@snovon/solast 0.2.0

package/dist/detectors/eip712-signature-verification.js

@@ -0,0 +1,689 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Eip712SignatureVerificationDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'eip712-signature-verification';
+class Eip712SignatureVerificationDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'EIP-712 typed-data signature verification missing zero-address, replay, domain, or chain-aware cache binding.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'high',
+        help: 'Flags executable typed-data signature verification paths that recover a signer but omit address(0) rejection, nonce consumption, verifying-domain binding, or chain-aware domain-separator cache invalidation.',
+    };
+    currentFile = '';
+    currentContract = '';
+    currentContractKind = '';
+    currentFunction = null;
+    findings = [];
+    domainVars = new Map();
+    safeDomainFunctions = new Set();
+    fileRecoverHelpers = new Set();
+    recoverHelpers = new Set();
+    typedDataHelpers = new Map();
+    helperBodyFacts = { hasRecover: false, chainBound: false, contractBound: false };
+    setFile(file) {
+        this.currentFile = file;
+        this.currentContract = '';
+        this.currentContractKind = '';
+        this.currentFunction = null;
+        this.findings = [];
+        this.domainVars.clear();
+        this.safeDomainFunctions.clear();
+        this.fileRecoverHelpers = new Set();
+        this.recoverHelpers = new Set();
+        this.typedDataHelpers.clear();
+        this.helperBodyFacts = { hasRecover: false, chainBound: false, contractBound: false };
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        this.currentContract = node.name || '';
+        this.currentContractKind = node.kind || '';
+        this.domainVars.clear();
+        this.safeDomainFunctions.clear();
+        this.recoverHelpers = new Set(this.fileRecoverHelpers);
+        this.typedDataHelpers.clear();
+        this.preScanContractHelpers(node);
+        if (this.currentContractKind === 'library') {
+            for (const helper of this.recoverHelpers)
+                this.fileRecoverHelpers.add(helper);
+        }
+    }
+    'ContractDefinition:exit'(_node) {
+        this.currentContract = '';
+        this.currentContractKind = '';
+        this.domainVars.clear();
+        this.safeDomainFunctions.clear();
+        this.recoverHelpers = new Set(this.fileRecoverHelpers);
+        this.typedDataHelpers.clear();
+    }
+    StateVariableDeclaration(node) {
+        if (this.currentFunction || this.isNonExecutableContract())
+            return;
+        for (const variable of node.variables || []) {
+            const name = variable?.name;
+            if (!name || !isDomainSeparatorName(name))
+                continue;
+            const facts = bindingFacts(variable.expression || node.initialValue);
+            this.domainVars.set(name, {
+                immutable: Boolean(variable.isImmutable || variable.isDeclaredConst),
+                chainBound: facts.chainBound,
+                contractBound: facts.contractBound,
+            });
+        }
+    }
+    FunctionDefinition(node) {
+        this.currentFunction = null;
+        this.helperBodyFacts = { hasRecover: false, chainBound: false, contractBound: false };
+        if (this.isNonExecutableContract() || !node.body)
+            return;
+        this.currentFunction = {
+            name: node.isConstructor ? '<constructor>' : (node.name || '<anonymous>'),
+            node,
+            localInitializers: new Map(),
+            recoveredVars: new Map(),
+            signerCheckNode: null,
+            zeroGuard: false,
+            replayProtection: false,
+            valueMoving: false,
+            usesUnsafeCachedDomain: false,
+            digestChainBound: false,
+            digestContractBound: false,
+            hasRecoverCall: false,
+        };
+    }
+    ModifierDefinition(node) {
+        this.currentFunction = null;
+        this.helperBodyFacts = { hasRecover: false, chainBound: false, contractBound: false };
+        if (this.isNonExecutableContract() || !node.body)
+            return;
+        this.currentFunction = {
+            name: node.name || '<anonymous>',
+            node,
+            localInitializers: new Map(),
+            recoveredVars: new Map(),
+            signerCheckNode: null,
+            zeroGuard: false,
+            replayProtection: false,
+            valueMoving: false,
+            usesUnsafeCachedDomain: false,
+            digestChainBound: false,
+            digestContractBound: false,
+            hasRecoverCall: false,
+        };
+    }
+    'FunctionDefinition:exit'(node) {
+        const facts = this.currentFunction;
+        if (!facts)
+            return;
+        if (node.name) {
+            if (this.helperBodyFacts.hasRecover)
+                this.recoverHelpers.add(node.name);
+            if (this.helperBodyFacts.chainBound || this.helperBodyFacts.contractBound) {
+                this.typedDataHelpers.set(node.name, {
+                    chainBound: this.helperBodyFacts.chainBound,
+                    contractBound: this.helperBodyFacts.contractBound,
+                });
+            }
+        }
+        if (facts.signerCheckNode) {
+            this.analyzeFunction(facts);
+        }
+        this.currentFunction = null;
+        this.helperBodyFacts = { hasRecover: false, chainBound: false, contractBound: false };
+    }
+    'ModifierDefinition:exit'(node) {
+        const facts = this.currentFunction;
+        if (!facts)
+            return;
+        if (node.name) {
+            if (this.helperBodyFacts.hasRecover)
+                this.recoverHelpers.add(node.name);
+            if (this.helperBodyFacts.chainBound || this.helperBodyFacts.contractBound) {
+                this.typedDataHelpers.set(node.name, {
+                    chainBound: this.helperBodyFacts.chainBound,
+                    contractBound: this.helperBodyFacts.contractBound,
+                });
+            }
+        }
+        if (facts.signerCheckNode) {
+            this.analyzeFunction(facts);
+        }
+        this.currentFunction = null;
+        this.helperBodyFacts = { hasRecover: false, chainBound: false, contractBound: false };
+    }
+    VariableDeclarationStatement(node) {
+        const facts = this.currentFunction;
+        if (!facts || !node.initialValue)
+            return;
+        for (const variable of node.variables || []) {
+            if (variable?.name)
+                facts.localInitializers.set(variable.name, node.initialValue);
+        }
+        const digest = this.recoverDigest(node.initialValue, facts);
+        if (!digest)
+            return;
+        facts.hasRecoverCall = true;
+        this.recordDigestFacts(digest, facts);
+        for (const variable of node.variables || []) {
+            if (variable?.name)
+                facts.recoveredVars.set(variable.name, digest);
+        }
+    }
+    ExpressionStatement(node) {
+        const expr = node.expression;
+        if (!expr || typeof expr !== 'object')
+            return;
+        if (this.currentFunction && (0, ast_1.isNode)(expr, 'BinaryOperation') && expr.operator === '=') {
+            const target = identifierName(expr.left);
+            if (target)
+                this.currentFunction.localInitializers.set(target, expr.right);
+        }
+        if (this.currentFunction?.name === '<constructor>' && (0, ast_1.isNode)(expr, 'BinaryOperation') && expr.operator === '=') {
+            const target = identifierName(expr.left);
+            if (target && isDomainSeparatorName(target)) {
+                const facts = bindingFacts(expr.right);
+                const helperFacts = helperBindingFacts(expr.right, this.typedDataHelpers);
+                const existing = this.domainVars.get(target);
+                this.domainVars.set(target, {
+                    immutable: existing?.immutable ?? false,
+                    chainBound: facts.chainBound || helperFacts.chainBound,
+                    contractBound: facts.contractBound || helperFacts.contractBound,
+                });
+            }
+        }
+    }
+    IfStatement(node) {
+        const facts = this.currentFunction;
+        if (!facts)
+            return;
+        if (conditionHasZeroGuard(node.condition, facts))
+            facts.zeroGuard = true;
+        if (conditionHasZeroEquality(node.condition, facts) && statementAlwaysReverts(node.trueBody))
+            facts.zeroGuard = true;
+        if (!facts.signerCheckNode && ifStatementHasSignerRevertGate(node, facts)) {
+            facts.signerCheckNode = node.condition || node;
+        }
+    }
+    FunctionCall(node) {
+        const facts = this.currentFunction;
+        if (!facts)
+            return;
+        const callName = directCallName(node.expression);
+        if (callName && isNonceConsumingHelper(callName))
+            facts.replayProtection = true;
+        if (callName === 'ecrecover' || this.recoverHelpers.has(callName || '')) {
+            facts.hasRecoverCall = true;
+            this.helperBodyFacts.hasRecover = true;
+            const digest = this.recoverDigest(node, facts);
+            if (digest)
+                this.recordDigestFacts(digest, facts);
+        }
+        if (isAddressThis(node))
+            this.helperBodyFacts.contractBound = true;
+        if (isRequireOrAssert(node)) {
+            const condition = node.arguments?.[0];
+            if (conditionHasZeroGuard(condition, facts))
+                facts.zeroGuard = true;
+            if (!facts.signerCheckNode && conditionHasSignerCheck(condition, facts))
+                facts.signerCheckNode = condition || node;
+        }
+        if (callName === 'DOMAIN_SEPARATOR') {
+            const safe = this.safeDomainFunctions.has(callName);
+            if (!safe)
+                facts.usesUnsafeCachedDomain = true;
+        }
+        if (isValueMovingCall(node))
+            facts.valueMoving = true;
+    }
+    ReturnStatement(node) {
+        if (!this.currentFunction)
+            return;
+        const fnName = this.currentFunction.name;
+        if (!isDomainSeparatorName(fnName))
+            return;
+        const returned = node.expression;
+        if (!returned)
+            return;
+        if (referencesCachedDomain(returned) && this.helperBodyFacts.chainBound && this.helperBodyFacts.contractBound) {
+            this.safeDomainFunctions.add(fnName);
+        }
+    }
+    UnaryOperation(node) {
+        if (!this.currentFunction)
+            return;
+        if ((node.operator === '++' || node.operator === '--' || node.operator === 'delete') && containsNonceAccess(node.subExpression)) {
+            this.currentFunction.replayProtection = true;
+        }
+    }
+    MemberAccess(node) {
+        if (!this.currentFunction)
+            return;
+        if (isBlockChainId(node))
+            this.helperBodyFacts.chainBound = true;
+    }
+    BinaryOperation(node) {
+        if (!this.currentFunction)
+            return;
+        if (isAssignmentOperator(node.operator) && containsNonceAccess(node.left)) {
+            this.currentFunction.replayProtection = true;
+        }
+    }
+    analyzeFunction(facts) {
+        if (!facts.hasRecoverCall)
+            return;
+        let mode = null;
+        if (!facts.zeroGuard)
+            mode = 'missing-ecrecover-zero-address-guard';
+        else if (!facts.replayProtection)
+            mode = 'missing-replay-protection';
+        else if (!facts.digestChainBound || !facts.digestContractBound)
+            mode = 'missing-domain-context-binding';
+        else if (facts.usesUnsafeCachedDomain)
+            mode = 'unsafe-cached-domain-separator';
+        if (!mode)
+            return;
+        this.findings.push(this.makeFinding(facts, mode));
+    }
+    recoverDigest(expr, facts) {
+        const resolved = this.resolve(expr, facts);
+        if (!(0, ast_1.isNode)(resolved, 'FunctionCall'))
+            return null;
+        const callName = directCallName(resolved.expression);
+        if (!callName)
+            return null;
+        if (callName === 'ecrecover')
+            return argumentByName(resolved, 'hash', 0);
+        if (this.recoverHelpers.has(callName))
+            return argumentByName(resolved, 'digest', 0);
+        return null;
+    }
+    recordDigestFacts(digest, facts) {
+        const resolved = this.resolve(digest, facts);
+        const direct = bindingFacts(resolved);
+        if (direct.chainBound)
+            facts.digestChainBound = true;
+        if (direct.contractBound)
+            facts.digestContractBound = true;
+        forEachNode(resolved, current => {
+            if ((0, ast_1.isNode)(current, 'Identifier')) {
+                const domain = this.domainVars.get(current.name);
+                if (domain) {
+                    if (domain.chainBound)
+                        facts.digestChainBound = true;
+                    if (domain.contractBound)
+                        facts.digestContractBound = true;
+                    if (!domain.immutable && (domain.chainBound || domain.contractBound))
+                        facts.usesUnsafeCachedDomain = true;
+                }
+                const helper = this.typedDataHelpers.get(current.name);
+                if (helper?.chainBound)
+                    facts.digestChainBound = true;
+                if (helper?.contractBound)
+                    facts.digestContractBound = true;
+            }
+            if ((0, ast_1.isNode)(current, 'FunctionCall')) {
+                const callName = directCallName(current.expression);
+                const helper = callName ? this.typedDataHelpers.get(callName) : null;
+                if (callName === '_hashTypedDataV4' || callName === 'toTypedDataHash') {
+                    facts.digestChainBound = true;
+                    facts.digestContractBound = true;
+                }
+                if (helper?.chainBound)
+                    facts.digestChainBound = true;
+                if (helper?.contractBound)
+                    facts.digestContractBound = true;
+                if (callName && isDomainSeparatorName(callName)) {
+                    if (this.safeDomainFunctions.has(callName)) {
+                        facts.digestChainBound = true;
+                        facts.digestContractBound = true;
+                    }
+                    else {
+                        facts.usesUnsafeCachedDomain = true;
+                    }
+                }
+            }
+        });
+    }
+    resolve(expr, facts, seen = new Set()) {
+        if (!(0, ast_1.isNode)(expr, 'Identifier'))
+            return expr;
+        const key = expr.name || '';
+        if (!key || seen.has(key))
+            return expr;
+        seen.add(key);
+        const initializer = facts.localInitializers.get(key);
+        return initializer ? this.resolve(initializer, facts, seen) : expr;
+    }
+    makeFinding(facts, mode) {
+        const loc = (0, ast_1.tryLoc)(facts.signerCheckNode, facts.node) || { line: 1, endLine: 1, column: 0, endColumn: 0 };
+        const severity = mode === 'missing-replay-protection' || mode === 'missing-domain-context-binding'
+            ? 'high'
+            : 'medium';
+        return {
+            file: this.currentFile,
+            contract: this.currentContract,
+            'function': facts.name,
+            line: loc.line,
+            endLine: loc.endLine,
+            column: loc.column,
+            pattern: mode,
+            confidence: 'medium',
+            ruleId: RULE_ID,
+            severity,
+            category: 'vulnerability',
+            message: messageFor(mode, facts),
+            rationale: rationaleFor(mode),
+            suggestedFix: fixFor(mode),
+            contractName: this.currentContract,
+            functionName: facts.name,
+            sourceLocation: { line: loc.line, column: loc.column },
+            findingId: '',
+            contractHash: '',
+        };
+    }
+    isNonExecutableContract() {
+        return this.currentContractKind === 'interface';
+    }
+    preScanContractHelpers(contract) {
+        if (this.isNonExecutableContract())
+            return;
+        const functions = (contract.subNodes || []).filter((subNode) => (0, ast_1.isNode)(subNode, 'FunctionDefinition') && subNode.body);
+        let changed = true;
+        while (changed) {
+            changed = false;
+            for (const fn of functions) {
+                const name = fn.name || '';
+                if (!name)
+                    continue;
+                const facts = this.preScanFunctionBody(fn.body);
+                if (facts.hasRecover && !this.recoverHelpers.has(name)) {
+                    this.recoverHelpers.add(name);
+                    changed = true;
+                }
+                if ((facts.chainBound || facts.contractBound) && !this.typedDataHelpers.has(name)) {
+                    this.typedDataHelpers.set(name, {
+                        chainBound: facts.chainBound,
+                        contractBound: facts.contractBound,
+                    });
+                    changed = true;
+                }
+                if (isDomainSeparatorName(name) && facts.returnsCachedDomain && facts.chainBound && facts.contractBound && !this.safeDomainFunctions.has(name)) {
+                    this.safeDomainFunctions.add(name);
+                    changed = true;
+                }
+            }
+        }
+    }
+    preScanFunctionBody(body) {
+        let hasRecover = false;
+        let chainBound = false;
+        let contractBound = false;
+        let returnsCachedDomain = false;
+        forEachNode(body, current => {
+            if (isBlockChainId(current))
+                chainBound = true;
+            if (isAddressThis(current))
+                contractBound = true;
+            if ((0, ast_1.isNode)(current, 'ReturnStatement') && referencesCachedDomain(current.expression))
+                returnsCachedDomain = true;
+            if (!(0, ast_1.isNode)(current, 'FunctionCall'))
+                return;
+            const callName = directCallName(current.expression);
+            if (callName === 'ecrecover' || this.recoverHelpers.has(callName))
+                hasRecover = true;
+            const helper = this.typedDataHelpers.get(callName);
+            if (helper?.chainBound)
+                chainBound = true;
+            if (helper?.contractBound)
+                contractBound = true;
+        });
+        return { hasRecover, chainBound, contractBound, returnsCachedDomain };
+    }
+}
+exports.Eip712SignatureVerificationDetector = Eip712SignatureVerificationDetector;
+function messageFor(mode, facts) {
+    if (mode === 'missing-replay-protection') {
+        return `EIP-712 signature authorization in ${facts.name} lacks visible nonce consumption or replay invalidation.`;
+    }
+    if (mode === 'missing-domain-context-binding') {
+        return `EIP-712 signature authorization in ${facts.name} does not bind both chain id and verifying contract context.`;
+    }
+    if (mode === 'unsafe-cached-domain-separator') {
+        return `EIP-712 signature authorization in ${facts.name} reuses a cached domain separator without visible chain-aware rebuild logic.`;
+    }
+    return `EIP-712 signature authorization in ${facts.name} uses ecrecover result without an address(0) guard.`;
+}
+function rationaleFor(mode) {
+    if (mode === 'missing-replay-protection') {
+        return 'Typed-data signatures that authorize value movement or state changes must consume a nonce or equivalent replay marker on the verification path.';
+    }
+    if (mode === 'missing-domain-context-binding') {
+        return 'EIP-712 digests need chain and verifying-contract context to prevent signatures from being reused across contracts or chains.';
+    }
+    if (mode === 'unsafe-cached-domain-separator') {
+        return 'A domain separator cached from block.chainid/address(this) can become stale across chain-context changes unless it is rebuilt when the chain id or contract context differs.';
+    }
+    return 'ecrecover returns address(0) for invalid signatures, so authorization should reject the zero address before treating the recovered value as a signer.';
+}
+function fixFor(mode) {
+    if (mode === 'missing-replay-protection') {
+        return 'Include a per-signer nonce or order hash in the signed struct and consume or invalidate it before or during authorization.';
+    }
+    if (mode === 'missing-domain-context-binding') {
+        return 'Build the typed-data digest with an EIP-712 domain separator that includes block.chainid and address(this), or use a chain-aware _hashTypedDataV4 implementation.';
+    }
+    if (mode === 'unsafe-cached-domain-separator') {
+        return 'Cache the domain separator together with block.chainid and address(this), and rebuild it whenever either value differs.';
+    }
+    return 'Add require(recovered != address(0)) or an equivalent guard before comparing or accepting the recovered signer.';
+}
+function conditionHasSignerCheck(node, facts) {
+    return conditionHasSignerComparison(node, facts, '==');
+}
+function conditionHasSignerMismatch(node, facts) {
+    return conditionHasSignerComparison(node, facts, '!=');
+}
+function conditionHasSignerComparison(node, facts, operator) {
+    return containsNode(node, current => {
+        if (!(0, ast_1.isNode)(current, 'BinaryOperation') || current.operator !== operator)
+            return false;
+        return expressionIsRecovered(current.left, facts) || expressionIsRecovered(current.right, facts);
+    });
+}
+function ifStatementHasSignerRevertGate(node, facts) {
+    if (conditionHasSignerMismatch(node.condition, facts) && statementAlwaysReverts(node.trueBody))
+        return true;
+    return conditionHasSignerCheck(node.condition, facts) && statementAlwaysReverts(node.falseBody);
+}
+function conditionHasZeroGuard(node, facts) {
+    return containsNode(node, current => {
+        if (!(0, ast_1.isNode)(current, 'BinaryOperation') || current.operator !== '!=')
+            return false;
+        return ((expressionIsRecovered(current.left, facts) && isAddressZero(current.right)) ||
+            (expressionIsRecovered(current.right, facts) && isAddressZero(current.left)));
+    });
+}
+function conditionHasZeroEquality(node, facts) {
+    return containsNode(node, current => {
+        if (!(0, ast_1.isNode)(current, 'BinaryOperation') || current.operator !== '==')
+            return false;
+        return ((expressionIsRecovered(current.left, facts) && isAddressZero(current.right)) ||
+            (expressionIsRecovered(current.right, facts) && isAddressZero(current.left)));
+    });
+}
+function expressionIsRecovered(expr, facts) {
+    if ((0, ast_1.isNode)(expr, 'Identifier') && facts.recoveredVars.has(expr.name))
+        return true;
+    const resolved = (0, ast_1.isNode)(expr, 'Identifier') ? facts.localInitializers.get(expr.name) : expr;
+    if (resolved && (0, ast_1.isNode)(resolved, 'FunctionCall')) {
+        const callName = directCallName(resolved.expression);
+        return callName === 'ecrecover' || facts.recoveredVars.has(identifierName(expr)) || callName === 'recover';
+    }
+    return false;
+}
+function isAddressZero(node) {
+    if ((0, ast_1.isNode)(node, 'FunctionCall') && directCallName(node.expression) === 'address') {
+        const arg = node.arguments?.[0];
+        return isZeroLiteral(arg);
+    }
+    return isZeroLiteral(node);
+}
+function isZeroLiteral(node) {
+    return (0, ast_1.isNode)(node, 'NumberLiteral') && String(node.number) === '0';
+}
+function bindingFacts(node) {
+    let chainBound = false;
+    let contractBound = false;
+    forEachNode(node, current => {
+        if (isBlockChainId(current))
+            chainBound = true;
+        if (isAddressThis(current))
+            contractBound = true;
+    });
+    return { chainBound, contractBound };
+}
+function helperBindingFacts(node, helpers) {
+    const name = (0, ast_1.isNode)(node, 'FunctionCall') ? directCallName(node.expression) : (0, ast_1.isNode)(node, 'Identifier') ? node.name || '' : '';
+    return helpers.get(name) || { chainBound: false, contractBound: false };
+}
+function isNonceConsumingHelper(name) {
+    return ['_useNonce', 'useNonce', '_useCheckedNonce', 'consumeNonce', '_incrementNonce', '_consumeNonce'].includes(name);
+}
+function containsNonceAccess(node) {
+    return containsNode(node, current => {
+        if ((0, ast_1.isNode)(current, 'IndexAccess')) {
+            const root = indexRootName(current).toLowerCase();
+            return root.includes('nonce') || root.includes('used') || root.includes('executed');
+        }
+        if ((0, ast_1.isNode)(current, 'Identifier')) {
+            const name = String(current.name || '').toLowerCase();
+            return name.includes('nonce') || name.includes('useddigest') || name.includes('usedhash');
+        }
+        return false;
+    });
+}
+function referencesCachedDomain(node) {
+    return containsNode(node, current => (0, ast_1.isNode)(current, 'Identifier') && /cached.*domain.*separator|_CACHED_DOMAIN_SEPARATOR/i.test(current.name || ''));
+}
+function isBlockChainId(node) {
+    return ((0, ast_1.isNode)(node, 'MemberAccess') &&
+        node.memberName === 'chainid' &&
+        (0, ast_1.isNode)(node.expression, 'Identifier') &&
+        node.expression.name === 'block');
+}
+function isAddressThis(node) {
+    return ((0, ast_1.isNode)(node, 'FunctionCall') &&
+        directCallName(node.expression) === 'address' &&
+        (0, ast_1.isNode)(node.arguments?.[0], 'Identifier') &&
+        node.arguments[0].name === 'this');
+}
+function isDomainSeparatorName(name) {
+    return /domain.*separator/i.test(name);
+}
+function isRequireOrAssert(node) {
+    const name = directCallName(node.expression);
+    return name === 'require' || name === 'assert';
+}
+function statementAlwaysReverts(node) {
+    if (!node)
+        return false;
+    if ((0, ast_1.isNode)(node, 'ThrowStatement'))
+        return true;
+    if ((0, ast_1.isNode)(node, 'RevertStatement'))
+        return true;
+    if ((0, ast_1.isNode)(node, 'ExpressionStatement'))
+        return expressionAlwaysReverts(node.expression);
+    if ((0, ast_1.isNode)(node, 'Block')) {
+        const statements = node.statements || [];
+        return statements.some((statement) => statementAlwaysReverts(statement));
+    }
+    if ((0, ast_1.isNode)(node, 'IfStatement')) {
+        return statementAlwaysReverts(node.trueBody) && statementAlwaysReverts(node.falseBody);
+    }
+    return false;
+}
+function expressionAlwaysReverts(expr) {
+    if (!(0, ast_1.isNode)(expr, 'FunctionCall'))
+        return false;
+    const name = directCallName(expr.expression);
+    if (name === 'revert')
+        return true;
+    if (name === 'assert')
+        return isFalseLiteral(expr.arguments?.[0]);
+    return false;
+}
+function isFalseLiteral(node) {
+    return (0, ast_1.isNode)(node, 'BooleanLiteral') && node.value === false;
+}
+function isValueMovingCall(node) {
+    if ((0, ast_1.isNode)(node.expression, 'MemberAccess')) {
+        const member = String(node.expression.memberName || '').toLowerCase();
+        return member === 'transfer' || member === 'send' || member === 'call' || member === 'safeTransfer' || member === 'transferfrom' || member === 'safetransferfrom';
+    }
+    const name = String(directCallName(node.expression) || '').toLowerCase();
+    return name === 'transfer' || name === 'safetransfer' || name === 'transferfrom' || name === 'safetransferfrom';
+}
+function directCallName(expr) {
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return expr.name || '';
+    if ((0, ast_1.isNode)(expr, 'MemberAccess'))
+        return expr.memberName || '';
+    return '';
+}
+function argumentByName(call, name, fallbackIndex) {
+    const names = call.names || [];
+    const index = names.indexOf(name);
+    if (index >= 0)
+        return call.arguments?.[index] || null;
+    return call.arguments?.[fallbackIndex] || null;
+}
+function identifierName(node) {
+    if ((0, ast_1.isNode)(node, 'Identifier'))
+        return node.name || '';
+    if ((0, ast_1.isNode)(node, 'IndexAccess'))
+        return identifierName(node.base);
+    if ((0, ast_1.isNode)(node, 'MemberAccess'))
+        return node.memberName || '';
+    return '';
+}
+function indexRootName(node) {
+    let current = node;
+    while ((0, ast_1.isNode)(current, 'IndexAccess'))
+        current = current.base;
+    return identifierName(current);
+}
+function isAssignmentOperator(operator) {
+    return ['=', '+=', '-=', '*=', '/=', '%=', '|=', '&=', '^='].includes(operator);
+}
+function containsNode(node, predicate) {
+    let found = false;
+    forEachNode(node, current => {
+        if (!found && predicate(current))
+            found = true;
+    });
+    return found;
+}
+function forEachNode(node, visit, seen = new Set()) {
+    if (!node || typeof node !== 'object' || seen.has(node))
+        return;
+    seen.add(node);
+    visit(node);
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'range' || key === 'comments')
+            continue;
+        if (Array.isArray(value)) {
+            for (const child of value)
+                forEachNode(child, visit, seen);
+        }
+        else if (value && typeof value === 'object') {
+            forEachNode(value, visit, seen);
+        }
+    }
+}
+//# sourceMappingURL=eip712-signature-verification.js.map

package/dist/detectors/eip7702-auth-replay.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class EIP7702AuthReplayDetector {
+    readonly id = "eip7702-auth-replay";
+    readonly patternKey = "eip7702-auth-replay";
+    readonly supportedAstKinds: "parser"[];
+    scanAst(ast: any, file: string, sourceText?: string): ScanResult[];
+}