@snovon/solast 0.2.0

package/dist/detectors/eip5792-auth-replay.js

@@ -0,0 +1,519 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EIP5792AuthReplayDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'eip5792-auth-replay';
+const PATTERN = `${RULE_ID}/missing-replay-binding`;
+const RECOVER_NAMES = new Set(['ecrecover', 'recover']);
+const SESSION_NAME = /(session|sessionkey|validator|auth|signature|sig)/i;
+const CALLS_NAME = /^(calls|batch|userops|operations|executions)$/i;
+const TEMPORAL_NAME = /^(deadline|expiry|expires|expiration|expiresAt|validUntil|validBefore|notAfter)$/i;
+class EIP5792AuthReplayDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    scan(ast, ctx) {
+        return this.scanAst(ast, ctx?.file || '');
+    }
+    scanAst(ast, file) {
+        if (!ast || ast.type !== 'SourceUnit')
+            return [];
+        const findings = [];
+        for (const contract of ast.children || []) {
+            if (contract?.type !== 'ContractDefinition')
+                continue;
+            if (contract.kind === 'interface' || contract.kind === 'library')
+                continue;
+            for (const fn of contract.subNodes || []) {
+                if (fn?.type !== 'FunctionDefinition' || !fn.body)
+                    continue;
+                if (!this.isExternallyCallable(fn))
+                    continue;
+                const finding = this.analyzeFunction(contract, fn, file);
+                if (finding)
+                    findings.push(finding);
+            }
+        }
+        return findings;
+    }
+    analyzeFunction(contract, fn, file) {
+        const facts = {
+            initializers: new Map(),
+            assignments: new Map(),
+            temporalChecks: new Set(),
+        };
+        this.collectFunctionFacts(fn.body, facts);
+        if (!this.hasSessionAuthContext(fn, fn.body))
+            return null;
+        if (!this.authorizesCallBatch(fn, fn.body))
+            return null;
+        const verifications = this.findSignatureVerifications(fn.body, facts);
+        if (verifications.length === 0)
+            return null;
+        const enforcedNonce = this.enforcesNonce(fn.body);
+        for (const verification of verifications) {
+            const digestFacts = this.digestFacts(verification.digest, facts, new Set());
+            const missing = this.missingBindings(digestFacts, facts.temporalChecks, enforcedNonce);
+            if (missing.length > 0)
+                return this.makeFinding(contract, fn, file, verification.loc, missing);
+        }
+        return null;
+    }
+    collectFunctionFacts(node, facts) {
+        this.walk(node, current => {
+            if (current?.type === 'VariableDeclarationStatement') {
+                const initialValue = current.initialValue;
+                for (const variable of current.variables || []) {
+                    if (variable?.name) {
+                        if (initialValue)
+                            facts.initializers.set(variable.name, initialValue);
+                        facts.assignments.delete(variable.name);
+                    }
+                }
+            }
+            if (current?.type === 'ExpressionStatement') {
+                const expr = current.expression;
+                if (expr?.type === 'BinaryOperation' &&
+                    expr.operator === '=' &&
+                    expr.left?.type === 'Identifier') {
+                    facts.assignments.set(expr.left.name, expr.right);
+                }
+            }
+            if (current?.type === 'FunctionCall' && this.directCallName(current.expression) === 'require') {
+                this.collectTemporalChecks(current.arguments?.[0], facts.temporalChecks);
+            }
+            if (current?.type === 'IfStatement' && this.bodyBlocks(current)) {
+                this.collectTemporalChecks(current.condition, facts.temporalChecks);
+            }
+        });
+    }
+    findSignatureVerifications(node, facts) {
+        const verifications = [];
+        this.walk(node, current => {
+            if (current?.type === 'FunctionCall' && this.directCallName(current.expression) === 'require') {
+                const condition = current.arguments?.[0];
+                if (!condition)
+                    return;
+                const digest = this.digestFromAuthorizationCheck(condition, facts);
+                if (digest)
+                    verifications.push({ digest, loc: this.locOf(condition) });
+            }
+            if (current?.type === 'IfStatement' && this.bodyBlocks(current)) {
+                const digest = this.digestFromAuthorizationCheck(current.condition, facts);
+                if (digest)
+                    verifications.push({ digest, loc: this.locOf(current.condition) });
+            }
+        });
+        return verifications;
+    }
+    digestFromAuthorizationCheck(expr, facts) {
+        if (!expr || typeof expr !== 'object')
+            return null;
+        if (expr.type === 'BinaryOperation' && ['==', '!=', '===', '!=='].includes(expr.operator)) {
+            const left = this.resolveLocalExpression(expr.left, facts, new Set());
+            const right = this.resolveLocalExpression(expr.right, facts, new Set());
+            const leftDigest = this.recoverDigest(left) || this.erc1271Digest(left);
+            const rightDigest = this.recoverDigest(right) || this.erc1271Digest(right);
+            if (leftDigest && (this.looksLikeSessionAuthority(expr.right, facts) || this.isMagicValue(expr.right)))
+                return leftDigest;
+            if (rightDigest && (this.looksLikeSessionAuthority(expr.left, facts) || this.isMagicValue(expr.left)))
+                return rightDigest;
+        }
+        for (const child of this.childNodes(expr)) {
+            const found = this.digestFromAuthorizationCheck(child, facts);
+            if (found)
+                return found;
+        }
+        return null;
+    }
+    recoverDigest(expr) {
+        if (!expr || typeof expr !== 'object')
+            return null;
+        if (expr.type !== 'FunctionCall')
+            return null;
+        const callName = this.directCallName(expr.expression);
+        if (!callName || !RECOVER_NAMES.has(callName))
+            return null;
+        if (callName === 'ecrecover')
+            return expr.arguments?.[0] || null;
+        if (expr.expression?.type === 'MemberAccess') {
+            const receiver = expr.expression.expression;
+            if (this.isEcdsaLibraryReceiver(receiver))
+                return expr.arguments?.[0] || null;
+            return receiver || expr.arguments?.[0] || null;
+        }
+        return expr.arguments?.[0] || null;
+    }
+    isEcdsaLibraryReceiver(receiver) {
+        if (!receiver || typeof receiver !== 'object')
+            return false;
+        if (receiver.type !== 'Identifier')
+            return false;
+        return /^(ECDSA|MessageHashUtils|SignatureChecker)$/i.test(String(receiver.name || ''));
+    }
+    erc1271Digest(expr) {
+        if (!expr || typeof expr !== 'object')
+            return null;
+        if (expr.type !== 'FunctionCall')
+            return null;
+        if (this.directCallName(expr.expression) !== 'isValidSignature')
+            return null;
+        return expr.arguments?.[0] || null;
+    }
+    hasSessionAuthContext(fn, body) {
+        const params = this.functionParams(fn);
+        const hasSignatureParam = params.some(param => /^(signature|sig)$/i.test(param?.name || ''));
+        const hasSessionParam = params.some(param => SESSION_NAME.test(param?.name || ''));
+        const functionName = String(fn.name || '');
+        return hasSignatureParam && (hasSessionParam || /session|auth|executeBatch/i.test(functionName) || this.containsSessionVocabulary(body));
+    }
+    containsSessionVocabulary(node) {
+        let found = false;
+        this.walk(node, current => {
+            if (found)
+                return;
+            if (current?.type === 'Identifier' && SESSION_NAME.test(current.name || ''))
+                found = true;
+            if (current?.type === 'MemberAccess' && SESSION_NAME.test(current.memberName || ''))
+                found = true;
+            if (current?.type === 'StringLiteral' && /session/i.test(current.value || ''))
+                found = true;
+        });
+        return found;
+    }
+    authorizesCallBatch(fn, body) {
+        const batchParams = this.functionParams(fn)
+            .filter(param => this.isArrayType(param?.typeName) || CALLS_NAME.test(param?.name || ''))
+            .map(param => String(param.name || '').toLowerCase())
+            .filter(Boolean);
+        if (batchParams.length === 0 && !/batch/i.test(String(fn.name || '')))
+            return false;
+        let found = false;
+        this.walk(body, current => {
+            if (found)
+                return;
+            if (this.isBatchExternalCall(current, batchParams))
+                found = true;
+            if (current?.type === 'FunctionCall' && /executeBatch|executeBatchCalls|executeUserOpBatch/i.test(this.directCallName(current.expression) || '')) {
+                found = true;
+            }
+        });
+        return found;
+    }
+    isBatchExternalCall(node, batchParams) {
+        if (!this.isExternalCall(node))
+            return false;
+        let usesBatch = false;
+        this.walk(node, current => {
+            if (usesBatch)
+                return;
+            if (current?.type === 'Identifier' && batchParams.includes(String(current.name || '').toLowerCase()))
+                usesBatch = true;
+            if (current?.type === 'IndexAccess') {
+                const root = this.indexRootName(current).toLowerCase();
+                if (batchParams.includes(root))
+                    usesBatch = true;
+            }
+        });
+        return usesBatch;
+    }
+    isExternalCall(expr) {
+        let current = expr;
+        if (current?.type === 'FunctionCall')
+            current = current.expression;
+        if (current?.type === 'NameValueExpression')
+            current = current.expression;
+        if (current?.type !== 'MemberAccess')
+            return false;
+        return ['call', 'delegatecall', 'staticcall', 'send', 'transfer'].includes(String(current.memberName || '').toLowerCase());
+    }
+    digestFacts(node, facts, seen) {
+        const digestFacts = {
+            nonce: false,
+            chainid: false,
+            account: false,
+            batch: false,
+            signedTemporal: new Set(),
+        };
+        this.walkResolved(node, facts, seen, current => {
+            if (!current || typeof current !== 'object')
+                return;
+            if (current.type === 'FunctionCall' && this.directCallName(current.expression) === '_hashTypedDataV4') {
+                digestFacts.chainid = true;
+                digestFacts.account = true;
+            }
+            if (current.type === 'FunctionCall' && this.directCallName(current.expression) === 'address') {
+                if (current.arguments?.[0]?.type === 'Identifier' && current.arguments[0].name === 'this')
+                    digestFacts.account = true;
+            }
+            if (current.type === 'MemberAccess' &&
+                current.memberName === 'chainid' &&
+                current.expression?.type === 'Identifier' &&
+                current.expression.name === 'block') {
+                digestFacts.chainid = true;
+            }
+            if (current.type === 'IndexAccess' && /nonce/i.test(this.indexRootName(current)))
+                digestFacts.nonce = true;
+            if (current.type === 'Identifier' && /nonce/i.test(current.name || ''))
+                digestFacts.nonce = true;
+            if (current.type === 'MemberAccess' && /nonce/i.test(current.memberName || ''))
+                digestFacts.nonce = true;
+            if (current.type === 'Identifier' && TEMPORAL_NAME.test(current.name || ''))
+                digestFacts.signedTemporal.add(current.name);
+            if (current.type === 'MemberAccess' && TEMPORAL_NAME.test(current.memberName || ''))
+                digestFacts.signedTemporal.add(current.memberName);
+            if (current.type === 'Identifier' && CALLS_NAME.test(current.name || ''))
+                digestFacts.batch = true;
+            if (current.type === 'MemberAccess' && CALLS_NAME.test(current.memberName || ''))
+                digestFacts.batch = true;
+        });
+        return digestFacts;
+    }
+    missingBindings(digestFacts, temporalChecks, enforcedNonce) {
+        const missing = [];
+        if (!digestFacts.nonce || !enforcedNonce)
+            missing.push('nonce');
+        if (!digestFacts.chainid)
+            missing.push('chainid');
+        if (!digestFacts.account)
+            missing.push('account');
+        if (!this.hasCheckedSignedTemporal(digestFacts, temporalChecks))
+            missing.push('expiry');
+        if (!digestFacts.batch)
+            missing.push('batch');
+        return missing;
+    }
+    enforcesNonce(body) {
+        let found = false;
+        this.walk(body, current => {
+            if (found || !current || typeof current !== 'object')
+                return;
+            if (current.type === 'UnaryOperation' && (current.operator === '++' || current.operator === '--')) {
+                if (this.referencesNonceState(current.subExpression))
+                    found = true;
+                return;
+            }
+            if (current.type === 'BinaryOperation' && this.isAssignmentOperator(current.operator)) {
+                if (this.referencesNonceState(current.left))
+                    found = true;
+            }
+        });
+        return found;
+    }
+    isAssignmentOperator(op) {
+        if (typeof op !== 'string')
+            return false;
+        return ['=', '+=', '-=', '*=', '/=', '%=', '|=', '&=', '^=', '<<=', '>>='].includes(op);
+    }
+    referencesNonceState(expr) {
+        if (!expr || typeof expr !== 'object')
+            return false;
+        if (expr.type === 'Identifier')
+            return /nonce/i.test(expr.name || '');
+        if (expr.type === 'MemberAccess') {
+            if (/nonce/i.test(expr.memberName || ''))
+                return true;
+            return this.referencesNonceState(expr.expression);
+        }
+        if (expr.type === 'IndexAccess') {
+            if (/nonce/i.test(this.indexRootName(expr)))
+                return true;
+            return this.referencesNonceState(expr.base);
+        }
+        return false;
+    }
+    hasCheckedSignedTemporal(digestFacts, temporalChecks) {
+        for (const checked of temporalChecks) {
+            for (const signed of digestFacts.signedTemporal) {
+                if (checked.toLowerCase() === signed.toLowerCase())
+                    return true;
+            }
+        }
+        return false;
+    }
+    collectTemporalChecks(expr, out) {
+        if (!expr || !this.containsTimestamp(expr))
+            return;
+        this.walk(expr, current => {
+            if (current?.type === 'Identifier' && TEMPORAL_NAME.test(current.name || ''))
+                out.add(current.name);
+            if (current?.type === 'MemberAccess' && TEMPORAL_NAME.test(current.memberName || ''))
+                out.add(current.memberName);
+        });
+    }
+    containsTimestamp(node) {
+        let found = false;
+        this.walk(node, current => {
+            if (current?.type === 'Identifier' && current.name === 'now')
+                found = true;
+            if (current?.type === 'MemberAccess' &&
+                current.memberName === 'timestamp' &&
+                current.expression?.type === 'Identifier' &&
+                current.expression.name === 'block') {
+                found = true;
+            }
+        });
+        return found;
+    }
+    bodyBlocks(node) {
+        const body = node.trueBody || node.falseBody;
+        if (!body)
+            return false;
+        let blocks = false;
+        this.walk(body, current => {
+            if (current?.type === 'RevertStatement' || current?.type === 'ReturnStatement')
+                blocks = true;
+            if (current?.type === 'FunctionCall' && this.directCallName(current.expression) === 'revert')
+                blocks = true;
+        });
+        return blocks;
+    }
+    looksLikeSessionAuthority(expr, facts) {
+        let found = false;
+        this.walkResolved(expr, facts, new Set(), current => {
+            if (current?.type === 'Identifier' && /^(sessionKey|validator|signer|owner|account|authorizer|from)$/i.test(current.name || ''))
+                found = true;
+            if (current?.type === 'MemberAccess' && /^(sessionKey|validator|signer|owner|account|authorizer|from)$/i.test(current.memberName || ''))
+                found = true;
+        });
+        return found;
+    }
+    isMagicValue(expr) {
+        if (expr?.type === 'NumberLiteral' && String(expr.number || '').toLowerCase() === '0x1626ba7e')
+            return true;
+        if (expr?.type === 'Identifier' && /magic|valid_signature/i.test(expr.name || ''))
+            return true;
+        if (expr?.type === 'MemberAccess' && /magic|valid_signature/i.test(expr.memberName || ''))
+            return true;
+        return false;
+    }
+    resolveLocalExpression(expr, facts, seen) {
+        let current = expr;
+        while (current?.type === 'Identifier') {
+            const key = `local:${current.name}`;
+            if (seen.has(key))
+                return current;
+            seen.add(key);
+            const initializer = facts.initializers.get(current.name);
+            if (initializer) {
+                current = initializer;
+                continue;
+            }
+            const assignment = facts.assignments.get(current.name);
+            if (assignment) {
+                current = assignment;
+                continue;
+            }
+            return current;
+        }
+        return current;
+    }
+    walkResolved(node, facts, seen, visit) {
+        if (!node || typeof node !== 'object')
+            return;
+        visit(node);
+        if (node.type === 'Identifier') {
+            const initializer = facts.initializers.get(node.name);
+            const assignment = facts.assignments.get(node.name);
+            const resolved = initializer || assignment;
+            if (resolved && !seen.has(`local:${node.name}`)) {
+                seen.add(`local:${node.name}`);
+                this.walkResolved(resolved, facts, seen, visit);
+            }
+        }
+        for (const child of this.childNodes(node))
+            this.walkResolved(child, facts, seen, visit);
+    }
+    walk(node, visit) {
+        if (!node || typeof node !== 'object')
+            return;
+        visit(node);
+        for (const child of this.childNodes(node))
+            this.walk(child, visit);
+    }
+    childNodes(node) {
+        if (!node || typeof node !== 'object')
+            return [];
+        const children = [];
+        for (const [key, value] of Object.entries(node)) {
+            if (key === 'loc' || key === 'range')
+                continue;
+            if (Array.isArray(value)) {
+                for (const item of value)
+                    if (item && typeof item === 'object')
+                        children.push(item);
+            }
+            else if (value && typeof value === 'object') {
+                children.push(value);
+            }
+        }
+        return children;
+    }
+    directCallName(expr) {
+        if (expr?.type === 'Identifier')
+            return expr.name;
+        if (expr?.type === 'MemberAccess')
+            return expr.memberName;
+        return null;
+    }
+    indexRootName(node) {
+        let current = node;
+        while (current?.type === 'IndexAccess')
+            current = current.base;
+        if (current?.type === 'Identifier')
+            return current.name || '';
+        if (current?.type === 'MemberAccess')
+            return current.memberName || '';
+        return '';
+    }
+    functionParams(fn) {
+        const params = fn.parameters?.parameters || fn.parameters || [];
+        return Array.isArray(params) ? params : [];
+    }
+    isArrayType(typeName) {
+        if (!typeName || typeof typeName !== 'object')
+            return false;
+        if (typeName.type === 'ArrayTypeName')
+            return true;
+        if (String(typeName.namePath || typeName.name || '').toLowerCase().includes('call'))
+            return true;
+        return false;
+    }
+    isExternallyCallable(fn) {
+        const kind = String(fn.kind || (fn.isConstructor ? 'constructor' : '') || 'function').toLowerCase();
+        if (kind === 'constructor' || kind === 'fallback' || kind === 'receive')
+            return false;
+        const visibility = String(fn.visibility || '').toLowerCase();
+        return visibility === 'public' || visibility === 'external';
+    }
+    locOf(node) {
+        const { line, column } = (0, ast_1.assertLoc)(node);
+        return { line, column };
+    }
+    makeFinding(contract, fn, file, loc, missing) {
+        const contractName = contract.name || '<anonymous>';
+        const functionName = fn.name || '<anonymous>';
+        const missingText = missing.join(', ');
+        return {
+            file,
+            contract: contractName,
+            'function': functionName,
+            line: loc.line,
+            column: loc.column,
+            pattern: PATTERN,
+            confidence: 'high',
+            ruleId: RULE_ID,
+            severity: 'high',
+            message: `EIP-5792 session-key batch authorization in '${contractName}.${functionName}' omits replay binding: ${missingText}.`,
+            rationale: 'Session-key signatures that authorize batched calls can be replayed when the signed digest does not bind the account, chain id, consumed nonce, enforced expiry, and call-batch contents.',
+            suggestedFix: 'Bind address(this), block.chainid, a consumed per-session-key nonce, an expiry checked against block.timestamp, and a hash of the calls batch into the signed payload.',
+            contractName,
+            functionName,
+            sourceLocation: loc,
+            findingId: '',
+            contractHash: '',
+        };
+    }
+}
+exports.EIP5792AuthReplayDetector = EIP5792AuthReplayDetector;
+//# sourceMappingURL=eip5792-auth-replay.js.map

package/dist/detectors/eip712-domain-separator.d.ts

@@ -0,0 +1,42 @@
+import type { ScanResult } from '../index';
+export declare class Eip712DomainSeparatorDetector {
+    readonly id = "eip712-domain-separator";
+    readonly patternKey = "eip712-domain-separator";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "high";
+        help: string;
+    };
+    private currentFile;
+    private currentContract;
+    private currentContractKind;
+    private currentFunction;
+    private findings;
+    private domainVariables;
+    private typeHashes;
+    private chainIdHelpers;
+    private safeDomainBuilders;
+    private pendingStaleCacheEmits;
+    private hasGuardedDomainGetter;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    'ContractDefinition:exit'(_node: any): void;
+    StructDefinition(node: any): void;
+    StateVariableDeclaration(node: any): void;
+    FunctionDefinition(node: any): void;
+    'FunctionDefinition:exit'(_node: any): void;
+    VariableDeclarationStatement(node: any): void;
+    ExpressionStatement(node: any): void;
+    ReturnStatement(node: any): void;
+    IfStatement(node: any): void;
+    FunctionCall(node: any): void;
+    private analyzeDomainConstruction;
+    private resolveTypeHashFacts;
+    private emitFinding;
+    private isNonExecutableContract;
+    private preScanContractHelpers;
+}