From 16ea40303e408ba94482900bc7f7cd74de8e9182 Mon Sep 17 00:00:00 2001 
From: alpharush <0xalpharush@protonmail.com> Date: Sun, 20 Feb 2022 17:31:27 -0600 Subject: [PATCH 1/4] feat: add arbitrary-send-erc20 and arbitrary-send-erc20-permit detectors --- slither/detectors/all_detectors.py | 6 +- slither/detectors/erc/erc20/__init__.py | 0 .../erc/erc20/arbitrary_send_erc20.py | 76 ++ .../erc20/arbitrary_send_erc20_no_permit.py | 46 ++ .../erc/erc20/arbitrary_send_erc20_permit.py | 49 ++ .../{ => erc20}/incorrect_erc20_interface.py | 0 ...rbitrary_send.py => arbitrary_send_eth.py} | 6 +- .../0.4.25/arbitrary_send_erc20_permit.sol | 57 ++ ...t.sol.0.4.25.ArbitrarySendErc20Permit.json | 768 ++++++++++++++++++ .../0.5.16/arbitrary_send_erc20_permit.sol | 57 ++ ...t.sol.0.5.16.ArbitrarySendErc20Permit.json | 768 ++++++++++++++++++ .../0.6.11/arbitrary_send_erc20_permit.sol | 57 ++ ...t.sol.0.6.11.ArbitrarySendErc20Permit.json | 768 ++++++++++++++++++ .../0.7.6/arbitrary_send_erc20_permit.sol | 57 ++ ...it.sol.0.7.6.ArbitrarySendErc20Permit.json | 768 ++++++++++++++++++ .../0.8.0/arbitrary_send_erc20_permit.sol | 57 ++ ...it.sol.0.8.0.ArbitrarySendErc20Permit.json | 768 ++++++++++++++++++ .../0.4.25/arbitrary_send_erc20.sol | 69 ++ ...sol.0.4.25.ArbitrarySendErc20NoPermit.json | 655 +++++++++++++++ .../0.5.16/arbitrary_send_erc20.sol | 69 ++ ...sol.0.5.16.ArbitrarySendErc20NoPermit.json | 655 +++++++++++++++ .../0.6.11/arbitrary_send_erc20.sol | 69 ++ ...sol.0.6.11.ArbitrarySendErc20NoPermit.json | 655 +++++++++++++++ .../0.7.6/arbitrary_send_erc20.sol | 69 ++ ....sol.0.7.6.ArbitrarySendErc20NoPermit.json | 655 +++++++++++++++ .../0.8.0/arbitrary_send_erc20.sol | 69 ++ ....sol.0.8.0.ArbitrarySendErc20NoPermit.json | 655 +++++++++++++++ .../0.4.25/arbitrary_send_eth.sol} | 0 ...send_eth.sol.0.4.25.ArbitrarySendEth.json} | 136 ++-- .../0.5.16/arbitrary_send_eth.sol} | 0 ...send_eth.sol.0.5.16.ArbitrarySendEth.json} | 60 +- .../0.6.11/arbitrary_send_eth.sol} | 0 ...send_eth.sol.0.6.11.ArbitrarySendEth.json} | 60 +- 
.../0.7.6/arbitrary_send_eth.sol} | 0 ..._send_eth.sol.0.7.6.ArbitrarySendEth.json} | 136 ++-- tests/test_detectors.py | 66 +- 36 files changed, 8177 insertions(+), 209 deletions(-) create mode 100644 slither/detectors/erc/erc20/__init__.py create mode 100644 slither/detectors/erc/erc20/arbitrary_send_erc20.py create mode 100644 slither/detectors/erc/erc20/arbitrary_send_erc20_no_permit.py create mode 100644 slither/detectors/erc/erc20/arbitrary_send_erc20_permit.py rename slither/detectors/erc/{ => erc20}/incorrect_erc20_interface.py (100%) rename slither/detectors/functions/{arbitrary_send.py => arbitrary_send_eth.py} (97%) create mode 100644 tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol create mode 100644 tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol.0.4.25.ArbitrarySendErc20Permit.json create mode 100644 tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol create mode 100644 tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol.0.5.16.ArbitrarySendErc20Permit.json create mode 100644 tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol create mode 100644 tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol.0.6.11.ArbitrarySendErc20Permit.json create mode 100644 tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol create mode 100644 tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol.0.7.6.ArbitrarySendErc20Permit.json create mode 100644 tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol create mode 100644 tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol.0.8.0.ArbitrarySendErc20Permit.json create mode 100644 tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol create mode 100644 
tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol.0.4.25.ArbitrarySendErc20NoPermit.json create mode 100644 tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol create mode 100644 tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol.0.5.16.ArbitrarySendErc20NoPermit.json create mode 100644 tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol create mode 100644 tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol.0.6.11.ArbitrarySendErc20NoPermit.json create mode 100644 tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol create mode 100644 tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol.0.7.6.ArbitrarySendErc20NoPermit.json create mode 100644 tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol create mode 100644 tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol.0.8.0.ArbitrarySendErc20NoPermit.json rename tests/detectors/{arbitrary-send/0.4.25/arbitrary_send.sol => arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol} (100%) rename tests/detectors/{arbitrary-send/0.4.25/arbitrary_send.sol.0.4.25.ArbitrarySend.json => arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol.0.4.25.ArbitrarySendEth.json} (88%) rename tests/detectors/{arbitrary-send/0.5.16/arbitrary_send.sol => arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol} (100%) rename tests/detectors/{arbitrary-send/0.5.16/arbitrary_send.sol.0.5.16.ArbitrarySend.json => arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol.0.5.16.ArbitrarySendEth.json} (88%) rename tests/detectors/{arbitrary-send/0.6.11/arbitrary_send.sol => arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol} (100%) rename tests/detectors/{arbitrary-send/0.6.11/arbitrary_send.sol.0.6.11.ArbitrarySend.json => arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol.0.6.11.ArbitrarySendEth.json} (88%) rename tests/detectors/{arbitrary-send/0.7.6/arbitrary_send.sol => arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol} (100%) 
rename tests/detectors/{arbitrary-send/0.7.6/arbitrary_send.sol.0.7.6.ArbitrarySend.json => arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol.0.7.6.ArbitrarySendEth.json} (88%) diff --git a/slither/detectors/all_detectors.py b/slither/detectors/all_detectors.py index e287c258f6..a79dcaf51a 100644 --- a/slither/detectors/all_detectors.py +++ b/slither/detectors/all_detectors.py @@ -6,7 +6,9 @@ from .attributes.constant_pragma import ConstantPragma from .attributes.incorrect_solc import IncorrectSolc from .attributes.locked_ether import LockedEther -from .functions.arbitrary_send import ArbitrarySend +from .functions.arbitrary_send_eth import ArbitrarySendEth +from .erc.erc20.arbitrary_send_erc20_no_permit import ArbitrarySendErc20NoPermit +from .erc.erc20.arbitrary_send_erc20_permit import ArbitrarySendErc20Permit from .functions.suicidal import Suicidal # from .functions.complex_function import ComplexFunction @@ -34,7 +36,7 @@ from .operations.block_timestamp import Timestamp from .statements.calls_in_loop import MultipleCallsInLoop from .statements.incorrect_strict_equality import IncorrectStrictEquality -from .erc.incorrect_erc20_interface import IncorrectERC20InterfaceDetection +from .erc.erc20.incorrect_erc20_interface import IncorrectERC20InterfaceDetection from .erc.incorrect_erc721_interface import IncorrectERC721InterfaceDetection from .erc.unindexed_event_parameters import UnindexedERC20EventParameters from .statements.deprecated_calls import DeprecatedStandards diff --git a/slither/detectors/erc/erc20/__init__.py b/slither/detectors/erc/erc20/__init__.py new file mode 100644 index 0000000000..e69de29bb2 diff --git a/slither/detectors/erc/erc20/arbitrary_send_erc20.py b/slither/detectors/erc/erc20/arbitrary_send_erc20.py new file mode 100644 index 0000000000..676cfd750b --- /dev/null +++ b/slither/detectors/erc/erc20/arbitrary_send_erc20.py 
@@ -0,0 +1,76 @@
+from typing import List
+from slither.core.cfg.node import Node
+from slither.slithir.operations import HighLevelCall, LibraryCall
+from slither.core.declarations import Contract, Function, SolidityVariableComposed
+from slither.analyses.data_dependency.data_dependency import is_dependent
+from slither.core.compilation_unit import SlitherCompilationUnit
+
+
+class ArbitrarySendErc20:
+ def __init__(self, compilation_unit: SlitherCompilationUnit):
+ self._compilation_unit = compilation_unit
+ self._no_permit_results: List[Node] = []
+ self._permit_results: List[Node] = []
+
+ @property
+ def compilation_unit(self) -> SlitherCompilationUnit:
+ return self._compilation_unit
+
+ @property
+ def no_permit_results(self) -> List[Node]:
+ return self._no_permit_results
+
+ @property
+ def permit_results(self) -> List[Node]:
+ return self._permit_results
+
+ def _detect_arbitrary_from(self, contract: Contract):
+ for f in contract.functions_declared:
+ all_high_level_calls = [
+ f_called[1].solidity_signature
+ for f_called in f.high_level_calls
+ if isinstance(f_called[1], Function)
+ ]
+ all_library_calls = [f_called[1].solidity_signature for f_called in f.library_calls]
+ if (
+ "transferFrom(address,address,uint256)" in all_high_level_calls
+ or "safeTransferFrom(address,address,address,uint256)" in all_library_calls
+ ):
+ if (
+ "permit(address,address,uint256,uint256,uint8,bytes32,bytes32)"
+ in all_high_level_calls
+ ):
+ self._arbitrary_from(f.nodes, self._permit_results)
+ else:
+ self._arbitrary_from(f.nodes, self._no_permit_results)
+
+ def _arbitrary_from(self, nodes: List[Node], results: List[Node]):
+ for node in nodes:
+ for ir in node.irs:
+ if (
+ isinstance(ir, HighLevelCall)
+ and isinstance(ir.function, Function)
+ and ir.function.solidity_signature == "transferFrom(address,address,uint256)"
+ and not is_dependent(
+ ir.arguments[0],
+ SolidityVariableComposed("msg.sender"),
+ node.function.contract,
+ )
+ ):
+ results.append(ir.node)
+ elif (
+ isinstance(ir, LibraryCall)
+ and ir.function.solidity_signature
+ == "safeTransferFrom(address,address,address,uint256)"
+ and not is_dependent(
+ ir.arguments[1],
+ SolidityVariableComposed("msg.sender"),
+ node.function.contract,
+ )
+ ):
+ results.append(ir.node)
+
+ def _detect(self):
+ """"""
+ for c in self.compilation_unit.contracts_derived:
+ self._detect_arbitrary_from(c)
diff --git a/slither/detectors/erc/erc20/arbitrary_send_erc20_no_permit.py b/slither/detectors/erc/erc20/arbitrary_send_erc20_no_permit.py
new file mode 100644
index 0000000000..78a1e34d47
--- /dev/null
+++ b/slither/detectors/erc/erc20/arbitrary_send_erc20_no_permit.py
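Review bot: In `_arbitrary_from`, the only test on the source argument is `not is_dependent(..., SolidityVariableComposed("msg.sender"), ...)`, so every `from` that is not `msg.sender` is reported, including values the caller cannot choose such as `address(this)` or a fixed state address. The no-permit detector that consumes these results declares `CONFIDENCE = DetectorClassification.HIGH`, which those cases would not support. Consider also skipping arguments that depend on `SolidityVariable("this")` (importable from `slither.core.declarations`) in both the `transferFrom` branch (`ir.arguments[0]`) and the `safeTransferFrom` branch (`ir.arguments[1]`), or lowering the confidence. The class has no docstring and `_detect` has an empty `""""""`; a short description of what lands in `no_permit_results` versus `permit_results` would help the two callers.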
@@ -0,0 +1,46 @@
+from typing import List
+from .arbitrary_send_erc20 import ArbitrarySendErc20
+from slither.detectors.abstract_detector import AbstractDetector, DetectorClassification
+from slither.utils.output import Output
+
+
+class ArbitrarySendErc20NoPermit(AbstractDetector):
+ """
+ Detect when `msg.sender` is not used as `from` in transferFrom
+ """
+
+ ARGUMENT = "arbitrary-send-erc20"
+ HELP = "transferFrom uses arbitrary `from`"
+ IMPACT = DetectorClassification.HIGH
+ CONFIDENCE = DetectorClassification.HIGH
+
+ WIKI = "https://github.com/trailofbits/slither/wiki/Detector-Documentation#arbitrary-send-erc20"
+
+ WIKI_TITLE = "Arbitrary `from` in transferFrom"
+ WIKI_DESCRIPTION = "Detect when `msg.sender` is not used as `from` in transferFrom."
+ WIKI_EXPLOIT_SCENARIO = """
+```solidity
+ function a(address from, address to, uint256 amount) public {
+ erc20.transferFrom(from, to, am);
+ }
+}
+```
+Alice approves this contract to spend her ERC20 tokens. Bob can call `a` and specify Alice's address as the `from` parameter in `transferFrom`, allowing him to transfer Alice's tokens to himself."""
+
+ WIKI_RECOMMENDATION = """
+Use `msg.sender` as `from` in transferFrom.
+"""
+
+ def _detect(self) -> List[Output]:
+ """"""
+ results: List[Output] = []
+
+ arbitrary_sends = ArbitrarySendErc20(self.compilation_unit)
+ arbitrary_sends._detect()
+ for node in arbitrary_sends.no_permit_results:
+ func = node.function
+ info = [func, " uses arbitrary from in transferFrom: ", node, "\n"]
+ res = self.generate_result(info)
+ results.append(res)
+
+ return results
diff --git a/slither/detectors/erc/erc20/arbitrary_send_erc20_permit.py b/slither/detectors/erc/erc20/arbitrary_send_erc20_permit.py
new file mode 100644
index 0000000000..b8ab6e0667
--- /dev/null
+++ b/slither/detectors/erc/erc20/arbitrary_send_erc20_permit.py
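Review bot: The Solidity snippet in `WIKI_EXPLOIT_SCENARIO` does not compile as written: the call passes `am` although the parameter is named `amount`, and the block ends with a `}` for a contract it never opens. Use `erc20.transferFrom(from, to, amount);` and either add a `contract C {` line above the function or drop the stray brace. The scenario in `arbitrary_send_erc20_permit.py` has the same unmatched closing brace. The empty `""""""` docstring on `_detect` could become a one-line summary such as `"""Report transferFrom calls whose from is not msg.sender in functions that do not call permit."""`.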
@@ -0,0 +1,49 @@
+from typing import List
+from .arbitrary_send_erc20 import ArbitrarySendErc20
+from slither.detectors.abstract_detector import AbstractDetector, DetectorClassification
+from slither.utils.output import Output
+
+
+class ArbitrarySendErc20Permit(AbstractDetector):
+ """
+ Detect when `msg.sender` is not used as `from` in transferFrom along with the use of permit.
+ """
+
+ ARGUMENT = "arbitrary-send-erc20-permit"
+ HELP = "transferFrom uses arbitrary from with permit"
+ IMPACT = DetectorClassification.HIGH
+ CONFIDENCE = DetectorClassification.MEDIUM
+
+ WIKI = "https://github.com/trailofbits/slither/wiki/Detector-Documentation#arbitrary-send-erc20-permit"
+
+ WIKI_TITLE = "Arbitrary `from` in transferFrom used with permit"
+ WIKI_DESCRIPTION = (
+ "Detect when `msg.sender` is not used as `from` in transferFrom and permit is used."
+ )
+ WIKI_EXPLOIT_SCENARIO = """
+```solidity
+ function bad(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) public {
+ erc20.permit(from, address(this), value, deadline, v, r, s);
+ erc20.transferFrom(from, to, value);
+ }
+}
+```
+If an ERC20 token does not implement permit and has a fallback function e.g. WETH, transferFrom allows an attacker to transfer all tokens approved for this contract."""
+
+ WIKI_RECOMMENDATION = """
+Ensure that the underlying ERC20 token correctly implements a permit function.
+"""
+
+ def _detect(self) -> List[Output]:
+ """"""
+ results: List[Output] = []
+
+ arbitrary_sends = ArbitrarySendErc20(self.compilation_unit)
+ arbitrary_sends._detect()
+ for node in arbitrary_sends.permit_results:
+ func = node.function
+ info = [func, " uses arbitrary from in transferFrom in combination with permit: ", node, "\n"]
+ res = self.generate_result(info)
+ results.append(res)
+
+ return results
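Review bot: `_detect` builds a fresh `ArbitrarySendErc20` and calls its underscore-prefixed `_detect()` from outside the class, and `ArbitrarySendErc20NoPermit._detect` does the same, so with both detectors enabled every contract is scanned twice and each run throws away one of the two result lists. Giving the helper a public entry point (for example `detect()`) and sharing one analysis per compilation unit would remove the duplicate pass and the cross-class private call. The `info = [...]` line is also longer than the wrapped style used for `WIKI_DESCRIPTION` just above, so the formatter will likely want it split.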
diff --git a/slither/detectors/erc/incorrect_erc20_interface.py b/slither/detectors/erc/erc20/incorrect_erc20_interface.py similarity index 100% rename from slither/detectors/erc/incorrect_erc20_interface.py rename to slither/detectors/erc/erc20/incorrect_erc20_interface.py diff --git a/slither/detectors/functions/arbitrary_send.py b/slither/detectors/functions/arbitrary_send_eth.py similarity index 97% rename from slither/detectors/functions/arbitrary_send.py rename to slither/detectors/functions/arbitrary_send_eth.py index 3a7118bbfc..e1752bbdb0 100644 --- a/slither/detectors/functions/arbitrary_send.py +++ b/slither/detectors/functions/arbitrary_send_eth.py @@ -90,8 +90,8 @@ def detect_arbitrary_send(contract: Contract): return ret -class ArbitrarySend(AbstractDetector): - ARGUMENT = "arbitrary-send" +class ArbitrarySendEth(AbstractDetector): + ARGUMENT = "arbitrary-send-eth" HELP = "Functions that send Ether to arbitrary destinations" IMPACT = DetectorClassification.HIGH CONFIDENCE = DetectorClassification.MEDIUM @@ -104,7 +104,7 @@ class ArbitrarySend(AbstractDetector): # region wiki_exploit_scenario WIKI_EXPLOIT_SCENARIO = """ ```solidity -contract ArbitrarySend{ +contract ArbitrarySendEth{ address destination; function setDestination(){ destination = msg.sender; diff --git a/tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol b/tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol new file mode 100644 index 0000000000..4cc6bbe55f --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol 
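Review bot: Changing `ARGUMENT` from `"arbitrary-send"` to `"arbitrary-send-eth"` removes the name users pass to select, exclude or suppress this detector, and nothing in the hunk keeps the old name working. Existing `--detect`/`--exclude` lists, config files and inline suppression comments that reference `arbitrary-send` would presumably stop matching after an upgrade, which either breaks a CI gate or brings back findings that were already triaged. The rename deserves an explicit changelog entry, and the `WIKI` anchor, which lies outside this hunk, should be checked against the new name. The class body continues past both hunks.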
@@ -0,0 +1,57 @@
+pragma solidity 0.4.25;
+
+library SafeERC20 {
+ function safeTransferFrom(IERC20 token, address from, address to, uint256 value) internal {}
+}
+
+interface IERC20 {
+ function transferFrom(address, address, uint256) external returns(bool);
+ function permit(address, address, uint256, uint256, uint8, bytes32, bytes32) external;
+}
+
+contract ERC20 is IERC20 {
+ function transferFrom(address from, address to, uint256 amount) external returns(bool) {
+ return true;
+ }
+ function permit(address owner, address spender, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s) external {}
+}
+
+contract C {
+ using SafeERC20 for IERC20;
+
+ IERC20 erc20;
+ address notsend;
+ address send;
+
+ constructor() public {
+ erc20 = new ERC20();
+ notsend = address(0x3);
+ send = msg.sender;
+ }
+
+ function bad1(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) public {
+ erc20.permit(from, address(this), value, deadline, v, r, s);
+ erc20.transferFrom(from, to, value);
+ }
+
+ // This is not detected
+ function bad2(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) public {
+ int_transferFrom(from,value, deadline, v, r, s, to);
+ }
+
+ function int_transferFrom(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) internal {
+ erc20.permit(from, address(this), value, deadline, v, r, s);
+ erc20.transferFrom(from, to, value);
+ }
+
+ function bad3(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) external {
+ erc20.permit(from, address(this), value, deadline, v, r, s);
+ erc20.safeTransferFrom(from, to, value);
+ }
+
+ function bad4(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) external {
+ erc20.permit(from, address(this), value, deadline, v, r, s);
+ SafeERC20.safeTransferFrom(erc20, from, to, value);
+ }
+
+}
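Review bot: Every function in contract `C` is a positive case, so this fixture cannot catch a regression that reports all `transferFrom` calls made next to `permit`; `notsend` and `send` are assigned in the constructor but never used. A `good` function that calls `erc20.permit(msg.sender, address(this), value, deadline, v, r, s);` followed by `erc20.transferFrom(msg.sender, to, value);`, and one that uses `send` as the source, would pin the negative side. The `// This is not detected` comment on `bad2` would be clearer if it said the finding is reported on `int_transferFrom` instead, as the expected JSON shows. The same applies to the 0.5.16 copy of this file.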
diff --git a/tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol.0.4.25.ArbitrarySendErc20Permit.json b/tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol.0.4.25.ArbitrarySendErc20Permit.json new file mode 100644 index 0000000000..0b3275b3da --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol.0.4.25.ArbitrarySendErc20Permit.json 
@@ -0,0 +1,768 @@ +[ + [ + { + "elements": [ + { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 843, + "length": 232, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 32, + 33, + 34, + 35 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(from,to,value)", + "source_mapping": { + "start": 1033, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 34 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad1", + 
"source_mapping": { + "start": 843, + "length": 232, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 32, + 33, + 34, + 35 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#32-35) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#34)\n", + "markdown": "[C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L32-L35) uses arbitrary from in transferFrom in combination with permit: 
[erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L34)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L32-L35", + "id": "82a43f5bf554d897b270abaac0ee62650383fe341adeff0d9c1c95b0040548a2", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "int_transferFrom", + "source_mapping": { + "start": 1294, + "length": 246, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 42, + 43, + 44, + 45 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(from,to,value)", + "source_mapping": { + "start": 1498, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": 
"tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 44 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "int_transferFrom", + "source_mapping": { + "start": 1294, + "length": 246, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 42, + 43, + 44, + 45 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#42-45) uses arbitrary from in transferFrom in combination with 
permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#44)\n", + "markdown": "[C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L42-L45) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L44)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L42-L45", + "id": "408ea319adfb46be330fd7775c13abf56f9d106eebcbcfe6574760309d93927e", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1546, + "length": 238, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 47, + 48, + 49, + 50 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 
53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.safeTransferFrom(from,to,value)", + "source_mapping": { + "start": 1738, + "length": 39, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 49 + ], + "starting_column": 9, + "ending_column": 48 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1546, + "length": 238, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 47, + 48, + 49, + 50 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + 
"signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#47-50) uses arbitrary from in transferFrom in combination with permit: erc20.safeTransferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#49)\n", + "markdown": "[C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L47-L50) uses arbitrary from in transferFrom in combination with permit: [erc20.safeTransferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L49)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L47-L50", + "id": "f7695706feb3a8409e367a88028dfad8c64e1000f1f71d6e55074d0dcfbc2305", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1794, + "length": 249, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 52, + 53, + 54, + 55 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": 
"tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "SafeERC20.safeTransferFrom(erc20,from,to,value)", + "source_mapping": { + "start": 1986, + "length": 50, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 54 + ], + "starting_column": 9, + "ending_column": 59 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1794, + "length": 249, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 52, + 53, + 54, + 55 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": 
"tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#52-55) uses arbitrary from in transferFrom in combination with permit: SafeERC20.safeTransferFrom(erc20,from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#54)\n", + "markdown": "[C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L52-L55) uses arbitrary from in transferFrom in combination with permit: [SafeERC20.safeTransferFrom(erc20,from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L54)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L52-L55", + "id": "22de0efa869fce1767af15469c8bcc95616478aec05625ab72283df0ad9fae55", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + } + ] +] \ No newline at end of file diff --git a/tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol b/tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol new file mode 100644 index 0000000000..4a020d2625 --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol 
@@ -0,0 +1,57 @@
+pragma solidity 0.5.16;
+
+library SafeERC20 {
+ function safeTransferFrom(IERC20 token, address from, address to, uint256 value) internal {}
+}
+
+interface IERC20 {
+ function transferFrom(address, address, uint256) external returns(bool);
+ function permit(address, address, uint256, uint256, uint8, bytes32, bytes32) external;
+}
+
+contract ERC20 is IERC20 {
+ function transferFrom(address from, address to, uint256 amount) external returns(bool) {
+ return true;
+ }
+ function permit(address owner, address spender, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s) external {}
+}
+
+contract C {
+ using SafeERC20 for IERC20;
+
+ IERC20 erc20;
+ address notsend;
+ address send;
+
+ constructor() public {
+ erc20 = new ERC20();
+ notsend = address(0x3);
+ send = msg.sender;
+ }
+
+ function bad1(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) public {
+ erc20.permit(from, address(this), value, deadline, v, r, s);
+ erc20.transferFrom(from, to, value);
+ }
+
+ // This is not detected
+ function bad2(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) public {
+ int_transferFrom(from,value, deadline, v, r, s, to);
+ }
+
+ function int_transferFrom(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) internal {
+ erc20.permit(from, address(this), value, deadline, v, r, s);
+ erc20.transferFrom(from, to, value);
+ }
+
+ function bad3(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) external {
+ erc20.permit(from, address(this), value, deadline, v, r, s);
+ erc20.safeTransferFrom(from, to, value);
+ }
+
+ function bad4(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) external {
+ erc20.permit(from, address(this), value, deadline, v, r, s);
+ SafeERC20.safeTransferFrom(erc20, from, to, value);
+ }
+
+}
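Review bot: Contract `C` in this fixture holds only positive cases, so the expected-output JSON can confirm that findings are reported but cannot catch a false positive; `notsend` and `send` are assigned in the constructor and never used afterwards, which suggests the negative cases were left out. Consider adding a function whose token owner is the caller, with the body `erc20.permit(msg.sender, address(this), value, deadline, v, r, s);` followed by `erc20.transferFrom(msg.sender, to, value);`, and checking that it produces no finding (assuming the detector, which is not part of this hunk, treats `msg.sender` as a safe `from`). The comment above `bad2` would also be clearer as `// Not reported on bad2: the finding is attached to int_transferFrom, which it calls`, since the 0.5.16 expected JSON lists `int_transferFrom` but has no `bad2` entry. The same points apply to the 0.6.11 copy of this fixture further down, and probably to the other compiler-version copies.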
diff --git a/tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol.0.5.16.ArbitrarySendErc20Permit.json b/tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol.0.5.16.ArbitrarySendErc20Permit.json
new file mode 100644
index 0000000000..39888bf428
--- /dev/null
+++ b/tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol.0.5.16.ArbitrarySendErc20Permit.json
@@ -0,0 +1,768 @@ +[ + [ + { + "elements": [ + { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 843, + "length": 232, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 32, + 33, + 34, + 35 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(from,to,value)", + "source_mapping": { + "start": 1033, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 34 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad1", + 
"source_mapping": { + "start": 843, + "length": 232, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 32, + 33, + 34, + 35 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#32-35) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#34)\n", + "markdown": "[C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L32-L35) uses arbitrary from in transferFrom in combination with permit: 
[erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L34)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L32-L35", + "id": "5983458eee02cf7d5484a82e17422dcdbd7b990305579e17d1252c0bb31e1cac", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "int_transferFrom", + "source_mapping": { + "start": 1294, + "length": 246, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 42, + 43, + 44, + 45 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(from,to,value)", + "source_mapping": { + "start": 1498, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": 
"tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 44 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "int_transferFrom", + "source_mapping": { + "start": 1294, + "length": 246, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 42, + 43, + 44, + 45 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#42-45) uses arbitrary from in transferFrom in combination with 
permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#44)\n", + "markdown": "[C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L42-L45) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L44)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L42-L45", + "id": "e3ed372c52b219322ca290ecfa79be96d7ea1b019af329a515c6c10b7a1cf03b", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1546, + "length": 238, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 47, + 48, + 49, + 50 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 
53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.safeTransferFrom(from,to,value)", + "source_mapping": { + "start": 1738, + "length": 39, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 49 + ], + "starting_column": 9, + "ending_column": 48 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1546, + "length": 238, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 47, + 48, + 49, + 50 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + 
"signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#47-50) uses arbitrary from in transferFrom in combination with permit: erc20.safeTransferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#49)\n", + "markdown": "[C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L47-L50) uses arbitrary from in transferFrom in combination with permit: [erc20.safeTransferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L49)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L47-L50", + "id": "a8f319ba65d6c81726b72d7593eb089ce9819d22856387250e009a43a98cf1c3", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1794, + "length": 249, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 52, + 53, + 54, + 55 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": 
"tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "SafeERC20.safeTransferFrom(erc20,from,to,value)", + "source_mapping": { + "start": 1986, + "length": 50, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 54 + ], + "starting_column": 9, + "ending_column": 59 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1794, + "length": 249, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 52, + 53, + 54, + 55 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 613, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": 
"tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#52-55) uses arbitrary from in transferFrom in combination with permit: SafeERC20.safeTransferFrom(erc20,from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#54)\n", + "markdown": "[C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L52-L55) uses arbitrary from in transferFrom in combination with permit: [SafeERC20.safeTransferFrom(erc20,from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L54)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L52-L55", + "id": "57068db07fd7e67d0b63035936fad5a373fcb8f84bb6a58aa463278143db43fa", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + } + ] +] \ No newline at end of file diff --git a/tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol b/tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol new file mode 100644 index 0000000000..0a9f80e7d5 --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol 
@@ -0,0 +1,57 @@
+pragma solidity 0.6.11;
+
+library SafeERC20 {
+ function safeTransferFrom(IERC20 token, address from, address to, uint256 value) internal {}
+}
+
+interface IERC20 {
+ function transferFrom(address, address, uint256) external returns(bool);
+ function permit(address, address, uint256, uint256, uint8, bytes32, bytes32) external;
+}
+
+contract ERC20 is IERC20 {
+ function transferFrom(address from, address to, uint256 amount) external override returns(bool) {
+ return true;
+ }
+ function permit(address owner, address spender, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s) external override {}
+}
+
+contract C {
+ using SafeERC20 for IERC20;
+
+ IERC20 erc20;
+ address notsend;
+ address send;
+
+ constructor() public {
+ erc20 = new ERC20();
+ notsend = address(0x3);
+ send = msg.sender;
+ }
+
+ function bad1(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) public {
+ erc20.permit(from, address(this), value, deadline, v, r, s);
+ erc20.transferFrom(from, to, value);
+ }
+
+ // This is not detected
+ function bad2(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) public {
+ int_transferFrom(from,value, deadline, v, r, s, to);
+ }
+
+ function int_transferFrom(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) internal {
+ erc20.permit(from, address(this), value, deadline, v, r, s);
+ erc20.transferFrom(from, to, value);
+ }
+
+ function bad3(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) external {
+ erc20.permit(from, address(this), value, deadline, v, r, s);
+ erc20.safeTransferFrom(from, to, value);
+ }
+
+ function bad4(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) external {
+ erc20.permit(from, address(this), value, deadline, v, r, s);
+ SafeERC20.safeTransferFrom(erc20, from, to, value);
+ }
+
+}
diff --git a/tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol.0.6.11.ArbitrarySendErc20Permit.json b/tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol.0.6.11.ArbitrarySendErc20Permit.json
new file mode 100644
index 0000000000..7d4ca84d86
--- /dev/null
+++ b/tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol.0.6.11.ArbitrarySendErc20Permit.json
@@ -0,0 +1,768 @@ +[ + [ + { + "elements": [ + { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 861, + "length": 232, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 32, + 33, + 34, + 35 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 631, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(from,to,value)", + "source_mapping": { + "start": 1051, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 34 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad1", + 
"source_mapping": { + "start": 861, + "length": 232, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 32, + 33, + 34, + 35 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 631, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#32-35) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#34)\n", + "markdown": "[C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L32-L35) uses arbitrary from in transferFrom in combination with permit: 
[erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L34)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L32-L35", + "id": "f90e97c676187cd6d727064001123d8537f5d8253d0a66ab6798b4a1c250a425", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "int_transferFrom", + "source_mapping": { + "start": 1312, + "length": 246, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 42, + 43, + 44, + 45 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 631, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(from,to,value)", + "source_mapping": { + "start": 1516, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": 
"tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 44 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "int_transferFrom", + "source_mapping": { + "start": 1312, + "length": 246, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 42, + 43, + 44, + 45 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 631, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#42-45) uses arbitrary from in transferFrom in combination with 
permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#44)\n", + "markdown": "[C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L42-L45) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L44)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L42-L45", + "id": "f75bec4e068adbca017ad00b355347aa0c337b30a807fa8e1b80577b031e68fd", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1564, + "length": 238, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 47, + 48, + 49, + 50 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 631, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 
53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.safeTransferFrom(from,to,value)", + "source_mapping": { + "start": 1756, + "length": 39, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 49 + ], + "starting_column": 9, + "ending_column": 48 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1564, + "length": 238, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 47, + 48, + 49, + 50 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 631, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + 
"signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#47-50) uses arbitrary from in transferFrom in combination with permit: erc20.safeTransferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#49)\n", + "markdown": "[C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L47-L50) uses arbitrary from in transferFrom in combination with permit: [erc20.safeTransferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L49)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L47-L50", + "id": "1caf8efb7dd42f74884b4ee8d8b44585eeaa5758776ef8ac1e31b8aa749eac26", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1812, + "length": 249, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 52, + 53, + 54, + 55 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 631, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": 
"tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "SafeERC20.safeTransferFrom(erc20,from,to,value)", + "source_mapping": { + "start": 2004, + "length": 50, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 54 + ], + "starting_column": 9, + "ending_column": 59 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1812, + "length": 249, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 52, + 53, + 54, + 55 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 631, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": 
"tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#52-55) uses arbitrary from in transferFrom in combination with permit: SafeERC20.safeTransferFrom(erc20,from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#54)\n", + "markdown": "[C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L52-L55) uses arbitrary from in transferFrom in combination with permit: [SafeERC20.safeTransferFrom(erc20,from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L54)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L52-L55", + "id": "cc58852f92580ac18db192412ec7e50667bf56d986349ae8fe6990f0b04f9f62", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + } + ] +] \ No newline at end of file diff --git a/tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol b/tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol new file mode 100644 index 0000000000..48e4e348ce --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol 
@@ -0,0 +1,57 @@
+pragma solidity 0.7.6;
+
+library SafeERC20 {
+ function safeTransferFrom(IERC20 token, address from, address to, uint256 value) internal {}
+}
+
+interface IERC20 {
+ function transferFrom(address, address, uint256) external returns(bool);
+ function permit(address, address, uint256, uint256, uint8, bytes32, bytes32) external;
+}
+
+contract ERC20 is IERC20 {
+ function transferFrom(address from, address to, uint256 amount) external override returns(bool) {
+ return true;
+ }
+ function permit(address owner, address spender, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s) external override {}
+}
+
+contract C {
+ using SafeERC20 for IERC20;
+
+ IERC20 erc20;
+ address notsend;
+ address send;
+
+ constructor() public {
+ erc20 = new ERC20();
+ notsend = address(0x3);
+ send = msg.sender;
+ }
+
+ function bad1(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) public {
+ erc20.permit(from, address(this), value, deadline, v, r, s);
+ erc20.transferFrom(from, to, value);
+ }
+
+ // This is not detected
+ function bad2(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) public {
+ int_transferFrom(from,value, deadline, v, r, s, to);
+ }
+
+ function int_transferFrom(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) internal {
+ erc20.permit(from, address(this), value, deadline, v, r, s);
+ erc20.transferFrom(from, to, value);
+ }
+
+ function bad3(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) external {
+ erc20.permit(from, address(this), value, deadline, v, r, s);
+ erc20.safeTransferFrom(from, to, value);
+ }
+
+ function bad4(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) external {
+ erc20.permit(from, address(this), value, deadline, v, r, s);
+ SafeERC20.safeTransferFrom(erc20, from, to, value);
+ }
+
+}
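Review bot: This fixture holds only positive cases (`bad1`, `bad3`, `bad4` and the internal `int_transferFrom`), so the expected output next to it cannot show that `arbitrary-send-erc20-permit` stays silent when `from` is not caller-controlled; the 0.8.0 copy of the file has the same gap. A negative case such as a `good1` whose body is `erc20.permit(msg.sender, address(this), value, deadline, v, r, s); erc20.transferFrom(msg.sender, to, value);` would pin that, assuming the detector treats `msg.sender` as a safe `from` (the detector code is not in this hunk), and the expected JSON would have to be regenerated. The comment `// This is not detected` above `bad2` is also easy to misread, since the expected output does report the helper it calls; `// bad2 itself is not reported; the finding is attached to int_transferFrom` says what the snapshot shows.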
diff --git a/tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol.0.7.6.ArbitrarySendErc20Permit.json b/tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol.0.7.6.ArbitrarySendErc20Permit.json
new file mode 100644
index 0000000000..9ebc5f3181
--- /dev/null
+++ b/tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol.0.7.6.ArbitrarySendErc20Permit.json
@@ -0,0 +1,768 @@ +[ + [ + { + "elements": [ + { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 860, + "length": 232, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 32, + 33, + 34, + 35 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(from,to,value)", + "source_mapping": { + "start": 1050, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 34 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad1", + 
"source_mapping": { + "start": 860, + "length": 232, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 32, + 33, + 34, + 35 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#32-35) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#34)\n", + "markdown": "[C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L32-L35) uses arbitrary from in transferFrom in combination with permit: 
[erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L34)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L32-L35", + "id": "ba2c627103717a52a46b52714313000eb4f9d96f57dfac874854a3747ace5a13", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "int_transferFrom", + "source_mapping": { + "start": 1311, + "length": 246, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 42, + 43, + 44, + 45 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(from,to,value)", + "source_mapping": { + "start": 1515, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": 
"tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 44 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "int_transferFrom", + "source_mapping": { + "start": 1311, + "length": 246, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 42, + 43, + 44, + 45 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#42-45) uses arbitrary from in transferFrom in combination with permit: 
erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#44)\n", + "markdown": "[C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L42-L45) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L44)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L42-L45", + "id": "d56199ce2b7249389dffba8e53278f5ae32fbdda8a51cae8b5eb1cf2c09a0578", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1563, + "length": 238, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 47, + 48, + 49, + 50 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 
56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.safeTransferFrom(from,to,value)", + "source_mapping": { + "start": 1755, + "length": 39, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 49 + ], + "starting_column": 9, + "ending_column": 48 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1563, + "length": 238, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 47, + 48, + 49, + 50 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": 
"bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#47-50) uses arbitrary from in transferFrom in combination with permit: erc20.safeTransferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#49)\n", + "markdown": "[C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L47-L50) uses arbitrary from in transferFrom in combination with permit: [erc20.safeTransferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L49)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L47-L50", + "id": "63dc39bd9025d9fa7d39e07342e5652c010ff424e6d31ed9d1559f225c417956", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1811, + "length": 249, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 52, + 53, + 54, + 55 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": 
"tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "SafeERC20.safeTransferFrom(erc20,from,to,value)", + "source_mapping": { + "start": 2003, + "length": 50, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 54 + ], + "starting_column": 9, + "ending_column": 59 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1811, + "length": 249, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 52, + 53, + 54, + 55 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", + 
"is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#52-55) uses arbitrary from in transferFrom in combination with permit: SafeERC20.safeTransferFrom(erc20,from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#54)\n", + "markdown": "[C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L52-L55) uses arbitrary from in transferFrom in combination with permit: [SafeERC20.safeTransferFrom(erc20,from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L54)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L52-L55", + "id": "7ebee7b534acb9d9502df84ba56fd0e90223cd262964c77cb9bee798eabd674b", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + } + ] +] \ No newline at end of file diff --git a/tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol b/tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol new file mode 100644 index 0000000000..99ecbe488b --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol 
@@ -0,0 +1,57 @@
+pragma solidity 0.8.0;
+
+library SafeERC20 {
+ function safeTransferFrom(IERC20 token, address from, address to, uint256 value) internal {}
+}
+
+interface IERC20 {
+ function transferFrom(address, address, uint256) external returns(bool);
+ function permit(address, address, uint256, uint256, uint8, bytes32, bytes32) external;
+}
+
+contract ERC20 is IERC20 {
+ function transferFrom(address from, address to, uint256 amount) external override returns(bool) {
+ return true;
+ }
+ function permit(address owner, address spender, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s) external override {}
+}
+
+contract C {
+ using SafeERC20 for IERC20;
+
+ IERC20 erc20;
+ address notsend;
+ address send;
+
+ constructor() public {
+ erc20 = new ERC20();
+ notsend = address(0x3);
+ send = msg.sender;
+ }
+
+ function bad1(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) public {
+ erc20.permit(from, address(this), value, deadline, v, r, s);
+ erc20.transferFrom(from, to, value);
+ }
+
+ // This is not detected
+ function bad2(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) public {
+ int_transferFrom(from,value, deadline, v, r, s, to);
+ }
+
+ function int_transferFrom(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) internal {
+ erc20.permit(from, address(this), value, deadline, v, r, s);
+ erc20.transferFrom(from, to, value);
+ }
+
+ function bad3(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) external {
+ erc20.permit(from, address(this), value, deadline, v, r, s);
+ erc20.safeTransferFrom(from, to, value);
+ }
+
+ function bad4(address from, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s, address to) external {
+ erc20.permit(from, address(this), value, deadline, v, r, s);
+ SafeERC20.safeTransferFrom(erc20, from, to, value);
+ }
+
+}
diff --git a/tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol.0.8.0.ArbitrarySendErc20Permit.json b/tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol.0.8.0.ArbitrarySendErc20Permit.json
new file mode 100644
index 0000000000..429bdf585b
--- /dev/null
+++ b/tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol.0.8.0.ArbitrarySendErc20Permit.json
@@ -0,0 +1,768 @@ +[ + [ + { + "elements": [ + { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 860, + "length": 232, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 32, + 33, + 34, + 35 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(from,to,value)", + "source_mapping": { + "start": 1050, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 34 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad1", + 
"source_mapping": { + "start": 860, + "length": 232, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 32, + 33, + 34, + 35 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#32-35) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#34)\n", + "markdown": "[C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L32-L35) uses arbitrary from in transferFrom in combination with permit: 
[erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L34)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L32-L35", + "id": "429dd8afad02f0e6869b1de2a82bf36ab35aaf74ba5909de5facd767f4642f32", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "int_transferFrom", + "source_mapping": { + "start": 1311, + "length": 246, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 42, + 43, + 44, + 45 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(from,to,value)", + "source_mapping": { + "start": 1515, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": 
"tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 44 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "int_transferFrom", + "source_mapping": { + "start": 1311, + "length": 246, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 42, + 43, + 44, + 45 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#42-45) uses arbitrary from in transferFrom in combination with permit: 
erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#44)\n", + "markdown": "[C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L42-L45) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L44)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L42-L45", + "id": "398cc3de119232bd6688c797ddfb4f84d7587dbf9f72f3056898bfc442a5fd85", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1563, + "length": 238, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 47, + 48, + 49, + 50 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 
56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "erc20.safeTransferFrom(from,to,value)", + "source_mapping": { + "start": 1755, + "length": 39, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 49 + ], + "starting_column": 9, + "ending_column": 48 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1563, + "length": 238, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 47, + 48, + 49, + 50 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": 
"bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#47-50) uses arbitrary from in transferFrom in combination with permit: erc20.safeTransferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#49)\n", + "markdown": "[C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L47-L50) uses arbitrary from in transferFrom in combination with permit: [erc20.safeTransferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L49)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L47-L50", + "id": "7841a86248d8345520e98b963d59de36814b25e5fa3cef9e031c61d05a7feb2a", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + }, + { + "elements": [ + { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1811, + "length": 249, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 52, + 53, + 54, + 55 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": 
"tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + }, + { + "type": "node", + "name": "SafeERC20.safeTransferFrom(erc20,from,to,value)", + "source_mapping": { + "start": 2003, + "length": 50, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 54 + ], + "starting_column": 9, + "ending_column": 59 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1811, + "length": 249, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "is_dependency": false, + "lines": [ + 52, + 53, + 54, + 55 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 630, + "length": 1433, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", + 
"is_dependency": false, + "lines": [ + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + } + } + } + } + ], + "description": "C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#52-55) uses arbitrary from in transferFrom in combination with permit: SafeERC20.safeTransferFrom(erc20,from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#54)\n", + "markdown": "[C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L52-L55) uses arbitrary from in transferFrom in combination with permit: [SafeERC20.safeTransferFrom(erc20,from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L54)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L52-L55", + "id": "136a1b6c001d3ca4b1aab662556139786307e1bf4cb929f4c507d592eb38cb72", + "check": "arbitrary-send-erc20-permit", + "impact": "High", + "confidence": "Medium" + } + ] +] \ No newline at end of file diff --git a/tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol b/tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol new file mode 100644 index 0000000000..cbed4554fc --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol 
@@ -0,0 +1,69 @@
+pragma solidity 0.4.25;
+
+library SafeERC20 {
+ function safeTransferFrom(IERC20 token, address from, address to, uint256 value) internal {}
+}
+
+interface IERC20 {
+ function transferFrom(address, address, uint256) external returns(bool);
+}
+
+contract ERC20 is IERC20 {
+ function transferFrom(address from, address to, uint256 amount) external returns(bool) {
+ return true;
+ }
+}
+
+contract C {
+ using SafeERC20 for IERC20;
+
+ IERC20 erc20;
+ address notsend;
+ address send;
+
+ constructor() public {
+ erc20 = new ERC20();
+ notsend = address(0x3);
+ send = msg.sender;
+ }
+
+ function good1(address to, uint256 am) public {
+ address from_msgsender = msg.sender;
+ erc20.transferFrom(from_msgsender, to, am);
+ }
+
+ function bad1(address to, uint256 am) public {
+ erc20.transferFrom(notsend, to, am);
+ }
+
+ function good2(address to, uint256 am) public {
+ address from_msgsender = msg.sender;
+ int_transferFrom(from_msgsender, to, am);
+ }
+
+ // This is not detected
+ function bad2(address from, address to, uint256 am) public {
+ int_transferFrom(from, to, am);
+ }
+
+ function int_transferFrom(address from, address to, uint256 amount) internal {
+ erc20.transferFrom(from, to, amount);
+ }
+
+ function good3(address to, uint256 amount) external {
+ erc20.safeTransferFrom(msg.sender, to, amount);
+ }
+
+ function bad3(address from, address to, uint256 amount) external {
+ erc20.safeTransferFrom(from, to, amount);
+ }
+
+ function good4(address to, uint256 amount) external {
+ SafeERC20.safeTransferFrom(erc20, msg.sender, to, amount);
+ }
+
+ function bad4(address from, address to, uint256 amount) external {
+ SafeERC20.safeTransferFrom(erc20, from, to, amount);
+ }
+
+}
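Review bot: The comment `// This is not detected` above `bad2` records a false negative that the expected output then pins as correct: the 0.4.25 snapshot that follows lists only `bad1`, `bad3` and `bad4`, so a caller-supplied `from` that reaches `transferFrom` through the internal helper `int_transferFrom` goes unreported. The permit snapshot in this patch does report `int_transferFrom`, so the two detectors appear to treat internal helpers differently. I would make the limitation explicit, for example `// Known false negative: caller-supplied 'from' reaches transferFrom via int_transferFrom; regenerate the snapshot once internal calls are followed`, so a later snapshot regeneration is not mistaken for a regression. The same comment appears in the 0.5.16 copy of this fixture further down.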
diff --git a/tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol.0.4.25.ArbitrarySendErc20NoPermit.json b/tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol.0.4.25.ArbitrarySendErc20NoPermit.json
new file mode 100644
index 0000000000..a367285c9f
--- /dev/null
+++ b/tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol.0.4.25.ArbitrarySendErc20NoPermit.json
@@ -0,0 +1,655 @@ +[ + [ + { + "elements": [ + { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 780, + "length": 97, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 35, + 36, + 37 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 394, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(notsend,to,am)", + "source_mapping": { + "start": 835, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 36 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 780, + "length": 97, 
+ "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 35, + 36, + 37 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 394, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256)" + } + } + } + } + ], + "description": "C.bad1(address,uint256) (tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#35-37) uses arbitrary from in transferFrom: erc20.transferFrom(notsend,to,am) (tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#36)\n", + "markdown": "[C.bad1(address,uint256)](tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L35-L37) uses arbitrary from in transferFrom: [erc20.transferFrom(notsend,to,am)](tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L36)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L35-L37", + "id": "430afa4e7855d25b1262162894fa21d58eea2571578d45de5399baf3eb438038", + "check": 
"arbitrary-send-erc20", + "impact": "High", + "confidence": "High" + }, + { + "elements": [ + { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1434, + "length": 122, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 57, + 58, + 59 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 394, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,address,uint256)" + } + }, + { + "type": "node", + "name": "erc20.safeTransferFrom(from,to,amount)", + "source_mapping": { + "start": 1509, + "length": 40, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 58 + ], + "starting_column": 9, + "ending_column": 49 + }, + "type_specific_fields": { + "parent": { + "type": "function", + 
"name": "bad3", + "source_mapping": { + "start": 1434, + "length": 122, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 57, + 58, + 59 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 394, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,address,uint256)" + } + } + } + } + ], + "description": "C.bad3(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#57-59) uses arbitrary from in transferFrom: erc20.safeTransferFrom(from,to,amount) (tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#58)\n", + "markdown": "[C.bad3(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L57-L59) uses arbitrary from in transferFrom: [erc20.safeTransferFrom(from,to,amount)](tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L58)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L57-L59", 
+ "id": "e7271d3fa958d20a025419c070ea1010431487e98e30fa2db65db9bf54a13665", + "check": "arbitrary-send-erc20", + "impact": "High", + "confidence": "High" + }, + { + "elements": [ + { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1702, + "length": 133, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 65, + 66, + 67 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 394, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,address,uint256)" + } + }, + { + "type": "node", + "name": "SafeERC20.safeTransferFrom(erc20,from,to,amount)", + "source_mapping": { + "start": 1777, + "length": 51, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 66 + ], + "starting_column": 9, + 
"ending_column": 60 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1702, + "length": 133, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 65, + 66, + 67 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 394, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,address,uint256)" + } + } + } + } + ], + "description": "C.bad4(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#65-67) uses arbitrary from in transferFrom: SafeERC20.safeTransferFrom(erc20,from,to,amount) (tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#66)\n", + "markdown": "[C.bad4(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L65-L67) uses arbitrary from in transferFrom: 
[SafeERC20.safeTransferFrom(erc20,from,to,amount)](tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L66)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L65-L67", + "id": "b2557d6385585034271b9873559de9cde4972e3207c43f260663f3d0e2a4d4a0", + "check": "arbitrary-send-erc20", + "impact": "High", + "confidence": "High" + } + ] +] \ No newline at end of file diff --git a/tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol b/tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol new file mode 100644 index 0000000000..ea5f5c24de --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol 
@@ -0,0 +1,69 @@
+pragma solidity 0.5.16;
+
+library SafeERC20 {
+ function safeTransferFrom(IERC20 token, address from, address to, uint256 value) internal {}
+}
+
+interface IERC20 {
+ function transferFrom(address, address, uint256) external returns(bool);
+}
+
+contract ERC20 is IERC20 {
+ function transferFrom(address from, address to, uint256 amount) external returns(bool) {
+ return true;
+ }
+}
+
+contract C {
+ using SafeERC20 for IERC20;
+
+ IERC20 erc20;
+ address notsend;
+ address send;
+
+ constructor() public {
+ erc20 = new ERC20();
+ notsend = address(0x3);
+ send = msg.sender;
+ }
+
+ function good1(address to, uint256 am) public {
+ address from_msgsender = msg.sender;
+ erc20.transferFrom(from_msgsender, to, am);
+ }
+
+ function bad1(address to, uint256 am) public {
+ erc20.transferFrom(notsend, to, am);
+ }
+
+ function good2(address to, uint256 am) public {
+ address from_msgsender = msg.sender;
+ int_transferFrom(from_msgsender, to, am);
+ }
+
+ // This is not detected
+ function bad2(address from, address to, uint256 am) public {
+ int_transferFrom(from, to, am);
+ }
+
+ function int_transferFrom(address from, address to, uint256 amount) internal {
+ erc20.transferFrom(from, to, amount);
+ }
+
+ function good3(address to, uint256 amount) external {
+ erc20.safeTransferFrom(msg.sender, to, amount);
+ }
+
+ function bad3(address from, address to, uint256 amount) external {
+ erc20.safeTransferFrom(from, to, amount);
+ }
+
+ function good4(address to, uint256 amount) external {
+ SafeERC20.safeTransferFrom(erc20, msg.sender, to, amount);
+ }
+
+ function bad4(address from, address to, uint256 amount) external {
+ SafeERC20.safeTransferFrom(erc20, from, to, amount);
+ }
+
+}
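Review bot: The `// This is not detected` comment above `bad2` records a false negative without saying why, and the expected-output JSON for this fixture lists only bad1, bad3 and bad4, so the snapshot keeps passing while the gap stays open. In `bad2` the caller-supplied `from` reaches `erc20.transferFrom` through the internal `int_transferFrom`, presumably because the check does not follow arguments across internal calls. I would spell that out, e.g. `// Known false negative: caller-supplied from reaches transferFrom via int_transferFrom`, and state the limitation in the detector's documentation so users do not read a clean report as full coverage. The fixture also has no case where `from` is `address(this)`, so it does not pin how the detector treats a contract moving its own balance. The same comment and gap appear in the 0.6.11 and 0.7.6 copies of this fixture.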
diff --git a/tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol.0.5.16.ArbitrarySendErc20NoPermit.json b/tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol.0.5.16.ArbitrarySendErc20NoPermit.json new file mode 100644 index 0000000000..8f93377130 --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol.0.5.16.ArbitrarySendErc20NoPermit.json 
@@ -0,0 +1,655 @@ +[ + [ + { + "elements": [ + { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 780, + "length": 97, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 35, + 36, + 37 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 394, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(notsend,to,am)", + "source_mapping": { + "start": 835, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 36 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 780, + "length": 97, 
+ "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 35, + 36, + 37 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 394, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256)" + } + } + } + } + ], + "description": "C.bad1(address,uint256) (tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#35-37) uses arbitrary from in transferFrom: erc20.transferFrom(notsend,to,am) (tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#36)\n", + "markdown": "[C.bad1(address,uint256)](tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L35-L37) uses arbitrary from in transferFrom: [erc20.transferFrom(notsend,to,am)](tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L36)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L35-L37", + "id": "6ca6aea5c4506ac7fa421c049e0bd41faa74317e303b94721bc64c2fc6e8f128", + "check": 
"arbitrary-send-erc20", + "impact": "High", + "confidence": "High" + }, + { + "elements": [ + { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1434, + "length": 122, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 57, + 58, + 59 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 394, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,address,uint256)" + } + }, + { + "type": "node", + "name": "erc20.safeTransferFrom(from,to,amount)", + "source_mapping": { + "start": 1509, + "length": 40, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 58 + ], + "starting_column": 9, + "ending_column": 49 + }, + "type_specific_fields": { + "parent": { + "type": "function", + 
"name": "bad3", + "source_mapping": { + "start": 1434, + "length": 122, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 57, + 58, + 59 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 394, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,address,uint256)" + } + } + } + } + ], + "description": "C.bad3(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#57-59) uses arbitrary from in transferFrom: erc20.safeTransferFrom(from,to,amount) (tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#58)\n", + "markdown": "[C.bad3(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L57-L59) uses arbitrary from in transferFrom: [erc20.safeTransferFrom(from,to,amount)](tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L58)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L57-L59", 
+ "id": "773c84f15f90123743b54aca858695d11603109f4da52c487ee4ae161f09411b", + "check": "arbitrary-send-erc20", + "impact": "High", + "confidence": "High" + }, + { + "elements": [ + { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1702, + "length": 133, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 65, + 66, + 67 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 394, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,address,uint256)" + } + }, + { + "type": "node", + "name": "SafeERC20.safeTransferFrom(erc20,from,to,amount)", + "source_mapping": { + "start": 1777, + "length": 51, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 66 + ], + "starting_column": 9, + 
"ending_column": 60 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1702, + "length": 133, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 65, + 66, + 67 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 394, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,address,uint256)" + } + } + } + } + ], + "description": "C.bad4(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#65-67) uses arbitrary from in transferFrom: SafeERC20.safeTransferFrom(erc20,from,to,amount) (tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#66)\n", + "markdown": "[C.bad4(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L65-L67) uses arbitrary from in transferFrom: 
[SafeERC20.safeTransferFrom(erc20,from,to,amount)](tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L66)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L65-L67", + "id": "15a810d738734100851211c7e6bff65724d553eb693869575ec3d9c9bf47081c", + "check": "arbitrary-send-erc20", + "impact": "High", + "confidence": "High" + } + ] +] \ No newline at end of file diff --git a/tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol b/tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol new file mode 100644 index 0000000000..70ac209dcd --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol 
@@ -0,0 +1,69 @@
+pragma solidity 0.6.11;
+
+library SafeERC20 {
+ function safeTransferFrom(IERC20 token, address from, address to, uint256 value) internal {}
+}
+
+interface IERC20 {
+ function transferFrom(address, address, uint256) external returns(bool);
+}
+
+contract ERC20 is IERC20 {
+ function transferFrom(address from, address to, uint256 amount) external override returns(bool) {
+ return true;
+ }
+}
+
+contract C {
+ using SafeERC20 for IERC20;
+
+ IERC20 erc20;
+ address notsend;
+ address send;
+
+ constructor() public {
+ erc20 = new ERC20();
+ notsend = address(0x3);
+ send = msg.sender;
+ }
+
+ function good1(address to, uint256 am) public {
+ address from_msgsender = msg.sender;
+ erc20.transferFrom(from_msgsender, to, am);
+ }
+
+ function bad1(address to, uint256 am) public {
+ erc20.transferFrom(notsend, to, am);
+ }
+
+ function good2(address to, uint256 am) public {
+ address from_msgsender = msg.sender;
+ int_transferFrom(from_msgsender, to, am);
+ }
+
+ // This is not detected
+ function bad2(address from, address to, uint256 am) public {
+ int_transferFrom(from, to, am);
+ }
+
+ function int_transferFrom(address from, address to, uint256 amount) internal {
+ erc20.transferFrom(from, to, amount);
+ }
+
+ function good3(address to, uint256 amount) external {
+ erc20.safeTransferFrom(msg.sender, to, amount);
+ }
+
+ function bad3(address from, address to, uint256 amount) external {
+ erc20.safeTransferFrom(from, to, amount);
+ }
+
+ function good4(address to, uint256 amount) external {
+ SafeERC20.safeTransferFrom(erc20, msg.sender, to, amount);
+ }
+
+ function bad4(address from, address to, uint256 amount) external {
+ SafeERC20.safeTransferFrom(erc20, from, to, amount);
+ }
+
+}
diff --git a/tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol.0.6.11.ArbitrarySendErc20NoPermit.json b/tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol.0.6.11.ArbitrarySendErc20NoPermit.json new file mode 100644 index 0000000000..07b128bd70 --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol.0.6.11.ArbitrarySendErc20NoPermit.json 
@@ -0,0 +1,655 @@ +[ + [ + { + "elements": [ + { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 789, + "length": 97, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 35, + 36, + 37 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 403, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(notsend,to,am)", + "source_mapping": { + "start": 844, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 36 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 789, + "length": 97, 
+ "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 35, + 36, + 37 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 403, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256)" + } + } + } + } + ], + "description": "C.bad1(address,uint256) (tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#35-37) uses arbitrary from in transferFrom: erc20.transferFrom(notsend,to,am) (tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#36)\n", + "markdown": "[C.bad1(address,uint256)](tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L35-L37) uses arbitrary from in transferFrom: [erc20.transferFrom(notsend,to,am)](tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L36)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L35-L37", + "id": "040cf50981f6e1dea1f7a19f0115811be1347e0637f0ca85d789ae612a509322", + "check": 
"arbitrary-send-erc20", + "impact": "High", + "confidence": "High" + }, + { + "elements": [ + { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1443, + "length": 122, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 57, + 58, + 59 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 403, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,address,uint256)" + } + }, + { + "type": "node", + "name": "erc20.safeTransferFrom(from,to,amount)", + "source_mapping": { + "start": 1518, + "length": 40, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 58 + ], + "starting_column": 9, + "ending_column": 49 + }, + "type_specific_fields": { + "parent": { + "type": "function", + 
"name": "bad3", + "source_mapping": { + "start": 1443, + "length": 122, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 57, + 58, + 59 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 403, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,address,uint256)" + } + } + } + } + ], + "description": "C.bad3(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#57-59) uses arbitrary from in transferFrom: erc20.safeTransferFrom(from,to,amount) (tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#58)\n", + "markdown": "[C.bad3(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L57-L59) uses arbitrary from in transferFrom: [erc20.safeTransferFrom(from,to,amount)](tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L58)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L57-L59", 
+ "id": "8551e9d33fdd4f73f1eb7776480b2e8cd2cf9c897b52285c3a287caab6822ce3", + "check": "arbitrary-send-erc20", + "impact": "High", + "confidence": "High" + }, + { + "elements": [ + { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1711, + "length": 133, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 65, + 66, + 67 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 403, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,address,uint256)" + } + }, + { + "type": "node", + "name": "SafeERC20.safeTransferFrom(erc20,from,to,amount)", + "source_mapping": { + "start": 1786, + "length": 51, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 66 + ], + "starting_column": 9, + 
"ending_column": 60 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1711, + "length": 133, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 65, + 66, + 67 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 403, + "length": 1444, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,address,uint256)" + } + } + } + } + ], + "description": "C.bad4(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#65-67) uses arbitrary from in transferFrom: SafeERC20.safeTransferFrom(erc20,from,to,amount) (tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#66)\n", + "markdown": "[C.bad4(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L65-L67) uses arbitrary from in transferFrom: 
[SafeERC20.safeTransferFrom(erc20,from,to,amount)](tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L66)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L65-L67", + "id": "61438092d2da6c23ecfa13e5e55c489e538249e47bddd9335b533d28a242aea1", + "check": "arbitrary-send-erc20", + "impact": "High", + "confidence": "High" + } + ] +] \ No newline at end of file diff --git a/tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol b/tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol new file mode 100644 index 0000000000..56d3352ef4 --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol 
@@ -0,0 +1,69 @@
+pragma solidity 0.7.6;
+
+library SafeERC20 {
+ function safeTransferFrom(IERC20 token, address from, address to, uint256 value) internal {}
+}
+
+interface IERC20 {
+ function transferFrom(address, address, uint256) external returns(bool);
+}
+
+contract ERC20 is IERC20 {
+ function transferFrom(address from, address to, uint256 amount) external override returns(bool) {
+ return true;
+ }
+}
+
+contract C {
+ using SafeERC20 for IERC20;
+
+ IERC20 erc20;
+ address notsend;
+ address send;
+
+ constructor() {
+ erc20 = new ERC20();
+ notsend = address(0x3);
+ send = msg.sender;
+ }
+
+ function good1(address to, uint256 am) public {
+ address from_msgsender = msg.sender;
+ erc20.transferFrom(from_msgsender, to, am);
+ }
+
+ function bad1(address to, uint256 am) public {
+ erc20.transferFrom(notsend, to, am);
+ }
+
+ function good2(address to, uint256 am) public {
+ address from_msgsender = msg.sender;
+ int_transferFrom(from_msgsender, to, am);
+ }
+
+ // This is not detected
+ function bad2(address from, address to, uint256 am) public {
+ int_transferFrom(from, to, am);
+ }
+
+ function int_transferFrom(address from, address to, uint256 amount) internal {
+ erc20.transferFrom(from, to, amount);
+ }
+
+ function good3(address to, uint256 amount) external {
+ erc20.safeTransferFrom(msg.sender, to, amount);
+ }
+
+ function bad3(address from, address to, uint256 amount) external {
+ erc20.safeTransferFrom(from, to, amount);
+ }
+
+ function good4(address to, uint256 amount) external {
+ SafeERC20.safeTransferFrom(erc20, msg.sender, to, amount);
+ }
+
+ function bad4(address from, address to, uint256 amount) external {
+ SafeERC20.safeTransferFrom(erc20, from, to, amount);
+ }
+
+}
diff --git a/tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol.0.7.6.ArbitrarySendErc20NoPermit.json b/tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol.0.7.6.ArbitrarySendErc20NoPermit.json new file mode 100644 index 0000000000..1be3753a12 --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol.0.7.6.ArbitrarySendErc20NoPermit.json 
@@ -0,0 +1,655 @@ +[ + [ + { + "elements": [ + { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 781, + "length": 97, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 35, + 36, + 37 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 402, + "length": 1437, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(notsend,to,am)", + "source_mapping": { + "start": 836, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 36 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 781, + "length": 97, + 
"filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 35, + 36, + 37 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 402, + "length": 1437, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256)" + } + } + } + } + ], + "description": "C.bad1(address,uint256) (tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#35-37) uses arbitrary from in transferFrom: erc20.transferFrom(notsend,to,am) (tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#36)\n", + "markdown": "[C.bad1(address,uint256)](tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L35-L37) uses arbitrary from in transferFrom: [erc20.transferFrom(notsend,to,am)](tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L36)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L35-L37", + "id": "820841ccd8aee0469f9719d62ad01054b71a758a1d6924ed6a19ea078ff8350a", + "check": "arbitrary-send-erc20", + 
"impact": "High", + "confidence": "High" + }, + { + "elements": [ + { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1435, + "length": 122, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 57, + 58, + 59 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 402, + "length": 1437, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,address,uint256)" + } + }, + { + "type": "node", + "name": "erc20.safeTransferFrom(from,to,amount)", + "source_mapping": { + "start": 1510, + "length": 40, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 58 + ], + "starting_column": 9, + "ending_column": 49 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad3", + "source_mapping": { 
+ "start": 1435, + "length": 122, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 57, + 58, + 59 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 402, + "length": 1437, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,address,uint256)" + } + } + } + } + ], + "description": "C.bad3(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#57-59) uses arbitrary from in transferFrom: erc20.safeTransferFrom(from,to,amount) (tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#58)\n", + "markdown": "[C.bad3(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L57-L59) uses arbitrary from in transferFrom: [erc20.safeTransferFrom(from,to,amount)](tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L58)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L57-L59", + "id": 
"27c4a0e1a038beb0c01c86e07f1aef592f96907d330bcf899bde6632a9022327", + "check": "arbitrary-send-erc20", + "impact": "High", + "confidence": "High" + }, + { + "elements": [ + { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1703, + "length": 133, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 65, + 66, + 67 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 402, + "length": 1437, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,address,uint256)" + } + }, + { + "type": "node", + "name": "SafeERC20.safeTransferFrom(erc20,from,to,amount)", + "source_mapping": { + "start": 1778, + "length": 51, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 66 + ], + "starting_column": 9, + 
"ending_column": 60 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1703, + "length": 133, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 65, + 66, + 67 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 402, + "length": 1437, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,address,uint256)" + } + } + } + } + ], + "description": "C.bad4(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#65-67) uses arbitrary from in transferFrom: SafeERC20.safeTransferFrom(erc20,from,to,amount) (tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#66)\n", + "markdown": "[C.bad4(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L65-L67) uses arbitrary from in transferFrom: [SafeERC20.safeTransferFrom(erc20,from,to,amount)](tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L66)\n", + 
"first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L65-L67", + "id": "9ecb2b9df9554b9ebdbcfd058eb44ba4f1524b285b676063432d5ede48aee5ad", + "check": "arbitrary-send-erc20", + "impact": "High", + "confidence": "High" + } + ] +] \ No newline at end of file diff --git a/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol b/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol new file mode 100644 index 0000000000..68eafd3937 --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol 
@@ -0,0 +1,69 @@
+pragma solidity 0.8.0;
+
+library SafeERC20 {
+ function safeTransferFrom(IERC20 token, address from, address to, uint256 value) internal {}
+}
+
+interface IERC20 {
+ function transferFrom(address, address, uint256) external returns(bool);
+}
+
+contract ERC20 is IERC20 {
+ function transferFrom(address from, address to, uint256 amount) external override returns(bool) {
+ return true;
+ }
+}
+
+contract C {
+ using SafeERC20 for IERC20;
+
+ IERC20 erc20;
+ address notsend;
+ address send;
+
+ constructor() {
+ erc20 = new ERC20();
+ notsend = address(0x3);
+ send = msg.sender;
+ }
+
+ function good1(address to, uint256 am) public {
+ address from_msgsender = msg.sender;
+ erc20.transferFrom(from_msgsender, to, am);
+ }
+
+ function bad1(address to, uint256 am) public {
+ erc20.transferFrom(notsend, to, am);
+ }
+
+ function good2(address to, uint256 am) public {
+ address from_msgsender = msg.sender;
+ int_transferFrom(from_msgsender, to, am);
+ }
+
+ // This is not detected
+ function bad2(address from, address to, uint256 am) public {
+ int_transferFrom(from, to, am);
+ }
+
+ function int_transferFrom(address from, address to, uint256 amount) internal {
+ erc20.transferFrom(from, to, amount);
+ }
+
+ function good3(address to, uint256 amount) external {
+ erc20.safeTransferFrom(msg.sender, to, amount);
+ }
+
+ function bad3(address from, address to, uint256 amount) external {
+ erc20.safeTransferFrom(from, to, amount);
+ }
+
+ function good4(address to, uint256 amount) external {
+ SafeERC20.safeTransferFrom(erc20, msg.sender, to, amount);
+ }
+
+ function bad4(address from, address to, uint256 amount) external {
+ SafeERC20.safeTransferFrom(erc20, from, to, amount);
+ }
+
+}
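Review bot: The fixture never exercises `from` set to `address(this)`, the common legitimate case where a contract moves tokens it holds itself; every good case in contract `C` uses `msg.sender`. Without such a case the snapshot cannot show whether the detector reports it, so a false positive there would go unnoticed; a case such as `function good5(address to, uint256 am) public { erc20.transferFrom(address(this), to, am); }` would pin the behaviour either way. The state variable `send` is assigned in the constructor but read by no function, so it should either back a test case or be removed. Both points apply equally to the 0.7.6 copy in the earlier hunk.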
diff --git a/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol.0.8.0.ArbitrarySendErc20NoPermit.json b/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol.0.8.0.ArbitrarySendErc20NoPermit.json
new file mode 100644
index 0000000000..a340e4c4fa
--- /dev/null
+++ b/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol.0.8.0.ArbitrarySendErc20NoPermit.json
@@ -0,0 +1,655 @@ +[ + [ + { + "elements": [ + { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 781, + "length": 97, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 35, + 36, + 37 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 402, + "length": 1437, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256)" + } + }, + { + "type": "node", + "name": "erc20.transferFrom(notsend,to,am)", + "source_mapping": { + "start": 836, + "length": 35, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 36 + ], + "starting_column": 9, + "ending_column": 44 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad1", + "source_mapping": { + "start": 781, + "length": 97, + 
"filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 35, + 36, + 37 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 402, + "length": 1437, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad1(address,uint256)" + } + } + } + } + ], + "description": "C.bad1(address,uint256) (tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#35-37) uses arbitrary from in transferFrom: erc20.transferFrom(notsend,to,am) (tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#36)\n", + "markdown": "[C.bad1(address,uint256)](tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L35-L37) uses arbitrary from in transferFrom: [erc20.transferFrom(notsend,to,am)](tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L36)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L35-L37", + "id": "8972d014c645b3a3783400fb2a6a38b20ea38973481025b6f99b3c15c9e63868", + "check": "arbitrary-send-erc20", + 
"impact": "High", + "confidence": "High" + }, + { + "elements": [ + { + "type": "function", + "name": "bad3", + "source_mapping": { + "start": 1435, + "length": 122, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 57, + 58, + 59 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 402, + "length": 1437, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,address,uint256)" + } + }, + { + "type": "node", + "name": "erc20.safeTransferFrom(from,to,amount)", + "source_mapping": { + "start": 1510, + "length": 40, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 58 + ], + "starting_column": 9, + "ending_column": 49 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad3", + "source_mapping": { 
+ "start": 1435, + "length": 122, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 57, + 58, + 59 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 402, + "length": 1437, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad3(address,address,uint256)" + } + } + } + } + ], + "description": "C.bad3(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#57-59) uses arbitrary from in transferFrom: erc20.safeTransferFrom(from,to,amount) (tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#58)\n", + "markdown": "[C.bad3(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L57-L59) uses arbitrary from in transferFrom: [erc20.safeTransferFrom(from,to,amount)](tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L58)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L57-L59", + "id": 
"196b46419f55696599f4a533ea4915c3b1c39be679d8e2ab15a60b7a0238d52c", + "check": "arbitrary-send-erc20", + "impact": "High", + "confidence": "High" + }, + { + "elements": [ + { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1703, + "length": 133, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 65, + 66, + 67 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 402, + "length": 1437, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,address,uint256)" + } + }, + { + "type": "node", + "name": "SafeERC20.safeTransferFrom(erc20,from,to,amount)", + "source_mapping": { + "start": 1778, + "length": 51, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 66 + ], + "starting_column": 9, + 
"ending_column": 60 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad4", + "source_mapping": { + "start": 1703, + "length": 133, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 65, + 66, + 67 + ], + "starting_column": 5, + "ending_column": 6 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "C", + "source_mapping": { + "start": 402, + "length": 1437, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", + "is_dependency": false, + "lines": [ + 17, + 18, + 19, + 20, + 21, + 22, + 23, + 24, + 25, + 26, + 27, + 28, + 29, + 30, + 31, + 32, + 33, + 34, + 35, + 36, + 37, + 38, + 39, + 40, + 41, + 42, + 43, + 44, + 45, + 46, + 47, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 58, + 59, + 60, + 61, + 62, + 63, + 64, + 65, + 66, + 67, + 68, + 69 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad4(address,address,uint256)" + } + } + } + } + ], + "description": "C.bad4(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#65-67) uses arbitrary from in transferFrom: SafeERC20.safeTransferFrom(erc20,from,to,amount) (tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#66)\n", + "markdown": "[C.bad4(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L65-L67) uses arbitrary from in transferFrom: [SafeERC20.safeTransferFrom(erc20,from,to,amount)](tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L66)\n", + 
"first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L65-L67", + "id": "6ba2ac6eeef603310a4b4f7931ab44fadb3a242517096e17c5f1e39f0f4b83cf", + "check": "arbitrary-send-erc20", + "impact": "High", + "confidence": "High" + } + ] +] \ No newline at end of file diff --git a/tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol b/tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol similarity index 100% rename from tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol rename to tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol diff --git a/tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol.0.4.25.ArbitrarySend.json b/tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol.0.4.25.ArbitrarySendEth.json similarity index 88% rename from tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol.0.4.25.ArbitrarySend.json rename to tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol.0.4.25.ArbitrarySendEth.json index b215f0e967..15685f8fcc 100644 --- a/tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol.0.4.25.ArbitrarySend.json +++ b/tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol.0.4.25.ArbitrarySendEth.json @@ -4,19 +4,19 @@ "elements": [ { "type": "function", - "name": "indirect", + "name": "direct", "source_mapping": { - "start": 301, - "length": 82, + "start": 147, + "length": 79, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ - 19, - 20, - 21 + 11, + 12, + 13 ], "starting_column": 5, "ending_column": 6 
@@ -29,9 +29,9 @@ "start": 0, "length": 869, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, 
@@ -80,42 +80,42 @@ "ending_column": 2 } }, - "signature": "indirect()" + "signature": "direct()" } }, { "type": "node", - "name": "destination.send(address(this).balance)", + "name": "msg.sender.send(address(this).balance)", "source_mapping": { - "start": 337, - "length": 39, + "start": 181, + "length": 38, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ - 20 + 12 ], "starting_column": 9, - "ending_column": 48 + "ending_column": 47 }, "type_specific_fields": { "parent": { "type": "function", - "name": "indirect", + "name": "direct", "source_mapping": { - "start": 301, - "length": 82, + "start": 147, + "length": 79, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ - 19, - 20, - 21 + 11, + 12, + 13 ], "starting_column": 5, "ending_column": 6 
@@ -128,9 +128,9 @@ "start": 0, "length": 869, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, 
@@ -179,17 +179,17 @@ "ending_column": 2 } }, - "signature": "indirect()" + "signature": "direct()" } } } } ], - "description": "Test.indirect() (tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol#19-21) sends eth to arbitrary user\n\tDangerous calls:\n\t- destination.send(address(this).balance) (tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol#20)\n", - "markdown": "[Test.indirect()](tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol#L19-L21) sends eth to arbitrary user\n\tDangerous calls:\n\t- [destination.send(address(this).balance)](tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol#L20)\n", - "first_markdown_element": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol#L19-L21", - "id": "4759805615df746a3d8a6c068ce885d2c18c46edf411f83ae004593958caafe7", - "check": "arbitrary-send", + "description": "Test.direct() (tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol#11-13) sends eth to arbitrary user\n\tDangerous calls:\n\t- msg.sender.send(address(this).balance) (tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol#12)\n", + "markdown": "[Test.direct()](tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol#L11-L13) sends eth to arbitrary user\n\tDangerous calls:\n\t- [msg.sender.send(address(this).balance)](tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol#L12)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol#L11-L13", + "id": "672bdccd2e85fb88deee03d312d533259b73ca932965ae09e5b24a3b546c4ad2", + "check": "arbitrary-send-eth", "impact": "High", "confidence": "Medium" }, 
@@ -197,19 +197,19 @@ "elements": [ { "type": "function", - "name": "direct", + "name": "indirect", "source_mapping": { - "start": 147, - "length": 79, + "start": 301, + "length": 82, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ - 11, - 12, - 13 + 19, + 20, + 21 ], "starting_column": 5, "ending_column": 6 @@ -222,9 +222,9 @@ "start": 0, "length": 869, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, 
@@ -273,42 +273,42 @@ "ending_column": 2 } }, - "signature": "direct()" + "signature": "indirect()" } }, { "type": "node", - "name": "msg.sender.send(address(this).balance)", + "name": "destination.send(address(this).balance)", "source_mapping": { - "start": 181, - "length": 38, + "start": 337, + "length": 39, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ - 12 + 20 ], "starting_column": 9, - "ending_column": 47 + "ending_column": 48 }, "type_specific_fields": { "parent": { "type": "function", - "name": "direct", + "name": "indirect", "source_mapping": { - "start": 147, - "length": 79, + "start": 301, + "length": 82, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ - 11, - 12, - 13 + 19, + 20, + 21 ], "starting_column": 5, "ending_column": 6 
@@ -321,9 +321,9 @@ "start": 0, "length": 869, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, 
@@ -372,17 +372,17 @@ "ending_column": 2 } }, - "signature": "direct()" + "signature": "indirect()" } } } } ], - "description": "Test.direct() (tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol#11-13) sends eth to arbitrary user\n\tDangerous calls:\n\t- msg.sender.send(address(this).balance) (tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol#12)\n", - "markdown": "[Test.direct()](tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol#L11-L13) sends eth to arbitrary user\n\tDangerous calls:\n\t- [msg.sender.send(address(this).balance)](tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol#L12)\n", - "first_markdown_element": "tests/detectors/arbitrary-send/0.4.25/arbitrary_send.sol#L11-L13", - "id": "477cc1ab9fa3d2263400e47d09146eaed3e478f5eecf7856b59d49a2a5093a1c", - "check": "arbitrary-send", + "description": "Test.indirect() (tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol#19-21) sends eth to arbitrary user\n\tDangerous calls:\n\t- destination.send(address(this).balance) (tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol#20)\n", + "markdown": "[Test.indirect()](tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol#L19-L21) sends eth to arbitrary user\n\tDangerous calls:\n\t- [destination.send(address(this).balance)](tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol#L20)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-eth/0.4.25/arbitrary_send_eth.sol#L19-L21", + "id": "9d50facc8382e844e7381f8ca9e389061bd0302345047de2407e0ad7b046687d", + "check": "arbitrary-send-eth", "impact": "High", "confidence": "Medium" } diff --git a/tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol b/tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol similarity index 100% rename from tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol rename to tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol 
diff --git a/tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol.0.5.16.ArbitrarySend.json b/tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol.0.5.16.ArbitrarySendEth.json similarity index 88% rename from tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol.0.5.16.ArbitrarySend.json rename to tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol.0.5.16.ArbitrarySendEth.json index cfb1bcc13f..814e44e931 100644 --- a/tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol.0.5.16.ArbitrarySend.json +++ b/tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol.0.5.16.ArbitrarySendEth.json @@ -9,9 +9,9 @@ "start": 162, "length": 79, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 11, @@ -29,9 +29,9 @@ "start": 0, "length": 884, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, 
@@ -90,9 +90,9 @@ "start": 196, "length": 38, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 12 @@ -108,9 +108,9 @@ "start": 162, "length": 79, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 11, @@ -128,9 +128,9 @@ "start": 0, "length": 884, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, 
@@ -185,11 +185,11 @@ } } ], - "description": "Test.direct() (tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol#11-13) sends eth to arbitrary user\n\tDangerous calls:\n\t- msg.sender.send(address(this).balance) (tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol#12)\n", - "markdown": "[Test.direct()](tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol#L11-L13) sends eth to arbitrary user\n\tDangerous calls:\n\t- [msg.sender.send(address(this).balance)](tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol#L12)\n", - "first_markdown_element": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol#L11-L13", - "id": "9531cafd91af4d7b54f22fa933dae983077df1c51bd855c2516ffee812911f43", - "check": "arbitrary-send", + "description": "Test.direct() (tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol#11-13) sends eth to arbitrary user\n\tDangerous calls:\n\t- msg.sender.send(address(this).balance) (tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol#12)\n", + "markdown": "[Test.direct()](tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol#L11-L13) sends eth to arbitrary user\n\tDangerous calls:\n\t- [msg.sender.send(address(this).balance)](tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol#L12)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol#L11-L13", + "id": "7ded1859293ad51d129850d2f19669c7d38f4687a6e2afa8d93534d5f2a9a0ad", + "check": "arbitrary-send-eth", "impact": "High", "confidence": "Medium" }, 
@@ -202,9 +202,9 @@ "start": 316, "length": 82, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 19, @@ -222,9 +222,9 @@ "start": 0, "length": 884, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, @@ -283,9 +283,9 @@ "start": 352, "length": 39, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 20 
@@ -301,9 +301,9 @@ "start": 316, "length": 82, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 19, @@ -321,9 +321,9 @@ "start": 0, "length": 884, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, 
@@ -378,11 +378,11 @@ } } ], - "description": "Test.indirect() (tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol#19-21) sends eth to arbitrary user\n\tDangerous calls:\n\t- destination.send(address(this).balance) (tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol#20)\n", - "markdown": "[Test.indirect()](tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol#L19-L21) sends eth to arbitrary user\n\tDangerous calls:\n\t- [destination.send(address(this).balance)](tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol#L20)\n", - "first_markdown_element": "tests/detectors/arbitrary-send/0.5.16/arbitrary_send.sol#L19-L21", - "id": "f1395ebf21de9f8fb2c5d254c5990cce55b239c05a6a5e074813f58c6cd32834", - "check": "arbitrary-send", + "description": "Test.indirect() (tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol#19-21) sends eth to arbitrary user\n\tDangerous calls:\n\t- destination.send(address(this).balance) (tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol#20)\n", + "markdown": "[Test.indirect()](tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol#L19-L21) sends eth to arbitrary user\n\tDangerous calls:\n\t- [destination.send(address(this).balance)](tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol#L20)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-eth/0.5.16/arbitrary_send_eth.sol#L19-L21", + "id": "d27379ff48eebb6c568308104d444dc8f6b5ed5eae53f6c937aec9fb15cf6464", + "check": "arbitrary-send-eth", "impact": "High", "confidence": "Medium" } diff --git a/tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol b/tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol similarity index 100% rename from tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol rename to tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol 
diff --git a/tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol.0.6.11.ArbitrarySend.json b/tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol.0.6.11.ArbitrarySendEth.json similarity index 88% rename from tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol.0.6.11.ArbitrarySend.json rename to tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol.0.6.11.ArbitrarySendEth.json index cde2f95aa2..af4d54ece7 100644 --- a/tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol.0.6.11.ArbitrarySend.json +++ b/tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol.0.6.11.ArbitrarySendEth.json @@ -9,9 +9,9 @@ "start": 162, "length": 79, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 11, @@ -29,9 +29,9 @@ "start": 0, "length": 884, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, 
@@ -90,9 +90,9 @@ "start": 196, "length": 38, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 12 @@ -108,9 +108,9 @@ "start": 162, "length": 79, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 11, @@ -128,9 +128,9 @@ "start": 0, "length": 884, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, 
@@ -185,11 +185,11 @@ } } ], - "description": "Test.direct() (tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol#11-13) sends eth to arbitrary user\n\tDangerous calls:\n\t- msg.sender.send(address(this).balance) (tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol#12)\n", - "markdown": "[Test.direct()](tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol#L11-L13) sends eth to arbitrary user\n\tDangerous calls:\n\t- [msg.sender.send(address(this).balance)](tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol#L12)\n", - "first_markdown_element": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol#L11-L13", - "id": "8a1de239f630f10fef9ef6a9c439fc10aad2f6caba7ee43d1a7f7bacf6028f1e", - "check": "arbitrary-send", + "description": "Test.direct() (tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol#11-13) sends eth to arbitrary user\n\tDangerous calls:\n\t- msg.sender.send(address(this).balance) (tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol#12)\n", + "markdown": "[Test.direct()](tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol#L11-L13) sends eth to arbitrary user\n\tDangerous calls:\n\t- [msg.sender.send(address(this).balance)](tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol#L12)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol#L11-L13", + "id": "51e87e03fc48363e666bb99c1d15beccb50464e1c170eeea5b76ec6fcde643e7", + "check": "arbitrary-send-eth", "impact": "High", "confidence": "Medium" }, 
@@ -202,9 +202,9 @@ "start": 316, "length": 82, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 19, @@ -222,9 +222,9 @@ "start": 0, "length": 884, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, @@ -283,9 +283,9 @@ "start": 352, "length": 39, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 20 
@@ -301,9 +301,9 @@ "start": 316, "length": 82, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 19, @@ -321,9 +321,9 @@ "start": 0, "length": 884, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, 
@@ -378,11 +378,11 @@ } } ], - "description": "Test.indirect() (tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol#19-21) sends eth to arbitrary user\n\tDangerous calls:\n\t- destination.send(address(this).balance) (tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol#20)\n", - "markdown": "[Test.indirect()](tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol#L19-L21) sends eth to arbitrary user\n\tDangerous calls:\n\t- [destination.send(address(this).balance)](tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol#L20)\n", - "first_markdown_element": "tests/detectors/arbitrary-send/0.6.11/arbitrary_send.sol#L19-L21", - "id": "f272e05d9741895fc22051ed09afa6ce4af8ad4cd74b3452224dfb29eb4b9df6", - "check": "arbitrary-send", + "description": "Test.indirect() (tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol#19-21) sends eth to arbitrary user\n\tDangerous calls:\n\t- destination.send(address(this).balance) (tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol#20)\n", + "markdown": "[Test.indirect()](tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol#L19-L21) sends eth to arbitrary user\n\tDangerous calls:\n\t- [destination.send(address(this).balance)](tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol#L20)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-eth/0.6.11/arbitrary_send_eth.sol#L19-L21", + "id": "0ec491130aac4e23e6d47193bff49ed6029330bca373454b4e34ffba0a2baea6", + "check": "arbitrary-send-eth", "impact": "High", "confidence": "Medium" } diff --git a/tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol b/tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol similarity index 100% rename from tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol rename to tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol 
diff --git a/tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol.0.7.6.ArbitrarySend.json b/tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol.0.7.6.ArbitrarySendEth.json similarity index 88% rename from tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol.0.7.6.ArbitrarySend.json rename to tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol.0.7.6.ArbitrarySendEth.json index 0f0fe4d573..56afe8cb59 100644 --- a/tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol.0.7.6.ArbitrarySend.json +++ b/tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol.0.7.6.ArbitrarySendEth.json @@ -4,19 +4,19 @@ "elements": [ { "type": "function", - "name": "indirect", + "name": "direct", "source_mapping": { - "start": 316, - "length": 82, + "start": 162, + "length": 79, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ - 19, - 20, - 21 + 11, + 12, + 13 ], "starting_column": 5, "ending_column": 6 @@ -29,9 +29,9 @@ "start": 0, "length": 884, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, 
@@ -80,42 +80,42 @@ "ending_column": 2 } }, - "signature": "indirect()" + "signature": "direct()" } }, { "type": "node", - "name": "destination.send(address(this).balance)", + "name": "msg.sender.send(address(this).balance)", "source_mapping": { - "start": 352, - "length": 39, + "start": 196, + "length": 38, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ - 20 + 12 ], "starting_column": 9, - "ending_column": 48 + "ending_column": 47 }, "type_specific_fields": { "parent": { "type": "function", - "name": "indirect", + "name": "direct", "source_mapping": { - "start": 316, - "length": 82, + "start": 162, + "length": 79, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ - 19, - 20, - 21 + 11, + 12, + 13 ], "starting_column": 5, "ending_column": 6 
@@ -128,9 +128,9 @@ "start": 0, "length": 884, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, 
@@ -179,17 +179,17 @@ "ending_column": 2 } }, - "signature": "indirect()" + "signature": "direct()" } } } } ], - "description": "Test.indirect() (tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol#19-21) sends eth to arbitrary user\n\tDangerous calls:\n\t- destination.send(address(this).balance) (tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol#20)\n", - "markdown": "[Test.indirect()](tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol#L19-L21) sends eth to arbitrary user\n\tDangerous calls:\n\t- [destination.send(address(this).balance)](tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol#L20)\n", - "first_markdown_element": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol#L19-L21", - "id": "3bf41470de6f5fec21d1da5741e7d63ee1d3b63cfd2646d697274f4495e3f1a9", - "check": "arbitrary-send", + "description": "Test.direct() (tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol#11-13) sends eth to arbitrary user\n\tDangerous calls:\n\t- msg.sender.send(address(this).balance) (tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol#12)\n", + "markdown": "[Test.direct()](tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol#L11-L13) sends eth to arbitrary user\n\tDangerous calls:\n\t- [msg.sender.send(address(this).balance)](tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol#L12)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol#L11-L13", + "id": "76af03df5e6d33df8978a2cc00dfe944236aca69ad1b7f107580da1b76121082", + "check": "arbitrary-send-eth", "impact": "High", "confidence": "Medium" }, 
@@ -197,19 +197,19 @@ "elements": [ { "type": "function", - "name": "direct", + "name": "indirect", "source_mapping": { - "start": 162, - "length": 79, + "start": 316, + "length": 82, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ - 11, - 12, - 13 + 19, + 20, + 21 ], "starting_column": 5, "ending_column": 6 @@ -222,9 +222,9 @@ "start": 0, "length": 884, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, 
@@ -273,42 +273,42 @@ "ending_column": 2 } }, - "signature": "direct()" + "signature": "indirect()" } }, { "type": "node", - "name": "msg.sender.send(address(this).balance)", + "name": "destination.send(address(this).balance)", "source_mapping": { - "start": 196, - "length": 38, + "start": 352, + "length": 39, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ - 12 + 20 ], "starting_column": 9, - "ending_column": 47 + "ending_column": 48 }, "type_specific_fields": { "parent": { "type": "function", - "name": "direct", + "name": "indirect", "source_mapping": { - "start": 162, - "length": 79, + "start": 316, + "length": 82, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ - 11, - 12, - 13 + 19, + 20, + 21 ], "starting_column": 5, "ending_column": 6 
@@ -321,9 +321,9 @@ "start": 0, "length": 884, "filename_used": "/GENERIC_PATH", - "filename_relative": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_relative": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "filename_absolute": "/GENERIC_PATH", - "filename_short": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol", + "filename_short": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol", "is_dependency": false, "lines": [ 1, 
@@ -372,17 +372,17 @@ "ending_column": 2 } }, - "signature": "direct()" + "signature": "indirect()" } } } } ], - "description": "Test.direct() (tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol#11-13) sends eth to arbitrary user\n\tDangerous calls:\n\t- msg.sender.send(address(this).balance) (tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol#12)\n", - "markdown": "[Test.direct()](tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol#L11-L13) sends eth to arbitrary user\n\tDangerous calls:\n\t- [msg.sender.send(address(this).balance)](tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol#L12)\n", - "first_markdown_element": "tests/detectors/arbitrary-send/0.7.6/arbitrary_send.sol#L11-L13", - "id": "90d9178119fb586af18c2298136d7f1af4d33a9b702b94d2ca0fcdbe6ee783c6", - "check": "arbitrary-send", + "description": "Test.indirect() (tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol#19-21) sends eth to arbitrary user\n\tDangerous calls:\n\t- destination.send(address(this).balance) (tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol#20)\n", + "markdown": "[Test.indirect()](tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol#L19-L21) sends eth to arbitrary user\n\tDangerous calls:\n\t- [destination.send(address(this).balance)](tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol#L20)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-eth/0.7.6/arbitrary_send_eth.sol#L19-L21", + "id": "2e1bd6d1260cf35450734eb2027a2d964f61858a3aabd0cb459c22cb4da9956b", + "check": "arbitrary-send-eth", "impact": "High", "confidence": "Medium" } diff --git a/tests/test_detectors.py b/tests/test_detectors.py index 30999389c7..758e8cb719 100644 --- a/tests/test_detectors.py +++ b/tests/test_detectors.py 
@@ -396,23 +396,23 @@ def id_test(test_item: Test): Test(all_detectors.LockedEther, "locked_ether.sol", "0.6.11"), Test(all_detectors.LockedEther, "locked_ether.sol", "0.7.6"), Test( - all_detectors.ArbitrarySend, - "arbitrary_send.sol", + all_detectors.ArbitrarySendEth, + "arbitrary_send_eth.sol", "0.4.25", ), Test( - all_detectors.ArbitrarySend, - "arbitrary_send.sol", + all_detectors.ArbitrarySendEth, + "arbitrary_send_eth.sol", "0.5.16", ), Test( - all_detectors.ArbitrarySend, - "arbitrary_send.sol", + all_detectors.ArbitrarySendEth, + "arbitrary_send_eth.sol", "0.6.11", ), Test( - all_detectors.ArbitrarySend, - "arbitrary_send.sol", + all_detectors.ArbitrarySendEth, + "arbitrary_send_eth.sol", "0.7.6", ), Test( @@ -1272,6 +1272,56 @@ def id_test(test_item: Test): "comment.sol", "0.8.2", ), + Test( + all_detectors.ArbitrarySendErc20NoPermit, + "arbitrary_send_erc20.sol", + "0.4.25", + ), + Test( + all_detectors.ArbitrarySendErc20NoPermit, + "arbitrary_send_erc20.sol", + "0.5.16", + ), + Test( + all_detectors.ArbitrarySendErc20NoPermit, + "arbitrary_send_erc20.sol", + "0.6.11", + ), + Test( + all_detectors.ArbitrarySendErc20NoPermit, + "arbitrary_send_erc20.sol", + "0.7.6", + ), + Test( + all_detectors.ArbitrarySendErc20NoPermit, + "arbitrary_send_erc20.sol", + "0.8.0", + ), + Test( + all_detectors.ArbitrarySendErc20Permit, + "arbitrary_send_erc20_permit.sol", + "0.4.25", + ), + Test( + all_detectors.ArbitrarySendErc20Permit, + "arbitrary_send_erc20_permit.sol", + "0.5.16", + ), + Test( + all_detectors.ArbitrarySendErc20Permit, + "arbitrary_send_erc20_permit.sol", + "0.6.11", + ), + Test( + all_detectors.ArbitrarySendErc20Permit, + "arbitrary_send_erc20_permit.sol", + "0.7.6", + ), + Test( + all_detectors.ArbitrarySendErc20Permit, + "arbitrary_send_erc20_permit.sol", + "0.8.0", + ), ] From 134ddd355c5f205067da3a2a543b8fc4a9f7f002 Mon Sep 17 00:00:00 2001 
From: alpharush <0xalpharush@protonmail.com> Date: Sun, 20 Feb 2022 16:57:37 -0600 Subject: [PATCH 2/4] update heuristic to not flag when 'address(this)' is from param --- .../erc/erc20/arbitrary_send_erc20.py | 35 ++++++--- .../erc20/arbitrary_send_erc20_no_permit.py | 1 - .../erc/erc20/arbitrary_send_erc20_permit.py | 8 ++- .../0.4.25/arbitrary_send_erc20.sol | 8 +++ ...sol.0.4.25.ArbitrarySendErc20NoPermit.json | 72 +++++++++++++++---- .../0.5.16/arbitrary_send_erc20.sol | 8 +++ ...sol.0.5.16.ArbitrarySendErc20NoPermit.json | 72 +++++++++++++++---- .../0.6.11/arbitrary_send_erc20.sol | 8 +++ ...sol.0.6.11.ArbitrarySendErc20NoPermit.json | 72 +++++++++++++++---- .../0.7.6/arbitrary_send_erc20.sol | 8 +++ ....sol.0.7.6.ArbitrarySendErc20NoPermit.json | 72 +++++++++++++++---- .../0.8.0/arbitrary_send_erc20.sol | 8 +++ ....sol.0.8.0.ArbitrarySendErc20NoPermit.json | 72 +++++++++++++++---- 13 files changed, 373 insertions(+), 71 deletions(-) diff --git a/slither/detectors/erc/erc20/arbitrary_send_erc20.py b/slither/detectors/erc/erc20/arbitrary_send_erc20.py index 676cfd750b..5c44128f10 100644 --- a/slither/detectors/erc/erc20/arbitrary_send_erc20.py +++ b/slither/detectors/erc/erc20/arbitrary_send_erc20.py @@ -1,5 +1,6 @@ from typing import List from slither.core.cfg.node import Node +from slither.core.declarations.solidity_variables import SolidityVariable from slither.slithir.operations import HighLevelCall, LibraryCall from slither.core.declarations import Contract, Function, SolidityVariableComposed from slither.analyses.data_dependency.data_dependency import is_dependent @@ -7,6 +8,8 @@ class ArbitrarySendErc20: + """Detects instances where ERC20 can be sent from an arbitrary from address.""" + def __init__(self, compilation_unit: SlitherCompilationUnit): self._compilation_unit = compilation_unit self._no_permit_results: List[Node] = [] 
@@ -44,17 +47,26 @@ def _detect_arbitrary_from(self, contract: Contract): else: self._arbitrary_from(f.nodes, self._no_permit_results) + @classmethod def _arbitrary_from(self, nodes: List[Node], results: List[Node]): + """Finds instances of (safe)transferFrom that do not use msg.sender or address(this) as from parameter.""" for node in nodes: for ir in node.irs: if ( isinstance(ir, HighLevelCall) and isinstance(ir.function, Function) and ir.function.solidity_signature == "transferFrom(address,address,uint256)" - and not is_dependent( - ir.arguments[0], - SolidityVariableComposed("msg.sender"), - node.function.contract, + and not ( + is_dependent( + ir.arguments[0], + SolidityVariableComposed("msg.sender"), + node.function.contract, + ) + or is_dependent( + ir.arguments[0], + SolidityVariable("this"), + node.function.contract, + ) ) ): results.append(ir.node) @@ -62,10 +74,17 @@ def _arbitrary_from(self, nodes: List[Node], results: List[Node]): isinstance(ir, LibraryCall) and ir.function.solidity_signature == "safeTransferFrom(address,address,address,uint256)" - and not is_dependent( - ir.arguments[1], - SolidityVariableComposed("msg.sender"), - node.function.contract, + and not ( + is_dependent( + ir.arguments[1], + SolidityVariableComposed("msg.sender"), + node.function.contract, + ) + or is_dependent( + ir.arguments[1], + SolidityVariable("this"), + node.function.contract, + ) ) ): results.append(ir.node) diff --git a/slither/detectors/erc/erc20/arbitrary_send_erc20_no_permit.py b/slither/detectors/erc/erc20/arbitrary_send_erc20_no_permit.py index 78a1e34d47..e58af948df 100644 --- a/slither/detectors/erc/erc20/arbitrary_send_erc20_no_permit.py +++ b/slither/detectors/erc/erc20/arbitrary_send_erc20_no_permit.py 
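Review bot: The added `@classmethod` decorates a method whose first parameter is still named `self`, so that name is now bound to the class rather than the instance, which misleads readers and is commonly flagged by linters. The body visible in this hunk and the next one never reads that parameter, so `@staticmethod` with `def _arbitrary_from(nodes: List[Node], results: List[Node]):` states the intent directly. The existing call `self._arbitrary_from(f.nodes, self._no_permit_results)` keeps working unchanged. The function body continues into the following hunk.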
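Review bot: The new exemption suppresses a finding whenever the `from` argument has any data dependency on `msg.sender` or `this`, evaluated with the whole contract (`node.function.contract`) as context; this applies to the `safeTransferFrom` branch here and the `transferFrom` branch in the previous hunk. As far as the hunk shows, a `from` value that is `msg.sender` or `address(this)` on one path and a caller-supplied address on another would no longer be reported, which is a false negative worth recording next to the condition. I would add a comment such as `# NOTE: any dependency on msg.sender/this suppresses the finding, even if the value is caller-controlled on another path`. Since the two `is_dependent` pairs differ only in the argument index, a small helper taking the argument would keep both branches in sync.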
@@ -23,7 +23,6 @@ class ArbitrarySendErc20NoPermit(AbstractDetector): function a(address from, address to, uint256 amount) public { erc20.transferFrom(from, to, am); } -} ``` Alice approves this contract to spend her ERC20 tokens. Bob can call `a` and specify Alice's address as the `from` parameter in `transferFrom`, allowing him to transfer Alice's tokens to himself.""" diff --git a/slither/detectors/erc/erc20/arbitrary_send_erc20_permit.py b/slither/detectors/erc/erc20/arbitrary_send_erc20_permit.py index b8ab6e0667..b233b48455 100644 --- a/slither/detectors/erc/erc20/arbitrary_send_erc20_permit.py +++ b/slither/detectors/erc/erc20/arbitrary_send_erc20_permit.py @@ -26,7 +26,6 @@ class ArbitrarySendErc20Permit(AbstractDetector): erc20.permit(from, address(this), value, deadline, v, r, s); erc20.transferFrom(from, to, value); } -} ``` If an ERC20 token does not implement permit and has a fallback function e.g. WETH, transferFrom allows an attacker to transfer all tokens approved for this contract.""" @@ -42,7 +41,12 @@ def _detect(self) -> List[Output]: arbitrary_sends._detect() for node in arbitrary_sends.permit_results: func = node.function - info = [func, " uses arbitrary from in transferFrom in combination with permit: ", node, "\n"] + info = [ + func, + " uses arbitrary from in transferFrom in combination with permit: ", + node, + "\n", + ] res = self.generate_result(info) results.append(res) diff --git a/tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol b/tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol index cbed4554fc..8695d2de80 100644 --- a/tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol +++ b/tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol 
@@ -66,4 +66,12 @@ contract C { SafeERC20.safeTransferFrom(erc20, from, to, amount); } + function good5(address to, uint256 amount) external { + SafeERC20.safeTransferFrom(erc20, address(this), to, amount); + } + + function good6(address from, address to, uint256 amount) external { + erc20.safeTransferFrom(address(this), to, amount); + } + } diff --git a/tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol.0.4.25.ArbitrarySendErc20NoPermit.json b/tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol.0.4.25.ArbitrarySendErc20NoPermit.json index a367285c9f..6535937e7e 100644 --- a/tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol.0.4.25.ArbitrarySendErc20NoPermit.json +++ b/tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol.0.4.25.ArbitrarySendErc20NoPermit.json @@ -27,7 +27,7 @@ "name": "C", "source_mapping": { "start": 394, - "length": 1444, + "length": 1717, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", @@ -86,7 +86,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 @@ -138,7 +146,7 @@ "name": "C", "source_mapping": { "start": 394, - "length": 1444, + "length": 1717, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", @@ -197,7 +205,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 @@ -244,7 +260,7 @@ "name": "C", "source_mapping": { "start": 394, - "length": 1444, + "length": 1717, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", 
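Review bot: The added negative cases exercise only the `safeTransferFrom` paths (the `SafeERC20.safeTransferFrom(erc20, ...)` call in `good5` and the member-style call in `good6`), while the heuristic change in this commit also adds the `this` exemption to the plain `transferFrom(address,address,uint256)` branch. Unless a case outside this hunk already covers it, a fixture such as `function good7(address to, uint256 amount) external { erc20.transferFrom(address(this), to, amount); }` (the name is only a suggestion) would pin that branch too. `good6` also declares a `from` parameter it never uses; if that is deliberate, to show that an unrelated address parameter does not trigger the detector, a one-line comment saying so would help. The same hunk is repeated in the 0.5.16, 0.6.11, 0.7.6 and 0.8.0 fixtures.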
@@ -303,7 +319,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 @@ -355,7 +379,7 @@ "name": "C", "source_mapping": { "start": 394, - "length": 1444, + "length": 1717, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", @@ -414,7 +438,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 @@ -461,7 +493,7 @@ "name": "C", "source_mapping": { "start": 394, - "length": 1444, + "length": 1717, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", @@ -520,7 +552,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 @@ -572,7 +612,7 @@ "name": "C", "source_mapping": { "start": 394, - "length": 1444, + "length": 1717, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", @@ -631,7 +671,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 diff --git a/tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol b/tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol index ea5f5c24de..6cf2148056 100644 --- a/tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol +++ b/tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol 
@@ -66,4 +66,12 @@ contract C { SafeERC20.safeTransferFrom(erc20, from, to, amount); } + function good5(address to, uint256 amount) external { + SafeERC20.safeTransferFrom(erc20, address(this), to, amount); + } + + function good6(address from, address to, uint256 amount) external { + erc20.safeTransferFrom(address(this), to, amount); + } + } diff --git a/tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol.0.5.16.ArbitrarySendErc20NoPermit.json b/tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol.0.5.16.ArbitrarySendErc20NoPermit.json index 8f93377130..6a850f1cc4 100644 --- a/tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol.0.5.16.ArbitrarySendErc20NoPermit.json +++ b/tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol.0.5.16.ArbitrarySendErc20NoPermit.json @@ -27,7 +27,7 @@ "name": "C", "source_mapping": { "start": 394, - "length": 1444, + "length": 1717, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", @@ -86,7 +86,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 @@ -138,7 +146,7 @@ "name": "C", "source_mapping": { "start": 394, - "length": 1444, + "length": 1717, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", @@ -197,7 +205,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 @@ -244,7 +260,7 @@ "name": "C", "source_mapping": { "start": 394, - "length": 1444, + "length": 1717, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", 
@@ -303,7 +319,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 @@ -355,7 +379,7 @@ "name": "C", "source_mapping": { "start": 394, - "length": 1444, + "length": 1717, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", @@ -414,7 +438,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 @@ -461,7 +493,7 @@ "name": "C", "source_mapping": { "start": 394, - "length": 1444, + "length": 1717, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", @@ -520,7 +552,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 @@ -572,7 +612,7 @@ "name": "C", "source_mapping": { "start": 394, - "length": 1444, + "length": 1717, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", @@ -631,7 +671,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 diff --git a/tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol b/tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol index 70ac209dcd..a61e4f8ab3 100644 --- a/tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol +++ b/tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol 
@@ -65,5 +65,13 @@ contract C { function bad4(address from, address to, uint256 amount) external { SafeERC20.safeTransferFrom(erc20, from, to, amount); } + + function good5(address to, uint256 amount) external { + SafeERC20.safeTransferFrom(erc20, address(this), to, amount); + } + + function good6(address from, address to, uint256 amount) external { + erc20.safeTransferFrom(address(this), to, amount); + } } diff --git a/tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol.0.6.11.ArbitrarySendErc20NoPermit.json b/tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol.0.6.11.ArbitrarySendErc20NoPermit.json index 07b128bd70..6cd44870a6 100644 --- a/tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol.0.6.11.ArbitrarySendErc20NoPermit.json +++ b/tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol.0.6.11.ArbitrarySendErc20NoPermit.json @@ -27,7 +27,7 @@ "name": "C", "source_mapping": { "start": 403, - "length": 1444, + "length": 1721, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", @@ -86,7 +86,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 @@ -138,7 +146,7 @@ "name": "C", "source_mapping": { "start": 403, - "length": 1444, + "length": 1721, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", @@ -197,7 +205,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 @@ -244,7 +260,7 @@ "name": "C", "source_mapping": { "start": 403, - "length": 1444, + "length": 1721, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", 
@@ -303,7 +319,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 @@ -355,7 +379,7 @@ "name": "C", "source_mapping": { "start": 403, - "length": 1444, + "length": 1721, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", @@ -414,7 +438,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 @@ -461,7 +493,7 @@ "name": "C", "source_mapping": { "start": 403, - "length": 1444, + "length": 1721, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", @@ -520,7 +552,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 @@ -572,7 +612,7 @@ "name": "C", "source_mapping": { "start": 403, - "length": 1444, + "length": 1721, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", @@ -631,7 +671,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 diff --git a/tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol b/tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol index 56d3352ef4..0ceff0f666 100644 --- a/tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol +++ b/tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol 
@@ -66,4 +66,12 @@ contract C { SafeERC20.safeTransferFrom(erc20, from, to, amount); } + function good5(address to, uint256 amount) external { + SafeERC20.safeTransferFrom(erc20, address(this), to, amount); + } + + function good6(address from, address to, uint256 amount) external { + erc20.safeTransferFrom(address(this), to, amount); + } + } diff --git a/tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol.0.7.6.ArbitrarySendErc20NoPermit.json b/tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol.0.7.6.ArbitrarySendErc20NoPermit.json index 1be3753a12..9acf15da1a 100644 --- a/tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol.0.7.6.ArbitrarySendErc20NoPermit.json +++ b/tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol.0.7.6.ArbitrarySendErc20NoPermit.json @@ -27,7 +27,7 @@ "name": "C", "source_mapping": { "start": 402, - "length": 1437, + "length": 1710, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", @@ -86,7 +86,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 @@ -138,7 +146,7 @@ "name": "C", "source_mapping": { "start": 402, - "length": 1437, + "length": 1710, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", @@ -197,7 +205,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 @@ -244,7 +260,7 @@ "name": "C", "source_mapping": { "start": 402, - "length": 1437, + "length": 1710, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", 
@@ -303,7 +319,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 @@ -355,7 +379,7 @@ "name": "C", "source_mapping": { "start": 402, - "length": 1437, + "length": 1710, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", @@ -414,7 +438,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 @@ -461,7 +493,7 @@ "name": "C", "source_mapping": { "start": 402, - "length": 1437, + "length": 1710, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", @@ -520,7 +552,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 @@ -572,7 +612,7 @@ "name": "C", "source_mapping": { "start": 402, - "length": 1437, + "length": 1710, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", @@ -631,7 +671,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 diff --git a/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol b/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol index 68eafd3937..19dcf3f150 100644 --- a/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol +++ b/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol 
@@ -66,4 +66,12 @@ contract C { SafeERC20.safeTransferFrom(erc20, from, to, amount); } + function good5(address to, uint256 amount) external { + SafeERC20.safeTransferFrom(erc20, address(this), to, amount); + } + + function good6(address from, address to, uint256 amount) external { + erc20.safeTransferFrom(address(this), to, amount); + } + } diff --git a/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol.0.8.0.ArbitrarySendErc20NoPermit.json b/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol.0.8.0.ArbitrarySendErc20NoPermit.json index a340e4c4fa..694d2b4c69 100644 --- a/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol.0.8.0.ArbitrarySendErc20NoPermit.json +++ b/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol.0.8.0.ArbitrarySendErc20NoPermit.json @@ -27,7 +27,7 @@ "name": "C", "source_mapping": { "start": 402, - "length": 1437, + "length": 1710, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", @@ -86,7 +86,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 @@ -138,7 +146,7 @@ "name": "C", "source_mapping": { "start": 402, - "length": 1437, + "length": 1710, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", @@ -197,7 +205,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 @@ -244,7 +260,7 @@ "name": "C", "source_mapping": { "start": 402, - "length": 1437, + "length": 1710, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", 
@@ -303,7 +319,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 @@ -355,7 +379,7 @@ "name": "C", "source_mapping": { "start": 402, - "length": 1437, + "length": 1710, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", @@ -414,7 +438,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 @@ -461,7 +493,7 @@ "name": "C", "source_mapping": { "start": 402, - "length": 1437, + "length": 1710, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", @@ -520,7 +552,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 @@ -572,7 +612,7 @@ "name": "C", "source_mapping": { "start": 402, - "length": 1437, + "length": 1710, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", @@ -631,7 +671,15 @@ 66, 67, 68, - 69 + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77 ], "starting_column": 1, "ending_column": 2 From 1d81829ec10f391a7d4c4b0b9f6de35f61d0f96a Mon Sep 17 00:00:00 2001 
From: alpharush <0xalpharush@protonmail.com> Date: Thu, 21 Apr 2022 08:18:21 -0500 Subject: [PATCH 3/4] use functions instead of functions_derived to analyze inherited functions too --- .../erc/erc20/arbitrary_send_erc20.py | 2 +- ...t.sol.0.4.25.ArbitrarySendErc20Permit.json | 150 ++++++------- ...t.sol.0.5.16.ArbitrarySendErc20Permit.json | 144 ++++++------- ...t.sol.0.6.11.ArbitrarySendErc20Permit.json | 200 +++++++++--------- ...it.sol.0.7.6.ArbitrarySendErc20Permit.json | 200 +++++++++--------- ...it.sol.0.8.0.ArbitrarySendErc20Permit.json | 150 ++++++------- ...sol.0.4.25.ArbitrarySendErc20NoPermit.json | 92 ++++---- ...sol.0.5.16.ArbitrarySendErc20NoPermit.json | 138 ++++++------ ...sol.0.6.11.ArbitrarySendErc20NoPermit.json | 92 ++++---- ....sol.0.7.6.ArbitrarySendErc20NoPermit.json | 92 ++++---- ....sol.0.8.0.ArbitrarySendErc20NoPermit.json | 138 ++++++------ .../arbitrary_send_erc20_inheritance.sol | 16 ++ tests/test_detectors.py | 5 + 13 files changed, 720 insertions(+), 699 deletions(-) create mode 100644 tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20_inheritance.sol diff --git a/slither/detectors/erc/erc20/arbitrary_send_erc20.py b/slither/detectors/erc/erc20/arbitrary_send_erc20.py index 5c44128f10..1ab6428d44 100644 --- a/slither/detectors/erc/erc20/arbitrary_send_erc20.py +++ b/slither/detectors/erc/erc20/arbitrary_send_erc20.py @@ -28,7 +28,7 @@ def permit_results(self) -> List[Node]: return self._permit_results def _detect_arbitrary_from(self, contract: Contract): - for f in contract.functions_declared: + for f in contract.functions: all_high_level_calls = [ f_called[1].solidity_signature for f_called in f.high_level_calls diff --git a/tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol.0.4.25.ArbitrarySendErc20Permit.json b/tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol.0.4.25.ArbitrarySendErc20Permit.json index 0b3275b3da..e8486f5e1a 100644 
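Review bot: Iterating `contract.functions` makes every inherited function visible from each contract that inherits it, so the same `transferFrom` node can be appended to the result lists more than once if the caller runs `_detect_arbitrary_from` over all contracts in the compilation unit. That caller is outside this hunk, so this needs confirming. Guarding the appends in `_arbitrary_from` with `if ir.node not in results:`, or walking only the most-derived contracts, would avoid duplicate findings. A short comment on the loop, e.g. `# contract.functions also yields inherited functions, which functions_declared skips`, would record why the change was needed. `_detect_arbitrary_from` continues past the end of the hunk.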
--- a/tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol.0.4.25.ArbitrarySendErc20Permit.json +++ b/tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol.0.4.25.ArbitrarySendErc20Permit.json @@ -4,20 +4,20 @@ "elements": [ { "type": "function", - "name": "bad1", + "name": "bad4", "source_mapping": { - "start": 843, - "length": 232, + "start": 1794, + "length": 249, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 32, - 33, - 34, - 35 + 52, + 53, + 54, + 55 ], "starting_column": 5, "ending_column": 6 
@@ -79,43 +79,43 @@ "ending_column": 2 } }, - "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" } }, { "type": "node", - "name": "erc20.transferFrom(from,to,value)", + "name": "SafeERC20.safeTransferFrom(erc20,from,to,value)", "source_mapping": { - "start": 1033, - "length": 35, + "start": 1986, + "length": 50, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 34 + 54 ], "starting_column": 9, - "ending_column": 44 + "ending_column": 59 }, "type_specific_fields": { "parent": { "type": "function", - "name": "bad1", + "name": "bad4", "source_mapping": { - "start": 843, - "length": 232, + "start": 1794, + "length": 249, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 32, - 33, - 34, - 35 + 52, + 53, + 54, + 55 ], "starting_column": 5, "ending_column": 6 
@@ -177,16 +177,16 @@ "ending_column": 2 } }, - "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" } } } } ], - "description": "C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#32-35) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#34)\n", - "markdown": "[C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L32-L35) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L34)\n", - "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L32-L35", - "id": "82a43f5bf554d897b270abaac0ee62650383fe341adeff0d9c1c95b0040548a2", + "description": "C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#52-55) uses arbitrary from in transferFrom in combination with permit: SafeERC20.safeTransferFrom(erc20,from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#54)\n", + "markdown": "[C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L52-L55) uses arbitrary from in transferFrom in combination with permit: [SafeERC20.safeTransferFrom(erc20,from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L54)\n", + "first_markdown_element": 
"tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L52-L55", + "id": "22de0efa869fce1767af15469c8bcc95616478aec05625ab72283df0ad9fae55", "check": "arbitrary-send-erc20-permit", "impact": "High", "confidence": "Medium" @@ -386,20 +386,20 @@ "elements": [ { "type": "function", - "name": "bad3", + "name": "bad1", "source_mapping": { - "start": 1546, - "length": 238, + "start": 843, + "length": 232, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 47, - 48, - 49, - 50 + 32, + 33, + 34, + 35 ], "starting_column": 5, "ending_column": 6 
@@ -461,43 +461,43 @@ "ending_column": 2 } }, - "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" } }, { "type": "node", - "name": "erc20.safeTransferFrom(from,to,value)", + "name": "erc20.transferFrom(from,to,value)", "source_mapping": { - "start": 1738, - "length": 39, + "start": 1033, + "length": 35, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 49 + 34 ], "starting_column": 9, - "ending_column": 48 + "ending_column": 44 }, "type_specific_fields": { "parent": { "type": "function", - "name": "bad3", + "name": "bad1", "source_mapping": { - "start": 1546, - "length": 238, + "start": 843, + "length": 232, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 47, - 48, - 49, - 50 + 32, + 33, + 34, + 35 ], "starting_column": 5, "ending_column": 6 
@@ -559,16 +559,16 @@ "ending_column": 2 } }, - "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" } } } } ], - "description": "C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#47-50) uses arbitrary from in transferFrom in combination with permit: erc20.safeTransferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#49)\n", - "markdown": "[C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L47-L50) uses arbitrary from in transferFrom in combination with permit: [erc20.safeTransferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L49)\n", - "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L47-L50", - "id": "f7695706feb3a8409e367a88028dfad8c64e1000f1f71d6e55074d0dcfbc2305", + "description": "C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#32-35) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#34)\n", + "markdown": "[C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L32-L35) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L34)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L32-L35", + "id": 
"82a43f5bf554d897b270abaac0ee62650383fe341adeff0d9c1c95b0040548a2", "check": "arbitrary-send-erc20-permit", "impact": "High", "confidence": "Medium" @@ -577,20 +577,20 @@ "elements": [ { "type": "function", - "name": "bad4", + "name": "bad3", "source_mapping": { - "start": 1794, - "length": 249, + "start": 1546, + "length": 238, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 52, - 53, - 54, - 55 + 47, + 48, + 49, + 50 ], "starting_column": 5, "ending_column": 6 
@@ -652,43 +652,43 @@ "ending_column": 2 } }, - "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" } }, { "type": "node", - "name": "SafeERC20.safeTransferFrom(erc20,from,to,value)", + "name": "erc20.safeTransferFrom(from,to,value)", "source_mapping": { - "start": 1986, - "length": 50, + "start": 1738, + "length": 39, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 54 + 49 ], "starting_column": 9, - "ending_column": 59 + "ending_column": 48 }, "type_specific_fields": { "parent": { "type": "function", - "name": "bad4", + "name": "bad3", "source_mapping": { - "start": 1794, - "length": 249, + "start": 1546, + "length": 238, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 52, - 53, - 54, - 55 + 47, + 48, + 49, + 50 ], "starting_column": 5, "ending_column": 6 
@@ -750,16 +750,16 @@ "ending_column": 2 } }, - "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" } } } } ], - "description": "C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#52-55) uses arbitrary from in transferFrom in combination with permit: SafeERC20.safeTransferFrom(erc20,from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#54)\n", - "markdown": "[C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L52-L55) uses arbitrary from in transferFrom in combination with permit: [SafeERC20.safeTransferFrom(erc20,from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L54)\n", - "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L52-L55", - "id": "22de0efa869fce1767af15469c8bcc95616478aec05625ab72283df0ad9fae55", + "description": "C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#47-50) uses arbitrary from in transferFrom in combination with permit: erc20.safeTransferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#49)\n", + "markdown": "[C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L47-L50) uses arbitrary from in transferFrom in combination with permit: [erc20.safeTransferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L49)\n", + "first_markdown_element": 
"tests/detectors/arbitrary-send-erc20-permit/0.4.25/arbitrary_send_erc20_permit.sol#L47-L50", + "id": "f7695706feb3a8409e367a88028dfad8c64e1000f1f71d6e55074d0dcfbc2305", "check": "arbitrary-send-erc20-permit", "impact": "High", "confidence": "Medium" diff --git a/tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol.0.5.16.ArbitrarySendErc20Permit.json b/tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol.0.5.16.ArbitrarySendErc20Permit.json index 39888bf428..6452e06f92 100644 --- a/tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol.0.5.16.ArbitrarySendErc20Permit.json +++ b/tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol.0.5.16.ArbitrarySendErc20Permit.json @@ -4,20 +4,20 @@ "elements": [ { "type": "function", - "name": "bad1", + "name": "bad4", "source_mapping": { - "start": 843, - "length": 232, + "start": 1794, + "length": 249, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 32, - 33, - 34, - 35 + 52, + 53, + 54, + 55 ], "starting_column": 5, "ending_column": 6 
@@ -79,43 +79,43 @@ "ending_column": 2 } }, - "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" } }, { "type": "node", - "name": "erc20.transferFrom(from,to,value)", + "name": "SafeERC20.safeTransferFrom(erc20,from,to,value)", "source_mapping": { - "start": 1033, - "length": 35, + "start": 1986, + "length": 50, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 34 + 54 ], "starting_column": 9, - "ending_column": 44 + "ending_column": 59 }, "type_specific_fields": { "parent": { "type": "function", - "name": "bad1", + "name": "bad4", "source_mapping": { - "start": 843, - "length": 232, + "start": 1794, + "length": 249, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 32, - 33, - 34, - 35 + 52, + 53, + 54, + 55 ], "starting_column": 5, "ending_column": 6 
@@ -177,16 +177,16 @@ "ending_column": 2 } }, - "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" } } } } ], - "description": "C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#32-35) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#34)\n", - "markdown": "[C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L32-L35) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L34)\n", - "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L32-L35", - "id": "5983458eee02cf7d5484a82e17422dcdbd7b990305579e17d1252c0bb31e1cac", + "description": "C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#52-55) uses arbitrary from in transferFrom in combination with permit: SafeERC20.safeTransferFrom(erc20,from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#54)\n", + "markdown": "[C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L52-L55) uses arbitrary from in transferFrom in combination with permit: [SafeERC20.safeTransferFrom(erc20,from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L54)\n", + "first_markdown_element": 
"tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L52-L55", + "id": "57068db07fd7e67d0b63035936fad5a373fcb8f84bb6a58aa463278143db43fa", "check": "arbitrary-send-erc20-permit", "impact": "High", "confidence": "Medium" @@ -195,20 +195,20 @@ "elements": [ { "type": "function", - "name": "int_transferFrom", + "name": "bad1", "source_mapping": { - "start": 1294, - "length": 246, + "start": 843, + "length": 232, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 42, - 43, - 44, - 45 + 32, + 33, + 34, + 35 ], "starting_column": 5, "ending_column": 6 @@ -270,14 +270,14 @@ "ending_column": 2 } }, - "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" } }, { "type": "node", "name": "erc20.transferFrom(from,to,value)", "source_mapping": { - "start": 1498, + "start": 1033, "length": 35, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", @@ -285,7 +285,7 @@ "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 44 + 34 ], "starting_column": 9, "ending_column": 44 
@@ -293,20 +293,20 @@ "type_specific_fields": { "parent": { "type": "function", - "name": "int_transferFrom", + "name": "bad1", "source_mapping": { - "start": 1294, - "length": 246, + "start": 843, + "length": 232, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 42, - 43, - 44, - 45 + 32, + 33, + 34, + 35 ], "starting_column": 5, "ending_column": 6 
@@ -368,16 +368,16 @@ "ending_column": 2 } }, - "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" } } } } ], - "description": "C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#42-45) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#44)\n", - "markdown": "[C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L42-L45) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L44)\n", - "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L42-L45", - "id": "e3ed372c52b219322ca290ecfa79be96d7ea1b019af329a515c6c10b7a1cf03b", + "description": "C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#32-35) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#34)\n", + "markdown": "[C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L32-L35) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L34)\n", + "first_markdown_element": 
"tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L32-L35", + "id": "5983458eee02cf7d5484a82e17422dcdbd7b990305579e17d1252c0bb31e1cac", "check": "arbitrary-send-erc20-permit", "impact": "High", "confidence": "Medium" @@ -577,20 +577,20 @@ "elements": [ { "type": "function", - "name": "bad4", + "name": "int_transferFrom", "source_mapping": { - "start": 1794, - "length": 249, + "start": 1294, + "length": 246, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 52, - 53, - 54, - 55 + 42, + 43, + 44, + 45 ], "starting_column": 5, "ending_column": 6 
@@ -652,43 +652,43 @@ "ending_column": 2 } }, - "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" } }, { "type": "node", - "name": "SafeERC20.safeTransferFrom(erc20,from,to,value)", + "name": "erc20.transferFrom(from,to,value)", "source_mapping": { - "start": 1986, - "length": 50, + "start": 1498, + "length": 35, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 54 + 44 ], "starting_column": 9, - "ending_column": 59 + "ending_column": 44 }, "type_specific_fields": { "parent": { "type": "function", - "name": "bad4", + "name": "int_transferFrom", "source_mapping": { - "start": 1794, - "length": 249, + "start": 1294, + "length": 246, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 52, - 53, - 54, - 55 + 42, + 43, + 44, + 45 ], "starting_column": 5, "ending_column": 6 
@@ -750,16 +750,16 @@ "ending_column": 2 } }, - "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" } } } } ], - "description": "C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#52-55) uses arbitrary from in transferFrom in combination with permit: SafeERC20.safeTransferFrom(erc20,from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#54)\n", - "markdown": "[C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L52-L55) uses arbitrary from in transferFrom in combination with permit: [SafeERC20.safeTransferFrom(erc20,from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L54)\n", - "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L52-L55", - "id": "57068db07fd7e67d0b63035936fad5a373fcb8f84bb6a58aa463278143db43fa", + "description": "C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#42-45) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#44)\n", + "markdown": "[C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L42-L45) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L44)\n", + "first_markdown_element": 
"tests/detectors/arbitrary-send-erc20-permit/0.5.16/arbitrary_send_erc20_permit.sol#L42-L45", + "id": "e3ed372c52b219322ca290ecfa79be96d7ea1b019af329a515c6c10b7a1cf03b", "check": "arbitrary-send-erc20-permit", "impact": "High", "confidence": "Medium" diff --git a/tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol.0.6.11.ArbitrarySendErc20Permit.json b/tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol.0.6.11.ArbitrarySendErc20Permit.json index 7d4ca84d86..911573c671 100644 --- a/tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol.0.6.11.ArbitrarySendErc20Permit.json +++ b/tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol.0.6.11.ArbitrarySendErc20Permit.json @@ -4,20 +4,20 @@ "elements": [ { "type": "function", - "name": "bad1", + "name": "bad3", "source_mapping": { - "start": 861, - "length": 232, + "start": 1564, + "length": 238, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 32, - 33, - 34, - 35 + 47, + 48, + 49, + 50 ], "starting_column": 5, "ending_column": 6 
@@ -79,43 +79,43 @@ "ending_column": 2 } }, - "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" } }, { "type": "node", - "name": "erc20.transferFrom(from,to,value)", + "name": "erc20.safeTransferFrom(from,to,value)", "source_mapping": { - "start": 1051, - "length": 35, + "start": 1756, + "length": 39, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 34 + 49 ], "starting_column": 9, - "ending_column": 44 + "ending_column": 48 }, "type_specific_fields": { "parent": { "type": "function", - "name": "bad1", + "name": "bad3", "source_mapping": { - "start": 861, - "length": 232, + "start": 1564, + "length": 238, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 32, - 33, - 34, - 35 + 47, + 48, + 49, + 50 ], "starting_column": 5, "ending_column": 6 
@@ -177,16 +177,16 @@ "ending_column": 2 } }, - "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" } } } } ], - "description": "C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#32-35) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#34)\n", - "markdown": "[C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L32-L35) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L34)\n", - "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L32-L35", - "id": "f90e97c676187cd6d727064001123d8537f5d8253d0a66ab6798b4a1c250a425", + "description": "C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#47-50) uses arbitrary from in transferFrom in combination with permit: erc20.safeTransferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#49)\n", + "markdown": "[C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L47-L50) uses arbitrary from in transferFrom in combination with permit: [erc20.safeTransferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L49)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L47-L50", + "id": 
"1caf8efb7dd42f74884b4ee8d8b44585eeaa5758776ef8ac1e31b8aa749eac26", "check": "arbitrary-send-erc20-permit", "impact": "High", "confidence": "Medium" @@ -195,20 +195,20 @@ "elements": [ { "type": "function", - "name": "int_transferFrom", + "name": "bad4", "source_mapping": { - "start": 1312, - "length": 246, + "start": 1812, + "length": 249, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 42, - 43, - 44, - 45 + 52, + 53, + 54, + 55 ], "starting_column": 5, "ending_column": 6 
@@ -270,43 +270,43 @@ "ending_column": 2 } }, - "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" } }, { "type": "node", - "name": "erc20.transferFrom(from,to,value)", + "name": "SafeERC20.safeTransferFrom(erc20,from,to,value)", "source_mapping": { - "start": 1516, - "length": 35, + "start": 2004, + "length": 50, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 44 + 54 ], "starting_column": 9, - "ending_column": 44 + "ending_column": 59 }, "type_specific_fields": { "parent": { "type": "function", - "name": "int_transferFrom", + "name": "bad4", "source_mapping": { - "start": 1312, - "length": 246, + "start": 1812, + "length": 249, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 42, - 43, - 44, - 45 + 52, + 53, + 54, + 55 ], "starting_column": 5, "ending_column": 6 
@@ -368,16 +368,16 @@ "ending_column": 2 } }, - "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" } } } } ], - "description": "C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#42-45) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#44)\n", - "markdown": "[C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L42-L45) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L44)\n", - "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L42-L45", - "id": "f75bec4e068adbca017ad00b355347aa0c337b30a807fa8e1b80577b031e68fd", + "description": "C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#52-55) uses arbitrary from in transferFrom in combination with permit: SafeERC20.safeTransferFrom(erc20,from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#54)\n", + "markdown": "[C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L52-L55) uses arbitrary from in transferFrom in combination with permit: [SafeERC20.safeTransferFrom(erc20,from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L54)\n", + "first_markdown_element": 
"tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L52-L55", + "id": "cc58852f92580ac18db192412ec7e50667bf56d986349ae8fe6990f0b04f9f62", "check": "arbitrary-send-erc20-permit", "impact": "High", "confidence": "Medium" @@ -386,20 +386,20 @@ "elements": [ { "type": "function", - "name": "bad3", + "name": "int_transferFrom", "source_mapping": { - "start": 1564, - "length": 238, + "start": 1312, + "length": 246, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 47, - 48, - 49, - 50 + 42, + 43, + 44, + 45 ], "starting_column": 5, "ending_column": 6 
@@ -461,43 +461,43 @@ "ending_column": 2 } }, - "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" } }, { "type": "node", - "name": "erc20.safeTransferFrom(from,to,value)", + "name": "erc20.transferFrom(from,to,value)", "source_mapping": { - "start": 1756, - "length": 39, + "start": 1516, + "length": 35, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 49 + 44 ], "starting_column": 9, - "ending_column": 48 + "ending_column": 44 }, "type_specific_fields": { "parent": { "type": "function", - "name": "bad3", + "name": "int_transferFrom", "source_mapping": { - "start": 1564, - "length": 238, + "start": 1312, + "length": 246, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 47, - 48, - 49, - 50 + 42, + 43, + 44, + 45 ], "starting_column": 5, "ending_column": 6 
@@ -559,16 +559,16 @@ "ending_column": 2 } }, - "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" } } } } ], - "description": "C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#47-50) uses arbitrary from in transferFrom in combination with permit: erc20.safeTransferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#49)\n", - "markdown": "[C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L47-L50) uses arbitrary from in transferFrom in combination with permit: [erc20.safeTransferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L49)\n", - "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L47-L50", - "id": "1caf8efb7dd42f74884b4ee8d8b44585eeaa5758776ef8ac1e31b8aa749eac26", + "description": "C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#42-45) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#44)\n", + "markdown": "[C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L42-L45) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L44)\n", + "first_markdown_element": 
"tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L42-L45", + "id": "f75bec4e068adbca017ad00b355347aa0c337b30a807fa8e1b80577b031e68fd", "check": "arbitrary-send-erc20-permit", "impact": "High", "confidence": "Medium" @@ -577,20 +577,20 @@ "elements": [ { "type": "function", - "name": "bad4", + "name": "bad1", "source_mapping": { - "start": 1812, - "length": 249, + "start": 861, + "length": 232, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 52, - 53, - 54, - 55 + 32, + 33, + 34, + 35 ], "starting_column": 5, "ending_column": 6 
@@ -652,43 +652,43 @@ "ending_column": 2 } }, - "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" } }, { "type": "node", - "name": "SafeERC20.safeTransferFrom(erc20,from,to,value)", + "name": "erc20.transferFrom(from,to,value)", "source_mapping": { - "start": 2004, - "length": 50, + "start": 1051, + "length": 35, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 54 + 34 ], "starting_column": 9, - "ending_column": 59 + "ending_column": 44 }, "type_specific_fields": { "parent": { "type": "function", - "name": "bad4", + "name": "bad1", "source_mapping": { - "start": 1812, - "length": 249, + "start": 861, + "length": 232, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 52, - 53, - 54, - 55 + 32, + 33, + 34, + 35 ], "starting_column": 5, "ending_column": 6 
@@ -750,16 +750,16 @@ "ending_column": 2 } }, - "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" } } } } ], - "description": "C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#52-55) uses arbitrary from in transferFrom in combination with permit: SafeERC20.safeTransferFrom(erc20,from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#54)\n", - "markdown": "[C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L52-L55) uses arbitrary from in transferFrom in combination with permit: [SafeERC20.safeTransferFrom(erc20,from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L54)\n", - "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L52-L55", - "id": "cc58852f92580ac18db192412ec7e50667bf56d986349ae8fe6990f0b04f9f62", + "description": "C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#32-35) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#34)\n", + "markdown": "[C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L32-L35) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L34)\n", + "first_markdown_element": 
"tests/detectors/arbitrary-send-erc20-permit/0.6.11/arbitrary_send_erc20_permit.sol#L32-L35", + "id": "f90e97c676187cd6d727064001123d8537f5d8253d0a66ab6798b4a1c250a425", "check": "arbitrary-send-erc20-permit", "impact": "High", "confidence": "Medium" diff --git a/tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol.0.7.6.ArbitrarySendErc20Permit.json b/tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol.0.7.6.ArbitrarySendErc20Permit.json index 9ebc5f3181..f31ee33e1a 100644 --- a/tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol.0.7.6.ArbitrarySendErc20Permit.json +++ b/tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol.0.7.6.ArbitrarySendErc20Permit.json @@ -4,20 +4,20 @@ "elements": [ { "type": "function", - "name": "bad1", + "name": "bad3", "source_mapping": { - "start": 860, - "length": 232, + "start": 1563, + "length": 238, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 32, - 33, - 34, - 35 + 47, + 48, + 49, + 50 ], "starting_column": 5, "ending_column": 6 
@@ -79,43 +79,43 @@ "ending_column": 2 } }, - "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" } }, { "type": "node", - "name": "erc20.transferFrom(from,to,value)", + "name": "erc20.safeTransferFrom(from,to,value)", "source_mapping": { - "start": 1050, - "length": 35, + "start": 1755, + "length": 39, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 34 + 49 ], "starting_column": 9, - "ending_column": 44 + "ending_column": 48 }, "type_specific_fields": { "parent": { "type": "function", - "name": "bad1", + "name": "bad3", "source_mapping": { - "start": 860, - "length": 232, + "start": 1563, + "length": 238, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 32, - 33, - 34, - 35 + 47, + 48, + 49, + 50 ], "starting_column": 5, "ending_column": 6 
@@ -177,16 +177,16 @@ "ending_column": 2 } }, - "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" } } } } ], - "description": "C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#32-35) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#34)\n", - "markdown": "[C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L32-L35) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L34)\n", - "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L32-L35", - "id": "ba2c627103717a52a46b52714313000eb4f9d96f57dfac874854a3747ace5a13", + "description": "C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#47-50) uses arbitrary from in transferFrom in combination with permit: erc20.safeTransferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#49)\n", + "markdown": "[C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L47-L50) uses arbitrary from in transferFrom in combination with permit: [erc20.safeTransferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L49)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L47-L50", + "id": 
"63dc39bd9025d9fa7d39e07342e5652c010ff424e6d31ed9d1559f225c417956", "check": "arbitrary-send-erc20-permit", "impact": "High", "confidence": "Medium" @@ -195,20 +195,20 @@ "elements": [ { "type": "function", - "name": "int_transferFrom", + "name": "bad4", "source_mapping": { - "start": 1311, - "length": 246, + "start": 1811, + "length": 249, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 42, - 43, - 44, - 45 + 52, + 53, + 54, + 55 ], "starting_column": 5, "ending_column": 6 
@@ -270,43 +270,43 @@ "ending_column": 2 } }, - "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" } }, { "type": "node", - "name": "erc20.transferFrom(from,to,value)", + "name": "SafeERC20.safeTransferFrom(erc20,from,to,value)", "source_mapping": { - "start": 1515, - "length": 35, + "start": 2003, + "length": 50, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 44 + 54 ], "starting_column": 9, - "ending_column": 44 + "ending_column": 59 }, "type_specific_fields": { "parent": { "type": "function", - "name": "int_transferFrom", + "name": "bad4", "source_mapping": { - "start": 1311, - "length": 246, + "start": 1811, + "length": 249, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 42, - 43, - 44, - 45 + 52, + 53, + 54, + 55 ], "starting_column": 5, "ending_column": 6 
@@ -368,16 +368,16 @@ "ending_column": 2 } }, - "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" } } } } ], - "description": "C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#42-45) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#44)\n", - "markdown": "[C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L42-L45) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L44)\n", - "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L42-L45", - "id": "d56199ce2b7249389dffba8e53278f5ae32fbdda8a51cae8b5eb1cf2c09a0578", + "description": "C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#52-55) uses arbitrary from in transferFrom in combination with permit: SafeERC20.safeTransferFrom(erc20,from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#54)\n", + "markdown": "[C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L52-L55) uses arbitrary from in transferFrom in combination with permit: [SafeERC20.safeTransferFrom(erc20,from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L54)\n", + "first_markdown_element": 
"tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L52-L55", + "id": "7ebee7b534acb9d9502df84ba56fd0e90223cd262964c77cb9bee798eabd674b", "check": "arbitrary-send-erc20-permit", "impact": "High", "confidence": "Medium" @@ -386,20 +386,20 @@ "elements": [ { "type": "function", - "name": "bad3", + "name": "bad1", "source_mapping": { - "start": 1563, - "length": 238, + "start": 860, + "length": 232, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 47, - 48, - 49, - 50 + 32, + 33, + 34, + 35 ], "starting_column": 5, "ending_column": 6 
@@ -461,43 +461,43 @@ "ending_column": 2 } }, - "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" } }, { "type": "node", - "name": "erc20.safeTransferFrom(from,to,value)", + "name": "erc20.transferFrom(from,to,value)", "source_mapping": { - "start": 1755, - "length": 39, + "start": 1050, + "length": 35, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 49 + 34 ], "starting_column": 9, - "ending_column": 48 + "ending_column": 44 }, "type_specific_fields": { "parent": { "type": "function", - "name": "bad3", + "name": "bad1", "source_mapping": { - "start": 1563, - "length": 238, + "start": 860, + "length": 232, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 47, - 48, - 49, - 50 + 32, + 33, + 34, + 35 ], "starting_column": 5, "ending_column": 6 
@@ -559,16 +559,16 @@ "ending_column": 2 } }, - "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" } } } } ], - "description": "C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#47-50) uses arbitrary from in transferFrom in combination with permit: erc20.safeTransferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#49)\n", - "markdown": "[C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L47-L50) uses arbitrary from in transferFrom in combination with permit: [erc20.safeTransferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L49)\n", - "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L47-L50", - "id": "63dc39bd9025d9fa7d39e07342e5652c010ff424e6d31ed9d1559f225c417956", + "description": "C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#32-35) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#34)\n", + "markdown": "[C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L32-L35) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L34)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L32-L35", + "id": 
"ba2c627103717a52a46b52714313000eb4f9d96f57dfac874854a3747ace5a13", "check": "arbitrary-send-erc20-permit", "impact": "High", "confidence": "Medium" @@ -577,20 +577,20 @@ "elements": [ { "type": "function", - "name": "bad4", + "name": "int_transferFrom", "source_mapping": { - "start": 1811, - "length": 249, + "start": 1311, + "length": 246, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 52, - 53, - 54, - 55 + 42, + 43, + 44, + 45 ], "starting_column": 5, "ending_column": 6 
@@ -652,43 +652,43 @@ "ending_column": 2 } }, - "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" } }, { "type": "node", - "name": "SafeERC20.safeTransferFrom(erc20,from,to,value)", + "name": "erc20.transferFrom(from,to,value)", "source_mapping": { - "start": 2003, - "length": 50, + "start": 1515, + "length": 35, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 54 + 44 ], "starting_column": 9, - "ending_column": 59 + "ending_column": 44 }, "type_specific_fields": { "parent": { "type": "function", - "name": "bad4", + "name": "int_transferFrom", "source_mapping": { - "start": 1811, - "length": 249, + "start": 1311, + "length": 246, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 52, - 53, - 54, - 55 + 42, + 43, + 44, + 45 ], "starting_column": 5, "ending_column": 6 
@@ -750,16 +750,16 @@ "ending_column": 2 } }, - "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)" } } } } ], - "description": "C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#52-55) uses arbitrary from in transferFrom in combination with permit: SafeERC20.safeTransferFrom(erc20,from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#54)\n", - "markdown": "[C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L52-L55) uses arbitrary from in transferFrom in combination with permit: [SafeERC20.safeTransferFrom(erc20,from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L54)\n", - "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L52-L55", - "id": "7ebee7b534acb9d9502df84ba56fd0e90223cd262964c77cb9bee798eabd674b", + "description": "C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#42-45) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#44)\n", + "markdown": "[C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L42-L45) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L44)\n", + "first_markdown_element": 
"tests/detectors/arbitrary-send-erc20-permit/0.7.6/arbitrary_send_erc20_permit.sol#L42-L45", + "id": "d56199ce2b7249389dffba8e53278f5ae32fbdda8a51cae8b5eb1cf2c09a0578", "check": "arbitrary-send-erc20-permit", "impact": "High", "confidence": "Medium" diff --git a/tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol.0.8.0.ArbitrarySendErc20Permit.json b/tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol.0.8.0.ArbitrarySendErc20Permit.json index 429bdf585b..8adf73c173 100644 --- a/tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol.0.8.0.ArbitrarySendErc20Permit.json +++ b/tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol.0.8.0.ArbitrarySendErc20Permit.json @@ -4,20 +4,20 @@ "elements": [ { "type": "function", - "name": "bad1", + "name": "bad4", "source_mapping": { - "start": 860, - "length": 232, + "start": 1811, + "length": 249, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 32, - 33, - 34, - 35 + 52, + 53, + 54, + 55 ], "starting_column": 5, "ending_column": 6 
@@ -79,43 +79,43 @@ "ending_column": 2 } }, - "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" } }, { "type": "node", - "name": "erc20.transferFrom(from,to,value)", + "name": "SafeERC20.safeTransferFrom(erc20,from,to,value)", "source_mapping": { - "start": 1050, - "length": 35, + "start": 2003, + "length": 50, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 34 + 54 ], "starting_column": 9, - "ending_column": 44 + "ending_column": 59 }, "type_specific_fields": { "parent": { "type": "function", - "name": "bad1", + "name": "bad4", "source_mapping": { - "start": 860, - "length": 232, + "start": 1811, + "length": 249, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 32, - 33, - 34, - 35 + 52, + 53, + 54, + 55 ], "starting_column": 5, "ending_column": 6 
@@ -177,16 +177,16 @@ "ending_column": 2 } }, - "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" } } } } ], - "description": "C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#32-35) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#34)\n", - "markdown": "[C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L32-L35) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L34)\n", - "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L32-L35", - "id": "429dd8afad02f0e6869b1de2a82bf36ab35aaf74ba5909de5facd767f4642f32", + "description": "C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#52-55) uses arbitrary from in transferFrom in combination with permit: SafeERC20.safeTransferFrom(erc20,from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#54)\n", + "markdown": "[C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L52-L55) uses arbitrary from in transferFrom in combination with permit: [SafeERC20.safeTransferFrom(erc20,from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L54)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L52-L55", + 
"id": "136a1b6c001d3ca4b1aab662556139786307e1bf4cb929f4c507d592eb38cb72", "check": "arbitrary-send-erc20-permit", "impact": "High", "confidence": "Medium" @@ -386,20 +386,20 @@ "elements": [ { "type": "function", - "name": "bad3", + "name": "bad1", "source_mapping": { - "start": 1563, - "length": 238, + "start": 860, + "length": 232, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 47, - 48, - 49, - 50 + 32, + 33, + 34, + 35 ], "starting_column": 5, "ending_column": 6 
@@ -461,43 +461,43 @@ "ending_column": 2 } }, - "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" } }, { "type": "node", - "name": "erc20.safeTransferFrom(from,to,value)", + "name": "erc20.transferFrom(from,to,value)", "source_mapping": { - "start": 1755, - "length": 39, + "start": 1050, + "length": 35, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 49 + 34 ], "starting_column": 9, - "ending_column": 48 + "ending_column": 44 }, "type_specific_fields": { "parent": { "type": "function", - "name": "bad3", + "name": "bad1", "source_mapping": { - "start": 1563, - "length": 238, + "start": 860, + "length": 232, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 47, - 48, - 49, - 50 + 32, + 33, + 34, + 35 ], "starting_column": 5, "ending_column": 6 
@@ -559,16 +559,16 @@ "ending_column": 2 } }, - "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)" } } } } ], - "description": "C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#47-50) uses arbitrary from in transferFrom in combination with permit: erc20.safeTransferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#49)\n", - "markdown": "[C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L47-L50) uses arbitrary from in transferFrom in combination with permit: [erc20.safeTransferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L49)\n", - "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L47-L50", - "id": "7841a86248d8345520e98b963d59de36814b25e5fa3cef9e031c61d05a7feb2a", + "description": "C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#32-35) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#34)\n", + "markdown": "[C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L32-L35) uses arbitrary from in transferFrom in combination with permit: [erc20.transferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L34)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L32-L35", + "id": 
"429dd8afad02f0e6869b1de2a82bf36ab35aaf74ba5909de5facd767f4642f32", "check": "arbitrary-send-erc20-permit", "impact": "High", "confidence": "Medium" @@ -577,20 +577,20 @@ "elements": [ { "type": "function", - "name": "bad4", + "name": "bad3", "source_mapping": { - "start": 1811, - "length": 249, + "start": 1563, + "length": 238, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 52, - 53, - 54, - 55 + 47, + 48, + 49, + 50 ], "starting_column": 5, "ending_column": 6 
@@ -652,43 +652,43 @@ "ending_column": 2 } }, - "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" } }, { "type": "node", - "name": "SafeERC20.safeTransferFrom(erc20,from,to,value)", + "name": "erc20.safeTransferFrom(from,to,value)", "source_mapping": { - "start": 2003, - "length": 50, + "start": 1755, + "length": 39, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 54 + 49 ], "starting_column": 9, - "ending_column": 59 + "ending_column": 48 }, "type_specific_fields": { "parent": { "type": "function", - "name": "bad4", + "name": "bad3", "source_mapping": { - "start": 1811, - "length": 249, + "start": 1563, + "length": 238, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol", "is_dependency": false, "lines": [ - 52, - 53, - 54, - 55 + 47, + 48, + 49, + 50 ], "starting_column": 5, "ending_column": 6 
@@ -750,16 +750,16 @@ "ending_column": 2 } }, - "signature": "bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)" + "signature": "bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)" } } } } ], - "description": "C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#52-55) uses arbitrary from in transferFrom in combination with permit: SafeERC20.safeTransferFrom(erc20,from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#54)\n", - "markdown": "[C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L52-L55) uses arbitrary from in transferFrom in combination with permit: [SafeERC20.safeTransferFrom(erc20,from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L54)\n", - "first_markdown_element": "tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L52-L55", - "id": "136a1b6c001d3ca4b1aab662556139786307e1bf4cb929f4c507d592eb38cb72", + "description": "C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address) (tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#47-50) uses arbitrary from in transferFrom in combination with permit: erc20.safeTransferFrom(from,to,value) (tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#49)\n", + "markdown": "[C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address)](tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L47-L50) uses arbitrary from in transferFrom in combination with permit: [erc20.safeTransferFrom(from,to,value)](tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L49)\n", + "first_markdown_element": 
"tests/detectors/arbitrary-send-erc20-permit/0.8.0/arbitrary_send_erc20_permit.sol#L47-L50", + "id": "7841a86248d8345520e98b963d59de36814b25e5fa3cef9e031c61d05a7feb2a", "check": "arbitrary-send-erc20-permit", "impact": "High", "confidence": "Medium" diff --git a/tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol.0.4.25.ArbitrarySendErc20NoPermit.json b/tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol.0.4.25.ArbitrarySendErc20NoPermit.json index 6535937e7e..cf6feaa5a2 100644 --- a/tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol.0.4.25.ArbitrarySendErc20NoPermit.json +++ b/tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol.0.4.25.ArbitrarySendErc20NoPermit.json @@ -237,19 +237,19 @@ "elements": [ { "type": "function", - "name": "bad3", + "name": "bad4", "source_mapping": { - "start": 1434, - "length": 122, + "start": 1702, + "length": 133, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 57, - 58, - 59 + 65, + 66, + 67 ], "starting_column": 5, "ending_column": 6 
@@ -333,42 +333,42 @@ "ending_column": 2 } }, - "signature": "bad3(address,address,uint256)" + "signature": "bad4(address,address,uint256)" } }, { "type": "node", - "name": "erc20.safeTransferFrom(from,to,amount)", + "name": "SafeERC20.safeTransferFrom(erc20,from,to,amount)", "source_mapping": { - "start": 1509, - "length": 40, + "start": 1777, + "length": 51, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 58 + 66 ], "starting_column": 9, - "ending_column": 49 + "ending_column": 60 }, "type_specific_fields": { "parent": { "type": "function", - "name": "bad3", + "name": "bad4", "source_mapping": { - "start": 1434, - "length": 122, + "start": 1702, + "length": 133, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 57, - 58, - 59 + 65, + 66, + 67 ], "starting_column": 5, "ending_column": 6 
@@ -452,16 +452,16 @@ "ending_column": 2 } }, - "signature": "bad3(address,address,uint256)" + "signature": "bad4(address,address,uint256)" } } } } ], - "description": "C.bad3(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#57-59) uses arbitrary from in transferFrom: erc20.safeTransferFrom(from,to,amount) (tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#58)\n", - "markdown": "[C.bad3(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L57-L59) uses arbitrary from in transferFrom: [erc20.safeTransferFrom(from,to,amount)](tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L58)\n", - "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L57-L59", - "id": "e7271d3fa958d20a025419c070ea1010431487e98e30fa2db65db9bf54a13665", + "description": "C.bad4(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#65-67) uses arbitrary from in transferFrom: SafeERC20.safeTransferFrom(erc20,from,to,amount) (tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#66)\n", + "markdown": "[C.bad4(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L65-L67) uses arbitrary from in transferFrom: [SafeERC20.safeTransferFrom(erc20,from,to,amount)](tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L66)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L65-L67", + "id": "b2557d6385585034271b9873559de9cde4972e3207c43f260663f3d0e2a4d4a0", "check": "arbitrary-send-erc20", "impact": "High", "confidence": "High" 
@@ -470,19 +470,19 @@ "elements": [ { "type": "function", - "name": "bad4", + "name": "bad3", "source_mapping": { - "start": 1702, - "length": 133, + "start": 1434, + "length": 122, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 65, - 66, - 67 + 57, + 58, + 59 ], "starting_column": 5, "ending_column": 6 @@ -566,42 +566,42 @@ "ending_column": 2 } }, - "signature": "bad4(address,address,uint256)" + "signature": "bad3(address,address,uint256)" } }, { "type": "node", - "name": "SafeERC20.safeTransferFrom(erc20,from,to,amount)", + "name": "erc20.safeTransferFrom(from,to,amount)", "source_mapping": { - "start": 1777, - "length": 51, + "start": 1509, + "length": 40, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 66 + 58 ], "starting_column": 9, - "ending_column": 60 + "ending_column": 49 }, "type_specific_fields": { "parent": { "type": "function", - "name": "bad4", + "name": "bad3", "source_mapping": { - "start": 1702, - "length": 133, + "start": 1434, + "length": 122, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 65, - 66, - 67 + 57, + 58, + 59 ], "starting_column": 5, "ending_column": 6 
@@ -685,16 +685,16 @@ "ending_column": 2 } }, - "signature": "bad4(address,address,uint256)" + "signature": "bad3(address,address,uint256)" } } } } ], - "description": "C.bad4(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#65-67) uses arbitrary from in transferFrom: SafeERC20.safeTransferFrom(erc20,from,to,amount) (tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#66)\n", - "markdown": "[C.bad4(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L65-L67) uses arbitrary from in transferFrom: [SafeERC20.safeTransferFrom(erc20,from,to,amount)](tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L66)\n", - "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L65-L67", - "id": "b2557d6385585034271b9873559de9cde4972e3207c43f260663f3d0e2a4d4a0", + "description": "C.bad3(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#57-59) uses arbitrary from in transferFrom: erc20.safeTransferFrom(from,to,amount) (tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#58)\n", + "markdown": "[C.bad3(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L57-L59) uses arbitrary from in transferFrom: [erc20.safeTransferFrom(from,to,amount)](tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L58)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.4.25/arbitrary_send_erc20.sol#L57-L59", + "id": "e7271d3fa958d20a025419c070ea1010431487e98e30fa2db65db9bf54a13665", "check": "arbitrary-send-erc20", "impact": "High", "confidence": "High" 
diff --git a/tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol.0.5.16.ArbitrarySendErc20NoPermit.json b/tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol.0.5.16.ArbitrarySendErc20NoPermit.json index 6a850f1cc4..18a210262c 100644 --- a/tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol.0.5.16.ArbitrarySendErc20NoPermit.json +++ b/tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol.0.5.16.ArbitrarySendErc20NoPermit.json @@ -4,19 +4,19 @@ "elements": [ { "type": "function", - "name": "bad1", + "name": "bad4", "source_mapping": { - "start": 780, - "length": 97, + "start": 1702, + "length": 133, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 35, - 36, - 37 + 65, + 66, + 67 ], "starting_column": 5, "ending_column": 6 
@@ -100,42 +100,42 @@ "ending_column": 2 } }, - "signature": "bad1(address,uint256)" + "signature": "bad4(address,address,uint256)" } }, { "type": "node", - "name": "erc20.transferFrom(notsend,to,am)", + "name": "SafeERC20.safeTransferFrom(erc20,from,to,amount)", "source_mapping": { - "start": 835, - "length": 35, + "start": 1777, + "length": 51, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 36 + 66 ], "starting_column": 9, - "ending_column": 44 + "ending_column": 60 }, "type_specific_fields": { "parent": { "type": "function", - "name": "bad1", + "name": "bad4", "source_mapping": { - "start": 780, - "length": 97, + "start": 1702, + "length": 133, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 35, - 36, - 37 + 65, + 66, + 67 ], "starting_column": 5, "ending_column": 6 
@@ -219,16 +219,16 @@ "ending_column": 2 } }, - "signature": "bad1(address,uint256)" + "signature": "bad4(address,address,uint256)" } } } } ], - "description": "C.bad1(address,uint256) (tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#35-37) uses arbitrary from in transferFrom: erc20.transferFrom(notsend,to,am) (tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#36)\n", - "markdown": "[C.bad1(address,uint256)](tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L35-L37) uses arbitrary from in transferFrom: [erc20.transferFrom(notsend,to,am)](tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L36)\n", - "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L35-L37", - "id": "6ca6aea5c4506ac7fa421c049e0bd41faa74317e303b94721bc64c2fc6e8f128", + "description": "C.bad4(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#65-67) uses arbitrary from in transferFrom: SafeERC20.safeTransferFrom(erc20,from,to,amount) (tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#66)\n", + "markdown": "[C.bad4(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L65-L67) uses arbitrary from in transferFrom: [SafeERC20.safeTransferFrom(erc20,from,to,amount)](tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L66)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L65-L67", + "id": "15a810d738734100851211c7e6bff65724d553eb693869575ec3d9c9bf47081c", "check": "arbitrary-send-erc20", "impact": "High", "confidence": "High" 
@@ -237,19 +237,19 @@ "elements": [ { "type": "function", - "name": "bad3", + "name": "bad1", "source_mapping": { - "start": 1434, - "length": 122, + "start": 780, + "length": 97, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 57, - 58, - 59 + 35, + 36, + 37 ], "starting_column": 5, "ending_column": 6 @@ -333,42 +333,42 @@ "ending_column": 2 } }, - "signature": "bad3(address,address,uint256)" + "signature": "bad1(address,uint256)" } }, { "type": "node", - "name": "erc20.safeTransferFrom(from,to,amount)", + "name": "erc20.transferFrom(notsend,to,am)", "source_mapping": { - "start": 1509, - "length": 40, + "start": 835, + "length": 35, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 58 + 36 ], "starting_column": 9, - "ending_column": 49 + "ending_column": 44 }, "type_specific_fields": { "parent": { "type": "function", - "name": "bad3", + "name": "bad1", "source_mapping": { - "start": 1434, - "length": 122, + "start": 780, + "length": 97, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 57, - 58, - 59 + 35, + 36, + 37 ], "starting_column": 5, "ending_column": 6 
@@ -452,16 +452,16 @@ "ending_column": 2 } }, - "signature": "bad3(address,address,uint256)" + "signature": "bad1(address,uint256)" } } } } ], - "description": "C.bad3(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#57-59) uses arbitrary from in transferFrom: erc20.safeTransferFrom(from,to,amount) (tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#58)\n", - "markdown": "[C.bad3(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L57-L59) uses arbitrary from in transferFrom: [erc20.safeTransferFrom(from,to,amount)](tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L58)\n", - "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L57-L59", - "id": "773c84f15f90123743b54aca858695d11603109f4da52c487ee4ae161f09411b", + "description": "C.bad1(address,uint256) (tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#35-37) uses arbitrary from in transferFrom: erc20.transferFrom(notsend,to,am) (tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#36)\n", + "markdown": "[C.bad1(address,uint256)](tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L35-L37) uses arbitrary from in transferFrom: [erc20.transferFrom(notsend,to,am)](tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L36)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L35-L37", + "id": "6ca6aea5c4506ac7fa421c049e0bd41faa74317e303b94721bc64c2fc6e8f128", "check": "arbitrary-send-erc20", "impact": "High", "confidence": "High" 
@@ -470,19 +470,19 @@ "elements": [ { "type": "function", - "name": "bad4", + "name": "bad3", "source_mapping": { - "start": 1702, - "length": 133, + "start": 1434, + "length": 122, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 65, - 66, - 67 + 57, + 58, + 59 ], "starting_column": 5, "ending_column": 6 @@ -566,42 +566,42 @@ "ending_column": 2 } }, - "signature": "bad4(address,address,uint256)" + "signature": "bad3(address,address,uint256)" } }, { "type": "node", - "name": "SafeERC20.safeTransferFrom(erc20,from,to,amount)", + "name": "erc20.safeTransferFrom(from,to,amount)", "source_mapping": { - "start": 1777, - "length": 51, + "start": 1509, + "length": 40, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 66 + 58 ], "starting_column": 9, - "ending_column": 60 + "ending_column": 49 }, "type_specific_fields": { "parent": { "type": "function", - "name": "bad4", + "name": "bad3", "source_mapping": { - "start": 1702, - "length": 133, + "start": 1434, + "length": 122, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 65, - 66, - 67 + 57, + 58, + 59 ], "starting_column": 5, "ending_column": 6 
@@ -685,16 +685,16 @@ "ending_column": 2 } }, - "signature": "bad4(address,address,uint256)" + "signature": "bad3(address,address,uint256)" } } } } ], - "description": "C.bad4(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#65-67) uses arbitrary from in transferFrom: SafeERC20.safeTransferFrom(erc20,from,to,amount) (tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#66)\n", - "markdown": "[C.bad4(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L65-L67) uses arbitrary from in transferFrom: [SafeERC20.safeTransferFrom(erc20,from,to,amount)](tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L66)\n", - "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L65-L67", - "id": "15a810d738734100851211c7e6bff65724d553eb693869575ec3d9c9bf47081c", + "description": "C.bad3(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#57-59) uses arbitrary from in transferFrom: erc20.safeTransferFrom(from,to,amount) (tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#58)\n", + "markdown": "[C.bad3(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L57-L59) uses arbitrary from in transferFrom: [erc20.safeTransferFrom(from,to,amount)](tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L58)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.5.16/arbitrary_send_erc20.sol#L57-L59", + "id": "773c84f15f90123743b54aca858695d11603109f4da52c487ee4ae161f09411b", "check": "arbitrary-send-erc20", "impact": "High", "confidence": "High" 
diff --git a/tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol.0.6.11.ArbitrarySendErc20NoPermit.json b/tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol.0.6.11.ArbitrarySendErc20NoPermit.json index 6cd44870a6..8d6b2a67d8 100644 --- a/tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol.0.6.11.ArbitrarySendErc20NoPermit.json +++ b/tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol.0.6.11.ArbitrarySendErc20NoPermit.json @@ -237,19 +237,19 @@ "elements": [ { "type": "function", - "name": "bad3", + "name": "bad4", "source_mapping": { - "start": 1443, - "length": 122, + "start": 1711, + "length": 133, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 57, - 58, - 59 + 65, + 66, + 67 ], "starting_column": 5, "ending_column": 6 
@@ -333,42 +333,42 @@ "ending_column": 2 } }, - "signature": "bad3(address,address,uint256)" + "signature": "bad4(address,address,uint256)" } }, { "type": "node", - "name": "erc20.safeTransferFrom(from,to,amount)", + "name": "SafeERC20.safeTransferFrom(erc20,from,to,amount)", "source_mapping": { - "start": 1518, - "length": 40, + "start": 1786, + "length": 51, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 58 + 66 ], "starting_column": 9, - "ending_column": 49 + "ending_column": 60 }, "type_specific_fields": { "parent": { "type": "function", - "name": "bad3", + "name": "bad4", "source_mapping": { - "start": 1443, - "length": 122, + "start": 1711, + "length": 133, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 57, - 58, - 59 + 65, + 66, + 67 ], "starting_column": 5, "ending_column": 6 
@@ -452,16 +452,16 @@ "ending_column": 2 } }, - "signature": "bad3(address,address,uint256)" + "signature": "bad4(address,address,uint256)" } } } } ], - "description": "C.bad3(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#57-59) uses arbitrary from in transferFrom: erc20.safeTransferFrom(from,to,amount) (tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#58)\n", - "markdown": "[C.bad3(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L57-L59) uses arbitrary from in transferFrom: [erc20.safeTransferFrom(from,to,amount)](tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L58)\n", - "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L57-L59", - "id": "8551e9d33fdd4f73f1eb7776480b2e8cd2cf9c897b52285c3a287caab6822ce3", + "description": "C.bad4(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#65-67) uses arbitrary from in transferFrom: SafeERC20.safeTransferFrom(erc20,from,to,amount) (tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#66)\n", + "markdown": "[C.bad4(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L65-L67) uses arbitrary from in transferFrom: [SafeERC20.safeTransferFrom(erc20,from,to,amount)](tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L66)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L65-L67", + "id": "61438092d2da6c23ecfa13e5e55c489e538249e47bddd9335b533d28a242aea1", "check": "arbitrary-send-erc20", "impact": "High", "confidence": "High" 
@@ -470,19 +470,19 @@ "elements": [ { "type": "function", - "name": "bad4", + "name": "bad3", "source_mapping": { - "start": 1711, - "length": 133, + "start": 1443, + "length": 122, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 65, - 66, - 67 + 57, + 58, + 59 ], "starting_column": 5, "ending_column": 6 @@ -566,42 +566,42 @@ "ending_column": 2 } }, - "signature": "bad4(address,address,uint256)" + "signature": "bad3(address,address,uint256)" } }, { "type": "node", - "name": "SafeERC20.safeTransferFrom(erc20,from,to,amount)", + "name": "erc20.safeTransferFrom(from,to,amount)", "source_mapping": { - "start": 1786, - "length": 51, + "start": 1518, + "length": 40, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 66 + 58 ], "starting_column": 9, - "ending_column": 60 + "ending_column": 49 }, "type_specific_fields": { "parent": { "type": "function", - "name": "bad4", + "name": "bad3", "source_mapping": { - "start": 1711, - "length": 133, + "start": 1443, + "length": 122, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 65, - 66, - 67 + 57, + 58, + 59 ], "starting_column": 5, "ending_column": 6 
@@ -685,16 +685,16 @@ "ending_column": 2 } }, - "signature": "bad4(address,address,uint256)" + "signature": "bad3(address,address,uint256)" } } } } ], - "description": "C.bad4(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#65-67) uses arbitrary from in transferFrom: SafeERC20.safeTransferFrom(erc20,from,to,amount) (tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#66)\n", - "markdown": "[C.bad4(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L65-L67) uses arbitrary from in transferFrom: [SafeERC20.safeTransferFrom(erc20,from,to,amount)](tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L66)\n", - "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L65-L67", - "id": "61438092d2da6c23ecfa13e5e55c489e538249e47bddd9335b533d28a242aea1", + "description": "C.bad3(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#57-59) uses arbitrary from in transferFrom: erc20.safeTransferFrom(from,to,amount) (tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#58)\n", + "markdown": "[C.bad3(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L57-L59) uses arbitrary from in transferFrom: [erc20.safeTransferFrom(from,to,amount)](tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L58)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.6.11/arbitrary_send_erc20.sol#L57-L59", + "id": "8551e9d33fdd4f73f1eb7776480b2e8cd2cf9c897b52285c3a287caab6822ce3", "check": "arbitrary-send-erc20", "impact": "High", "confidence": "High" 
diff --git a/tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol.0.7.6.ArbitrarySendErc20NoPermit.json b/tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol.0.7.6.ArbitrarySendErc20NoPermit.json index 9acf15da1a..72b78d67a3 100644 --- a/tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol.0.7.6.ArbitrarySendErc20NoPermit.json +++ b/tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol.0.7.6.ArbitrarySendErc20NoPermit.json @@ -4,19 +4,19 @@ "elements": [ { "type": "function", - "name": "bad1", + "name": "bad3", "source_mapping": { - "start": 781, - "length": 97, + "start": 1435, + "length": 122, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 35, - 36, - 37 + 57, + 58, + 59 ], "starting_column": 5, "ending_column": 6 
@@ -100,42 +100,42 @@ "ending_column": 2 } }, - "signature": "bad1(address,uint256)" + "signature": "bad3(address,address,uint256)" } }, { "type": "node", - "name": "erc20.transferFrom(notsend,to,am)", + "name": "erc20.safeTransferFrom(from,to,amount)", "source_mapping": { - "start": 836, - "length": 35, + "start": 1510, + "length": 40, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 36 + 58 ], "starting_column": 9, - "ending_column": 44 + "ending_column": 49 }, "type_specific_fields": { "parent": { "type": "function", - "name": "bad1", + "name": "bad3", "source_mapping": { - "start": 781, - "length": 97, + "start": 1435, + "length": 122, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 35, - 36, - 37 + 57, + 58, + 59 ], "starting_column": 5, "ending_column": 6 
@@ -219,16 +219,16 @@ "ending_column": 2 } }, - "signature": "bad1(address,uint256)" + "signature": "bad3(address,address,uint256)" } } } } ], - "description": "C.bad1(address,uint256) (tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#35-37) uses arbitrary from in transferFrom: erc20.transferFrom(notsend,to,am) (tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#36)\n", - "markdown": "[C.bad1(address,uint256)](tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L35-L37) uses arbitrary from in transferFrom: [erc20.transferFrom(notsend,to,am)](tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L36)\n", - "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L35-L37", - "id": "820841ccd8aee0469f9719d62ad01054b71a758a1d6924ed6a19ea078ff8350a", + "description": "C.bad3(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#57-59) uses arbitrary from in transferFrom: erc20.safeTransferFrom(from,to,amount) (tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#58)\n", + "markdown": "[C.bad3(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L57-L59) uses arbitrary from in transferFrom: [erc20.safeTransferFrom(from,to,amount)](tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L58)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L57-L59", + "id": "27c4a0e1a038beb0c01c86e07f1aef592f96907d330bcf899bde6632a9022327", "check": "arbitrary-send-erc20", "impact": "High", "confidence": "High" 
@@ -237,19 +237,19 @@ "elements": [ { "type": "function", - "name": "bad3", + "name": "bad1", "source_mapping": { - "start": 1435, - "length": 122, + "start": 781, + "length": 97, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 57, - 58, - 59 + 35, + 36, + 37 ], "starting_column": 5, "ending_column": 6 @@ -333,42 +333,42 @@ "ending_column": 2 } }, - "signature": "bad3(address,address,uint256)" + "signature": "bad1(address,uint256)" } }, { "type": "node", - "name": "erc20.safeTransferFrom(from,to,amount)", + "name": "erc20.transferFrom(notsend,to,am)", "source_mapping": { - "start": 1510, - "length": 40, + "start": 836, + "length": 35, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 58 + 36 ], "starting_column": 9, - "ending_column": 49 + "ending_column": 44 }, "type_specific_fields": { "parent": { "type": "function", - "name": "bad3", + "name": "bad1", "source_mapping": { - "start": 1435, - "length": 122, + "start": 781, + "length": 97, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 57, - 58, - 59 + 35, + 36, + 37 ], "starting_column": 5, "ending_column": 6 
@@ -452,16 +452,16 @@ "ending_column": 2 } }, - "signature": "bad3(address,address,uint256)" + "signature": "bad1(address,uint256)" } } } } ], - "description": "C.bad3(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#57-59) uses arbitrary from in transferFrom: erc20.safeTransferFrom(from,to,amount) (tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#58)\n", - "markdown": "[C.bad3(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L57-L59) uses arbitrary from in transferFrom: [erc20.safeTransferFrom(from,to,amount)](tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L58)\n", - "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L57-L59", - "id": "27c4a0e1a038beb0c01c86e07f1aef592f96907d330bcf899bde6632a9022327", + "description": "C.bad1(address,uint256) (tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#35-37) uses arbitrary from in transferFrom: erc20.transferFrom(notsend,to,am) (tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#36)\n", + "markdown": "[C.bad1(address,uint256)](tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L35-L37) uses arbitrary from in transferFrom: [erc20.transferFrom(notsend,to,am)](tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L36)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.7.6/arbitrary_send_erc20.sol#L35-L37", + "id": "820841ccd8aee0469f9719d62ad01054b71a758a1d6924ed6a19ea078ff8350a", "check": "arbitrary-send-erc20", "impact": "High", "confidence": "High" diff --git a/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol.0.8.0.ArbitrarySendErc20NoPermit.json b/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol.0.8.0.ArbitrarySendErc20NoPermit.json index 694d2b4c69..de242ae4ea 100644 
--- a/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol.0.8.0.ArbitrarySendErc20NoPermit.json +++ b/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol.0.8.0.ArbitrarySendErc20NoPermit.json @@ -4,19 +4,19 @@ "elements": [ { "type": "function", - "name": "bad1", + "name": "bad3", "source_mapping": { - "start": 781, - "length": 97, + "start": 1435, + "length": 122, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 35, - 36, - 37 + 57, + 58, + 59 ], "starting_column": 5, "ending_column": 6 
@@ -100,42 +100,42 @@ "ending_column": 2 } }, - "signature": "bad1(address,uint256)" + "signature": "bad3(address,address,uint256)" } }, { "type": "node", - "name": "erc20.transferFrom(notsend,to,am)", + "name": "erc20.safeTransferFrom(from,to,amount)", "source_mapping": { - "start": 836, - "length": 35, + "start": 1510, + "length": 40, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 36 + 58 ], "starting_column": 9, - "ending_column": 44 + "ending_column": 49 }, "type_specific_fields": { "parent": { "type": "function", - "name": "bad1", + "name": "bad3", "source_mapping": { - "start": 781, - "length": 97, + "start": 1435, + "length": 122, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 35, - 36, - 37 + 57, + 58, + 59 ], "starting_column": 5, "ending_column": 6 
@@ -219,16 +219,16 @@ "ending_column": 2 } }, - "signature": "bad1(address,uint256)" + "signature": "bad3(address,address,uint256)" } } } } ], - "description": "C.bad1(address,uint256) (tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#35-37) uses arbitrary from in transferFrom: erc20.transferFrom(notsend,to,am) (tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#36)\n", - "markdown": "[C.bad1(address,uint256)](tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L35-L37) uses arbitrary from in transferFrom: [erc20.transferFrom(notsend,to,am)](tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L36)\n", - "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L35-L37", - "id": "8972d014c645b3a3783400fb2a6a38b20ea38973481025b6f99b3c15c9e63868", + "description": "C.bad3(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#57-59) uses arbitrary from in transferFrom: erc20.safeTransferFrom(from,to,amount) (tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#58)\n", + "markdown": "[C.bad3(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L57-L59) uses arbitrary from in transferFrom: [erc20.safeTransferFrom(from,to,amount)](tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L58)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L57-L59", + "id": "196b46419f55696599f4a533ea4915c3b1c39be679d8e2ab15a60b7a0238d52c", "check": "arbitrary-send-erc20", "impact": "High", "confidence": "High" 
@@ -237,19 +237,19 @@ "elements": [ { "type": "function", - "name": "bad3", + "name": "bad4", "source_mapping": { - "start": 1435, - "length": 122, + "start": 1703, + "length": 133, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 57, - 58, - 59 + 65, + 66, + 67 ], "starting_column": 5, "ending_column": 6 @@ -333,42 +333,42 @@ "ending_column": 2 } }, - "signature": "bad3(address,address,uint256)" + "signature": "bad4(address,address,uint256)" } }, { "type": "node", - "name": "erc20.safeTransferFrom(from,to,amount)", + "name": "SafeERC20.safeTransferFrom(erc20,from,to,amount)", "source_mapping": { - "start": 1510, - "length": 40, + "start": 1778, + "length": 51, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 58 + 66 ], "starting_column": 9, - "ending_column": 49 + "ending_column": 60 }, "type_specific_fields": { "parent": { "type": "function", - "name": "bad3", + "name": "bad4", "source_mapping": { - "start": 1435, - "length": 122, + "start": 1703, + "length": 133, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 57, - 58, - 59 + 65, + 66, + 67 ], "starting_column": 5, "ending_column": 6 
@@ -452,16 +452,16 @@ "ending_column": 2 } }, - "signature": "bad3(address,address,uint256)" + "signature": "bad4(address,address,uint256)" } } } } ], - "description": "C.bad3(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#57-59) uses arbitrary from in transferFrom: erc20.safeTransferFrom(from,to,amount) (tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#58)\n", - "markdown": "[C.bad3(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L57-L59) uses arbitrary from in transferFrom: [erc20.safeTransferFrom(from,to,amount)](tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L58)\n", - "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L57-L59", - "id": "196b46419f55696599f4a533ea4915c3b1c39be679d8e2ab15a60b7a0238d52c", + "description": "C.bad4(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#65-67) uses arbitrary from in transferFrom: SafeERC20.safeTransferFrom(erc20,from,to,amount) (tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#66)\n", + "markdown": "[C.bad4(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L65-L67) uses arbitrary from in transferFrom: [SafeERC20.safeTransferFrom(erc20,from,to,amount)](tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L66)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L65-L67", + "id": "6ba2ac6eeef603310a4b4f7931ab44fadb3a242517096e17c5f1e39f0f4b83cf", "check": "arbitrary-send-erc20", "impact": "High", "confidence": "High" 
@@ -470,19 +470,19 @@ "elements": [ { "type": "function", - "name": "bad4", + "name": "bad1", "source_mapping": { - "start": 1703, - "length": 133, + "start": 781, + "length": 97, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 65, - 66, - 67 + 35, + 36, + 37 ], "starting_column": 5, "ending_column": 6 @@ -566,42 +566,42 @@ "ending_column": 2 } }, - "signature": "bad4(address,address,uint256)" + "signature": "bad1(address,uint256)" } }, { "type": "node", - "name": "SafeERC20.safeTransferFrom(erc20,from,to,amount)", + "name": "erc20.transferFrom(notsend,to,am)", "source_mapping": { - "start": 1778, - "length": 51, + "start": 836, + "length": 35, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 66 + 36 ], "starting_column": 9, - "ending_column": 60 + "ending_column": 44 }, "type_specific_fields": { "parent": { "type": "function", - "name": "bad4", + "name": "bad1", "source_mapping": { - "start": 1703, - "length": 133, + "start": 781, + "length": 97, "filename_used": "/GENERIC_PATH", "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", "filename_absolute": "/GENERIC_PATH", "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol", "is_dependency": false, "lines": [ - 65, - 66, - 67 + 35, + 36, + 37 ], "starting_column": 5, "ending_column": 6 
@@ -685,16 +685,16 @@ "ending_column": 2 } }, - "signature": "bad4(address,address,uint256)" + "signature": "bad1(address,uint256)" } } } } ], - "description": "C.bad4(address,address,uint256) (tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#65-67) uses arbitrary from in transferFrom: SafeERC20.safeTransferFrom(erc20,from,to,amount) (tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#66)\n", - "markdown": "[C.bad4(address,address,uint256)](tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L65-L67) uses arbitrary from in transferFrom: [SafeERC20.safeTransferFrom(erc20,from,to,amount)](tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L66)\n", - "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L65-L67", - "id": "6ba2ac6eeef603310a4b4f7931ab44fadb3a242517096e17c5f1e39f0f4b83cf", + "description": "C.bad1(address,uint256) (tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#35-37) uses arbitrary from in transferFrom: erc20.transferFrom(notsend,to,am) (tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#36)\n", + "markdown": "[C.bad1(address,uint256)](tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L35-L37) uses arbitrary from in transferFrom: [erc20.transferFrom(notsend,to,am)](tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L36)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20.sol#L35-L37", + "id": "8972d014c645b3a3783400fb2a6a38b20ea38973481025b6f99b3c15c9e63868", "check": "arbitrary-send-erc20", "impact": "High", "confidence": "High" diff --git a/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20_inheritance.sol b/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20_inheritance.sol new file mode 100644 index 0000000000..c74ab0fa0e --- /dev/null 
+++ b/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20_inheritance.sol @@ -0,0 +1,16 @@ +pragma solidity 0.8.0; + +library Safe { + function safeTransferFrom(address token, address from, address to, uint256 amount) internal {} +} + +contract T { + using Safe for address; + address erc20; + + function bad(address from) public { + erc20.safeTransferFrom(from, address(0x1), 90); + } +} + +contract A is T {} diff --git a/tests/test_detectors.py b/tests/test_detectors.py index 758e8cb719..c01594f5f5 100644 --- a/tests/test_detectors.py +++ b/tests/test_detectors.py @@ -1297,6 +1297,11 @@ def id_test(test_item: Test): "arbitrary_send_erc20.sol", "0.8.0", ), + Test( + all_detectors.ArbitrarySendErc20NoPermit, + "arbitrary_send_erc20_inheritance.sol", + "0.8.0", + ), Test( all_detectors.ArbitrarySendErc20Permit, "arbitrary_send_erc20_permit.sol", From 2e7f1f1e3094abc1c71c2a805e6adbc85f9df544 Mon Sep 17 00:00:00 2001 From: alpharush <0xalpharush@protonmail.com> Date: Thu, 21 Apr 2022 13:11:16 -0500 Subject: [PATCH 4/4] fix lints and add missing artifact --- .../erc/erc20/arbitrary_send_erc20.py | 12 +- .../erc20/arbitrary_send_erc20_no_permit.py | 4 +- .../erc/erc20/arbitrary_send_erc20_permit.py | 4 +- ....sol.0.8.0.ArbitrarySendErc20NoPermit.json | 131 ++++++++++++++++++ 4 files changed, 141 insertions(+), 10 deletions(-) create mode 100644 tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20_inheritance.sol.0.8.0.ArbitrarySendErc20NoPermit.json diff --git a/slither/detectors/erc/erc20/arbitrary_send_erc20.py b/slither/detectors/erc/erc20/arbitrary_send_erc20.py index 1ab6428d44..7aeaa1139e 100644 --- a/slither/detectors/erc/erc20/arbitrary_send_erc20.py +++ b/slither/detectors/erc/erc20/arbitrary_send_erc20.py 
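Review bot: The new `arbitrary_send_erc20_inheritance.sol` fixture exercises only a flagged call, so nothing pins that an inherited function passing `msg.sender` as `from` stays unreported. Adding a second function to `T`, for example `function good() public { erc20.safeTransferFrom(msg.sender, address(0x1), 90); }`, would cover the negative path through the same `using Safe for address` call form. The expected-output JSON would then need regenerating, because the source mapping of contract `T` changes.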
@@ -43,12 +43,12 @@ def _detect_arbitrary_from(self, contract: Contract): "permit(address,address,uint256,uint256,uint8,bytes32,bytes32)" in all_high_level_calls ): - self._arbitrary_from(f.nodes, self._permit_results) + ArbitrarySendErc20._arbitrary_from(f.nodes, self._permit_results) else: - self._arbitrary_from(f.nodes, self._no_permit_results) + ArbitrarySendErc20._arbitrary_from(f.nodes, self._no_permit_results) - @classmethod - def _arbitrary_from(self, nodes: List[Node], results: List[Node]): + @staticmethod + def _arbitrary_from(nodes: List[Node], results: List[Node]): """Finds instances of (safe)transferFrom that do not use msg.sender or address(this) as from parameter.""" for node in nodes: for ir in node.irs: @@ -89,7 +89,7 @@ def _arbitrary_from(self, nodes: List[Node], results: List[Node]): ): results.append(ir.node) - def _detect(self): - """""" + def detect(self): + """Detect transfers that use arbitrary `from` parameter.""" for c in self.compilation_unit.contracts_derived: self._detect_arbitrary_from(c) diff --git a/slither/detectors/erc/erc20/arbitrary_send_erc20_no_permit.py b/slither/detectors/erc/erc20/arbitrary_send_erc20_no_permit.py index e58af948df..8e29ecbef8 100644 --- a/slither/detectors/erc/erc20/arbitrary_send_erc20_no_permit.py +++ b/slither/detectors/erc/erc20/arbitrary_send_erc20_no_permit.py @@ -1,7 +1,7 @@ from typing import List -from .arbitrary_send_erc20 import ArbitrarySendErc20 from slither.detectors.abstract_detector import AbstractDetector, DetectorClassification from slither.utils.output import Output +from .arbitrary_send_erc20 import ArbitrarySendErc20 class ArbitrarySendErc20NoPermit(AbstractDetector): 
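Review bot: The bucket choice in `_detect_arbitrary_from` rests on an exact match of the string `permit(address,address,uint256,uint256,uint8,bytes32,bytes32)`, so a token whose permit function has a different parameter list sends that function's findings to `_no_permit_results`. That is a classification difference rather than a missed finding, but it is worth stating next to the check, e.g. `# Only this exact permit signature is recognised; other permit variants are reported via the no-permit list.` The start of the function, including how `all_high_level_calls` is built, is outside this hunk.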
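Review bot: `detect()` calls `_detect_arbitrary_from` once per entry in `contracts_derived`, and `_arbitrary_from` ends in `results.append(ir.node)` with no check for an existing entry. If `_detect_arbitrary_from` also walks inherited functions (its loop is not visible in this hunk), a base-contract function shared by two derived contracts would be reported twice. The inheritance fixture added in this series has a single derived contract and would not show that. A guard such as `if ir.node not in results: results.append(ir.node)` would keep the lists unique, and `detect` could carry a `-> None` annotation.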
@@ -35,7 +35,7 @@ def _detect(self) -> List[Output]: results: List[Output] = [] arbitrary_sends = ArbitrarySendErc20(self.compilation_unit) - arbitrary_sends._detect() + arbitrary_sends.detect() for node in arbitrary_sends.no_permit_results: func = node.function info = [func, " uses arbitrary from in transferFrom: ", node, "\n"] diff --git a/slither/detectors/erc/erc20/arbitrary_send_erc20_permit.py b/slither/detectors/erc/erc20/arbitrary_send_erc20_permit.py index b233b48455..48e80772bd 100644 --- a/slither/detectors/erc/erc20/arbitrary_send_erc20_permit.py +++ b/slither/detectors/erc/erc20/arbitrary_send_erc20_permit.py @@ -1,7 +1,7 @@ from typing import List -from .arbitrary_send_erc20 import ArbitrarySendErc20 from slither.detectors.abstract_detector import AbstractDetector, DetectorClassification from slither.utils.output import Output +from .arbitrary_send_erc20 import ArbitrarySendErc20 class ArbitrarySendErc20Permit(AbstractDetector): @@ -38,7 +38,7 @@ def _detect(self) -> List[Output]: results: List[Output] = [] arbitrary_sends = ArbitrarySendErc20(self.compilation_unit) - arbitrary_sends._detect() + arbitrary_sends.detect() for node in arbitrary_sends.permit_results: func = node.function info = [ diff --git a/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20_inheritance.sol.0.8.0.ArbitrarySendErc20NoPermit.json b/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20_inheritance.sol.0.8.0.ArbitrarySendErc20NoPermit.json new file mode 100644 index 0000000000..e89b664bbb --- /dev/null +++ b/tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20_inheritance.sol.0.8.0.ArbitrarySendErc20NoPermit.json 
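Review bot: `ArbitrarySendErc20NoPermit._detect` builds its own `ArbitrarySendErc20(self.compilation_unit)` and calls `detect()`, and `ArbitrarySendErc20Permit._detect` in the later hunk does the same. With both detectors enabled the whole scan therefore runs twice, and each run reads only one of the two result lists. A comment at each call site would make that cost explicit until the result is shared, e.g. `# Re-runs the shared scan; results are not cached across the two detectors.` Both `_detect` bodies continue outside their hunks.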
@@ -0,0 +1,131 @@ +[ + [ + { + "elements": [ + { + "type": "function", + "name": "bad", + "source_mapping": { + "start": 196, + "length": 88, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20_inheritance.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20_inheritance.sol", + "is_dependency": false, + "lines": [ + 11, + 12, + 13 + ], + "starting_column": 2, + "ending_column": 3 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "T", + "source_mapping": { + "start": 138, + "length": 149, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20_inheritance.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20_inheritance.sol", + "is_dependency": false, + "lines": [ + 7, + 8, + 9, + 10, + 11, + 12, + 13, + 14 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad(address)" + } + }, + { + "type": "node", + "name": "erc20.safeTransferFrom(from,address(0x1),90)", + "source_mapping": { + "start": 234, + "length": 46, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20_inheritance.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20_inheritance.sol", + "is_dependency": false, + "lines": [ + 12 + ], + "starting_column": 3, + "ending_column": 49 + }, + "type_specific_fields": { + "parent": { + "type": "function", + "name": "bad", + "source_mapping": { + "start": 196, + "length": 88, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20_inheritance.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": 
"tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20_inheritance.sol", + "is_dependency": false, + "lines": [ + 11, + 12, + 13 + ], + "starting_column": 2, + "ending_column": 3 + }, + "type_specific_fields": { + "parent": { + "type": "contract", + "name": "T", + "source_mapping": { + "start": 138, + "length": 149, + "filename_used": "/GENERIC_PATH", + "filename_relative": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20_inheritance.sol", + "filename_absolute": "/GENERIC_PATH", + "filename_short": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20_inheritance.sol", + "is_dependency": false, + "lines": [ + 7, + 8, + 9, + 10, + 11, + 12, + 13, + 14 + ], + "starting_column": 1, + "ending_column": 2 + } + }, + "signature": "bad(address)" + } + } + } + } + ], + "description": "T.bad(address) (tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20_inheritance.sol#11-13) uses arbitrary from in transferFrom: erc20.safeTransferFrom(from,address(0x1),90) (tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20_inheritance.sol#12)\n", + "markdown": "[T.bad(address)](tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20_inheritance.sol#L11-L13) uses arbitrary from in transferFrom: [erc20.safeTransferFrom(from,address(0x1),90)](tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20_inheritance.sol#L12)\n", + "first_markdown_element": "tests/detectors/arbitrary-send-erc20/0.8.0/arbitrary_send_erc20_inheritance.sol#L11-L13", + "id": "51845f69be45c4d9b97ff3e01cbc5bf55d1c1cddcc4776f39e22dd803a241e46", + "check": "arbitrary-send-erc20", + "impact": "High", + "confidence": "High" + } + ] +] \ No newline at end of file