solidity-argus 0.2.0 → 0.3.2

package/src/tools/pattern-loader.ts

@@ -1,64 +1,11 @@
-import { readdirSync, readFileSync, existsSync } from "node:fs"
-import { join, extname } from "node:path"
-import { parse as parseYaml } from "yaml"
-import { PatternPackSchema, type PatternDefinition } from "./pattern-schema"
+import { existsSync, readdirSync, readFileSync } from "node:fs"
+import { join } from "node:path"
 import { createLogger } from "../shared/logger"
 import { parseFrontmatter, SkillFrontmatterSchema } from "../skills/skill-schema"
+import type { PatternDefinition } from "./pattern-schema"
 
 const logger = createLogger()
 
-const YAML_EXTENSIONS = new Set([".yaml", ".yml"])
-
-const SKILL_NAME_TO_PATTERN_CATEGORY: Record<string, PatternDefinition["category"]> = {
-  "reentrancy": "reentrancy",
-  "access-control": "access-control",
-  "oracle-manipulation": "oracle-manipulation",
-  "flash-loan-attacks": "flash-loan",
-  "delegatecall-untrusted-callee": "proxy",
-  "authorization-txorigin": "access-control",
-  "unchecked-return-values": "logic-error",
-  "dos-revert": "dos",
-  "overflow-underflow": "logic-error",
-  "signature-malleability": "signature",
-}
-
-export function loadPatternPacks(patternsDir: string): PatternDefinition[] {
-  if (!existsSync(patternsDir)) {
-    logger.warn(`Patterns directory does not exist: ${patternsDir}`)
-    return []
-  }
-
-  const entries = readdirSync(patternsDir).filter((f) =>
-    YAML_EXTENSIONS.has(extname(f).toLowerCase())
-  )
-
-  const allPatterns: PatternDefinition[] = []
-
-  for (const filename of entries) {
-    const filePath = join(patternsDir, filename)
-    try {
-      const raw = readFileSync(filePath, "utf-8")
-      const parsed = parseYaml(raw)
-      const result = PatternPackSchema.safeParse(parsed)
-
-      if (!result.success) {
-        logger.warn(
-          `Skipping ${filename}: schema validation failed — ${result.error.issues[0]?.message ?? "unknown"}`
-        )
-        continue
-      }
-
-      allPatterns.push(...result.data.patterns)
-    } catch (err) {
-      logger.warn(
-        `Skipping ${filename}: ${err instanceof Error ? err.message : "parse error"}`
-      )
-    }
-  }
-
-  return allPatterns
-}
-
 function listSkillMarkdownFiles(skillsDir: string): string[] {
   if (!existsSync(skillsDir)) {
     logger.warn(`Skills directory does not exist: ${skillsDir}`)
@@ -103,7 +50,7 @@ export function extractDetectionRulesFromSkills(skillsDir: string): PatternDefin
       if (!parsed.success) continue
 
       const skillName = parsed.data.name
-      const category = SKILL_NAME_TO_PATTERN_CATEGORY[skillName]
+      const category = parsed.data.pattern_category
       if (!category) continue
 
       const rules = parsed.data.detection_rules
@@ -122,62 +69,9 @@ export function extractDetectionRulesFromSkills(skillsDir: string): PatternDefin
         })
       }
     } catch (err) {
-      logger.warn(
-        `Skipping ${filePath}: ${err instanceof Error ? err.message : "parse error"}`
-      )
+      logger.warn(`Skipping ${filePath}: ${err instanceof Error ? err.message : "parse error"}`)
     }
   }
 
   return extracted
 }
-
-type BuiltinPattern = {
-  name: string
-  category: string
-  severity: string
-  regex: RegExp
-  description: string
-  exploitReference?: string
-}
-
-function isValidUrl(s: string): boolean {
-  try {
-    new URL(s)
-    return true
-  } catch {
-    return false
-  }
-}
-
-function builtinToDefinition(b: BuiltinPattern): PatternDefinition {
-  return {
-    name: b.name,
-    category: b.category as PatternDefinition["category"],
-    severity: b.severity as PatternDefinition["severity"],
-    confidence: "Medium",
-    version: "1.0",
-    regex: b.regex.source,
-    description: b.description,
-    ...(b.exploitReference && isValidUrl(b.exploitReference)
-      ? { exploit_ref: b.exploitReference }
-      : {}),
-  }
-}
-
-export function mergeWithBuiltins(
-  yamlPatterns: PatternDefinition[],
-  builtins: BuiltinPattern[],
-  skillDetectionRules: PatternDefinition[] = []
-): PatternDefinition[] {
-  const mergedInputs = [...yamlPatterns, ...skillDetectionRules]
-  const yamlByName = new Map(mergedInputs.map((p) => [p.name, p]))
-  const merged: PatternDefinition[] = [...mergedInputs]
-
-  for (const builtin of builtins) {
-    if (!yamlByName.has(builtin.name)) {
-      merged.push(builtinToDefinition(builtin))
-    }
-  }
-
-  return merged
-}

package/src/tools/pattern-schema.ts

@@ -37,6 +37,9 @@ export const PatternDefinitionSchema = z.object({
   description: z.string().min(1),
   exploit_ref: z.string().url().optional(),
   remediation: z.string().optional(),
+  context: z.enum(["function-body", "contract-body", "file-level"]).optional(),
+  applies_to: z.array(z.string()).optional(),
+  exclude_if: z.array(z.string()).optional(),
 })
 
 export type PatternDefinition = z.infer<typeof PatternDefinitionSchema>

package/src/tools/proxy-detection-tool.ts

@@ -0,0 +1,224 @@
+import { isAbsolute, join } from "node:path"
+import { type ToolContext, tool } from "@opencode-ai/plugin"
+
+type ProxyDetectionArgs = {
+  file_path: string
+  project_dir?: string
+}
+
+type ProxyType = "diamond" | "uups" | "beacon" | "transparent" | "erc1967"
+
+type Confidence = "high" | "medium" | "low"
+
+export type ProxyDetectionResult = {
+  file: string
+  isProxy: boolean
+  proxyType: ProxyType | null
+  indicators: string[]
+  confidence: Confidence
+  error?: string
+}
+
+export type ReadFileFn = (path: string) => Promise<string>
+
+const ERC1967_IMPLEMENTATION_SLOT =
+  "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
+const ERC1967_ADMIN_SLOT = "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103"
+const ERC1967_BEACON_SLOT = "0xa3f0ad74e5423aebfd80d3ef4346578335a9a72aeaee59ff6cb3582b35133d50"
+
+const readWithBunFile: ReadFileFn = async (path) => Bun.file(path).text()
+
+function hasMatch(source: string, pattern: RegExp): boolean {
+  return pattern.test(source)
+}
+
+function computeConfidence(indicatorCount: number): Confidence {
+  if (indicatorCount >= 3) {
+    return "high"
+  }
+  if (indicatorCount === 2) {
+    return "medium"
+  }
+  return "low"
+}
+
+function collectIndicators(source: string): Set<string> {
+  const indicators = new Set<string>()
+  const lower = source.toLowerCase()
+
+  if (lower.includes(ERC1967_IMPLEMENTATION_SLOT)) {
+    indicators.add("erc1967-implementation-slot")
+  }
+  if (lower.includes(ERC1967_ADMIN_SLOT)) {
+    indicators.add("erc1967-admin-slot")
+  }
+  if (lower.includes(ERC1967_BEACON_SLOT)) {
+    indicators.add("erc1967-beacon-slot")
+  }
+
+  if (hasMatch(source, /\b_implementation\s*\(/i)) {
+    indicators.add("transparent-implementation-getter")
+  }
+  if (hasMatch(source, /\b_admin\s*\(/i) || hasMatch(source, /\b_admin\b/i)) {
+    indicators.add("transparent-admin-getter")
+  }
+  if (hasMatch(source, /\b_setImplementation\s*\(/i)) {
+    indicators.add("transparent-set-implementation")
+  }
+
+  if (hasMatch(source, /\b_authorizeUpgrade\s*\(/i)) {
+    indicators.add("uups-authorize-upgrade")
+  }
+  if (hasMatch(source, /\bupgradeToAndCall\s*\(/i)) {
+    indicators.add("uups-upgrade-to-and-call")
+  }
+  if (hasMatch(source, /\bUUPSUpgradeable\b/)) {
+    indicators.add("uups-upgradeable")
+  }
+
+  if (hasMatch(source, /\bIBeacon\b/)) {
+    indicators.add("beacon-interface")
+  }
+  if (hasMatch(source, /\bBeaconProxy\b/)) {
+    indicators.add("beacon-proxy")
+  }
+  if (hasMatch(source, /\bUpgradeableBeacon\b/)) {
+    indicators.add("upgradeable-beacon")
+  }
+
+  if (hasMatch(source, /\bDiamondCut\b/)) {
+    indicators.add("diamond-cut")
+  }
+  if (hasMatch(source, /\bIDiamondCut\b/)) {
+    indicators.add("diamond-cut-interface")
+  }
+  if (hasMatch(source, /\bfacetAddress\s*\(/i)) {
+    indicators.add("facet-address")
+  }
+  if (hasMatch(source, /\bIDiamondLoupe\b/)) {
+    indicators.add("diamond-loupe")
+  }
+
+  if (hasMatch(source, /\bdelegatecall\b/)) {
+    indicators.add("delegatecall")
+  }
+  if (hasMatch(source, /\bfallback\s*\(/i)) {
+    indicators.add("fallback-function")
+  }
+  if (hasMatch(source, /\bProxy\b/)) {
+    indicators.add("proxy-keyword")
+  }
+  if (hasMatch(source, /\bERC1967\b/)) {
+    indicators.add("erc1967-keyword")
+  }
+
+  return indicators
+}
+
+function hasAny(indicators: Set<string>, candidates: string[]): boolean {
+  return candidates.some((candidate) => indicators.has(candidate))
+}
+
+function classifyProxyType(indicators: Set<string>): ProxyType | null {
+  if (
+    hasAny(indicators, ["diamond-cut", "diamond-cut-interface", "facet-address", "diamond-loupe"])
+  ) {
+    return "diamond"
+  }
+
+  if (
+    hasAny(indicators, ["uups-authorize-upgrade", "uups-upgrade-to-and-call", "uups-upgradeable"])
+  ) {
+    return "uups"
+  }
+
+  if (hasAny(indicators, ["beacon-interface", "beacon-proxy", "upgradeable-beacon"])) {
+    return "beacon"
+  }
+
+  if (
+    hasAny(indicators, [
+      "transparent-implementation-getter",
+      "transparent-admin-getter",
+      "transparent-set-implementation",
+    ])
+  ) {
+    return "transparent"
+  }
+
+  if (
+    hasAny(indicators, [
+      "erc1967-implementation-slot",
+      "erc1967-admin-slot",
+      "erc1967-beacon-slot",
+      "delegatecall",
+    ])
+  ) {
+    return "erc1967"
+  }
+
+  return null
+}
+
+export async function executeProxyDetection(
+  args: ProxyDetectionArgs,
+  context: ToolContext,
+  readFile: ReadFileFn = readWithBunFile,
+): Promise<ProxyDetectionResult> {
+  context.metadata({ title: `Detect proxy patterns: ${args.file_path}` })
+
+  const fileToRead =
+    args.project_dir && !isAbsolute(args.file_path)
+      ? join(args.project_dir, args.file_path)
+      : args.file_path
+
+  try {
+    const source = await readFile(fileToRead)
+    const indicators = collectIndicators(source)
+    const proxyType = classifyProxyType(indicators)
+    const indicatorList = [...indicators]
+    const isProxy = proxyType !== null
+
+    return {
+      file: args.file_path,
+      isProxy,
+      proxyType,
+      indicators: isProxy ? indicatorList : [],
+      confidence: computeConfidence(isProxy ? indicatorList.length : 0),
+    }
+  } catch (error) {
+    const maybeError = error as Error & { code?: string }
+    if (maybeError.code === "ENOENT") {
+      return {
+        file: args.file_path,
+        isProxy: false,
+        proxyType: null,
+        indicators: [],
+        confidence: "low",
+        error: `File not found: ${args.file_path}`,
+      }
+    }
+
+    return {
+      file: args.file_path,
+      isProxy: false,
+      proxyType: null,
+      indicators: [],
+      confidence: "low",
+      error: maybeError.message || "proxy detection failed",
+    }
+  }
+}
+
+export const proxyDetectionTool = tool({
+  description:
+    "Detects proxy patterns in Solidity contracts (ERC1967, UUPS, transparent, beacon, diamond) with confidence scoring.",
+  args: {
+    file_path: tool.schema.string(),
+    project_dir: tool.schema.string().optional(),
+  },
+  async execute(args, context) {
+    const result = await executeProxyDetection(args, context)
+    return JSON.stringify(result)
+  },
+})