feat(lints): Add ZeroAddress lint

nowarp · May 29, 2024 · 66eee51 · 66eee51
1 parent acdab6e
commit 66eee51
Show file tree

Hide file tree

Showing 9 changed files with 133 additions and 9 deletions.
diff --git a/src/detectors/builtin/zeroAddress.ts b/src/detectors/builtin/zeroAddress.ts
@@ -0,0 +1,45 @@
+import { Detector } from "../detector";
+import { MistiContext } from "../../internals/context";
+import { CompilationUnit } from "../../internals/ir";
+import { foldExpressions } from "../../internals/tactASTUtil";
+import { createError, MistiTactError, Severity } from "../../internals/errors";
+import { ASTExpression } from "@tact-lang/compiler/dist/grammar/ast";
+
+function findZeroAddress(
+  acc: MistiTactError[],
+  expr: ASTExpression,
+): MistiTactError[] {
+  if (expr.kind === "op_static_call") {
+    if (
+      expr.name === "newAddress" &&
+      expr.args.length === 2 &&
+      expr.args[1].kind === "number" &&
+      expr.args[1].value === 0n
+    ) {
+      acc.push(
+        createError("Using zero address", Severity.MEDIUM, expr.args[1].ref),
+      );
+    }
+  }
+  return acc;
+}
+
+/**
+ * A detector that identifies uses of zero address.
+ *
+ * Using the zero address in smart contracts is typically problematic because it can be
+ * exploited as a default or uninitialized address, leading to unintended transfers and
+ * security vulnerabilities. Additionally, operations involving the zero address can
+ * result in loss of funds or tokens, as there is no private key to access this address.
+ */
+export class ZeroAddress extends Detector {
+  get id(): string {
+    return "ZeroAddress";
+  }
+
+  check(_ctx: MistiContext, cu: CompilationUnit): MistiTactError[] {
+    return cu.ast.getProgramEntries().reduce((acc, node) => {
+      return acc.concat(foldExpressions(node, [], findZeroAddress));
+    }, [] as MistiTactError[]);
+  }
+}
diff --git a/src/detectors/detector.ts b/src/detectors/detector.ts
@@ -1,7 +1,6 @@
 import { MistiContext } from "../internals/context";
 import { CompilationUnit } from "../internals/ir";
-import { MistiTactError, Severity } from "../internals/errors";
-import { ASTRef } from "@tact-lang/compiler/dist/grammar/ast";
+import { MistiTactError } from "../internals/errors";
 
 /**
  * Abstract base class for a detector module, providing an interface for defining various types of detectors.
@@ -31,6 +30,8 @@ const BuiltInDetectors: Record<string, () => Promise<Detector>> = {
     import("./builtin/readOnlyVariables").then(
       (module) => new module.ReadOnlyVariables(),
     ),
+  ZeroAddress: () =>
+    import("./builtin/zeroAddress").then((module) => new module.ZeroAddress()),
 };
 
 /**

diff --git a/src/internals/config.ts b/src/internals/config.ts
@@ -23,6 +23,7 @@ const ConfigSchema = z.object({
 /** Built-in detectors enabled by default, if no user configuration is provided. */
 export const BUILTIN_DETECTORS: DetectorConfig[] = [
   { className: "ReadOnlyVariables" },
+  { className: "ZeroAddress" },
 ];
 
 /** Represents content of the Misti configuration file (misti.config.json). */

diff --git a/src/internals/ir.ts b/src/internals/ir.ts
@@ -4,6 +4,7 @@ import {
   ASTReceive,
   ASTField,
   ASTInitFunction,
+  ASTNode,
   ASTFunction,
   ASTNativeFunction,
   ASTConstant,
@@ -21,6 +22,7 @@ export type ProjectName = string;
 export class TactASTStore {
   /**
    * Constructs a TactASTStore with mappings to all major AST components.
+   * @param programEntries Identifiers of AST elements defined on the top-level.
    * @param functions Functions and methods including user-defined and special methods.
    * @param constants Constants defined across the compilation unit.
    * @param contracts Contracts defined within the project.
@@ -31,6 +33,7 @@ export class TactASTStore {
    * @param statements All executable statements within all functions of the project.
    */
   constructor(
+    private programEntries: Set<number>,
     private functions: Map<number, ASTFunction | ASTReceive | ASTInitFunction>,
     private constants: Map<number, ASTConstant>,
     private contracts: Map<number, ASTContract>,
@@ -41,6 +44,32 @@ export class TactASTStore {
     private statements: Map<number, ASTStatement>,
   ) {}
 
+  /**
+   * Returns program entries defined on the top-level.
+   */
+  getProgramEntries(): ASTNode[] {
+    return Array.from(this.programEntries).reduce((acc, id) => {
+      if (this.functions.has(id)) {
+        acc.push(this.functions.get(id)!);
+      } else if (this.constants.has(id)) {
+        acc.push(this.constants.get(id)!);
+      } else if (this.contracts.has(id)) {
+        acc.push(this.contracts.get(id)!);
+      } else if (this.nativeFunctions.has(id)) {
+        acc.push(this.nativeFunctions.get(id)!);
+      } else if (this.primitives.has(id)) {
+        acc.push(this.primitives.get(id)!);
+      } else if (this.structs.has(id)) {
+        acc.push(this.structs.get(id)!);
+      } else if (this.traits.has(id)) {
+        acc.push(this.traits.get(id)!);
+      } else {
+        throw new Error(`No entry found for ID: ${id}`);
+      }
+      return acc;
+    }, [] as ASTNode[]);
+  }
+
   /**
    * Retrieves a function or method by its ID.
    * @param id The unique identifier of the function or method.
@@ -190,7 +219,7 @@ export class TactASTStore {
    * @param contractId The ID of the contract.
    * @returns An array of constant IDs or undefined if no contract is found.
    */
-  public getConstants(contractId: number): number[] | undefined {
+  public getContractConstants(contractId: number): number[] | undefined {
     const contract = this.getContract(contractId);
     if (!contract) {
       return undefined;
@@ -208,7 +237,7 @@ export class TactASTStore {
    * @param contractId The ID of the contract.
    * @returns An array of ASTField or undefined if no contract is found.
    */
-  public getFields(contractId: number): ASTField[] | undefined {
+  public getContractFields(contractId: number): ASTField[] | undefined {
     const contract = this.getContract(contractId);
     if (!contract) {
       return undefined;

diff --git a/src/internals/tactIRBuilder.ts b/src/internals/tactIRBuilder.ts
@@ -81,6 +81,7 @@ function generateReceiveName(receive: ASTReceive): string {
  * Transforms the TactAST imported from the tact compiler to a representation more suitable for analysis.
  */
 export class ASTMapper {
+  private programEntries = new Set<number>();
   private functions = new Map<
     number,
     ASTFunction | ASTReceive | ASTInitFunction
@@ -95,20 +96,26 @@ export class ASTMapper {
 
   constructor(private ast: TactAST) {
     this.ast.functions.forEach((func) => {
+      this.programEntries.add(func.id);
       if (func.kind == "def_function") {
         this.processFunction(func);
       } else {
         this.nativeFunctions.set(func.id, func);
       }
     });
-    this.ast.constants.forEach((constant) =>
-      this.constants.set(constant.id, constant),
-    );
-    this.ast.types.forEach((type) => this.processType(type));
+    this.ast.constants.forEach((constant) => {
+      this.programEntries.add(constant.id);
+      this.constants.set(constant.id, constant);
+    });
+    this.ast.types.forEach((type) => {
+      this.programEntries.add(type.id);
+      this.processType(type);
+    });
   }
 
   public getASTStore(): TactASTStore {
     return new TactASTStore(
+      this.programEntries,
       this.functions,
       this.constants,
       this.contracts,

diff --git a/test/config.spec.ts b/test/config.spec.ts
@@ -6,7 +6,10 @@ jest.mock("fs");
 describe("Config class", () => {
   const MOCK_CONFIG_PATH = "./mistiConfig_mock.json";
   const MOCK_CONFIG_CONTENT = JSON.stringify({
-    detectors: [{ className: "ReadOnlyVariables" }],
+    detectors: [
+      { className: "ReadOnlyVariables" },
+      { className: "ZeroAddress" },
+    ],
     ignored_projects: ["ignoredProject"],
   });
 
@@ -19,6 +22,7 @@ describe("Config class", () => {
     const configInstance = new MistiConfig(MOCK_CONFIG_PATH);
     expect(configInstance.detectorsEnabled).toEqual([
       { className: "ReadOnlyVariables" },
+      { className: "ZeroAddress" },
     ]);
     expect(configInstance.ignoredProjects).toEqual(["ignoredProject"]);
   });

diff --git a/test/contracts/zero-address.cfg.json b/test/contracts/zero-address.cfg.json
@@ -0,0 +1,25 @@
+{
+  "projectName": "zero-address",
+  "functions": [],
+  "contracts": [
+    {
+      "name": "SampleContract",
+      "methods": [
+        {
+          "name": "SampleContract.init",
+          "cfg": {
+            "nodes": [
+              {
+                "id": 606,
+                "stmtID": 8037,
+                "srcEdges": [],
+                "dstEdges": []
+              }
+            ],
+            "edges": []
+          }
+        }
+      ]
+    }
+  ]
+}
diff --git a/test/contracts/zero-address.expected.out b/test/contracts/zero-address.expected.out
@@ -0,0 +1,7 @@
+
+/home/jubnzv/Dev/misti/test/contracts/zero-address.tact:3:23:
+  2 |     init() {
+> 3 |         newAddress(1, 0x000000000000000000000000000000000000000000000000);
+                            ^
+  4 |     }
+Using zero address
diff --git a/test/contracts/zero-address.tact b/test/contracts/zero-address.tact
@@ -0,0 +1,5 @@
+contract SampleContract {
+    init() {
+        newAddress(1, 0x000000000000000000000000000000000000000000000000);
+    }
+}