@snovon/solast 0.2.0

package/dist/detectors/denial-of-service.js

@@ -0,0 +1,947 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DenialOfServiceDetector = void 0;
+const ast_1 = require("./_common/ast");
+const access_control_1 = require("./_common/access-control");
+const loop_call_stack_1 = require("./_common/loop-call-stack");
+const RULE_ID = 'denial-of-service';
+const PATTERN_UNBOUNDED_LOOP = `${RULE_ID}/unbounded-caller-growable-loop`;
+const PATTERN_PUSH_PAYMENT = `${RULE_ID}/push-payment-loop`;
+const PATTERN_EXTERNAL_LIVENESS = `${RULE_ID}/unchecked-external-call-liveness`;
+const PATTERN_SINGLE_CALL = `${RULE_ID}/single-recipient-failed-call`;
+class DenialOfServiceDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'Denial of service through unbounded loops or failed external calls',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'medium',
+        help: 'Flags SWC-113/SWC-128 denial-of-service patterns: state-changing loops over caller-growable collections, push-payment loops, revert-prone external callbacks in batch processing, and single-call failed-call liveness dependencies on attacker-influenceable state recipients.',
+    };
+    currentFile = '';
+    findings = [];
+    currentContract = null;
+    currentFunction = null;
+    setFile(file) {
+        this.currentFile = file;
+        this.findings = [];
+        this.currentContract = null;
+        this.currentFunction = null;
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        if (!(0, ast_1.isNode)(node, 'ContractDefinition') || node.kind === 'interface' || node.kind === 'library') {
+            this.currentContract = null;
+            return;
+        }
+        this.currentContract = {
+            name: node.name || '<anonymous>',
+            node,
+            dynamicArrays: new Set(),
+            unprivilegedGrowth: new Set(),
+            stateVariables: new Set(),
+            callerAssignedRecipients: new Set(),
+            functions: new Map(),
+            loops: [],
+            singleCalls: [],
+        };
+    }
+    ContractDefinition_post(node) {
+        if (!this.currentContract)
+            return;
+        this.finalizeUnprivilegedGrowth(this.currentContract);
+        for (const loop of this.currentContract.loops) {
+            if (!this.currentContract.unprivilegedGrowth.has(loop.collection))
+                continue;
+            this.findings.push(this.makeFinding(this.currentContract, loop));
+        }
+        for (const candidate of this.currentContract.singleCalls) {
+            if (!this.currentContract.callerAssignedRecipients.has(candidate.recipientRoot))
+                continue;
+            if (!this.currentContract.stateVariables.has(candidate.recipientRoot))
+                continue;
+            this.findings.push(this.makeFinding(this.currentContract, candidate));
+        }
+        if (this.currentContract.node === node)
+            this.currentContract = null;
+    }
+    FunctionDefinition(node) {
+        if (!this.currentContract || !(0, ast_1.isNode)(node, 'FunctionDefinition') || !node.body) {
+            this.currentFunction = null;
+            return;
+        }
+        this.currentFunction = {
+            name: node.name || (node.isConstructor ? '<constructor>' : '<anonymous>'),
+            node,
+            accessControlled: this.hasAccessControl(node),
+            pushes: new Set(),
+            counterGrowth: new Set(),
+            calls: new Set(),
+        };
+        this.currentContract.functions.set(this.currentFunction.name, this.currentFunction);
+        this.collectCounterGrowth(node.body);
+        this.analyzeSingleCallFunction(node);
+    }
+    FunctionDefinition_post(_node) {
+        this.currentFunction = null;
+    }
+    StateVariableDeclaration(node) {
+        if (!this.currentContract || !(0, ast_1.isNode)(node, 'StateVariableDeclaration'))
+            return;
+        for (const variable of node.variables || []) {
+            const name = String(variable?.name || variable?.identifier?.name || '');
+            if (!name)
+                continue;
+            this.currentContract.stateVariables.add(name);
+            if (this.isDynamicArrayType(variable?.typeName)) {
+                this.currentContract.dynamicArrays.add(name);
+            }
+        }
+    }
+    FunctionCall(node) {
+        if (!this.currentContract || !this.currentFunction)
+            return;
+        const collection = this.pushedCollectionName(node);
+        if (collection) {
+            if (this.currentContract.dynamicArrays.has(collection)) {
+                this.currentFunction.pushes.add(collection);
+            }
+            return;
+        }
+        const callee = this.sameContractFunctionCallName(node);
+        if (callee)
+            this.currentFunction.calls.add(callee);
+    }
+    ForStatement(node) {
+        this.analyzeLoop(node, node?.conditionExpression, node?.body);
+    }
+    WhileStatement(node) {
+        this.analyzeLoop(node, node?.condition, node?.body);
+    }
+    DoWhileStatement(node) {
+        this.analyzeLoop(node, node?.condition, node?.body);
+    }
+    analyzeLoop(node, condition, body) {
+        if (!this.currentContract || !this.currentFunction)
+            return;
+        if (!this.isExternallyReachableStateChanging(this.currentFunction.node))
+            return;
+        const collection = this.lengthCollectionName(condition);
+        if (collection && this.currentContract.dynamicArrays.has(collection)) {
+            this.analyzeArrayLoop(node, condition, body, collection);
+            return;
+        }
+        // SWC-128: a loop whose upper bound is an integer state counter that any
+        // unprivileged caller can grow without limit (e.g. `for (i; i < userCount; i++)`
+        // where `userCount` is incremented in a public registration path). This is the
+        // keyset/queue-cursor shape that does not iterate a dynamic `array.length`
+        // directly. Caller-growability is enforced in ContractDefinition_post.
+        const counter = this.counterBoundName(condition);
+        if (counter)
+            this.analyzeCounterLoop(node, condition, body, counter);
+    }
+    /** SWC-113/SWC-128 shapes for a loop that iterates a caller-growable dynamic array. */
+    analyzeArrayLoop(node, condition, body, collection) {
+        if (!this.currentContract || !this.currentFunction)
+            return;
+        const bodyInfo = this.inspectLoopBody(body, collection, false);
+        let pattern = null;
+        let confidence = 'medium';
+        let message = '';
+        if (bodyInfo.hasPushPayment) {
+            pattern = PATTERN_PUSH_PAYMENT;
+            confidence = 'high';
+            message = `Push-payment loop in '${this.currentFunction.name}' iterates caller-growable '${collection}'; one reverting recipient can block the whole batch.`;
+        }
+        else if (bodyInfo.hasExternalLivenessCall) {
+            pattern = PATTERN_EXTERNAL_LIVENESS;
+            message = `External callback in '${this.currentFunction.name}' depends on caller-growable '${collection}' and can revert the batch path.`;
+        }
+        else if (bodyInfo.hasStateMutation) {
+            if (this.loopHasIndependentCap(node, condition, collection))
+                return;
+            pattern = PATTERN_UNBOUNDED_LOOP;
+            message = `State-changing loop in '${this.currentFunction.name}' iterates unbounded caller-growable '${collection}' and can exceed the block gas limit.`;
+        }
+        if (!pattern)
+            return;
+        this.currentContract.loops.push({
+            collection,
+            functionInfo: this.currentFunction,
+            node,
+            pattern,
+            confidence,
+            message,
+        });
+    }
+    /**
+     * SWC-128 block-gas-limit shape for a loop bounded by a caller-growable integer
+     * state counter rather than a dynamic `array.length`. Only the unbounded
+     * state-changing case is reported; the caller-growability filter in
+     * ContractDefinition_post keeps this from firing on bounded counters.
+     */
+    analyzeCounterLoop(node, condition, body, counter) {
+        if (!this.currentContract || !this.currentFunction)
+            return;
+        if (this.counterLoopHasIndependentCap(node, condition, counter))
+            return;
+        const bodyInfo = this.inspectLoopBody(body, '', false);
+        if (!bodyInfo.hasStateMutation)
+            return;
+        this.currentContract.loops.push({
+            collection: counter,
+            functionInfo: this.currentFunction,
+            node,
+            pattern: PATTERN_UNBOUNDED_LOOP,
+            confidence: 'medium',
+            message: `State-changing loop in '${this.currentFunction.name}' is bounded by caller-growable state counter '${counter}' and can exceed the block gas limit.`,
+        });
+    }
+    /** The upper-bound identifier of a loop condition when it is a non-array state counter. */
+    counterBoundName(condition) {
+        if (!this.currentContract || !condition)
+            return null;
+        for (const comparison of this.flattenConjunction(condition)) {
+            const bound = this.upperBoundComparison(comparison);
+            if (!bound)
+                continue;
+            const name = this.identifierName(bound.bound);
+            if (!name || this.isLocalName(name))
+                continue;
+            if (!this.currentContract.stateVariables.has(name))
+                continue;
+            if (this.currentContract.dynamicArrays.has(name))
+                continue;
+            return name;
+        }
+        return null;
+    }
+    counterLoopHasIndependentCap(loopNode, condition, counter) {
+        if (!this.currentFunction || !condition)
+            return false;
+        const comparisons = this.flattenConjunction(condition).filter((expr) => (0, ast_1.isNode)(expr, 'BinaryOperation'));
+        const counterIndexes = new Set();
+        for (const comparison of comparisons) {
+            const bound = this.upperBoundComparison(comparison);
+            if (bound && this.identifierName(bound.bound) === counter)
+                counterIndexes.add(bound.index);
+        }
+        if (counterIndexes.size === 0)
+            return false;
+        const validatedCaps = this.validatedCapNamesBefore(this.currentFunction.node.body, loopNode);
+        for (const comparison of comparisons) {
+            const bound = this.upperBoundComparison(comparison);
+            if (!bound || !counterIndexes.has(bound.index))
+                continue;
+            if (this.identifierName(bound.bound) === counter)
+                continue;
+            if (this.isSafeCapExpression(bound.bound, validatedCaps))
+                return true;
+        }
+        return false;
+    }
+    /** Record integer state counters this function grows without an inherent bound. */
+    collectCounterGrowth(body) {
+        if (!this.currentFunction)
+            return;
+        const visit = (node) => {
+            if (!node || typeof node !== 'object')
+                return;
+            if ((0, ast_1.isNode)(node, 'UnaryOperation') && node.operator === '++') {
+                const name = this.growableStateCounter(node.subExpression);
+                if (name)
+                    this.currentFunction?.counterGrowth.add(name);
+            }
+            else if ((0, ast_1.isNode)(node, 'BinaryOperation') && node.operator === '+=') {
+                const name = this.growableStateCounter(node.left);
+                if (name)
+                    this.currentFunction?.counterGrowth.add(name);
+            }
+            else if ((0, ast_1.isNode)(node, 'BinaryOperation') && node.operator === '=') {
+                const name = this.growableStateCounter(node.left);
+                if (name && this.expressionAddsToCounter(node.right, name)) {
+                    this.currentFunction?.counterGrowth.add(name);
+                }
+            }
+            for (const child of this.childNodes(node))
+                visit(child);
+        };
+        visit(body);
+    }
+    growableStateCounter(expr) {
+        const name = this.identifierName(expr);
+        if (!name || this.isLocalName(name))
+            return null;
+        if (!this.currentContract?.stateVariables.has(name))
+            return null;
+        if (this.currentContract?.dynamicArrays.has(name))
+            return null;
+        return name;
+    }
+    expressionAddsToCounter(expr, name) {
+        if (!(0, ast_1.isNode)(expr, 'BinaryOperation') || expr.operator !== '+')
+            return false;
+        return this.identifierName(expr.left) === name || this.identifierName(expr.right) === name;
+    }
+    /**
+     * Classic SWC-113 failed-call DoS that does not involve a loop: an externally
+     * reachable state-changing function performs a revert-prone push call to a
+     * recipient held in contract state that an attacker can become. A reverting
+     * recipient permanently bricks the core state transition (e.g. an auction
+     * refunding the previous highest bidder before accepting a new bid).
+     */
+    analyzeSingleCallFunction(fnNode) {
+        if (!this.currentContract || !this.currentFunction)
+            return;
+        if (!this.isExternallyReachableStateChanging(fnNode))
+            return;
+        if (this.currentFunction.accessControlled)
+            return;
+        const body = fnNode.body;
+        if (!body)
+            return;
+        const params = this.parameterNames(fnNode);
+        this.collectCallerAssignedRecipients(body, params);
+        const calls = this.collectSinglePushCalls(body);
+        if (calls.length === 0)
+            return;
+        if (!this.bodyHasStateMutation(body))
+            return;
+        for (const call of calls) {
+            this.currentContract.singleCalls.push({
+                functionInfo: this.currentFunction,
+                node: call.node,
+                pattern: PATTERN_SINGLE_CALL,
+                confidence: 'medium',
+                message: `Function '${this.currentFunction.name}' sends to attacker-influenceable recipient '${call.recipientRoot}' with a revert-prone push call as part of its state transition; a reverting recipient can permanently block this path (SWC-113).`,
+                recipientRoot: call.recipientRoot,
+            });
+        }
+    }
+    finalizeUnprivilegedGrowth(contract) {
+        const reachable = new Set();
+        const stack = [];
+        for (const fn of contract.functions.values()) {
+            if (!this.isExternallyReachableStateChanging(fn.node))
+                continue;
+            if (fn.accessControlled)
+                continue;
+            reachable.add(fn.name);
+            stack.push(fn.name);
+        }
+        while (stack.length > 0) {
+            const name = stack.pop();
+            const fn = name ? contract.functions.get(name) : null;
+            if (!fn)
+                continue;
+            for (const callee of fn.calls) {
+                if (reachable.has(callee))
+                    continue;
+                if (!contract.functions.has(callee))
+                    continue;
+                reachable.add(callee);
+                stack.push(callee);
+            }
+        }
+        for (const name of reachable) {
+            const fn = contract.functions.get(name);
+            if (!fn)
+                continue;
+            for (const collection of fn.pushes) {
+                contract.unprivilegedGrowth.add(collection);
+            }
+            for (const counter of fn.counterGrowth) {
+                contract.unprivilegedGrowth.add(counter);
+            }
+        }
+    }
+    loopHasIndependentCap(loopNode, condition, collection) {
+        if (!this.currentFunction || !condition)
+            return false;
+        const comparisons = this.flattenConjunction(condition).filter((expr) => (0, ast_1.isNode)(expr, 'BinaryOperation'));
+        const lengthIndexes = new Set();
+        for (const comparison of comparisons) {
+            const bound = this.upperBoundComparison(comparison);
+            if (!bound)
+                continue;
+            if (this.isCollectionLength(bound.bound, collection)) {
+                lengthIndexes.add(bound.index);
+            }
+        }
+        if (lengthIndexes.size === 0)
+            return false;
+        const validatedCaps = this.validatedCapNamesBefore(this.currentFunction.node.body, loopNode);
+        for (const comparison of comparisons) {
+            const bound = this.upperBoundComparison(comparison);
+            if (!bound || !lengthIndexes.has(bound.index))
+                continue;
+            if (this.isCollectionLength(bound.bound, collection))
+                continue;
+            if (this.isSafeCapExpression(bound.bound, validatedCaps))
+                return true;
+        }
+        return false;
+    }
+    flattenConjunction(expr) {
+        if ((0, ast_1.isNode)(expr, 'BinaryOperation') && expr.operator === '&&') {
+            return [...this.flattenConjunction(expr.left), ...this.flattenConjunction(expr.right)];
+        }
+        return [expr];
+    }
+    upperBoundComparison(expr) {
+        if (!(0, ast_1.isNode)(expr, 'BinaryOperation'))
+            return null;
+        const op = String(expr.operator || '');
+        if (op === '<' || op === '<=') {
+            const index = this.identifierName(expr.left);
+            return index ? { index, bound: expr.right } : null;
+        }
+        if (op === '>' || op === '>=') {
+            const index = this.identifierName(expr.right);
+            return index ? { index, bound: expr.left } : null;
+        }
+        return null;
+    }
+    isCollectionLength(expr, collection) {
+        return ((0, ast_1.isNode)(expr, 'MemberAccess') &&
+            String(expr.memberName || '') === 'length' &&
+            this.identifierName(expr.expression) === collection);
+    }
+    isSafeCapExpression(expr, validatedCaps) {
+        if (this.isNumericLiteral(expr))
+            return true;
+        const name = this.identifierName(expr);
+        return !!name && validatedCaps.has(name);
+    }
+    validatedCapNamesBefore(body, beforeNode) {
+        const names = new Set();
+        const before = Array.isArray(beforeNode?.range) ? beforeNode.range[0] : Number.POSITIVE_INFINITY;
+        const visit = (node) => {
+            if (!node || typeof node !== 'object')
+                return;
+            const start = Array.isArray(node.range) ? node.range[0] : -1;
+            if (start >= before)
+                return;
+            if ((0, ast_1.isNode)(node, 'FunctionCall')) {
+                const callName = this.directCallName(node.expression);
+                if ((callName === 'require' || callName === 'assert') && Array.isArray(node.arguments)) {
+                    this.collectValidatedCapNames(node.arguments[0], names);
+                }
+            }
+            for (const child of this.childNodes(node))
+                visit(child);
+        };
+        visit(body);
+        return names;
+    }
+    collectValidatedCapNames(expr, names) {
+        if (!expr || typeof expr !== 'object')
+            return;
+        if ((0, ast_1.isNode)(expr, 'BinaryOperation')) {
+            const op = String(expr.operator || '');
+            if ((op === '<=' || op === '<') && this.identifierName(expr.left) && this.isNumericLiteral(expr.right)) {
+                names.add(this.identifierName(expr.left));
+            }
+            else if ((op === '>=' || op === '>') && this.identifierName(expr.right) && this.isNumericLiteral(expr.left)) {
+                names.add(this.identifierName(expr.right));
+            }
+        }
+        for (const child of this.childNodes(expr))
+            this.collectValidatedCapNames(child, names);
+    }
+    parameterNames(fnNode) {
+        const params = fnNode?.parameters;
+        const list = Array.isArray(params) ? params : Array.isArray(params?.parameters) ? params.parameters : [];
+        const names = [];
+        for (const param of list) {
+            const name = String(param?.name || param?.identifier?.name || '');
+            if (name)
+                names.push(name);
+        }
+        return names;
+    }
+    /** Record state variables assigned from caller-controllable input (`msg.sender` or a parameter). */
+    collectCallerAssignedRecipients(body, params) {
+        const visit = (node) => {
+            if (!node || typeof node !== 'object')
+                return;
+            if ((0, ast_1.isNode)(node, 'BinaryOperation') && this.isAssignmentOperator(node.operator)) {
+                if (this.referencesCallerInput(node.right, params)) {
+                    const root = this.rootIdentifier(node.left);
+                    if (root)
+                        this.currentContract?.callerAssignedRecipients.add(root);
+                }
+            }
+            for (const child of this.childNodes(node))
+                visit(child);
+        };
+        visit(body);
+    }
+    referencesCallerInput(expr, params) {
+        if (!expr || typeof expr !== 'object')
+            return false;
+        if ((0, ast_1.isNode)(expr, 'MemberAccess') &&
+            String(expr.memberName || '') === 'sender' &&
+            this.identifierName(expr.expression) === 'msg') {
+            return true;
+        }
+        if ((0, ast_1.isNode)(expr, 'Identifier') && params.includes(String(expr.name || '')))
+            return true;
+        return this.childNodes(expr).some((child) => this.referencesCallerInput(child, params));
+    }
+    /** Revert-prone push calls reachable outside loops and try/catch isolation. */
+    collectSinglePushCalls(body) {
+        const found = [];
+        const visit = (node) => {
+            if (!node || typeof node !== 'object')
+                return;
+            if ((0, ast_1.isNode)(node, 'TryStatement') ||
+                (0, ast_1.isNode)(node, 'ForStatement') ||
+                (0, ast_1.isNode)(node, 'WhileStatement') ||
+                (0, ast_1.isNode)(node, 'DoWhileStatement')) {
+                return;
+            }
+            if ((0, ast_1.isNode)(node, 'FunctionCall')) {
+                const recipientRoot = this.singlePushRecipient(node, body);
+                if (recipientRoot)
+                    found.push({ node, recipientRoot });
+            }
+            for (const child of this.childNodes(node))
+                visit(child);
+        };
+        visit(body);
+        return found;
+    }
+    singlePushRecipient(call, body) {
+        const member = this.memberCall(call);
+        if (!member)
+            return null;
+        const recipientRoot = this.recipientStateRoot(member.expression);
+        if (!recipientRoot)
+            return null;
+        if (member.memberName === 'transfer')
+            return recipientRoot;
+        if (member.memberName === 'send') {
+            const assigned = this.assignedSuccessVariable(body, call);
+            if (assigned)
+                return this.requiresSuccessVariable(body, assigned) ? recipientRoot : null;
+            return this.isDirectlyRequiredCall(body, call) ? recipientRoot : null;
+        }
+        if (member.memberName === 'call') {
+            if (!this.hasValueOption(call.expression))
+                return null;
+            const assigned = this.assignedSuccessVariable(body, call);
+            if (assigned)
+                return this.requiresSuccessVariable(body, assigned) ? recipientRoot : null;
+            return this.isDirectlyRequiredCall(body, call) ? recipientRoot : null;
+        }
+        return null;
+    }
+    /** Root identifier of a push recipient, unwrapping `payable(...)`/`address(...)` casts. */
+    recipientStateRoot(expr) {
+        let target = expr;
+        while ((0, ast_1.isNode)(target, 'FunctionCall')) {
+            const callee = target.expression;
+            const calleeName = (0, ast_1.isNode)(callee, 'Identifier') || (0, ast_1.isNode)(callee, 'ElementaryTypeName') ? String(callee.name || '') : '';
+            if ((calleeName === 'payable' || calleeName === 'address') && Array.isArray(target.arguments) && target.arguments.length === 1) {
+                target = target.arguments[0];
+            }
+            else {
+                break;
+            }
+        }
+        const root = this.rootIdentifier(target);
+        if (!root || this.isLocalName(root))
+            return null;
+        return root;
+    }
+    bodyHasStateMutation(body) {
+        let mutated = false;
+        const visit = (node) => {
+            if (mutated || !node || typeof node !== 'object')
+                return;
+            if (this.isStateMutation(node)) {
+                mutated = true;
+                return;
+            }
+            for (const child of this.childNodes(node))
+                visit(child);
+        };
+        visit(body);
+        return mutated;
+    }
+    inspectLoopBody(node, collection, insideTry) {
+        const result = {
+            hasStateMutation: false,
+            hasPushPayment: false,
+            hasExternalLivenessCall: false,
+        };
+        const visit = (child, inTry) => {
+            if (!child || typeof child !== 'object')
+                return;
+            if ((0, ast_1.isNode)(child, 'TryStatement')) {
+                for (const nested of this.childNodes(child))
+                    visit(nested, true);
+                return;
+            }
+            if (this.isStateMutation(child))
+                result.hasStateMutation = true;
+            if (!inTry && this.isPushPaymentCall(child, collection, node))
+                result.hasPushPayment = true;
+            if (!inTry && this.isExternalLivenessCall(child, collection))
+                result.hasExternalLivenessCall = true;
+            for (const nested of this.childNodes(child))
+                visit(nested, inTry);
+        };
+        visit(node, insideTry);
+        return result;
+    }
+    isPushPaymentCall(call, collection, loopNode) {
+        if (!(0, ast_1.isNode)(call, 'FunctionCall'))
+            return false;
+        const member = this.memberCall(call);
+        if (!member)
+            return false;
+        if (member.memberName === 'transfer') {
+            return this.referencesCollectionElement(member.expression, collection);
+        }
+        if (member.memberName === 'send') {
+            if (!this.referencesCollectionElement(member.expression, collection))
+                return false;
+            const assigned = this.assignedSuccessVariable(loopNode, call);
+            return assigned
+                ? this.requiresSuccessVariable(loopNode, assigned)
+                : this.isDirectlyRequiredCall(loopNode, call);
+        }
+        if (member.memberName !== 'call')
+            return false;
+        if (!this.referencesCollectionElement(member.expression, collection))
+            return false;
+        if (!this.hasValueOption(call.expression))
+            return false;
+        const assigned = this.assignedSuccessVariable(loopNode, call);
+        return assigned
+            ? this.requiresSuccessVariable(loopNode, assigned)
+            : this.isDirectlyRequiredCall(loopNode, call);
+    }
+    isExternalLivenessCall(call, collection) {
+        if (!(0, ast_1.isNode)(call, 'FunctionCall'))
+            return false;
+        const member = this.memberCall(call);
+        if (!member)
+            return false;
+        if (member.memberName === 'transfer' || member.memberName === 'send' || member.memberName === 'call')
+            return false;
+        if (member.memberName === 'delegatecall' || member.memberName === 'staticcall')
+            return false;
+        return this.referencesCollectionElement(member.expression, collection);
+    }
+    memberCall(call) {
+        let expr = call?.expression;
+        if ((0, ast_1.isNode)(expr, 'NameValueExpression'))
+            expr = expr.expression;
+        if (!(0, ast_1.isNode)(expr, 'MemberAccess'))
+            return null;
+        return { memberName: String(expr.memberName || ''), expression: expr.expression };
+    }
+    hasValueOption(expr) {
+        if (!(0, ast_1.isNode)(expr, 'NameValueExpression'))
+            return false;
+        const names = expr.names || expr.identifiers || expr.arguments?.names || expr.arguments?.identifiers || [];
+        return names.some((name) => String(name?.name || name) === 'value');
+    }
+    assignedSuccessVariable(root, targetCall) {
+        let found = null;
+        const visit = (node) => {
+            if (found || !node || typeof node !== 'object')
+                return;
+            if ((0, ast_1.isNode)(node, 'VariableDeclarationStatement') && node.initialValue === targetCall) {
+                found = this.firstVariableName(node.variables);
+                return;
+            }
+            if ((0, ast_1.isNode)(node, 'ExpressionStatement')) {
+                const expr = node.expression;
+                if ((0, ast_1.isNode)(expr, 'BinaryOperation') && expr.operator === '=' && expr.right === targetCall) {
+                    found = this.identifierName(expr.left);
+                    return;
+                }
+            }
+            for (const child of this.childNodes(node))
+                visit(child);
+        };
+        visit(root);
+        return found;
+    }
+    /** True when the success boolean stored in `variable` is enforced by a revert-on-false guard. */
+    requiresSuccessVariable(root, variable) {
+        return this.guardedByRevertOnFalse(root, (node) => (0, ast_1.isNode)(node, 'Identifier') && String(node.name || '') === variable);
+    }
+    /**
+     * True when `targetCall` is itself consumed by a revert-on-false guard without an
+     * intervening success variable — `require(x.send(...))`, `assert(x.send(...))`, or
+     * `if (!x.send(...)) revert/throw`. This is the common required-success SWC-113
+     * shape (the boolean result is checked directly rather than assigned-then-checked).
+     * Bare ignored calls (`x.send(...)` as a statement) match nothing here and stay
+     * non-reporting.
+     */
+    isDirectlyRequiredCall(root, targetCall) {
+        return this.guardedByRevertOnFalse(root, (node) => node === targetCall);
+    }
+    /**
+     * Shared guard-recognition predicate for both the assigned-then-checked and the
+     * direct-required paths: returns true when an expression satisfying `matches` is
+     * consumed by a revert-on-false guard reachable from `root` — the first argument
+     * of a `require`/`assert` call, or the negated condition of an `if` that
+     * reverts/throws on failure.
+     */
+    guardedByRevertOnFalse(root, matches) {
+        const subtreeMatches = (node) => {
+            if (!node || typeof node !== 'object')
+                return false;
+            if (matches(node))
+                return true;
+            return this.childNodes(node).some((child) => subtreeMatches(child));
+        };
+        let guarded = false;
+        const visit = (node) => {
+            if (guarded || !node || typeof node !== 'object')
+                return;
+            if ((0, ast_1.isNode)(node, 'FunctionCall')) {
+                const callName = this.directCallName(node.expression);
+                if ((callName === 'require' || callName === 'assert') && Array.isArray(node.arguments)) {
+                    if (subtreeMatches(node.arguments[0])) {
+                        guarded = true;
+                        return;
+                    }
+                }
+            }
+            if ((0, ast_1.isNode)(node, 'IfStatement')) {
+                const condition = node.condition;
+                if ((0, ast_1.isNode)(condition, 'UnaryOperation') &&
+                    condition.operator === '!' &&
+                    subtreeMatches(condition.subExpression) &&
+                    this.containsRevert(node.trueBody)) {
+                    guarded = true;
+                    return;
+                }
+            }
+            for (const child of this.childNodes(node))
+                visit(child);
+        };
+        visit(root);
+        return guarded;
+    }
+    containsRevert(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if ((0, ast_1.isNode)(node, 'RevertStatement') || (0, ast_1.isNode)(node, 'ThrowStatement'))
+            return true;
+        if ((0, ast_1.isNode)(node, 'FunctionCall') && this.directCallName(node.expression) === 'revert')
+            return true;
+        return this.childNodes(node).some((child) => this.containsRevert(child));
+    }
+    isStateMutation(node) {
+        if ((0, ast_1.isNode)(node, 'BinaryOperation') && this.isAssignmentOperator(node.operator)) {
+            return this.isStateReference(node.left);
+        }
+        if ((0, ast_1.isNode)(node, 'UnaryOperation') && (node.operator === '++' || node.operator === '--' || node.operator === 'delete')) {
+            return this.isStateReference(node.subExpression);
+        }
+        return false;
+    }
+    isStateReference(expr) {
+        if (!this.currentContract || !expr)
+            return false;
+        const root = this.rootIdentifier(expr);
+        return !!root && !this.isLocalName(root);
+    }
+    isLocalName(name) {
+        if (!this.currentFunction)
+            return false;
+        let local = false;
+        const visit = (node) => {
+            if (local || !node || typeof node !== 'object')
+                return;
+            if ((0, ast_1.isNode)(node, 'VariableDeclaration')) {
+                const declared = String(node.name || node.identifier?.name || '');
+                if (declared === name && !node.isStateVar)
+                    local = true;
+                return;
+            }
+            for (const child of this.childNodes(node))
+                visit(child);
+        };
+        visit(this.currentFunction.node.body);
+        return local;
+    }
+    isAssignmentOperator(operator) {
+        return ['=', '+=', '-=', '*=', '/=', '%=', '|=', '&=', '^=', '<<=', '>>='].includes(operator);
+    }
+    lengthCollectionName(expr) {
+        if (!expr || typeof expr !== 'object')
+            return null;
+        if ((0, ast_1.isNode)(expr, 'MemberAccess') && String(expr.memberName || '') === 'length') {
+            return this.identifierName(expr.expression);
+        }
+        for (const child of this.childNodes(expr)) {
+            const found = this.lengthCollectionName(child);
+            if (found)
+                return found;
+        }
+        return null;
+    }
+    pushedCollectionName(call) {
+        if (!(0, ast_1.isNode)(call, 'FunctionCall'))
+            return null;
+        const expr = call.expression;
+        if (!(0, ast_1.isNode)(expr, 'MemberAccess') || String(expr.memberName || '') !== 'push')
+            return null;
+        return this.identifierName(expr.expression);
+    }
+    sameContractFunctionCallName(call) {
+        if (!(0, ast_1.isNode)(call, 'FunctionCall'))
+            return null;
+        const expr = call.expression;
+        if ((0, ast_1.isNode)(expr, 'Identifier'))
+            return String(expr.name || '') || null;
+        if ((0, ast_1.isNode)(expr, 'MemberAccess') &&
+            String(expr.memberName || '') &&
+            this.identifierName(expr.expression) === 'this') {
+            return String(expr.memberName);
+        }
+        return null;
+    }
+    referencesCollectionElement(expr, collection) {
+        if (!expr || typeof expr !== 'object')
+            return false;
+        if ((0, ast_1.isNode)(expr, 'IndexAccess') && this.identifierName(expr.base || expr.baseExpression) === collection) {
+            return true;
+        }
+        return this.childNodes(expr).some((child) => this.referencesCollectionElement(child, collection));
+    }
+    isDynamicArrayType(typeName) {
+        return (0, ast_1.isNode)(typeName, 'ArrayTypeName') && !typeName.length;
+    }
+    isExternallyReachableStateChanging(fn) {
+        const mutability = String(fn?.stateMutability || '').toLowerCase();
+        if (mutability === 'view' || mutability === 'pure')
+            return false;
+        if (fn?.isConstructor || String(fn?.kind || '').toLowerCase() === 'constructor')
+            return false;
+        const visibility = String(fn?.visibility || '').toLowerCase();
+        return visibility === 'public' || visibility === 'external' || visibility === 'default' || visibility === '';
+    }
+    hasAccessControl(fn) {
+        if ((0, access_control_1.hasRecognisedAccessControlModifier)(fn))
+            return true;
+        let guarded = false;
+        const visit = (node) => {
+            if (guarded || !node || typeof node !== 'object')
+                return;
+            if ((0, ast_1.isNode)(node, 'FunctionCall') && (this.directCallName(node.expression) === 'require' || this.directCallName(node.expression) === 'assert')) {
+                if ((0, access_control_1.requireExpressesAccessControl)(node.arguments?.[0], this.isPrivilegedName))
+                    guarded = true;
+                return;
+            }
+            for (const child of this.childNodes(node))
+                visit(child);
+        };
+        visit(fn.body);
+        return guarded;
+    }
+    isPrivilegedName(name) {
+        return (0, access_control_1.isPrivilegedIdentifier)(name, { mode: 'word-boundary' });
+    }
+    makeFinding(contract, candidate) {
+        const loc = this.locOf(candidate.node, candidate.functionInfo.node);
+        const finding = {
+            file: this.currentFile,
+            contract: contract.name,
+            'function': candidate.functionInfo.name,
+            line: loc.line,
+            column: loc.column,
+            ruleId: RULE_ID,
+            pattern: candidate.pattern,
+            severity: 'medium',
+            confidence: candidate.confidence,
+            category: 'vulnerability',
+            message: candidate.message,
+            findingId: '',
+            contractHash: '',
+        };
+        if (candidate.pattern === PATTERN_PUSH_PAYMENT || candidate.pattern === PATTERN_EXTERNAL_LIVENESS) {
+            (0, loop_call_stack_1.enrichLoopCallStack)(finding, (0, loop_call_stack_1.loopCallPathForFunction)(contract.node, candidate.functionInfo.node));
+        }
+        return finding;
+    }
+    locOf(node, fallback) {
+        const loc = (0, ast_1.assertLoc)(node, fallback);
+        return { line: loc.line, column: loc.column };
+    }
+    directCallName(expr) {
+        if ((0, ast_1.isNode)(expr, 'Identifier'))
+            return String(expr.name || '');
+        return '';
+    }
+    firstVariableName(variables) {
+        if (!Array.isArray(variables))
+            return null;
+        for (const variable of variables) {
+            const name = String(variable?.name || variable?.identifier?.name || '');
+            if (name)
+                return name;
+        }
+        return null;
+    }
+    isNumericLiteral(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        return (0, ast_1.isNode)(node, 'NumberLiteral') || (0, ast_1.isNode)(node, 'DecimalNumber') || (0, ast_1.isNode)(node, 'HexNumber');
+    }
+    identifierName(expr) {
+        if (!expr || typeof expr !== 'object')
+            return null;
+        if ((0, ast_1.isNode)(expr, 'Identifier'))
+            return String(expr.name || '');
+        return null;
+    }
+    rootIdentifier(expr) {
+        if (!expr || typeof expr !== 'object')
+            return null;
+        if ((0, ast_1.isNode)(expr, 'Identifier'))
+            return String(expr.name || '');
+        if ((0, ast_1.isNode)(expr, 'MemberAccess'))
+            return this.rootIdentifier(expr.expression);
+        if ((0, ast_1.isNode)(expr, 'IndexAccess'))
+            return this.rootIdentifier(expr.base || expr.baseExpression);
+        return null;
+    }
+    childNodes(node) {
+        if (!node || typeof node !== 'object')
+            return [];
+        const children = [];
+        for (const [key, value] of Object.entries(node)) {
+            if (key === 'loc' || key === 'range')
+                continue;
+            if (Array.isArray(value)) {
+                for (const item of value) {
+                    if (item && typeof item === 'object')
+                        children.push(item);
+                }
+            }
+            else if (value && typeof value === 'object') {
+                children.push(value);
+            }
+        }
+        return children;
+    }
+}
+exports.DenialOfServiceDetector = DenialOfServiceDetector;
+const proto = DenialOfServiceDetector.prototype;
+proto['ContractDefinition:exit'] = proto.ContractDefinition_post;
+proto['FunctionDefinition:exit'] = proto.FunctionDefinition_post;
+//# sourceMappingURL=denial-of-service.js.map