blueprint-tsa 1.0.0

package/dist/commands/drain-check.js

@@ -0,0 +1,218 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.drainCheckConcrete = exports.runDrainCheckAnalysis = exports.configureDrainCheckCommand = void 0;
+const fs_1 = require("fs");
+const core_1 = require("@ton/core");
+const analyzer_wrapper_js_1 = require("../common/analyzer-wrapper.js");
+const build_config_js_1 = require("../reproduce/build-config.js");
+const constants_js_1 = require("../common/constants.js");
+const build_utils_js_1 = require("../common/build-utils.js");
+const utils_js_1 = require("../reproduce/utils.js");
+const paths_js_1 = require("../common/paths.js");
+const opcode_extractor_js_1 = require("../common/opcode-extractor.js");
+const ONE_MINUTE_SECONDS = 60;
+const configureDrainCheckCommand = (context) => {
+    return {
+        command: constants_js_1.DRAIN_CHECK_ID,
+        description: "Analyze contract for drain vulnerabilities",
+        builder: (yargs) => yargs
+            .option("timeout", {
+            alias: "t",
+            type: "number",
+            description: "Analysis timeout in seconds",
+        })
+            .option("contract", {
+            alias: "c",
+            type: "string",
+            description: "Contract name",
+            demandOption: true,
+        })
+            .option("verbose", {
+            alias: "v",
+            type: "boolean",
+            description: "Use debug output in TSA log",
+        })
+            .option("disable-opcode-extraction", {
+            type: "boolean",
+            description: "Disable opcode extraction. This affects path selection strategy and default timeout.",
+        }),
+        handler: async (argv) => {
+            await drainCheckCommand(context, argv);
+        },
+    };
+};
+exports.configureDrainCheckCommand = configureDrainCheckCommand;
+/**
+ * Runs drain check analysis and returns the analyzer wrapper
+ * @param contractName - Name of the contract
+ * @param contractPath - Path to the compiled contract
+ * @param ui - UI provider
+ * @param timeout - Analysis timeout in seconds
+ * @param opcodes - List of opcodes to analyze
+ * @param verbose - Enable verbose output
+ * @returns AnalyzerWrapper instance
+ */
+const runDrainCheckAnalysis = async (contractName, contractPath, ui, timeout, opcodes, verbose = false, completionMessage = "Analysis complete.") => {
+    const checkerPath = (0, paths_js_1.getCheckerPath)(constants_js_1.DRAIN_CHECK_SYMBOLIC_FILENAME);
+    const properties = [
+        { key: "Contract", value: contractName },
+        { key: "Mode", value: "TON drain" },
+        {
+            key: "Options",
+            separator: true,
+            children: [
+                {
+                    key: "Timeout",
+                    value: timeout !== null ? `${timeout} seconds` : "not set",
+                },
+            ],
+        },
+    ];
+    const checkerCell = (0, core_1.beginCell)().endCell();
+    const analyzer = new analyzer_wrapper_js_1.AnalyzerWrapper({
+        ui,
+        checkerPath,
+        checkerCell,
+        properties,
+        codePath: contractPath,
+    });
+    const reportDir = (0, paths_js_1.getReportDirectory)(analyzer.id);
+    const sarifPath = (0, paths_js_1.getSarifReportPath)(analyzer.id);
+    await analyzer.run(constants_js_1.DRAIN_CHECK_SYMBOLIC_FILENAME, (wrapper) => [
+        "custom-checker-compiled",
+        "--checker",
+        wrapper.getTempBocPath(),
+        "--contract",
+        contractPath,
+        "--stop-when-exit-codes-found",
+        constants_js_1.ERROR_EXIT_CODE.toString(),
+        "--checker-data",
+        wrapper.getTempCheckerCellPath(),
+        "--output",
+        sarifPath,
+        ...(timeout != null ? ["--timeout", timeout.toString()] : []),
+        "--exported-inputs",
+        reportDir,
+        ...(verbose ? ["-v"] : []),
+        ...opcodes.flatMap((opcode) => ["--opcode", opcode.toString()]),
+    ], completionMessage);
+    // Write reproduction config if vulnerability is found
+    const vulnerability = analyzer.getVulnerability();
+    if (vulnerability) {
+        (0, build_config_js_1.writeReproduceConfig)(vulnerability, constants_js_1.DRAIN_CHECK_ID, timeout, analyzer.id, {
+            kind: constants_js_1.DRAIN_CHECK_ID,
+        });
+    }
+    return analyzer;
+};
+exports.runDrainCheckAnalysis = runDrainCheckAnalysis;
+const drainCheckCommand = async (context, parsedArgs) => {
+    const { ui } = context;
+    await (0, build_utils_js_1.buildContracts)(ui);
+    if (!parsedArgs.contract) {
+        throw new Error("Contract name or path is required");
+    }
+    const contract = parsedArgs.contract;
+    const contractPath = (0, paths_js_1.findCompiledContract)(contract);
+    if (!(0, fs_1.existsSync)(contractPath)) {
+        ui.write(`\n${constants_js_1.Sym.ERR} Contract ${contract} not found`);
+        process.exit(1);
+    }
+    let opcodes = [];
+    if (!parsedArgs["disable-opcode-extraction"]) {
+        opcodes = await (0, opcode_extractor_js_1.extractOpcodes)({
+            ui,
+            codePath: contractPath,
+            contractName: contract,
+        });
+    }
+    let timeout = parsedArgs.timeout ?? null;
+    // If timeout wasn't provided, set it to 1 minute * (number_of_opcodes + 1)
+    if (timeout === null && opcodes.length > 0) {
+        timeout = ONE_MINUTE_SECONDS * (opcodes.length + 1);
+        ui.write("");
+        ui.write("The timeout was calculated automatically based on the number of opcodes.");
+    }
+    const analyzer = await (0, exports.runDrainCheckAnalysis)(contract, contractPath, ui, timeout, opcodes, parsedArgs.verbose);
+    const vulnerability = analyzer.getVulnerability();
+    analyzer.reportVulnerability(vulnerability, constants_js_1.DRAIN_DESCRIPTION_URL);
+    (0, utils_js_1.printCleanupInstructions)(ui);
+    if (vulnerability != null) {
+        (0, utils_js_1.printReproductionInstructions)(ui, analyzer.id);
+        process.exit(2);
+    }
+};
+const drainCheckConcrete = async (config, completionMessage = "Analysis complete.") => {
+    const { ui } = config;
+    if (!(0, fs_1.existsSync)(config.codePath)) {
+        ui.write(`\n${constants_js_1.Sym.ERR} Code at ${config.codePath} not found`);
+        process.exit(1);
+    }
+    const timeout = config.timeout;
+    const properties = [
+        { key: "Contract", value: config.contractAddress.toRawString() },
+        { key: "Mode", value: "TON drain reproduction" },
+        {
+            key: "Options",
+            separator: true,
+            children: [
+                {
+                    key: "Timeout",
+                    value: timeout !== null ? `${timeout} seconds` : "not set",
+                },
+                { key: "Sender", value: config.senderAddress.toRawString() },
+            ],
+        },
+    ];
+    const maxTons = (0, core_1.toNano)(await ui.input("Enter maximum amount of TONs for reproduction message:"));
+    const checkerPath = (0, paths_js_1.getCheckerPath)(constants_js_1.DRAIN_CHECK_CONCRETE_FILENAME);
+    const checkerCell = (0, core_1.beginCell)()
+        .storeAddress(config.senderAddress)
+        .storeCoins(maxTons)
+        .endCell();
+    const analyzer = new analyzer_wrapper_js_1.AnalyzerWrapper({
+        ui,
+        checkerPath,
+        checkerCell,
+        properties,
+        codePath: config.codePath,
+    });
+    await analyzer.run(constants_js_1.DRAIN_CHECK_CONCRETE_FILENAME, (wrapper) => [
+        "custom-checker-compiled",
+        "--checker",
+        wrapper.getTempBocPath(),
+        "--contract",
+        config.codePath,
+        "--data",
+        config.dataPath,
+        "--balance",
+        config.balance.toString(),
+        "--address",
+        config.contractAddress.toRawString(),
+        "--stop-when-exit-codes-found",
+        constants_js_1.ERROR_EXIT_CODE.toString(),
+        "--checker-data",
+        wrapper.getTempCheckerCellPath(),
+        "--output",
+        (0, paths_js_1.getSarifReportPath)(wrapper.id),
+        "--exported-inputs",
+        (0, paths_js_1.getReportDirectory)(wrapper.id),
+        ...(config.timeout != null
+            ? ["--timeout", config.timeout.toString()]
+            : []),
+    ], completionMessage);
+    const vulnerability = analyzer.getVulnerability();
+    if (vulnerability == null) {
+        ui.write(`${constants_js_1.Sym.WARN} Vulnerability couldn't be reproduced with concrete data.`);
+        return null;
+    }
+    if (vulnerability.value == null) {
+        throw new Error("Unexpected external message");
+    }
+    return {
+        address: config.contractAddress,
+        msgBody: vulnerability.msgBody,
+        suggestedValue: vulnerability.value,
+    };
+};
+exports.drainCheckConcrete = drainCheckConcrete;

package/dist/commands/opcode-info.d.ts

@@ -0,0 +1,23 @@
+import { Argv } from "yargs";
+import yargs from "yargs";
+import { CommandContext } from "../cli.js";
+import { UIProvider } from "@ton/blueprint";
+export interface OpcodeInfo {
+    opcode: number;
+    withAuthorization: boolean;
+    vulnerabilityPath?: string;
+}
+export declare function runOpcodeAuthorizationCheckAnalysis(opcode: number, contractName: string, contractPath: string, ui: UIProvider, timeout: number | null, completionMessage?: string, verbose?: boolean): Promise<OpcodeInfo | null>;
+export declare function formatOpcodeInfo(infos: OpcodeInfo[]): string;
+export declare const configureOpcodeInfoCommand: (context: CommandContext) => {
+    command: string;
+    description: string;
+    builder: (yargs: Argv) => Argv<{
+        contract: string;
+    } & {
+        timeout: number;
+    } & {
+        verbose: boolean | undefined;
+    }>;
+    handler: (argv: yargs.ArgumentsCamelCase) => Promise<void>;
+};

package/dist/commands/opcode-info.js

@@ -0,0 +1,176 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.configureOpcodeInfoCommand = void 0;
+exports.runOpcodeAuthorizationCheckAnalysis = runOpcodeAuthorizationCheckAnalysis;
+exports.formatOpcodeInfo = formatOpcodeInfo;
+const path_1 = __importDefault(require("path"));
+const constants_js_1 = require("../common/constants.js");
+const opcode_extractor_js_1 = require("../common/opcode-extractor.js");
+const build_utils_js_1 = require("../common/build-utils.js");
+const paths_js_1 = require("../common/paths.js");
+const fs_1 = require("fs");
+const analyzer_wrapper_js_1 = require("../common/analyzer-wrapper.js");
+const core_1 = require("@ton/core");
+const format_utils_js_1 = require("../common/format-utils.js");
+const result_parsing_js_1 = require("../common/result-parsing.js");
+async function runOpcodeAuthorizationCheckAnalysis(opcode, contractName, contractPath, ui, timeout, completionMessage = "Analysis complete.", verbose = false) {
+    const properties = [
+        { key: "Contract", value: contractName },
+        { key: "Mode", value: "Opcode Authorization Check" },
+        {
+            key: "Options",
+            separator: true,
+            children: [
+                {
+                    key: "Opcode",
+                    value: (0, format_utils_js_1.formatOpcodeHex)(opcode),
+                },
+                {
+                    key: "Timeout",
+                    value: timeout !== null ? `${timeout} seconds` : "not set",
+                },
+            ],
+        },
+    ];
+    const checkerPath = (0, paths_js_1.getCheckerPath)(constants_js_1.OPCODE_AUTHORIZATION_CHECK_FILENAME);
+    const checkerCell = (0, core_1.beginCell)().storeUint(opcode, 32).endCell();
+    const analyzer = new analyzer_wrapper_js_1.AnalyzerWrapper({
+        ui,
+        checkerPath,
+        checkerCell,
+        properties,
+        codePath: contractPath,
+    });
+    const sarifPath = (0, paths_js_1.getSarifReportPath)(analyzer.id);
+    await analyzer.run(constants_js_1.OPCODE_AUTHORIZATION_CHECK_FILENAME, (wrapper) => [
+        "custom-checker-compiled",
+        "--checker",
+        wrapper.getTempBocPath(),
+        "--contract",
+        contractPath,
+        "--stop-when-exit-codes-found",
+        constants_js_1.ERROR_EXIT_CODE.toString(),
+        "--checker-data",
+        wrapper.getTempCheckerCellPath(),
+        "--output",
+        sarifPath,
+        ...(timeout != null ? ["--timeout", timeout.toString()] : []),
+        "--disable-out-message-analysis",
+        "--exported-inputs",
+        (0, paths_js_1.getReportDirectory)(wrapper.id),
+        ...(verbose ? ["-v"] : []),
+    ], completionMessage);
+    const vulnerability = analyzer.vulnerabilityIsPresent();
+    const nonFailingExecutionIndex = (0, result_parsing_js_1.findNonFailingExecution)(sarifPath);
+    if (nonFailingExecutionIndex === undefined && !vulnerability) {
+        return null;
+    }
+    const withAuthorization = !vulnerability;
+    let vulnerabilityPath;
+    if (vulnerability) {
+        const vulnDesc = analyzer.getVulnerability();
+        if (vulnDesc) {
+            vulnerabilityPath = (0, paths_js_1.getInputsPath)(analyzer.id, vulnDesc.executionIndex);
+        }
+    }
+    return {
+        opcode,
+        withAuthorization,
+        vulnerabilityPath,
+    };
+}
+async function extractOpcodeInfo(opcode, contractName, contractPath, ui, timeout, verbose) {
+    return runOpcodeAuthorizationCheckAnalysis(opcode, contractName, contractPath, ui, timeout, "Analysis complete.", verbose);
+}
+async function getAllOpcodeInfo(opcodes, contractName, contractPath, ui, timeout, verbose) {
+    const results = [];
+    for (const opcode of opcodes) {
+        const info = await extractOpcodeInfo(opcode, contractName, contractPath, ui, timeout, verbose);
+        if (info !== null) {
+            results.push(info);
+        }
+    }
+    return results;
+}
+function formatOpcodeInfo(infos) {
+    if (infos.length === 0) {
+        return "No opcodes to analyze.";
+    }
+    const lines = ["Opcode Authorization Analysis:", ""];
+    let hasUnauthorizedOpcodes = false;
+    for (const info of infos) {
+        const opcodeHex = (0, format_utils_js_1.formatOpcodeHex)(info.opcode);
+        const authStatus = info.withAuthorization
+            ? `${constants_js_1.Sym.OK} Has authorization checks`
+            : `${constants_js_1.Sym.WARN} No authorization checks`;
+        lines.push(`${opcodeHex}: ${authStatus}`);
+        // If authorization is missing and vulnerability path is available, show it
+        if (!info.withAuthorization && info.vulnerabilityPath) {
+            const relativePath = path_1.default.relative(process.cwd(), info.vulnerabilityPath);
+            lines.push(`  Path to reproducing input: ${relativePath}`);
+            hasUnauthorizedOpcodes = true;
+        }
+        lines.push("");
+    }
+    // Add description URL if any opcodes lack authorization
+    if (hasUnauthorizedOpcodes) {
+        lines.push(`Description: ${constants_js_1.OPCODE_INFO_DESCRIPTION_URL}`);
+    }
+    lines.push("");
+    return lines.join("\n");
+}
+const opcodeInfoHandler = async (context, args) => {
+    const { ui } = context;
+    const { timeout, contract, verbose } = args;
+    await (0, build_utils_js_1.buildContracts)(ui);
+    const codePath = (0, paths_js_1.findCompiledContract)(contract);
+    if (!(0, fs_1.existsSync)(codePath)) {
+        ui.write(`\n${constants_js_1.Sym.ERR} Contract ${contract} not found`);
+        process.exit(1);
+    }
+    const opcodes = await (0, opcode_extractor_js_1.extractOpcodes)({
+        ui,
+        codePath,
+        contractName: contract,
+    });
+    if (opcodes.length === 0) {
+        ui.write("");
+        ui.write(`${constants_js_1.Sym.WARN} No opcodes found in contract`);
+        return;
+    }
+    const infos = await getAllOpcodeInfo(opcodes, contract, codePath, ui, timeout ?? null, verbose);
+    ui.write("");
+    const output = formatOpcodeInfo(infos);
+    ui.write(output);
+};
+const configureOpcodeInfoCommand = (context) => {
+    return {
+        command: constants_js_1.OPCODE_INFO,
+        description: "Display information about contract opcodes",
+        builder: (yargs) => yargs
+            .option("contract", {
+            alias: "c",
+            type: "string",
+            description: "Contract name",
+            demandOption: true,
+        })
+            .option("timeout", {
+            alias: "t",
+            type: "number",
+            description: "Timeout in seconds for analyzing one opcode",
+            default: 60,
+        })
+            .option("verbose", {
+            alias: "v",
+            type: "boolean",
+            description: "Use debug output in TSA log",
+        }),
+        handler: async (argv) => {
+            await opcodeInfoHandler(context, argv);
+        },
+    };
+};
+exports.configureOpcodeInfoCommand = configureOpcodeInfoCommand;

package/dist/commands/owner-hijack-check.d.ts

@@ -0,0 +1,20 @@
+import { CommandContext } from "../cli.js";
+import { AnalyzerWrapper } from "../common/analyzer-wrapper.js";
+import { UIProvider } from "@ton/blueprint";
+import { ConcreteAnalysisConfig } from "../reproduce/concrete-analysis.js";
+import { ReproduceParameters } from "../reproduce/network.js";
+import { OwnerHijackOptions } from "../reproduce/reproduce-config.js";
+export declare const configureOwnerHijackCommand: (context: CommandContext) => any;
+/**
+ * Runs owner hijack check analysis and returns the analyzer wrapper
+ * @param contractName - Name of the contract
+ * @param contractPath - Path to the compiled contract
+ * @param ui - UI provider
+ * @param timeout - Analysis timeout in seconds
+ * @param methodId - Method ID of the owner getter
+ * @param opcodes - List of opcodes to analyze
+ * @param verbose - Enable verbose output
+ * @returns AnalyzerWrapper instance
+ */
+export declare const runOwnerHijackCheckAnalysis: (contractName: string, contractPath: string, ui: UIProvider, timeout: number | null, methodId: bigint, opcodes: number[], verbose?: boolean, completionMessage?: string) => Promise<AnalyzerWrapper>;
+export declare const ownerHijackCheckConcrete: (config: ConcreteAnalysisConfig, concreteCheckerOptions: OwnerHijackOptions, completionMessage?: string) => Promise<ReproduceParameters | null>;