From 8e66b668a516f27e301acf233168c1721817285d Mon Sep 17 00:00:00 2001 From: alpharush <0xalpharush@protonmail.com> Date: Wed, 26 Jan 2022 15:51:17 -0600 Subject: [PATCH] feat: add arbitrary-send-erc20 and arbitrary-send-erc20-permit detectors --- slither/detectors/all_detectors.py | 6 +- slither/detectors/erc/erc20/__init__.py | 0 .../erc/erc20/arbitrary_send_erc20.py | 76 ++ .../erc20/arbitrary_send_erc20_no_permit.py | 46 ++ .../erc/erc20/arbitrary_send_erc20_permit.py | 49 ++ .../{ => erc20}/incorrect_erc20_interface.py | 0 ...rbitrary_send.py => arbitrary_send_eth.py} | 6 +- .../0.4.25/arbitrary_send_erc20_permit.sol | 57 ++ ...t.sol.0.4.25.ArbitrarySendErc20Permit.json | 768 ++++++++++++++++++ .../0.5.16/arbitrary_send_erc20_permit.sol | 57 ++ ...t.sol.0.5.16.ArbitrarySendErc20Permit.json | 768 ++++++++++++++++++ .../0.6.11/arbitrary_send_erc20_permit.sol | 57 ++ ...t.sol.0.6.11.ArbitrarySendErc20Permit.json | 768 ++++++++++++++++++ .../0.7.6/arbitrary_send_erc20_permit.sol | 57 ++ ...it.sol.0.7.6.ArbitrarySendErc20Permit.json | 768 ++++++++++++++++++ .../0.8.0/arbitrary_send_erc20_permit.sol | 57 ++ ...it.sol.0.8.0.ArbitrarySendErc20Permit.json | 768 ++++++++++++++++++ .../0.4.25/arbitrary_send_erc20.sol | 69 ++ ...sol.0.4.25.ArbitrarySendErc20NoPermit.json | 655 +++++++++++++++ .../0.5.16/arbitrary_send_erc20.sol | 69 ++ ...sol.0.5.16.ArbitrarySendErc20NoPermit.json | 655 +++++++++++++++ .../0.6.11/arbitrary_send_erc20.sol | 69 ++ ...sol.0.6.11.ArbitrarySendErc20NoPermit.json | 655 +++++++++++++++ .../0.7.6/arbitrary_send_erc20.sol | 69 ++ ....sol.0.7.6.ArbitrarySendErc20NoPermit.json | 655 +++++++++++++++ .../0.8.0/arbitrary_send_erc20.sol | 69 ++ ....sol.0.8.0.ArbitrarySendErc20NoPermit.json | 655 +++++++++++++++ .../0.4.25/arbitrary_send_eth.sol} | 0 ...send_eth.sol.0.4.25.ArbitrarySendEth.json} | 60 +- .../0.5.16/arbitrary_send_eth.sol} | 0 ...send_eth.sol.0.5.16.ArbitrarySendEth.json} | 60 +- .../0.6.11/arbitrary_send_eth.sol} | 0 ...send_eth.sol.0.6.11.ArbitrarySendEth.json} | 60 +- .../0.7.6/arbitrary_send_eth.sol} | 0 ..._send_eth.sol.0.7.6.ArbitrarySendEth.json} | 60 +- tests/test_detectors.py | 66 +- 36 files changed, 8101 insertions(+), 133 deletions(-) create mode 100644 slither/detectors/erc/erc20/__init__.py create mode 100644 slither/detectors/erc/erc20/arbitrary_send_erc20.py create mode 100644 slither/detectors/erc/erc20/arbitrary_send_erc20_no_permit.py create mode 100644 slither/detectors/erc/erc20/arbitrary_send_erc20_permit.py rename slither/detectors/erc/{ => erc20}/incorrect_erc20_interface.py (100%) rename slither/detectors/functions/{arbitrary_send.py => arbitrary_send_eth.py} (97%) create mode 100644 tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol create mode 100644 tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol.0.4.25.ArbitrarySendErc20Permit.json create mode 100644 tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol create mode 100644 tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol.0.5.16.ArbitrarySendErc20Permit.json create mode 100644 tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol create mode 100644 tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol.0.6.11.ArbitrarySendErc20Permit.json create mode 100644 tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol create mode 100644 tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol.0.7.6.ArbitrarySendErc20Permit.json create mode 100644 tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol create mode 100644 tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol.0.8.0.ArbitrarySendErc20Permit.json create mode 100644 tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol create mode 100644 tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol.0.4.25.ArbitrarySendErc20NoPermit.json create mode 100644 tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol create mode 100644 tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol.0.5.16.ArbitrarySendErc20NoPermit.json create mode 100644 tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol create mode 100644 tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol.0.6.11.ArbitrarySendErc20NoPermit.json create mode 100644 tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol create mode 100644 tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol.0.7.6.ArbitrarySendErc20NoPermit.json create mode 100644 tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol create mode 100644 tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol.0.8.0.ArbitrarySendErc20NoPermit.json rename tests/detectors/{arbitrary-send/0.4.25/arbitrary_send.sol => arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol} (100%) rename tests/detectors/{arbitrary-send/0.4.25/arbitrary_send.sol.0.4.25.ArbitrarySend.json => arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol.0.4.25.ArbitrarySendEth.json} (88%) rename tests/detectors/{arbitrary-send/0.5.16/arbitrary_send.sol => arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol} (100%) rename tests/detectors/{arbitrary-send/0.5.16/arbitrary_send.sol.0.5.16.ArbitrarySend.json => arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol.0.5.16.ArbitrarySendEth.json} (88%) rename tests/detectors/{arbitrary-send/0.6.11/arbitrary_send.sol => arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol} (100%) rename tests/detectors/{arbitrary-send/0.6.11/arbitrary_send.sol.0.6.11.ArbitrarySend.json => arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol.0.6.11.ArbitrarySendEth.json} (88%) rename tests/detectors/{arbitrary-send/0.7.6/arbitrary_send.sol => arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol} (100%) rename tests/detectors/{arbitrary-send/0.7.6/arbitrary_send.sol.0.7.6.ArbitrarySend.json => arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol.0.7.6.ArbitrarySendEth.json} (88%) diff --git a/slither/detectors/all_detectors.py b/slither/detectors/all_detectors.py index 62143ad3f1..52969cace5 100644 --- a/slither/detectors/all_detectors.py +++ b/slither/detectors/all_detectors.py @@ -6,7 +6,9 @@ from .attributes.constant_pragma import ConstantPragma from .attributes.incorrect_solc import IncorrectSolc from .attributes.locked_ether import LockedEther -from .functions.arbitrary_send import ArbitrarySend +from .functions.arbitrary_send_eth import ArbitrarySendEth +from .erc.erc20.arbitrary_send_erc20_no_permit import ArbitrarySendErc20NoPermit +from .erc.erc20.arbitrary_send_erc20_permit import ArbitrarySendErc20Permit from .functions.suicidal import Suicidal # from .functions.complex_function import ComplexFunction @@ -34,7 +36,7 @@ from .operations.block_timestamp import Timestamp from .statements.calls_in_loop import MultipleCallsInLoop from .statements.incorrect_strict_equality import IncorrectStrictEquality -from .erc.incorrect_erc20_interface import IncorrectERC20InterfaceDetection +from .erc.erc20.incorrect_erc20_interface import IncorrectERC20InterfaceDetection from .erc.incorrect_erc721_interface import IncorrectERC721InterfaceDetection from .erc.unindexed_event_parameters import UnindexedERC20EventParameters from .statements.deprecated_calls import DeprecatedStandards diff --git a/slither/detectors/erc/erc20/__init__.py b/slither/detectors/erc/erc20/__init__.py new file mode 100644 index 0000000000..e69de29bb2 diff --git a/slither/detectors/erc/erc20/arbitrary_send_erc20.py b/slither/detectors/erc/erc20/arbitrary_send_erc20.py new file mode 100644 index 0000000000..676cfd750b --- /dev/null +++ b/slither/detectors/erc/erc20/arbitrary_send_erc20.py @@ -0,0 +1,76 @@ +from typing import List +from slither.core.cfg.node import Node +from slither.slithir.operations import HighLevelCall, LibraryCall +from slither.core.declarations import Contract, Function, SolidityVariableComposed +from slither.analyses.data_dependency.data_dependency import is_dependent +from slither.core.compilation_unit import SlitherCompilationUnit + + +class ArbitrarySendErc20: + def __init__(self, compilation_unit: SlitherCompilationUnit): + self._compilation_unit = compilation_unit + self._no_permit_results: List[Node] = [] + self._permit_results: List[Node] = [] + + @property + def compilation_unit(self) -> SlitherCompilationUnit: + return self._compilation_unit + + @property + def no_permit_results(self) -> List[Node]: + return self._no_permit_results + + @property + def permit_results(self) -> List[Node]: + return self._permit_results + + def _detect_arbitrary_from(self, contract: Contract): + for f in contract.functions_declared: + all_high_level_calls = [ + f_called[1].solidity_signature + for f_called in f.high_level_calls + if isinstance(f_called[1], Function) + ] + all_library_calls = [f_called[1].solidity_signature for f_called in f.library_calls] + if ( + "transferFrom(address,address,uint256)" in all_high_level_calls + or "safeTransferFrom(address,address,address,uint256)" in all_library_calls + ): + if ( + "permit(address,address,uint256,uint256,uint8,bytes32,bytes32)" + in all_high_level_calls + ): + self._arbitrary_from(f.nodes, self._permit_results) + else: + self._arbitrary_from(f.nodes, self._no_permit_results) + + def _arbitrary_from(self, nodes: List[Node], results: List[Node]): + for node in nodes: + for ir in node.irs: + if ( + isinstance(ir, HighLevelCall) + and isinstance(ir.function, Function) + and ir.function.solidity_signature == "transferFrom(address,address,uint256)" + and not is_dependent( + ir.arguments[0], + SolidityVariableComposed("msg.sender"), + node.function.contract, + ) + ): + results.append(ir.node) + elif ( + isinstance(ir, LibraryCall) + and ir.function.solidity_signature + == "safeTransferFrom(address,address,address,uint256)" + and not is_dependent( + ir.arguments[1], + SolidityVariableComposed("msg.sender"), + node.function.contract, + ) + ): + results.append(ir.node) + + def _detect(self): + """""" + for c in self.compilation_unit.contracts_derived: + self._detect_arbitrary_from(c) diff --git a/slither/detectors/erc/erc20/arbitrary_send_erc20_no_permit.py b/slither/detectors/erc/erc20/arbitrary_send_erc20_no_permit.py new file mode 100644 index 0000000000..78a1e34d47 --- /dev/null +++ b/slither/detectors/erc/erc20/arbitrary_send_erc20_no_permit.py @@ -0,0 +1,46 @@ +from typing import List +from .arbitrary_send_erc20 import ArbitrarySendErc20 +from slither.detectors.abstract_detector import AbstractDetector, DetectorClassification +from slither.utils.output import Output + + +class ArbitrarySendErc20NoPermit(AbstractDetector): + """ + Detect when `msg.sender` is not used as `from` in transferFrom + """ + + ARGUMENT = "arbitrary-send-erc20" + HELP = "transferFrom uses arbitrary `from`" + IMPACT = DetectorClassification.HIGH + CONFIDENCE = DetectorClassification.HIGH + + WIKI = "https://github.com/trailofbits/slither/wiki/Detector-Documentation#arbitrary-send-erc20" + + WIKI_TITLE = "Arbitrary `from` in transferFrom" + WIKI_DESCRIPTION = "Detect when `msg.sender` is not used as `from` in transferFrom." + WIKI_EXPLOIT_SCENARIO = """ +```solidity + function a(address from, address to, uint256 amount) public { + erc20.transferFrom(from, to, am); + } +} +``` +Alice approves this contract to spend her ERC20 tokens. Bob can call `a` and specify Alice's address as the `from` parameter in `transferFrom`, allowing him to transfer Alice's tokens to himself.""" + + WIKI_RECOMMENDATION = """ +Use `msg.sender` as `from` in transferFrom. +""" + + def _detect(self) -> List[Output]: + """""" + results: List[Output] = [] + + arbitrary_sends = ArbitrarySendErc20(self.compilation_unit) + arbitrary_sends._detect() + for node in arbitrary_sends.no_permit_results: + func = node.function + info = [func, " uses arbitrary from in transferFrom: ", node, "\n"] + res = self.generate_result(info) + results.append(res) + + return results diff --git a/slither/detectors/erc/erc20/arbitrary_send_erc20_permit.py b/slither/detectors/erc/erc20/arbitrary_send_erc20_permit.py new file mode 100644 index 0000000000..b8ab6e0667 --- /dev/null +++ b/slither/detectors/erc/erc20/arbitrary_send_erc20_permit.py @@ -0,0 +1,49 @@ +from typing import List +from .arbitrary_send_erc20 import ArbitrarySendErc20 +from slither.detectors.abstract_detector import AbstractDetector, DetectorClassification +from slither.utils.output import Output + + +class ArbitrarySendErc20Permit(AbstractDetector): + """ + Detect when `msg.sender` is not used as `from` in transferFrom along with the use of permit. + """ + + ARGUMENT = "arbitrary-send-erc20-permit" + HELP = "transferFrom uses arbitrary from with permit" + IMPACT = DetectorClassification.HIGH + CONFIDENCE = DetectorClassification.MEDIUM + + WIKI = "https://github.com/trailofbits/slither/wiki/Detector-Documentation#arbitrary-send-erc20-permit" + + WIKI_TITLE = "Arbitrary `from` in transferFrom used with permit" + WIKI_DESCRIPTION = ( + "Detect when `msg.sender` is not used as `from` in transferFrom and permit is used." + ) + WIKI_EXPLOIT_SCENARIO = """ +```solidity + function bad(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) public { + erc20.permit(from, address(this), value, deadline, v, r, s); + erc20.transferFrom(from, to, value); + } +} +``` +If an ERC20 token does not implement permit and has a fallback function e.g. WETH, transferFrom allows an attacker to transfer all tokens approved for this contract.""" + + WIKI_RECOMMENDATION = """ +Ensure that the underlying ERC20 token correctly implements a permit function. +""" + + def _detect(self) -> List[Output]: + """""" + results: List[Output] = [] + + arbitrary_sends = ArbitrarySendErc20(self.compilation_unit) + arbitrary_sends._detect() + for node in arbitrary_sends.permit_results: + func = node.function + info = [func, " uses arbitrary from in transferFrom in combination with permit: ", node, "\n"] + res = self.generate_result(info) + results.append(res) + + return results diff --git a/slither/detectors/erc/incorrect_erc20_interface.py b/slither/detectors/erc/erc20/incorrect_erc20_interface.py similarity index 100% rename from slither/detectors/erc/incorrect_erc20_interface.py rename to slither/detectors/erc/erc20/incorrect_erc20_interface.py diff --git a/slither/detectors/functions/arbitrary_send.py b/slither/detectors/functions/arbitrary_send_eth.py similarity index 97% rename from slither/detectors/functions/arbitrary_send.py rename to slither/detectors/functions/arbitrary_send_eth.py index 3a7118bbfc..e1752bbdb0 100644 --- a/slither/detectors/functions/arbitrary_send.py +++ b/slither/detectors/functions/arbitrary_send_eth.py @@ -90,8 +90,8 @@ def detect_arbitrary_send(contract: Contract): return ret -class ArbitrarySend(AbstractDetector): - ARGUMENT = "arbitrary-send" +class ArbitrarySendEth(AbstractDetector): + ARGUMENT = "arbitrary-send-eth" HELP = "Functions that send Ether to arbitrary destinations" IMPACT = DetectorClassification.HIGH CONFIDENCE = DetectorClassification.MEDIUM @@ -104,7 +104,7 @@ class ArbitrarySend(AbstractDetector): # region wiki_exploit_scenario WIKI_EXPLOIT_SCENARIO = """ ```solidity -contract ArbitrarySend{ +contract ArbitrarySendEth{ address destination; function setDestination(){ destination = msg.sender; diff --git a/tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol b/tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol new file mode 100644 index 0000000000..4cc6bbe55f --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol @@ -0,0 +1,57 @@ +pragma solidity 0.4.25; + +library SafeERC20 { + function safeTransferFrom(IERC20 token, address from, address to, uint256 value) internal {} +} + +interface IERC20 { + function transferFrom(address, address, uint256) external returns(bool); + function permit(address, address, uint256, uint256, uint8, bytes32, bytes32) external; +} + +contract ERC20 is IERC20 { + function transferFrom(address from, address to, uint256 amount) external returns(bool) { + return true; + } + function permit(address owner, address spender, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s) external {} +} + +contract C { + using SafeERC20 for IERC20; + + IERC20 erc20; + address notsend; + address send; + + constructor() public { + erc20 = new ERC20(); + notsend = address(0x3); + send = msg.sender; + } + + function bad1(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) public { + erc20.permit(from, address(this), value, deadline, v, r, s); + erc20.transferFrom(from, to, value); + } + + // This is not detected + function bad2(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) public { + int_transferFrom(from,value, deadline, v, r, s, to); + } + + function int_transferFrom(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) internal { + erc20.permit(from, address(this), value, deadline, v, r, s); + erc20.transferFrom(from, to, value); + } + + function bad3(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) external { + erc20.permit(from, address(this), value, deadline, v, r, s); + erc20.safeTransferFrom(from, to, value); + } + + function bad4(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) external { + erc20.permit(from, address(this), value, deadline, v, r, s); + SafeERC20.safeTransferFrom(erc20, from, to, value); + } + +} diff --git a/tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol.0.4.25.ArbitrarySendErc20Permit.json b/tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol.0.4.25.ArbitrarySendErc20Permit.json new file mode 100644 index 0000000000..0b3275b3da --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol.0.4.25.ArbitrarySendErc20Permit.json @@ -0,0 +1,768 @@ +[ + [ + { + "elements": [ + { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 843, + "length": 232, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 32, + 33, + 34, + 35 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(from,to,value)", + "source_mapping": { + "start": 1033, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 34 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 843, + "length": 232, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 32, + 33, + 34, + 35 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#32-35) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#34)\n", + "markdown": "[C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L32-L35) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L34)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L32-L35", + "id": "82a43f5bf554d897b270abaac0ee62650383fe341adeff0d9c1c95b0040548a2", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "int_transferFrom", + "source_mapping": { + "start": 1294, + "length": 246, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 42, + 43, + 44, + 45 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(from,to,value)", + "source_mapping": { + "start": 1498, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 44 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "int_transferFrom", + "source_mapping": { + "start": 1294, + "length": 246, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 42, + 43, + 44, + 45 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#42-45) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#44)\n", + "markdown": "[C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L42-L45) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L44)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L42-L45", + "id": "408ea319adfb46be330fd7775c13abf56f9d106eebcbcfe6574760309d93927e", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1546, + "length": 238, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 47, + 48, + 49, + 50 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.safeTransferFrom(from,to,value)", + "source_mapping": { + "start": 1738, + "length": 39, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 49 + ], + "starting_column": 9, + "ending_column": 48 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1546, + "length": 238, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 47, + 48, + 49, + 50 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#47-50) uses arbitrary from in transferFrom in combination with permit: erc20.safeTransferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#49)\n", + "markdown": "[C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L47-L50) uses arbitrary from in transferFrom in combination with permit: [erc20.safeTransferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L49)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L47-L50", + "id": "f7695706feb3a8409e367a88028dfad8c64e1000f1f71d6e55074d0dcfbc2305", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1794, + "length": 249, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 52, + 53, + 54, + 55 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "SafeERC20.safeTransferFrom(erc20,from,to,value)", + "source_mapping": { + "start": 1986, + "length": 50, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 54 + ], + "starting_column": 9, + "ending_column": 59 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1794, + "length": 249, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 52, + 53, + 54, + 55 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#52-55) uses arbitrary from in transferFrom in combination with permit: SafeERC20.safeTransferFrom(erc20,from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#54)\n", + "markdown": "[C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L52-L55) uses arbitrary from in transferFrom in combination with permit: [SafeERC20.safeTransferFrom(erc20,from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L54)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L52-L55", + "id": "22de0efa869fce1767af15469c8bcc95616478aec05625ab72283df0ad9fae55", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + } + ] +] \ No newline at end of file diff --git a/tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol b/tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol new file mode 100644 index 0000000000..4a020d2625 --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol @@ -0,0 +1,57 @@ +pragma solidity 0.5.16; + +library SafeERC20 { + function safeTransferFrom(IERC20 token, address from, address to, uint256 value) internal {} +} + +interface IERC20 { + function transferFrom(address, address, uint256) external returns(bool); + function permit(address, address, uint256, uint256, uint8, bytes32, bytes32) external; +} + +contract ERC20 is IERC20 { + function transferFrom(address from, address to, uint256 amount) external returns(bool) { + return true; + } + function permit(address owner, address spender, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s) external {} +} + +contract C { + using SafeERC20 for IERC20; + + IERC20 erc20; + address notsend; + address send; + + constructor() public { + erc20 = new ERC20(); + notsend = address(0x3); + send = msg.sender; + } + + function bad1(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) public { + erc20.permit(from, address(this), value, deadline, v, r, s); + erc20.transferFrom(from, to, value); + } + + // This is not detected + function bad2(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) public { + int_transferFrom(from,value, deadline, v, r, s, to); + } + + function int_transferFrom(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) internal { + erc20.permit(from, address(this), value, deadline, v, r, s); + erc20.transferFrom(from, to, value); + } + + function bad3(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) external { + erc20.permit(from, address(this), value, deadline, v, r, s); + erc20.safeTransferFrom(from, to, value); + } + + function bad4(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) external { + erc20.permit(from, address(this), value, deadline, v, r, s); + SafeERC20.safeTransferFrom(erc20, from, to, value); + } + +} diff --git a/tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol.0.5.16.ArbitrarySendErc20Permit.json b/tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol.0.5.16.ArbitrarySendErc20Permit.json new file mode 100644 index 0000000000..39888bf428 --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol.0.5.16.ArbitrarySendErc20Permit.json @@ -0,0 +1,768 @@ +[ + [ + { + "elements": [ + { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 843, + "length": 232, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 32, + 33, + 34, + 35 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(from,to,value)", + "source_mapping": { + "start": 1033, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 34 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 843, + "length": 232, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 32, + 33, + 34, + 35 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#32-35) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#34)\n", + "markdown": "[C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L32-L35) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L34)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L32-L35", + "id": "5983458eee02cf7d5484a82e17422dcdbd7b990305579e17d1252c0bb31e1cac", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "int_transferFrom", + "source_mapping": { + "start": 1294, + "length": 246, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 42, + 43, + 44, + 45 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(from,to,value)", + "source_mapping": { + "start": 1498, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 44 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "int_transferFrom", + "source_mapping": { + "start": 1294, + "length": 246, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 42, + 43, + 44, + 45 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#42-45) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#44)\n", + "markdown": "[C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L42-L45) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L44)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L42-L45", + "id": "e3ed372c52b219322ca290ecfa79be96d7ea1b019af329a515c6c10b7a1cf03b", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1546, + "length": 238, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 47, + 48, + 49, + 50 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.safeTransferFrom(from,to,value)", + "source_mapping": { + "start": 1738, + "length": 39, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 49 + ], + "starting_column": 9, + "ending_column": 48 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1546, + "length": 238, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 47, + 48, + 49, + 50 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#47-50) uses arbitrary from in transferFrom in combination with permit: erc20.safeTransferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#49)\n", + "markdown": "[C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L47-L50) uses arbitrary from in transferFrom in combination with permit: [erc20.safeTransferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L49)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L47-L50", + "id": "a8f319ba65d6c81726b72d7593eb089ce9819d22856387250e009a43a98cf1c3", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1794, + "length": 249, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 52, + 53, + 54, + 55 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "SafeERC20.safeTransferFrom(erc20,from,to,value)", + "source_mapping": { + "start": 1986, + "length": 50, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 54 + ], + "starting_column": 9, + "ending_column": 59 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1794, + "length": 249, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 52, + 53, + 54, + 55 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#52-55) uses arbitrary from in transferFrom in combination with permit: SafeERC20.safeTransferFrom(erc20,from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#54)\n", + "markdown": "[C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L52-L55) uses arbitrary from in transferFrom in combination with permit: [SafeERC20.safeTransferFrom(erc20,from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L54)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L52-L55", + "id": "57068db07fd7e67d0b63035936fad5a373fcb8f84bb6a58aa463278143db43fa", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + } + ] +] \ No newline at end of file diff --git a/tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol b/tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol new file mode 100644 index 0000000000..0a9f80e7d5 --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol @@ -0,0 +1,57 @@ +pragma solidity 0.6.11; + +library SafeERC20 { + function safeTransferFrom(IERC20 token, address from, address to, uint256 value) internal {} +} + +interface IERC20 { + function transferFrom(address, address, uint256) external returns(bool); + function permit(address, address, uint256, uint256, uint8, bytes32, bytes32) external; +} + +contract ERC20 is IERC20 { + function transferFrom(address from, address to, uint256 amount) external override returns(bool) { + return true; + } + function permit(address owner, address spender, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s) external override {} +} + +contract C { + using SafeERC20 for IERC20; + + IERC20 erc20; + address notsend; + address send; + + constructor() public { + erc20 = new ERC20(); + notsend = address(0x3); + send = msg.sender; + } + + function bad1(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) public { + erc20.permit(from, address(this), value, deadline, v, r, s); + erc20.transferFrom(from, to, value); + } + + // This is not detected + function bad2(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) public { + int_transferFrom(from,value, deadline, v, r, s, to); + } + + function int_transferFrom(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) internal { + erc20.permit(from, address(this), value, deadline, v, r, s); + erc20.transferFrom(from, to, value); + } + + function bad3(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) external { + erc20.permit(from, address(this), value, deadline, v, r, s); + erc20.safeTransferFrom(from, to, value); + } + + function bad4(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) external { + erc20.permit(from, address(this), value, deadline, v, r, s); + SafeERC20.safeTransferFrom(erc20, from, to, value); + } + +} diff --git a/tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol.0.6.11.ArbitrarySendErc20Permit.json b/tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol.0.6.11.ArbitrarySendErc20Permit.json new file mode 100644 index 0000000000..7d4ca84d86 --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol.0.6.11.ArbitrarySendErc20Permit.json @@ -0,0 +1,768 @@ +[ + [ + { + "elements": [ + { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 861, + "length": 232, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 32, + 33, + 34, + 35 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 631, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(from,to,value)", + "source_mapping": { + "start": 1051, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 34 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 861, + "length": 232, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 32, + 33, + 34, + 35 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 631, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#32-35) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#34)\n", + "markdown": "[C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L32-L35) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L34)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L32-L35", + "id": "f90e97c676187cd6d727064001123d8537f5d8253d0a66ab6798b4a1c250a425", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "int_transferFrom", + "source_mapping": { + "start": 1312, + "length": 246, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 42, + 43, + 44, + 45 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 631, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(from,to,value)", + "source_mapping": { + "start": 1516, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 44 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "int_transferFrom", + "source_mapping": { + "start": 1312, + "length": 246, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 42, + 43, + 44, + 45 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 631, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#42-45) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#44)\n", + "markdown": "[C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L42-L45) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L44)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L42-L45", + "id": "f75bec4e068adbca017ad00b355347aa0c337b30a807fa8e1b80577b031e68fd", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1564, + "length": 238, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 47, + 48, + 49, + 50 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 631, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.safeTransferFrom(from,to,value)", + "source_mapping": { + "start": 1756, + "length": 39, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 49 + ], + "starting_column": 9, + "ending_column": 48 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1564, + "length": 238, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 47, + 48, + 49, + 50 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 631, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#47-50) uses arbitrary from in transferFrom in combination with permit: erc20.safeTransferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#49)\n", + "markdown": "[C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L47-L50) uses arbitrary from in transferFrom in combination with permit: [erc20.safeTransferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L49)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L47-L50", + "id": "1caf8efb7dd42f74884b4ee8d8b44585eeaa5758776ef8ac1e31b8aa749eac26", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1812, + "length": 249, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 52, + 53, + 54, + 55 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 631, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "SafeERC20.safeTransferFrom(erc20,from,to,value)", + "source_mapping": { + "start": 2004, + "length": 50, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 54 + ], + "starting_column": 9, + "ending_column": 59 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1812, + "length": 249, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 52, + 53, + 54, + 55 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 631, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#52-55) uses arbitrary from in transferFrom in combination with permit: SafeERC20.safeTransferFrom(erc20,from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#54)\n", + "markdown": "[C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L52-L55) uses arbitrary from in transferFrom in combination with permit: [SafeERC20.safeTransferFrom(erc20,from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L54)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L52-L55", + "id": "cc58852f92580ac18db192412ec7e50667bf56d986349ae8fe6990f0b04f9f62", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + } + ] +] \ No newline at end of file diff --git a/tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol b/tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol new file mode 100644 index 0000000000..48e4e348ce --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol @@ -0,0 +1,57 @@ +pragma solidity 0.7.6; + +library SafeERC20 { + function safeTransferFrom(IERC20 token, address from, address to, uint256 value) internal {} +} + +interface IERC20 { + function transferFrom(address, address, uint256) external returns(bool); + function permit(address, address, uint256, uint256, uint8, bytes32, bytes32) external; +} + +contract ERC20 is IERC20 { + function transferFrom(address from, address to, uint256 amount) external override returns(bool) { + return true; + } + function permit(address owner, address spender, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s) external override {} +} + +contract C { + using SafeERC20 for IERC20; + + IERC20 erc20; + address notsend; + address send; + + constructor() public { + erc20 = new ERC20(); + notsend = address(0x3); + send = msg.sender; + } + + function bad1(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) public { + erc20.permit(from, address(this), value, deadline, v, r, s); + erc20.transferFrom(from, to, value); + } + + // This is not detected + function bad2(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) public { + int_transferFrom(from,value, deadline, v, r, s, to); + } + + function int_transferFrom(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) internal { + erc20.permit(from, address(this), value, deadline, v, r, s); + erc20.transferFrom(from, to, value); + } + + function bad3(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) external { + erc20.permit(from, address(this), value, deadline, v, r, s); + erc20.safeTransferFrom(from, to, value); + } + + function bad4(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) external { + erc20.permit(from, address(this), value, deadline, v, r, s); + SafeERC20.safeTransferFrom(erc20, from, to, value); + } + +} diff --git a/tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol.0.7.6.ArbitrarySendErc20Permit.json b/tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol.0.7.6.ArbitrarySendErc20Permit.json new file mode 100644 index 0000000000..9ebc5f3181 --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol.0.7.6.ArbitrarySendErc20Permit.json @@ -0,0 +1,768 @@ +[ + [ + { + "elements": [ + { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 860, + "length": 232, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 32, + 33, + 34, + 35 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(from,to,value)", + "source_mapping": { + "start": 1050, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 34 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 860, + "length": 232, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 32, + 33, + 34, + 35 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#32-35) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#34)\n", + "markdown": "[C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L32-L35) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L34)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L32-L35", + "id": "ba2c627103717a52a46b52714313000eb4f9d96f57dfac874854a3747ace5a13", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "int_transferFrom", + "source_mapping": { + "start": 1311, + "length": 246, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 42, + 43, + 44, + 45 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(from,to,value)", + "source_mapping": { + "start": 1515, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 44 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "int_transferFrom", + "source_mapping": { + "start": 1311, + "length": 246, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 42, + 43, + 44, + 45 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#42-45) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#44)\n", + "markdown": "[C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L42-L45) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L44)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L42-L45", + "id": "d56199ce2b7249389dffba8e53278f5ae32fbdda8a51cae8b5eb1cf2c09a0578", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1563, + "length": 238, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 47, + 48, + 49, + 50 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.safeTransferFrom(from,to,value)", + "source_mapping": { + "start": 1755, + "length": 39, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 49 + ], + "starting_column": 9, + "ending_column": 48 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1563, + "length": 238, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 47, + 48, + 49, + 50 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#47-50) uses arbitrary from in transferFrom in combination with permit: erc20.safeTransferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#49)\n", + "markdown": "[C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L47-L50) uses arbitrary from in transferFrom in combination with permit: [erc20.safeTransferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L49)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L47-L50", + "id": "63dc39bd9025d9fa7d39e07342e5652c010ff424e6d31ed9d1559f225c417956", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1811, + "length": 249, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 52, + 53, + 54, + 55 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "SafeERC20.safeTransferFrom(erc20,from,to,value)", + "source_mapping": { + "start": 2003, + "length": 50, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 54 + ], + "starting_column": 9, + "ending_column": 59 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1811, + "length": 249, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 52, + 53, + 54, + 55 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#52-55) uses arbitrary from in transferFrom in combination with permit: SafeERC20.safeTransferFrom(erc20,from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#54)\n", + "markdown": "[C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L52-L55) uses arbitrary from in transferFrom in combination with permit: [SafeERC20.safeTransferFrom(erc20,from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L54)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L52-L55", + "id": "7ebee7b534acb9d9502df84ba56fd0e90223cd262964c77cb9bee798eabd674b", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + } + ] +] \ No newline at end of file diff --git a/tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol b/tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol new file mode 100644 index 0000000000..99ecbe488b --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol @@ -0,0 +1,57 @@ +pragma solidity 0.8.0; + +library SafeERC20 { + function safeTransferFrom(IERC20 token, address from, address to, uint256 value) internal {} +} + +interface IERC20 { + function transferFrom(address, address, uint256) external returns(bool); + function permit(address, address, uint256, uint256, uint8, bytes32, bytes32) external; +} + +contract ERC20 is IERC20 { + function transferFrom(address from, address to, uint256 amount) external override returns(bool) { + return true; + } + function permit(address owner, address spender, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s) external override {} +} + +contract C { + using SafeERC20 for IERC20; + + IERC20 erc20; + address notsend; + address send; + + constructor() public { + erc20 = new ERC20(); + notsend = address(0x3); + send = msg.sender; + } + + function bad1(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) public { + erc20.permit(from, address(this), value, deadline, v, r, s); + erc20.transferFrom(from, to, value); + } + + // This is not detected + function bad2(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) public { + int_transferFrom(from,value, deadline, v, r, s, to); + } + + function int_transferFrom(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) internal { + erc20.permit(from, address(this), value, deadline, v, r, s); + erc20.transferFrom(from, to, value); + } + + function bad3(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) external { + erc20.permit(from, address(this), value, deadline, v, r, s); + erc20.safeTransferFrom(from, to, value); + } + + function bad4(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) external { + erc20.permit(from, address(this), value, deadline, v, r, s); + SafeERC20.safeTransferFrom(erc20, from, to, value); + } + +} diff --git a/tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol.0.8.0.ArbitrarySendErc20Permit.json b/tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol.0.8.0.ArbitrarySendErc20Permit.json new file mode 100644 index 0000000000..429bdf585b --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol.0.8.0.ArbitrarySendErc20Permit.json @@ -0,0 +1,768 @@ +[ + [ + { + "elements": [ + { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 860, + "length": 232, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 32, + 33, + 34, + 35 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(from,to,value)", + "source_mapping": { + "start": 1050, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 34 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 860, + "length": 232, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 32, + 33, + 34, + 35 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#32-35) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#34)\n", + "markdown": "[C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L32-L35) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L34)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L32-L35", + "id": "429dd8afad02f0e6869b1de2a82bf36ab35aaf74ba5909de5facd767f4642f32", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "int_transferFrom", + "source_mapping": { + "start": 1311, + "length": 246, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 42, + 43, + 44, + 45 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(from,to,value)", + "source_mapping": { + "start": 1515, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 44 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "int_transferFrom", + "source_mapping": { + "start": 1311, + "length": 246, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 42, + 43, + 44, + 45 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#42-45) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#44)\n", + "markdown": "[C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L42-L45) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L44)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L42-L45", + "id": "398cc3de119232bd6688c797ddfb4f84d7587dbf9f72f3056898bfc442a5fd85", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1563, + "length": 238, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 47, + 48, + 49, + 50 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.safeTransferFrom(from,to,value)", + "source_mapping": { + "start": 1755, + "length": 39, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 49 + ], + "starting_column": 9, + "ending_column": 48 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1563, + "length": 238, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 47, + 48, + 49, + 50 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#47-50) uses arbitrary from in transferFrom in combination with permit: erc20.safeTransferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#49)\n", + "markdown": "[C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L47-L50) uses arbitrary from in transferFrom in combination with permit: [erc20.safeTransferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L49)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L47-L50", + "id": "7841a86248d8345520e98b963d59de36814b25e5fa3cef9e031c61d05a7feb2a", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1811, + "length": 249, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 52, + 53, + 54, + 55 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "SafeERC20.safeTransferFrom(erc20,from,to,value)", + "source_mapping": { + "start": 2003, + "length": 50, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 54 + ], + "starting_column": 9, + "ending_column": 59 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1811, + "length": 249, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 52, + 53, + 54, + 55 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#52-55) uses arbitrary from in transferFrom in combination with permit: SafeERC20.safeTransferFrom(erc20,from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#54)\n", + "markdown": "[C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L52-L55) uses arbitrary from in transferFrom in combination with permit: [SafeERC20.safeTransferFrom(erc20,from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L54)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L52-L55", + "id": "136a1b6c001d3ca4b1aab662556139786307e1bf4cb929f4c507d592eb38cb72", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + } + ] +] \ No newline at end of file diff --git a/tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol b/tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol new file mode 100644 index 0000000000..cbed4554fc --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol @@ -0,0 +1,69 @@ +pragma solidity 0.4.25; + +library SafeERC20 { + function safeTransferFrom(IERC20 token, address from, address to, uint256 value) internal {} +} + +interface IERC20 { + function transferFrom(address, address, uint256) external returns(bool); +} + +contract ERC20 is IERC20 { + function transferFrom(address from, address to, uint256 amount) external returns(bool) { + return true; + } +} + +contract C { + using SafeERC20 for IERC20; + + IERC20 erc20; + address notsend; + address send; + + constructor() public { + erc20 = new ERC20(); + notsend = address(0x3); + send = msg.sender; + } + + function good1(address to, uint256 am) public { + address from_msgsender = msg.sender; + erc20.transferFrom(from_msgsender, to, am); + } + + function bad1(address to, uint256 am) public { + erc20.transferFrom(notsend, to, am); + } + + function good2(address to, uint256 am) public { + address from_msgsender = msg.sender; + int_transferFrom(from_msgsender, to, am); + } + + // This is not detected + function bad2(address from, address to, uint256 am) public { + int_transferFrom(from, to, am); + } + + function int_transferFrom(address from, address to, uint256 amount) internal { + erc20.transferFrom(from, to, amount); + } + + function good3(address to, uint256 amount) external { + erc20.safeTransferFrom(msg.sender, to, amount); + } + + function bad3(address from, address to, uint256 amount) external { + erc20.safeTransferFrom(from, to, amount); + } + + function good4(address to, uint256 amount) external { + SafeERC20.safeTransferFrom(erc20, msg.sender, to, amount); + } + + function bad4(address from, address to, uint256 amount) external { + SafeERC20.safeTransferFrom(erc20, from, to, amount); + } + +} diff --git a/tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol.0.4.25.ArbitrarySendErc20NoPermit.json b/tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol.0.4.25.ArbitrarySendErc20NoPermit.json new file mode 100644 index 0000000000..a367285c9f --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol.0.4.25.ArbitrarySendErc20NoPermit.json @@ -0,0 +1,655 @@ +[ + [ + { + "elements": [ + { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 780, + "length": 97, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 35, + 36, + 37 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 394, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(notsend,to,am)", + "source_mapping": { + "start": 835, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 36 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 780, + "length": 97, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 35, + 36, + 37 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 394, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256)" + } + } + } + } + ], + "description": "C.bad1(address,uint256) (tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#35-37) uses arbitrary from in transferFrom: erc20.transferFrom(notsend,to,am) (tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#36)\n", + "markdown": "[C.bad1(address,uint256)](tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L35-L37) uses arbitrary from in transferFrom: [erc20.transferFrom(notsend,to,am)](tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L36)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L35-L37", + "id": "430afa4e7855d25b1262162894fa21d58eea2571578d45de5399baf3eb438038", + "check": "arbitrary-send-erc20", + "impact": "High", + "confidence": "High" + }, + { + "elements": [ + { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1434, + "length": 122, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 57, + 58, + 59 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 394, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,address,uint256)" + } + }, + { + "type": "node", + "name": "erc20.safeTransferFrom(from,to,amount)", + "source_mapping": { + "start": 1509, + "length": 40, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 58 + ], + "starting_column": 9, + "ending_column": 49 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1434, + "length": 122, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 57, + 58, + 59 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 394, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,address,uint256)" + } + } + } + } + ], + "description": "C.bad3(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#57-59) uses arbitrary from in transferFrom: erc20.safeTransferFrom(from,to,amount) (tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#58)\n", + "markdown": "[C.bad3(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L57-L59) uses arbitrary from in transferFrom: [erc20.safeTransferFrom(from,to,amount)](tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L58)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L57-L59", + "id": "e7271d3fa958d20a025419c070ea1010431487e98e30fa2db65db9bf54a13665", + "check": "arbitrary-send-erc20", + "impact": "High", + "confidence": "High" + }, + { + "elements": [ + { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1702, + "length": 133, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 65, + 66, + 67 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 394, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,address,uint256)" + } + }, + { + "type": "node", + "name": "SafeERC20.safeTransferFrom(erc20,from,to,amount)", + "source_mapping": { + "start": 1777, + "length": 51, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 66 + ], + "starting_column": 9, + "ending_column": 60 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1702, + "length": 133, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 65, + 66, + 67 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 394, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,address,uint256)" + } + } + } + } + ], + "description": "C.bad4(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#65-67) uses arbitrary from in transferFrom: SafeERC20.safeTransferFrom(erc20,from,to,amount) (tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#66)\n", + "markdown": "[C.bad4(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L65-L67) uses arbitrary from in transferFrom: [SafeERC20.safeTransferFrom(erc20,from,to,amount)](tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L66)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L65-L67", + "id": "b2557d6385585034271b9873559de9cde4972e3207c43f260663f3d0e2a4d4a0", + "check": "arbitrary-send-erc20", + "impact": "High", + "confidence": "High" + } + ] +] \ No newline at end of file diff --git a/tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol b/tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol new file mode 100644 index 0000000000..ea5f5c24de --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol @@ -0,0 +1,69 @@ +pragma solidity 0.5.16; + +library SafeERC20 { + function safeTransferFrom(IERC20 token, address from, address to, uint256 value) internal {} +} + +interface IERC20 { + function transferFrom(address, address, uint256) external returns(bool); +} + +contract ERC20 is IERC20 { + function transferFrom(address from, address to, uint256 amount) external returns(bool) { + return true; + } +} + +contract C { + using SafeERC20 for IERC20; + + IERC20 erc20; + address notsend; + address send; + + constructor() public { + erc20 = new ERC20(); + notsend = address(0x3); + send = msg.sender; + } + + function good1(address to, uint256 am) public { + address from_msgsender = msg.sender; + erc20.transferFrom(from_msgsender, to, am); + } + + function bad1(address to, uint256 am) public { + erc20.transferFrom(notsend, to, am); + } + + function good2(address to, uint256 am) public { + address from_msgsender = msg.sender; + int_transferFrom(from_msgsender, to, am); + } + + // This is not detected + function bad2(address from, address to, uint256 am) public { + int_transferFrom(from, to, am); + } + + function int_transferFrom(address from, address to, uint256 amount) internal { + erc20.transferFrom(from, to, amount); + } + + function good3(address to, uint256 amount) external { + erc20.safeTransferFrom(msg.sender, to, amount); + } + + function bad3(address from, address to, uint256 amount) external { + erc20.safeTransferFrom(from, to, amount); + } + + function good4(address to, uint256 amount) external { + SafeERC20.safeTransferFrom(erc20, msg.sender, to, amount); + } + + function bad4(address from, address to, uint256 amount) external { + SafeERC20.safeTransferFrom(erc20, from, to, amount); + } + +} diff --git a/tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol.0.5.16.ArbitrarySendErc20NoPermit.json b/tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol.0.5.16.ArbitrarySendErc20NoPermit.json new file mode 100644 index 0000000000..8f93377130 --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol.0.5.16.ArbitrarySendErc20NoPermit.json @@ -0,0 +1,655 @@ +[ + [ + { + "elements": [ + { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 780, + "length": 97, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 35, + 36, + 37 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 394, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(notsend,to,am)", + "source_mapping": { + "start": 835, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 36 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 780, + "length": 97, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 35, + 36, + 37 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 394, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256)" + } + } + } + } + ], + "description": "C.bad1(address,uint256) (tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#35-37) uses arbitrary from in transferFrom: erc20.transferFrom(notsend,to,am) (tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#36)\n", + "markdown": "[C.bad1(address,uint256)](tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L35-L37) uses arbitrary from in transferFrom: [erc20.transferFrom(notsend,to,am)](tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L36)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L35-L37", + "id": "6ca6aea5c4506ac7fa421c049e0bd41faa74317e303b94721bc64c2fc6e8f128", + "check": "arbitrary-send-erc20", + "impact": "High", + "confidence": "High" + }, + { + "elements": [ + { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1434, + "length": 122, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 57, + 58, + 59 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 394, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,address,uint256)" + } + }, + { + "type": "node", + "name": "erc20.safeTransferFrom(from,to,amount)", + "source_mapping": { + "start": 1509, + "length": 40, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 58 + ], + "starting_column": 9, + "ending_column": 49 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1434, + "length": 122, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 57, + 58, + 59 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 394, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,address,uint256)" + } + } + } + } + ], + "description": "C.bad3(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#57-59) uses arbitrary from in transferFrom: erc20.safeTransferFrom(from,to,amount) (tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#58)\n", + "markdown": "[C.bad3(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L57-L59) uses arbitrary from in transferFrom: [erc20.safeTransferFrom(from,to,amount)](tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L58)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L57-L59", + "id": "773c84f15f90123743b54aca858695d11603109f4da52c487ee4ae161f09411b", + "check": "arbitrary-send-erc20", + "impact": "High", + "confidence": "High" + }, + { + "elements": [ + { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1702, + "length": 133, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 65, + 66, + 67 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 394, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,address,uint256)" + } + }, + { + "type": "node", + "name": "SafeERC20.safeTransferFrom(erc20,from,to,amount)", + "source_mapping": { + "start": 1777, + "length": 51, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 66 + ], + "starting_column": 9, + "ending_column": 60 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1702, + "length": 133, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 65, + 66, + 67 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 394, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,address,uint256)" + } + } + } + } + ], + "description": "C.bad4(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#65-67) uses arbitrary from in transferFrom: SafeERC20.safeTransferFrom(erc20,from,to,amount) (tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#66)\n", + "markdown": "[C.bad4(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L65-L67) uses arbitrary from in transferFrom: [SafeERC20.safeTransferFrom(erc20,from,to,amount)](tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L66)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L65-L67", + "id": "15a810d738734100851211c7e6bff65724d553eb693869575ec3d9c9bf47081c", + "check": "arbitrary-send-erc20", + "impact": "High", + "confidence": "High" + } + ] +] \ No newline at end of file diff --git a/tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol b/tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol new file mode 100644 index 0000000000..70ac209dcd --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol @@ -0,0 +1,69 @@ +pragma solidity 0.6.11; + +library SafeERC20 { + function safeTransferFrom(IERC20 token, address from, address to, uint256 value) internal {} +} + +interface IERC20 { + function transferFrom(address, address, uint256) external returns(bool); +} + +contract ERC20 is IERC20 { + function transferFrom(address from, address to, uint256 amount) external override returns(bool) { + return true; + } +} + +contract C { + using SafeERC20 for IERC20; + + IERC20 erc20; + address notsend; + address send; + + constructor() public { + erc20 = new ERC20(); + notsend = address(0x3); + send = msg.sender; + } + + function good1(address to, uint256 am) public { + address from_msgsender = msg.sender; + erc20.transferFrom(from_msgsender, to, am); + } + + function bad1(address to, uint256 am) public { + erc20.transferFrom(notsend, to, am); + } + + function good2(address to, uint256 am) public { + address from_msgsender = msg.sender; + int_transferFrom(from_msgsender, to, am); + } + + // This is not detected + function bad2(address from, address to, uint256 am) public { + int_transferFrom(from, to, am); + } + + function int_transferFrom(address from, address to, uint256 amount) internal { + erc20.transferFrom(from, to, amount); + } + + function good3(address to, uint256 amount) external { + erc20.safeTransferFrom(msg.sender, to, amount); + } + + function bad3(address from, address to, uint256 amount) external { + erc20.safeTransferFrom(from, to, amount); + } + + function good4(address to, uint256 amount) external { + SafeERC20.safeTransferFrom(erc20, msg.sender, to, amount); + } + + function bad4(address from, address to, uint256 amount) external { + SafeERC20.safeTransferFrom(erc20, from, to, amount); + } + +} diff --git a/tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol.0.6.11.ArbitrarySendErc20NoPermit.json b/tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol.0.6.11.ArbitrarySendErc20NoPermit.json new file mode 100644 index 0000000000..07b128bd70 --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol.0.6.11.ArbitrarySendErc20NoPermit.json @@ -0,0 +1,655 @@ +[ + [ + { + "elements": [ + { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 789, + "length": 97, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 35, + 36, + 37 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 403, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(notsend,to,am)", + "source_mapping": { + "start": 844, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 36 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 789, + "length": 97, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 35, + 36, + 37 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 403, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256)" + } + } + } + } + ], + "description": "C.bad1(address,uint256) (tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#35-37) uses arbitrary from in transferFrom: erc20.transferFrom(notsend,to,am) (tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#36)\n", + "markdown": "[C.bad1(address,uint256)](tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L35-L37) uses arbitrary from in transferFrom: [erc20.transferFrom(notsend,to,am)](tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L36)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L35-L37", + "id": "040cf50981f6e1dea1f7a19f0115811be1347e0637f0ca85d789ae612a509322", + "check": "arbitrary-send-erc20", + "impact": "High", + "confidence": "High" + }, + { + "elements": [ + { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1443, + "length": 122, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 57, + 58, + 59 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 403, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,address,uint256)" + } + }, + { + "type": "node", + "name": "erc20.safeTransferFrom(from,to,amount)", + "source_mapping": { + "start": 1518, + "length": 40, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 58 + ], + "starting_column": 9, + "ending_column": 49 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1443, + "length": 122, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 57, + 58, + 59 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 403, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,address,uint256)" + } + } + } + } + ], + "description": "C.bad3(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#57-59) uses arbitrary from in transferFrom: erc20.safeTransferFrom(from,to,amount) (tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#58)\n", + "markdown": "[C.bad3(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L57-L59) uses arbitrary from in transferFrom: [erc20.safeTransferFrom(from,to,amount)](tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L58)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L57-L59", + "id": "8551e9d33fdd4f73f1eb7776480b2e8cd2cf9c897b52285c3a287caab6822ce3", + "check": "arbitrary-send-erc20", + "impact": "High", + "confidence": "High" + }, + { + "elements": [ + { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1711, + "length": 133, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 65, + 66, + 67 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 403, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,address,uint256)" + } + }, + { + "type": "node", + "name": "SafeERC20.safeTransferFrom(erc20,from,to,amount)", + "source_mapping": { + "start": 1786, + "length": 51, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 66 + ], + "starting_column": 9, + "ending_column": 60 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1711, + "length": 133, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 65, + 66, + 67 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 403, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,address,uint256)" + } + } + } + } + ], + "description": "C.bad4(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#65-67) uses arbitrary from in transferFrom: SafeERC20.safeTransferFrom(erc20,from,to,amount) (tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#66)\n", + "markdown": "[C.bad4(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L65-L67) uses arbitrary from in transferFrom: [SafeERC20.safeTransferFrom(erc20,from,to,amount)](tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L66)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L65-L67", + "id": "61438092d2da6c23ecfa13e5e55c489e538249e47bddd9335b533d28a242aea1", + "check": "arbitrary-send-erc20", + "impact": "High", + "confidence": "High" + } + ] +] \ No newline at end of file diff --git a/tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol b/tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol new file mode 100644 index 0000000000..56d3352ef4 --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol @@ -0,0 +1,69 @@ +pragma solidity 0.7.6; + +library SafeERC20 { + function safeTransferFrom(IERC20 token, address from, address to, uint256 value) internal {} +} + +interface IERC20 { + function transferFrom(address, address, uint256) external returns(bool); +} + +contract ERC20 is IERC20 { + function transferFrom(address from, address to, uint256 amount) external override returns(bool) { + return true; + } +} + +contract C { + using SafeERC20 for IERC20; + + IERC20 erc20; + address notsend; + address send; + + constructor() { + erc20 = new ERC20(); + notsend = address(0x3); + send = msg.sender; + } + + function good1(address to, uint256 am) public { + address from_msgsender = msg.sender; + erc20.transferFrom(from_msgsender, to, am); + } + + function bad1(address to, uint256 am) public { + erc20.transferFrom(notsend, to, am); + } + + function good2(address to, uint256 am) public { + address from_msgsender = msg.sender; + int_transferFrom(from_msgsender, to, am); + } + + // This is not detected + function bad2(address from, address to, uint256 am) public { + int_transferFrom(from, to, am); + } + + function int_transferFrom(address from, address to, uint256 amount) internal { + erc20.transferFrom(from, to, amount); + } + + function good3(address to, uint256 amount) external { + erc20.safeTransferFrom(msg.sender, to, amount); + } + + function bad3(address from, address to, uint256 amount) external { + erc20.safeTransferFrom(from, to, amount); + } + + function good4(address to, uint256 amount) external { + SafeERC20.safeTransferFrom(erc20, msg.sender, to, amount); + } + + function bad4(address from, address to, uint256 amount) external { + SafeERC20.safeTransferFrom(erc20, from, to, amount); + } + +} diff --git a/tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol.0.7.6.ArbitrarySendErc20NoPermit.json b/tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol.0.7.6.ArbitrarySendErc20NoPermit.json new file mode 100644 index 0000000000..1be3753a12 --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol.0.7.6.ArbitrarySendErc20NoPermit.json @@ -0,0 +1,655 @@ +[ + [ + { + "elements": [ + { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 781, + "length": 97, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 35, + 36, + 37 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 402, + "length": 1437, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(notsend,to,am)", + "source_mapping": { + "start": 836, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 36 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 781, + "length": 97, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 35, + 36, + 37 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 402, + "length": 1437, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256)" + } + } + } + } + ], + "description": "C.bad1(address,uint256) (tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#35-37) uses arbitrary from in transferFrom: erc20.transferFrom(notsend,to,am) (tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#36)\n", + "markdown": "[C.bad1(address,uint256)](tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L35-L37) uses arbitrary from in transferFrom: [erc20.transferFrom(notsend,to,am)](tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L36)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L35-L37", + "id": "820841ccd8aee0469f9719d62ad01054b71a758a1d6924ed6a19ea078ff8350a", + "check": "arbitrary-send-erc20", + "impact": "High", + "confidence": "High" + }, + { + "elements": [ + { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1435, + "length": 122, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 57, + 58, + 59 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 402, + "length": 1437, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,address,uint256)" + } + }, + { + "type": "node", + "name": "erc20.safeTransferFrom(from,to,amount)", + "source_mapping": { + "start": 1510, + "length": 40, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 58 + ], + "starting_column": 9, + "ending_column": 49 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1435, + "length": 122, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 57, + 58, + 59 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 402, + "length": 1437, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,address,uint256)" + } + } + } + } + ], + "description": "C.bad3(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#57-59) uses arbitrary from in transferFrom: erc20.safeTransferFrom(from,to,amount) (tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#58)\n", + "markdown": "[C.bad3(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L57-L59) uses arbitrary from in transferFrom: [erc20.safeTransferFrom(from,to,amount)](tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L58)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L57-L59", + "id": "27c4a0e1a038beb0c01c86e07f1aef592f96907d330bcf899bde6632a9022327", + "check": "arbitrary-send-erc20", + "impact": "High", + "confidence": "High" + }, + { + "elements": [ + { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1703, + "length": 133, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 65, + 66, + 67 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 402, + "length": 1437, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,address,uint256)" + } + }, + { + "type": "node", + "name": "SafeERC20.safeTransferFrom(erc20,from,to,amount)", + "source_mapping": { + "start": 1778, + "length": 51, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 66 + ], + "starting_column": 9, + "ending_column": 60 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1703, + "length": 133, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 65, + 66, + 67 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 402, + "length": 1437, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,address,uint256)" + } + } + } + } + ], + "description": "C.bad4(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#65-67) uses arbitrary from in transferFrom: SafeERC20.safeTransferFrom(erc20,from,to,amount) (tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#66)\n", + "markdown": "[C.bad4(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L65-L67) uses arbitrary from in transferFrom: [SafeERC20.safeTransferFrom(erc20,from,to,amount)](tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L66)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L65-L67", + "id": "9ecb2b9df9554b9ebdbcfd058eb44ba4f1524b285b676063432d5ede48aee5ad", + "check": "arbitrary-send-erc20", + "impact": "High", + "confidence": "High" + } + ] +] \ No newline at end of file diff --git a/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol b/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol new file mode 100644 index 0000000000..68eafd3937 --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol @@ -0,0 +1,69 @@ +pragma solidity 0.8.0; + +library SafeERC20 { + function safeTransferFrom(IERC20 token, address from, address to, uint256 value) internal {} +} + +interface IERC20 { + function transferFrom(address, address, uint256) external returns(bool); +} + +contract ERC20 is IERC20 { + function transferFrom(address from, address to, uint256 amount) external override returns(bool) { + return true; + } +} + +contract C { + using SafeERC20 for IERC20; + + IERC20 erc20; + address notsend; + address send; + + constructor() { + erc20 = new ERC20(); + notsend = address(0x3); + send = msg.sender; + } + + function good1(address to, uint256 am) public { + address from_msgsender = msg.sender; + erc20.transferFrom(from_msgsender, to, am); + } + + function bad1(address to, uint256 am) public { + erc20.transferFrom(notsend, to, am); + } + + function good2(address to, uint256 am) public { + address from_msgsender = msg.sender; + int_transferFrom(from_msgsender, to, am); + } + + // This is not detected + function bad2(address from, address to, uint256 am) public { + int_transferFrom(from, to, am); + } + + function int_transferFrom(address from, address to, uint256 amount) internal { + erc20.transferFrom(from, to, amount); + } + + function good3(address to, uint256 amount) external { + erc20.safeTransferFrom(msg.sender, to, amount); + } + + function bad3(address from, address to, uint256 amount) external { + erc20.safeTransferFrom(from, to, amount); + } + + function good4(address to, uint256 amount) external { + SafeERC20.safeTransferFrom(erc20, msg.sender, to, amount); + } + + function bad4(address from, address to, uint256 amount) external { + SafeERC20.safeTransferFrom(erc20, from, to, amount); + } + +} diff --git a/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol.0.8.0.ArbitrarySendErc20NoPermit.json b/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol.0.8.0.ArbitrarySendErc20NoPermit.json new file mode 100644 index 0000000000..a340e4c4fa --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol.0.8.0.ArbitrarySendErc20NoPermit.json @@ -0,0 +1,655 @@ +[ + [ + { + "elements": [ + { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 781, + "length": 97, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 35, + 36, + 37 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 402, + "length": 1437, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(notsend,to,am)", + "source_mapping": { + "start": 836, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 36 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 781, + "length": 97, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 35, + 36, + 37 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 402, + "length": 1437, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256)" + } + } + } + } + ], + "description": "C.bad1(address,uint256) (tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#35-37) uses arbitrary from in transferFrom: erc20.transferFrom(notsend,to,am) (tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#36)\n", + "markdown": "[C.bad1(address,uint256)](tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L35-L37) uses arbitrary from in transferFrom: [erc20.transferFrom(notsend,to,am)](tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L36)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L35-L37", + "id": "8972d014c645b3a3783400fb2a6a38b20ea38973481025b6f99b3c15c9e63868", + "check": "arbitrary-send-erc20", + "impact": "High", + "confidence": "High" + }, + { + "elements": [ + { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1435, + "length": 122, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 57, + 58, + 59 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 402, + "length": 1437, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,address,uint256)" + } + }, + { + "type": "node", + "name": "erc20.safeTransferFrom(from,to,amount)", + "source_mapping": { + "start": 1510, + "length": 40, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 58 + ], + "starting_column": 9, + "ending_column": 49 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1435, + "length": 122, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 57, + 58, + 59 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 402, + "length": 1437, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,address,uint256)" + } + } + } + } + ], + "description": "C.bad3(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#57-59) uses arbitrary from in transferFrom: erc20.safeTransferFrom(from,to,amount) (tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#58)\n", + "markdown": "[C.bad3(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L57-L59) uses arbitrary from in transferFrom: [erc20.safeTransferFrom(from,to,amount)](tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L58)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L57-L59", + "id": "196b46419f55696599f4a533ea4915c3b1c39be679d8e2ab15a60b7a0238d52c", + "check": "arbitrary-send-erc20", + "impact": "High", + "confidence": "High" + }, + { + "elements": [ + { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1703, + "length": 133, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 65, + 66, + 67 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 402, + "length": 1437, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,address,uint256)" + } + }, + { + "type": "node", + "name": "SafeERC20.safeTransferFrom(erc20,from,to,amount)", + "source_mapping": { + "start": 1778, + "length": 51, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 66 + ], + "starting_column": 9, + "ending_column": 60 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1703, + "length": 133, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 65, + 66, + 67 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 402, + "length": 1437, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,address,uint256)" + } + } + } + } + ], + "description": "C.bad4(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#65-67) uses arbitrary from in transferFrom: SafeERC20.safeTransferFrom(erc20,from,to,amount) (tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#66)\n", + "markdown": "[C.bad4(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L65-L67) uses arbitrary from in transferFrom: [SafeERC20.safeTransferFrom(erc20,from,to,amount)](tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L66)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L65-L67", + "id": "6ba2ac6eeef603310a4b4f7931ab44fadb3a242517096e17c5f1e39f0f4b83cf", + "check": "arbitrary-send-erc20", + "impact": "High", + "confidence": "High" + } + ] +] \ No newline at end of file diff --git a/tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol b/tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol similarity index 100% rename from tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol rename to tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol diff --git a/tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol.0.4.25.ArbitrarySend.json b/tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol.0.4.25.ArbitrarySendEth.json similarity index 88% rename from tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol.0.4.25.ArbitrarySend.json rename to tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol.0.4.25.ArbitrarySendEth.json index 54595becc0..15685f8fcc 100644 --- a/tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol.0.4.25.ArbitrarySend.json +++ b/tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol.0.4.25.ArbitrarySendEth.json @@ -9,9 +9,9 @@ "start": 147, "length": 79, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 11, @@ -29,9 +29,9 @@ "start": 0, "length": 869, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, @@ -90,9 +90,9 @@ "start": 181, "length": 38, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 12 @@ -108,9 +108,9 @@ "start": 147, "length": 79, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 11, @@ -128,9 +128,9 @@ "start": 0, "length": 869, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, @@ -185,11 +185,11 @@ } } ], - "description": "Test.direct() (tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol#11-13) sends eth to arbitrary user\n\tDangerous calls:\n\t- msg.sender.send(address(this).balance) (tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol#12)\n", - "markdown": "[Test.direct()](tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol#L11-L13) sends eth to arbitrary user\n\tDangerous calls:\n\t- [msg.sender.send(address(this).balance)](tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol#L12)\n", - "first_markdown_element": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol#L11-L13", - "id": "477cc1ab9fa3d2263400e47d09146eaed3e478f5eecf7856b59d49a2a5093a1c", - "check": "arbitrary-send", + "description": "Test.direct() (tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol#11-13) sends eth to arbitrary user\n\tDangerous calls:\n\t- msg.sender.send(address(this).balance) (tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol#12)\n", + "markdown": "[Test.direct()](tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol#L11-L13) sends eth to arbitrary user\n\tDangerous calls:\n\t- [msg.sender.send(address(this).balance)](tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol#L12)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol#L11-L13", + "id": "672bdccd2e85fb88deee03d312d533259b73ca932965ae09e5b24a3b546c4ad2", + "check": "arbitrary-send-eth", "impact": "High", "confidence": "Medium" }, @@ -202,9 +202,9 @@ "start": 301, "length": 82, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 19, @@ -222,9 +222,9 @@ "start": 0, "length": 869, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, @@ -283,9 +283,9 @@ "start": 337, "length": 39, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 20 @@ -301,9 +301,9 @@ "start": 301, "length": 82, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 19, @@ -321,9 +321,9 @@ "start": 0, "length": 869, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, @@ -378,11 +378,11 @@ } } ], - "description": "Test.indirect() (tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol#19-21) sends eth to arbitrary user\n\tDangerous calls:\n\t- destination.send(address(this).balance) (tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol#20)\n", - "markdown": "[Test.indirect()](tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol#L19-L21) sends eth to arbitrary user\n\tDangerous calls:\n\t- [destination.send(address(this).balance)](tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol#L20)\n", - "first_markdown_element": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol#L19-L21", - "id": "4759805615df746a3d8a6c068ce885d2c18c46edf411f83ae004593958caafe7", - "check": "arbitrary-send", + "description": "Test.indirect() (tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol#19-21) sends eth to arbitrary user\n\tDangerous calls:\n\t- destination.send(address(this).balance) (tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol#20)\n", + "markdown": "[Test.indirect()](tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol#L19-L21) sends eth to arbitrary user\n\tDangerous calls:\n\t- [destination.send(address(this).balance)](tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol#L20)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol#L19-L21", + "id": "9d50facc8382e844e7381f8ca9e389061bd0302345047de2407e0ad7b046687d", + "check": "arbitrary-send-eth", "impact": "High", "confidence": "Medium" } diff --git a/tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol b/tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol similarity index 100% rename from tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol rename to tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol diff --git a/tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol.0.5.16.ArbitrarySend.json b/tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol.0.5.16.ArbitrarySendEth.json similarity index 88% rename from tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol.0.5.16.ArbitrarySend.json rename to tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol.0.5.16.ArbitrarySendEth.json index cfb1bcc13f..814e44e931 100644 --- a/tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol.0.5.16.ArbitrarySend.json +++ b/tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol.0.5.16.ArbitrarySendEth.json @@ -9,9 +9,9 @@ "start": 162, "length": 79, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 11, @@ -29,9 +29,9 @@ "start": 0, "length": 884, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, @@ -90,9 +90,9 @@ "start": 196, "length": 38, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 12 @@ -108,9 +108,9 @@ "start": 162, "length": 79, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 11, @@ -128,9 +128,9 @@ "start": 0, "length": 884, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, @@ -185,11 +185,11 @@ } } ], - "description": "Test.direct() (tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol#11-13) sends eth to arbitrary user\n\tDangerous calls:\n\t- msg.sender.send(address(this).balance) (tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol#12)\n", - "markdown": "[Test.direct()](tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol#L11-L13) sends eth to arbitrary user\n\tDangerous calls:\n\t- [msg.sender.send(address(this).balance)](tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol#L12)\n", - "first_markdown_element": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol#L11-L13", - "id": "9531cafd91af4d7b54f22fa933dae983077df1c51bd855c2516ffee812911f43", - "check": "arbitrary-send", + "description": "Test.direct() (tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol#11-13) sends eth to arbitrary user\n\tDangerous calls:\n\t- msg.sender.send(address(this).balance) (tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol#12)\n", + "markdown": "[Test.direct()](tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol#L11-L13) sends eth to arbitrary user\n\tDangerous calls:\n\t- [msg.sender.send(address(this).balance)](tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol#L12)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol#L11-L13", + "id": "7ded1859293ad51d129850d2f19669c7d38f4687a6e2afa8d93534d5f2a9a0ad", + "check": "arbitrary-send-eth", "impact": "High", "confidence": "Medium" }, @@ -202,9 +202,9 @@ "start": 316, "length": 82, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 19, @@ -222,9 +222,9 @@ "start": 0, "length": 884, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, @@ -283,9 +283,9 @@ "start": 352, "length": 39, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 20 @@ -301,9 +301,9 @@ "start": 316, "length": 82, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 19, @@ -321,9 +321,9 @@ "start": 0, "length": 884, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, @@ -378,11 +378,11 @@ } } ], - "description": "Test.indirect() (tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol#19-21) sends eth to arbitrary user\n\tDangerous calls:\n\t- destination.send(address(this).balance) (tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol#20)\n", - "markdown": "[Test.indirect()](tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol#L19-L21) sends eth to arbitrary user\n\tDangerous calls:\n\t- [destination.send(address(this).balance)](tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol#L20)\n", - "first_markdown_element": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol#L19-L21", - "id": "f1395ebf21de9f8fb2c5d254c5990cce55b239c05a6a5e074813f58c6cd32834", - "check": "arbitrary-send", + "description": "Test.indirect() (tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol#19-21) sends eth to arbitrary user\n\tDangerous calls:\n\t- destination.send(address(this).balance) (tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol#20)\n", + "markdown": "[Test.indirect()](tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol#L19-L21) sends eth to arbitrary user\n\tDangerous calls:\n\t- [destination.send(address(this).balance)](tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol#L20)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol#L19-L21", + "id": "d27379ff48eebb6c568308104d444dc8f6b5ed5eae53f6c937aec9fb15cf6464", + "check": "arbitrary-send-eth", "impact": "High", "confidence": "Medium" } diff --git a/tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol b/tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol similarity index 100% rename from tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol rename to tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol diff --git a/tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol.0.6.11.ArbitrarySend.json b/tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol.0.6.11.ArbitrarySendEth.json similarity index 88% rename from tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol.0.6.11.ArbitrarySend.json rename to tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol.0.6.11.ArbitrarySendEth.json index cde2f95aa2..af4d54ece7 100644 --- a/tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol.0.6.11.ArbitrarySend.json +++ b/tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol.0.6.11.ArbitrarySendEth.json @@ -9,9 +9,9 @@ "start": 162, "length": 79, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 11, @@ -29,9 +29,9 @@ "start": 0, "length": 884, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, @@ -90,9 +90,9 @@ "start": 196, "length": 38, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 12 @@ -108,9 +108,9 @@ "start": 162, "length": 79, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 11, @@ -128,9 +128,9 @@ "start": 0, "length": 884, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, @@ -185,11 +185,11 @@ } } ], - "description": "Test.direct() (tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol#11-13) sends eth to arbitrary user\n\tDangerous calls:\n\t- msg.sender.send(address(this).balance) (tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol#12)\n", - "markdown": "[Test.direct()](tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol#L11-L13) sends eth to arbitrary user\n\tDangerous calls:\n\t- [msg.sender.send(address(this).balance)](tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol#L12)\n", - "first_markdown_element": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol#L11-L13", - "id": "8a1de239f630f10fef9ef6a9c439fc10aad2f6caba7ee43d1a7f7bacf6028f1e", - "check": "arbitrary-send", + "description": "Test.direct() (tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol#11-13) sends eth to arbitrary user\n\tDangerous calls:\n\t- msg.sender.send(address(this).balance) (tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol#12)\n", + "markdown": "[Test.direct()](tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol#L11-L13) sends eth to arbitrary user\n\tDangerous calls:\n\t- [msg.sender.send(address(this).balance)](tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol#L12)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol#L11-L13", + "id": "51e87e03fc48363e666bb99c1d15beccb50464e1c170eeea5b76ec6fcde643e7", + "check": "arbitrary-send-eth", "impact": "High", "confidence": "Medium" }, @@ -202,9 +202,9 @@ "start": 316, "length": 82, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 19, @@ -222,9 +222,9 @@ "start": 0, "length": 884, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, @@ -283,9 +283,9 @@ "start": 352, "length": 39, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 20 @@ -301,9 +301,9 @@ "start": 316, "length": 82, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 19, @@ -321,9 +321,9 @@ "start": 0, "length": 884, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, @@ -378,11 +378,11 @@ } } ], - "description": "Test.indirect() (tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol#19-21) sends eth to arbitrary user\n\tDangerous calls:\n\t- destination.send(address(this).balance) (tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol#20)\n", - "markdown": "[Test.indirect()](tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol#L19-L21) sends eth to arbitrary user\n\tDangerous calls:\n\t- [destination.send(address(this).balance)](tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol#L20)\n", - "first_markdown_element": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol#L19-L21", - "id": "f272e05d9741895fc22051ed09afa6ce4af8ad4cd74b3452224dfb29eb4b9df6", - "check": "arbitrary-send", + "description": "Test.indirect() (tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol#19-21) sends eth to arbitrary user\n\tDangerous calls:\n\t- destination.send(address(this).balance) (tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol#20)\n", + "markdown": "[Test.indirect()](tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol#L19-L21) sends eth to arbitrary user\n\tDangerous calls:\n\t- [destination.send(address(this).balance)](tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol#L20)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol#L19-L21", + "id": "0ec491130aac4e23e6d47193bff49ed6029330bca373454b4e34ffba0a2baea6", + "check": "arbitrary-send-eth", "impact": "High", "confidence": "Medium" } diff --git a/tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol b/tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol similarity index 100% rename from tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol rename to tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol diff --git a/tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol.0.7.6.ArbitrarySend.json b/tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol.0.7.6.ArbitrarySendEth.json similarity index 88% rename from tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol.0.7.6.ArbitrarySend.json rename to tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol.0.7.6.ArbitrarySendEth.json index a87969ad54..56afe8cb59 100644 --- a/tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol.0.7.6.ArbitrarySend.json +++ b/tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol.0.7.6.ArbitrarySendEth.json @@ -9,9 +9,9 @@ "start": 162, "length": 79, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 11, @@ -29,9 +29,9 @@ "start": 0, "length": 884, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, @@ -90,9 +90,9 @@ "start": 196, "length": 38, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 12 @@ -108,9 +108,9 @@ "start": 162, "length": 79, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 11, @@ -128,9 +128,9 @@ "start": 0, "length": 884, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, @@ -185,11 +185,11 @@ } } ], - "description": "Test.direct() (tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol#11-13) sends eth to arbitrary user\n\tDangerous calls:\n\t- msg.sender.send(address(this).balance) (tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol#12)\n", - "markdown": "[Test.direct()](tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol#L11-L13) sends eth to arbitrary user\n\tDangerous calls:\n\t- [msg.sender.send(address(this).balance)](tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol#L12)\n", - "first_markdown_element": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol#L11-L13", - "id": "90d9178119fb586af18c2298136d7f1af4d33a9b702b94d2ca0fcdbe6ee783c6", - "check": "arbitrary-send", + "description": "Test.direct() (tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol#11-13) sends eth to arbitrary user\n\tDangerous calls:\n\t- msg.sender.send(address(this).balance) (tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol#12)\n", + "markdown": "[Test.direct()](tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol#L11-L13) sends eth to arbitrary user\n\tDangerous calls:\n\t- [msg.sender.send(address(this).balance)](tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol#L12)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol#L11-L13", + "id": "76af03df5e6d33df8978a2cc00dfe944236aca69ad1b7f107580da1b76121082", + "check": "arbitrary-send-eth", "impact": "High", "confidence": "Medium" }, @@ -202,9 +202,9 @@ "start": 316, "length": 82, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 19, @@ -222,9 +222,9 @@ "start": 0, "length": 884, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, @@ -283,9 +283,9 @@ "start": 352, "length": 39, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 20 @@ -301,9 +301,9 @@ "start": 316, "length": 82, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 19, @@ -321,9 +321,9 @@ "start": 0, "length": 884, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, @@ -378,11 +378,11 @@ } } ], - "description": "Test.indirect() (tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol#19-21) sends eth to arbitrary user\n\tDangerous calls:\n\t- destination.send(address(this).balance) (tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol#20)\n", - "markdown": "[Test.indirect()](tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol#L19-L21) sends eth to arbitrary user\n\tDangerous calls:\n\t- [destination.send(address(this).balance)](tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol#L20)\n", - "first_markdown_element": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol#L19-L21", - "id": "3bf41470de6f5fec21d1da5741e7d63ee1d3b63cfd2646d697274f4495e3f1a9", - "check": "arbitrary-send", + "description": "Test.indirect() (tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol#19-21) sends eth to arbitrary user\n\tDangerous calls:\n\t- destination.send(address(this).balance) (tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol#20)\n", + "markdown": "[Test.indirect()](tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol#L19-L21) sends eth to arbitrary user\n\tDangerous calls:\n\t- [destination.send(address(this).balance)](tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol#L20)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol#L19-L21", + "id": "2e1bd6d1260cf35450734eb2027a2d964f61858a3aabd0cb459c22cb4da9956b", + "check": "arbitrary-send-eth", "impact": "High", "confidence": "Medium" } diff --git a/tests/test_detectors.py b/tests/test_detectors.py index 8d26b12cbc..37f90e55b7 100644 --- a/tests/test_detectors.py +++ b/tests/test_detectors.py @@ -373,23 +373,23 @@ def id_test(test_item: Test): Test(all_detectors.LockedEther, "locked_ether.sol", "0.6.11"), Test(all_detectors.LockedEther, "locked_ether.sol", "0.7.6"), Test( - all_detectors.ArbitrarySend, - "arbitrary_send.sol", + all_detectors.ArbitrarySendEth, + "arbitrary_send_eth.sol", "0.4.25", ), Test( - all_detectors.ArbitrarySend, - "arbitrary_send.sol", + all_detectors.ArbitrarySendEth, + "arbitrary_send_eth.sol", "0.5.16", ), Test( - all_detectors.ArbitrarySend, - "arbitrary_send.sol", + all_detectors.ArbitrarySendEth, + "arbitrary_send_eth.sol", "0.6.11", ), Test( - all_detectors.ArbitrarySend, - "arbitrary_send.sol", + all_detectors.ArbitrarySendEth, + "arbitrary_send_eth.sol", "0.7.6", ), Test( @@ -1199,6 +1199,56 @@ def id_test(test_item: Test): "delegatecall_loop.sol", "0.8.0", ), + Test( + all_detectors.ArbitrarySendErc20NoPermit, + "arbitrary_send_erc20.sol", + "0.4.25", + ), + Test( + all_detectors.ArbitrarySendErc20NoPermit, + "arbitrary_send_erc20.sol", + "0.5.16", + ), + Test( + all_detectors.ArbitrarySendErc20NoPermit, + "arbitrary_send_erc20.sol", + "0.6.11", + ), + Test( + all_detectors.ArbitrarySendErc20NoPermit, + "arbitrary_send_erc20.sol", + "0.7.6", + ), + Test( + all_detectors.ArbitrarySendErc20NoPermit, + "arbitrary_send_erc20.sol", + "0.8.0", + ), + Test( + all_detectors.ArbitrarySendErc20Permit, + "arbitrary_send_erc20_permit.sol", + "0.4.25", + ), + Test( + all_detectors.ArbitrarySendErc20Permit, + "arbitrary_send_erc20_permit.sol", + "0.5.16", + ), + Test( + all_detectors.ArbitrarySendErc20Permit, + "arbitrary_send_erc20_permit.sol", + "0.6.11", + ), + Test( + all_detectors.ArbitrarySendErc20Permit, + "arbitrary_send_erc20_permit.sol", + "0.7.6", + ), + Test( + all_detectors.ArbitrarySendErc20Permit, + "arbitrary_send_erc20_permit.sol", + "0.8.0", + ), ] GENERIC_PATH = "/GENERIC_PATH"