r|s)\b/.test(params + ' ' + normalized);
+}
+function collectDigestArguments(normalized) {
+    const args = [];
+    for (const match of normalized.matchAll(/abi\s*\.\s*encode(?:packed)?\s*\(([^;]*)\)/g)) {
+        args.push(match[1] || '');
+    }
+    return args.join(' ');
+}
+function hasWrongSignerCheck(normalized, signer) {
+    const recoveredVsSender = /\brecovered\s*={1,2}[^;]*ecrecover/.test(normalized) && /\brecovered\s*={2,3}\s*msg\s*\.\s*sender/.test(normalized);
+    return recoveredVsSender && !new RegExp(`\\brecovered\\s*={2,3}\\s*${escapeRegExp(signer)}\\b`).test(normalized);
+}
+function hasSignerCheck(normalized, signer) {
+    const s = escapeRegExp(signer);
+    return new RegExp(`\\b(ecrecover|recover)\\s*\\([^;]*={2,3}\\s*${s}\\b`).test(normalized)
+        || new RegExp(`\\.recover\\s*\\([^;]*={2,3}\\s*${s}\\b`).test(normalized)
+        || new RegExp(`\\b${s}\\b\\s*={2,3}\\s*\\b(ecrecover|recover)\\s*\\(`).test(normalized)
+        || new RegExp(`\\b${s}\\b\\s*={2,3}\\s*[a-z0-9_.$\\[\\]]+\\s*\\.\\s*recover\\s*\\(`).test(normalized)
+        || new RegExp(`\\brecovered\\s*={2,3}\\s*${s}\\b`).test(normalized)
+        || new RegExp(`\\b${s}\\b\\s*={2,3}\\s*recovered\\b`).test(normalized);
+}
+function hasDelegateGuard(normalized, delegate) {
+    const d = escapeRegExp(delegate);
+    return new RegExp(`msg\\s*\\.\\s*sender\\s*={2,3}\\s*${d}\\b`).test(normalized)
+        || new RegExp(`\\b${d}\\s*={2,3}\\s*msg\\s*\\.\\s*sender\\b`).test(normalized);
+}
+function hasReplayProtection(normalized) {
+    return /\bnonce\b/.test(normalized) && (/\+\+/.test(normalized)
+        || /\bused\s*\[[^\]]+\]\s*(?:\[[^\]]+\]\s*)?=\s*true\b/.test(normalized)
+        || /!\s*used\s*\[/.test(normalized));
+}
+/**
+ * AST predicate for the same property hasReplayProtection() checks against
+ * the regex-flattened body, but applied directly to the AST so it survives
+ * formatting changes and never matches inside string literals or comments.
+ *
+ * Two halves, both required:
+ *   - The function references an identifier whose root name matches /nonce/i
+ *     somewhere in its body. The string-form regex was `\bnonce\b`.
+ *   - At least one of the consume markers is present:
+ *       * a `++` UnaryOperation (any subject)
+ *       * an `IndexAccess` whose root identifier is named `used`, used as
+ *         the LHS of an assignment to BooleanLiteral(true) or as the
+ *         operand of a `!` UnaryOperation.
+ */
+function bodyHasReplayProtectionAst(body) {
+    if (!body)
+        return false;
+    let mentionsNonce = false;
+    let hasIncrement = false;
+    let hasUsedFlag = false;
+    walkAll(body, node => {
+        if (mentionsNonce && hasIncrement && hasUsedFlag)
+            return;
+        if (isNode(node, 'Identifier')) {
+            const name = String(node.name || '');
+            if (/nonce/i.test(name))
+                mentionsNonce = true;
+            return;
+        }
+        if (isNode(node, 'UnaryOperation') && node.operator === '++') {
+            hasIncrement = true;
+            return;
+        }
+        // !used[...] — UnaryOperation('!', IndexAccess { base: 'used' })
+        if (isNode(node, 'UnaryOperation') && node.operator === '!') {
+            const inner = node.subExpression;
+            if (inner && isNode(inner, 'IndexAccess')) {
+                const root = indexAccessRootName(inner);
+                if (root === 'used')
+                    hasUsedFlag = true;
+            }
+            return;
+        }
+        // used[...] = true (parser models assignments as BinaryOperation `=`)
+        if (isNode(node, 'BinaryOperation') && node.operator === '=') {
+            const left = node.left || node.leftExpression;
+            const right = node.right || node.rightExpression;
+            if (left && isNode(left, 'IndexAccess') &&
+                indexAccessRootName(left) === 'used' &&
+                right && ((isNode(right, 'BooleanLiteral') && right.value === true)
+                || (isNode(right, 'Literal') && right.kind === 'bool' && right.value === 'true'))) {
+                hasUsedFlag = true;
+            }
+            return;
+        }
+        // used[...] = true under solc compact JSON (Assignment node, not BinaryOperation)
+        if (isNode(node, 'Assignment') && node.operator === '=') {
+            const left = node.leftHandSide || node.left;
+            const right = node.rightHandSide || node.right;
+            if (left && isNode(left, 'IndexAccess') &&
+                indexAccessRootName(left) === 'used' &&
+                right && isNode(right, 'Literal') && right.kind === 'bool' && right.value === 'true') {
+                hasUsedFlag = true;
+            }
+        }
+    });
+    return mentionsNonce && (hasIncrement || hasUsedFlag);
+}
+function indexAccessRootName(node) {
+    if (!node || typeof node !== 'object')
+        return '';
+    if (isNode(node, 'Identifier'))
+        return String(node.name || '');
+    if (isNode(node, 'IndexAccess')) {
+        return indexAccessRootName(node.base || node.baseExpression);
+    }
+    if (isNode(node, 'MemberAccess')) {
+        return indexAccessRootName(node.expression);
+    }
+    return '';
+}
+function walkAll(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const child of childrenOf(node))
+        walkAll(child, visit);
+}
+function hasDeadlineProtection(normalized, digestArgs) {
+    return /\b(deadline|expiry|expires|expiration|validuntil)\b/.test(digestArgs)
+        && (/(block\s*\.\s*timestamp|now)\s*(<=|<)\s*\b(deadline|expiry|expires|expiration|validuntil)\b/.test(normalized)
+            || /\b(deadline|expiry|expires|expiration|validuntil)\b\s*(>=|>)\s*(block\s*\.\s*timestamp|now)/.test(normalized));
+}
+function hasActionBinding(digestArgs, action) {
+    const a = escapeRegExp(action);
+    return new RegExp(`\\b${a}\\b`).test(digestArgs) || new RegExp(`keccak256\\s*\\(\\s*${a}\\s*\\)`).test(digestArgs);
+}
+function hasName(text, name) {
+    return !!name && new RegExp(`\\b${escapeRegExp(name)}\\b`).test(text);
+}
+function messageFor(pattern, contractName, functionName) {
+    const scope = `${contractName}.${functionName}`;
+    if (pattern.endsWith('missing-delegate-binding'))
+        return `Delegated authorization in '${scope}' does not bind the signature to the expected delegate/executor.`;
+    if (pattern.endsWith('missing-replay-protection'))
+        return `Delegated authorization in '${scope}' has no recognized nonce or consumed-authorization tracking.`;
+    if (pattern.endsWith('missing-deadline'))
+        return `Delegated authorization in '${scope}' has no recognized deadline/expiry binding and check.`;
+    if (pattern.endsWith('missing-target-action-binding'))
+        return `Delegated authorization in '${scope}' does not bind the signature to the target/action being executed.`;
+    return `Delegated authorization in '${scope}' checks the recovered signer against the wrong principal.`;
+}
+function collectParameterNames(fn) {
+    const params = [];
+    const list = fn.parameters?.parameters || fn.parameters || [];
+    for (const param of list) {
+        const name = getName(param);
+        if (name)
+            params.push(name.toLowerCase());
+    }
+    return params;
+}
+function pickParam(params, candidates) {
+    return params.find(p => candidates.includes(p)) || '';
+}
+function getContractFunctions(contract) {
+    return getContractMembers(contract).filter(child => isNode(child, 'FunctionDefinition'));
+}
+function getContractMembers(contract) {
+    if (Array.isArray(contract?.subNodes))
+        return contract.subNodes;
+    if (Array.isArray(contract?.nodes))
+        return contract.nodes;
+    return [];
+}
+function collectContracts(ast) {
+    const out = [];
+    walkContracts(ast, n => out.push(n));
+    return out;
+}
+function walkContracts(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (isNode(node, 'ContractDefinition')) {
+        visit(node);
+        return;
+    }
+    for (const child of childrenOf(node))
+        walkContracts(child, visit);
+}
+function childrenOf(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const out = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'src' || key === 'range' || key === 'typeDescriptions' || key === 'id')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value)
+                if (item && typeof item === 'object')
+                    out.push(item);
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+function isNode(node, kind) {
+    return node?.type === kind || node?.nodeType === kind;
+}
+function getName(node) {
+    return typeof node?.name === 'string' ? node.name : '';
+}
+function getFunctionBody(fn) {
+    return fn?.body || null;
+}
+function isExternallyCallable(fn) {
+    const kind = String(fn.kind || (fn.isConstructor ? 'constructor' : '') || 'function').toLowerCase();
+    if (kind === 'constructor' || kind === 'fallback' || kind === 'receive')
+        return false;
+    if (fn?.isConstructor === true || fn?.isFallback === true || fn?.isReceiveEther === true)
+        return false;
+    const visibility = String(fn.visibility || '').toLowerCase();
+    return visibility === 'public' || visibility === 'external';
+}
+function isInterfaceLike(contract) {
+    const kind = String(contract?.kind || contract?.contractKind || '').toLowerCase();
+    return kind === 'interface' || kind === 'library';
+}
+function getNodeSource(node, sourceText) {
+    if (!sourceText || !node)
+        return '';
+    if (Array.isArray(node.range) && node.range.length >= 2) {
+        return sourceText.slice(node.range[0], node.range[1]);
+    }
+    if (typeof node.src === 'string') {
+        const [startRaw, lenRaw] = node.src.split(':');
+        const start = Number(startRaw);
+        const len = Number(lenRaw);
+        if (Number.isFinite(start) && Number.isFinite(len))
+            return sourceText.slice(start, start + len);
+    }
+    return '';
+}
+function stripCommentsAndStrings(input) {
+    // Delegate to the shared linear-scan stripper. The earlier regex form
+    // could miss a quote-escape sequence and leave string content visible
+    // to the downstream regexes; the linear scanner keeps state across
+    // backslash escapes inside string literals.
+    return (0, source_text_1.stripCommentsAndStrings)(input);
+}
+function buildLineOffsets(sourceText) {
+    if (sourceText === undefined)
+        return undefined;
+    const offsets = [0];
+    let byteOffset = 0;
+    for (const ch of sourceText) {
+        byteOffset += Buffer.byteLength(ch, 'utf8');
+        if (ch === '\n')
+            offsets.push(byteOffset);
+    }
+    return offsets;
+}
+function getLoc(node, lineOffsets) {
+    if (node?.loc?.start)
+        return { line: node.loc.start.line || 0, column: node.loc.start.column || 0 };
+    if (!node?.src || !lineOffsets)
+        return undefined;
+    const [offsetRaw] = String(node.src).split(':');
+    const offset = Number(offsetRaw);
+    if (!Number.isFinite(offset) || offset < 0)
+        return undefined;
+    let lineIndex = 0;
+    for (let i = 0; i < lineOffsets.length; i++) {
+        if (lineOffsets[i] <= offset)
+            lineIndex = i;
+        else
+            break;
+    }
+    return { line: lineIndex + 1, column: offset - lineOffsets[lineIndex] };
+}
+function escapeRegExp(input) {
+    return input.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+//# sourceMappingURL=delegated-authorization-bypass.js.map

package/dist/detectors/denial-of-service.d.ts

@@ -0,0 +1,117 @@
+import type { ScanResult } from '../index';
+export declare class DenialOfServiceDetector {
+    readonly id = "denial-of-service";
+    readonly patternKey = "denial-of-service";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "medium";
+        help: string;
+    };
+    private currentFile;
+    private findings;
+    private currentContract;
+    private currentFunction;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(node: any): void;
+    FunctionDefinition(node: any): void;
+    FunctionDefinition_post(_node: any): void;
+    StateVariableDeclaration(node: any): void;
+    FunctionCall(node: any): void;
+    ForStatement(node: any): void;
+    WhileStatement(node: any): void;
+    DoWhileStatement(node: any): void;
+    private analyzeLoop;
+    /** SWC-113/SWC-128 shapes for a loop that iterates a caller-growable dynamic array. */
+    private analyzeArrayLoop;
+    /**
+     * SWC-128 block-gas-limit shape for a loop bounded by a caller-growable integer
+     * state counter rather than a dynamic `array.length`. Only the unbounded
+     * state-changing case is reported; the caller-growability filter in
+     * ContractDefinition_post keeps this from firing on bounded counters.
+     */
+    private analyzeCounterLoop;
+    /** The upper-bound identifier of a loop condition when it is a non-array state counter. */
+    private counterBoundName;
+    private counterLoopHasIndependentCap;
+    /** Record integer state counters this function grows without an inherent bound. */
+    private collectCounterGrowth;
+    private growableStateCounter;
+    private expressionAddsToCounter;
+    /**
+     * Classic SWC-113 failed-call DoS that does not involve a loop: an externally
+     * reachable state-changing function performs a revert-prone push call to a
+     * recipient held in contract state that an attacker can become. A reverting
+     * recipient permanently bricks the core state transition (e.g. an auction
+     * refunding the previous highest bidder before accepting a new bid).
+     */
+    private analyzeSingleCallFunction;
+    private finalizeUnprivilegedGrowth;
+    private loopHasIndependentCap;
+    private flattenConjunction;
+    private upperBoundComparison;
+    private isCollectionLength;
+    private isSafeCapExpression;
+    private validatedCapNamesBefore;
+    private collectValidatedCapNames;
+    private parameterNames;
+    /** Record state variables assigned from caller-controllable input (`msg.sender` or a parameter). */
+    private collectCallerAssignedRecipients;
+    private referencesCallerInput;
+    /** Revert-prone push calls reachable outside loops and try/catch isolation. */
+    private collectSinglePushCalls;
+    private singlePushRecipient;
+    /** Root identifier of a push recipient, unwrapping `payable(...)`/`address(...)` casts. */
+    private recipientStateRoot;
+    private bodyHasStateMutation;
+    private inspectLoopBody;
+    private isPushPaymentCall;
+    private isExternalLivenessCall;
+    private memberCall;
+    private hasValueOption;
+    private assignedSuccessVariable;
+    /** True when the success boolean stored in `variable` is enforced by a revert-on-false guard. */
+    private requiresSuccessVariable;
+    /**
+     * True when `targetCall` is itself consumed by a revert-on-false guard without an
+     * intervening success variable — `require(x.send(...))`, `assert(x.send(...))`, or
+     * `if (!x.send(...)) revert/throw`. This is the common required-success SWC-113
+     * shape (the boolean result is checked directly rather than assigned-then-checked).
+     * Bare ignored calls (`x.send(...)` as a statement) match nothing here and stay
+     * non-reporting.
+     */
+    private isDirectlyRequiredCall;
+    /**
+     * Shared guard-recognition predicate for both the assigned-then-checked and the
+     * direct-required paths: returns true when an expression satisfying `matches` is
+     * consumed by a revert-on-false guard reachable from `root` — the first argument
+     * of a `require`/`assert` call, or the negated condition of an `if` that
+     * reverts/throws on failure.
+     */
+    private guardedByRevertOnFalse;
+    private containsRevert;
+    private isStateMutation;
+    private isStateReference;
+    private isLocalName;
+    private isAssignmentOperator;
+    private lengthCollectionName;
+    private pushedCollectionName;
+    private sameContractFunctionCallName;
+    private referencesCollectionElement;
+    private isDynamicArrayType;
+    private isExternallyReachableStateChanging;
+    private hasAccessControl;
+    private isPrivilegedName;
+    private makeFinding;
+    private locOf;
+    private directCallName;
+    private firstVariableName;
+    private isNumericLiteral;
+    private identifierName;
+    private rootIdentifier;
+    private childNodes;
+}