Exclude location for printer output

slither/__main__.py

@@ -54,6 +54,7 @@
 logging.basicConfig()
 logger = logging.getLogger("Slither")
 
+# pylint: disable=too-many-lines
 
 ###################################################################################
 ###################################################################################
@@ -422,6 +423,13 @@ def parse_args(
         default=defaults_flag_in_config["exclude_high"],
     )
 
+    group_detector.add_argument(
+        "--exclude-location",
+        help="Exclude location information from detector output",
+        action="store_true",
+        default=defaults_flag_in_config["exclude_location"],
+    )
+
     group_detector.add_argument(
         "--include-detectors",
         help="Comma-separated list of detectors that should be included",

slither/detectors/abstract_detector.py

@@ -277,6 +277,7 @@ def generate_result(
             additional_fields,
             standard_format=self.STANDARD_JSON,
             markdown_root=self.slither.markdown_root,
+            exclude_location=self.slither.exclude_location,
         )
 
         output.data["check"] = self.ARGUMENT

slither/slither.py

@@ -106,6 +106,7 @@ def __init__(self, target: Union[str, CryticCompile], **kwargs) -> None:
             generate_patches (bool): if true, patches are generated (json output only)
             change_line_prefix (str): Change the line prefix (default #)
                 for the displayed source codes (i.e. file.sol#1).
+            exclude_location (bool): if true, exclude locations from detector output (default false)
 
         """
         super().__init__()
@@ -186,6 +187,7 @@ def __init__(self, target: Union[str, CryticCompile], **kwargs) -> None:
             self.add_path_to_include(p)
 
         self._exclude_dependencies = kwargs.get("exclude_dependencies", False)
+        self.exclude_location = kwargs.get("exclude_location", False)
 
         triage_mode = kwargs.get("triage_mode", False)
         triage_database = kwargs.get("triage_database", "slither.db.json")

slither/utils/command_line.py

@@ -52,6 +52,7 @@ class FailOnLevel(enum.Enum):
     "exclude_dependencies": False,
     "exclude_informational": False,
     "exclude_optimization": False,
+    "exclude_location": False,
     "exclude_low": False,
     "exclude_medium": False,
     "exclude_high": False,

slither/utils/output.py

@@ -5,7 +5,7 @@
 import zipfile
 from collections import OrderedDict
 from importlib import metadata
-from typing import Tuple, Optional, Dict, List, Union, Any, TYPE_CHECKING, Type
+from typing import Tuple, Optional, Dict, List, Union, Any, TYPE_CHECKING, Type, TypeVar
 from zipfile import ZipFile
 
 
@@ -229,46 +229,52 @@ def output_to_zip(filename: str, error: Optional[str], results: Dict, zip_type:
 ###################################################################################
 
 
-def _convert_to_description(d: str) -> str:
+SourceMappingT = TypeVar("SourceMappingT", bound=SourceMapping)
+
+
+def _convert_to_description(d: Union[str, SourceMappingT], exclude_location: bool = False) -> str:
     if isinstance(d, str):
         return d
 
     if not isinstance(d, SourceMapping):
         raise SlitherError(f"{d} does not inherit from SourceMapping, conversion impossible")
 
     if isinstance(d, Node):
-        if d.expression:
-            return f"{d.expression} ({d.source_mapping})"
-        return f"{str(d)} ({d.source_mapping})"
-
-    if hasattr(d, "canonical_name"):
-        return f"{d.canonical_name} ({d.source_mapping})"
+        first_part = f"{d.expression}" if d.expression else f"{str(d)}"
+    elif hasattr(d, "canonical_name"):
+        first_part = f"{d.canonical_name}"
+    elif hasattr(d, "name"):
+        first_part = f"{d.name}"
+    else:
+        raise SlitherError(f"{type(d)} cannot be converted (no name, or canonical_name")
 
-    if hasattr(d, "name"):
-        return f"{d.name} ({d.source_mapping})"
+    if exclude_location:
+        return first_part
 
-    raise SlitherError(f"{type(d)} cannot be converted (no name, or canonical_name")
+    return f"{first_part} ({d.source_mapping})"
 
 
-def _convert_to_markdown(d: str, markdown_root: str) -> str:
+def _convert_to_markdown(d: str, markdown_root: str, exclude_location: bool = False) -> str:
     if isinstance(d, str):
         return d
 
     if not isinstance(d, SourceMapping):
         raise SlitherError(f"{d} does not inherit from SourceMapping, conversion impossible")
 
+    first_part: str
     if isinstance(d, Node):
-        if d.expression:
-            return f"[{d.expression}]({d.source_mapping.to_markdown(markdown_root)})"
-        return f"[{str(d)}]({d.source_mapping.to_markdown(markdown_root)})"
+        first_part = f"[{d.expression}]" if d.expression else f"[{str(d)}]"
+    elif hasattr(d, "canonical_name"):
+        first_part = f"[{d.canonical_name}]"
+    elif hasattr(d, "name"):
+        first_part = f"[{d.name}]"
+    else:
+        raise SlitherError(f"{type(d)} cannot be converted (no name, or canonical_name")
 
-    if hasattr(d, "canonical_name"):
-        return f"[{d.canonical_name}]({d.source_mapping.to_markdown(markdown_root)})"
+    if exclude_location:
+        return first_part
 
-    if hasattr(d, "name"):
-        return f"[{d.name}]({d.source_mapping.to_markdown(markdown_root)})"
-
-    raise SlitherError(f"{type(d)} cannot be converted (no name, or canonical_name")
+    return f"{first_part}({d.source_mapping.to_markdown(markdown_root)})"
 
 
 def _convert_to_id(d: str) -> str:
@@ -386,12 +392,13 @@ def _create_parent_element(
 
 
 class Output:
-    def __init__(
+    def __init__(  # pylint: disable=too-many-arguments
         self,
         info_: Union[str, List[Union[str, SupportedOutput]]],
         additional_fields: Optional[Dict] = None,
         markdown_root: str = "",
         standard_format: bool = True,
+        exclude_location: bool = False,
     ) -> None:
         if additional_fields is None:
             additional_fields = {}
@@ -405,8 +412,12 @@ def __init__(
 
         self._data = OrderedDict()
         self._data["elements"] = []
-        self._data["description"] = "".join(_convert_to_description(d) for d in info)
-        self._data["markdown"] = "".join(_convert_to_markdown(d, markdown_root) for d in info)
+        self._data["description"] = "".join(
+            _convert_to_description(d, exclude_location) for d in info
+        )
+        self._data["markdown"] = "".join(
+            _convert_to_markdown(d, markdown_root, exclude_location) for d in info
+        )
         self._data["first_markdown_element"] = ""
         self._markdown_root = markdown_root
 

tests/e2e/detectors/snapshots/detectors__exclude_location_ABIEncoderV2Array_0_4_25_storage_ABIEncoderV2_array_sol_exclude__0.txt

@@ -0,0 +1,18 @@
+Function A.bad3() trigger an abi encoding bug:
+	- b = abi.encode(s)
+
+Function A.bad0() trigger an abi encoding bug:
+	- this.bad0_external(bad_arr)
+
+Function A.bad4() trigger an abi encoding bug:
+	- event1_bad(bad_arr)
+
+Function A.bad2() trigger an abi encoding bug:
+	- b = abi.encode(bad_arr)
+
+Function A.bad1(A.S[3]) trigger an abi encoding bug:
+	- this.bad1_external(s)
+
+Function A.bad5() trigger an abi encoding bug:
+	- event2_bad(s)
+

tests/e2e/detectors/snapshots/detectors__exclude_location_ABIEncoderV2Array_0_5_9_storage_ABIEncoderV2_array_sol_exclude__0.txt

@@ -0,0 +1,18 @@
+Function A.bad5() trigger an abi encoding bug:
+	- event2_bad(s)
+
+Function A.bad0() trigger an abi encoding bug:
+	- this.bad0_external(bad_arr)
+
+Function A.bad4() trigger an abi encoding bug:
+	- event1_bad(bad_arr)
+
+Function A.bad2() trigger an abi encoding bug:
+	- b = abi.encode(bad_arr)
+
+Function A.bad1(A.S[3]) trigger an abi encoding bug:
+	- this.bad1_external(s)
+
+Function A.bad3() trigger an abi encoding bug:
+	- b = abi.encode(s)
+

tests/e2e/detectors/snapshots/detectors__exclude_location_ArbitrarySendErc20NoPermit_0_4_25_arbitrary_send_erc20_sol_exclude__0.txt

@@ -0,0 +1,6 @@
+C.bad4(address,address,uint256) uses arbitrary from in transferFrom: SafeERC20.safeTransferFrom(erc20,from,to,amount)
+
+C.bad1(address,uint256) uses arbitrary from in transferFrom: erc20.transferFrom(notsend,to,am)
+
+C.bad3(address,address,uint256) uses arbitrary from in transferFrom: erc20.safeTransferFrom(from,to,amount)
+

tests/e2e/detectors/snapshots/detectors__exclude_location_ArbitrarySendErc20NoPermit_0_5_16_arbitrary_send_erc20_sol_exclude__0.txt

@@ -0,0 +1,6 @@
+C.bad4(address,address,uint256) uses arbitrary from in transferFrom: SafeERC20.safeTransferFrom(erc20,from,to,amount)
+
+C.bad3(address,address,uint256) uses arbitrary from in transferFrom: erc20.safeTransferFrom(from,to,amount)
+
+C.bad1(address,uint256) uses arbitrary from in transferFrom: erc20.transferFrom(notsend,to,am)
+

tests/e2e/detectors/snapshots/detectors__exclude_location_ArbitrarySendErc20NoPermit_0_6_11_arbitrary_send_erc20_sol_exclude__0.txt

@@ -0,0 +1,6 @@
+C.bad1(address,uint256) uses arbitrary from in transferFrom: erc20.transferFrom(notsend,to,am)
+
+C.bad3(address,address,uint256) uses arbitrary from in transferFrom: erc20.safeTransferFrom(from,to,amount)
+
+C.bad4(address,address,uint256) uses arbitrary from in transferFrom: SafeERC20.safeTransferFrom(erc20,from,to,amount)
+

tests/e2e/detectors/snapshots/detectors__exclude_location_ArbitrarySendErc20NoPermit_0_7_6_arbitrary_send_erc20_sol_exclude__0.txt

@@ -0,0 +1,6 @@
+C.bad4(address,address,uint256) uses arbitrary from in transferFrom: SafeERC20.safeTransferFrom(erc20,from,to,amount)
+
+C.bad3(address,address,uint256) uses arbitrary from in transferFrom: erc20.safeTransferFrom(from,to,amount)
+
+C.bad1(address,uint256) uses arbitrary from in transferFrom: erc20.transferFrom(notsend,to,am)
+

tests/e2e/detectors/snapshots/detectors__exclude_location_ArbitrarySendErc20NoPermit_0_8_0_arbitrary_send_erc20_inheritance_sol_exclude__0.txt

@@ -0,0 +1,2 @@
+T.bad(address) uses arbitrary from in transferFrom: erc20.safeTransferFrom(from,address(0x1),90)
+

tests/e2e/detectors/snapshots/detectors__exclude_location_ArbitrarySendErc20NoPermit_0_8_0_arbitrary_send_erc20_sol_exclude__0.txt

@@ -0,0 +1,6 @@
+C.bad1(address,uint256) uses arbitrary from in transferFrom: erc20.transferFrom(notsend,to,am)
+
+C.bad3(address,address,uint256) uses arbitrary from in transferFrom: erc20.safeTransferFrom(from,to,amount)
+
+C.bad4(address,address,uint256) uses arbitrary from in transferFrom: SafeERC20.safeTransferFrom(erc20,from,to,amount)
+

tests/e2e/detectors/snapshots/detectors__exclude_location_ArbitrarySendErc20Permit_0_4_25_arbitrary_send_erc20_permit_sol_exclude__0.txt

@@ -0,0 +1,8 @@
+C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value)
+
+C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address) uses arbitrary from in transferFrom in combination with permit: erc20.safeTransferFrom(from,to,value)
+
+C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address) uses arbitrary from in transferFrom in combination with permit: SafeERC20.safeTransferFrom(erc20,from,to,value)
+
+C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value)
+

tests/e2e/detectors/snapshots/detectors__exclude_location_ArbitrarySendErc20Permit_0_5_16_arbitrary_send_erc20_permit_sol_exclude__0.txt

@@ -0,0 +1,8 @@
+C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value)
+
+C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address) uses arbitrary from in transferFrom in combination with permit: SafeERC20.safeTransferFrom(erc20,from,to,value)
+
+C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address) uses arbitrary from in transferFrom in combination with permit: erc20.safeTransferFrom(from,to,value)
+
+C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value)
+

tests/e2e/detectors/snapshots/detectors__exclude_location_ArbitrarySendErc20Permit_0_6_11_arbitrary_send_erc20_permit_sol_exclude__0.txt

@@ -0,0 +1,8 @@
+C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address) uses arbitrary from in transferFrom in combination with permit: erc20.safeTransferFrom(from,to,value)
+
+C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address) uses arbitrary from in transferFrom in combination with permit: SafeERC20.safeTransferFrom(erc20,from,to,value)
+
+C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value)
+
+C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value)
+

tests/e2e/detectors/snapshots/detectors__exclude_location_ArbitrarySendErc20Permit_0_7_6_arbitrary_send_erc20_permit_sol_exclude__0.txt

@@ -0,0 +1,8 @@
+C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value)
+
+C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value)
+
+C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address) uses arbitrary from in transferFrom in combination with permit: SafeERC20.safeTransferFrom(erc20,from,to,value)
+
+C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address) uses arbitrary from in transferFrom in combination with permit: erc20.safeTransferFrom(from,to,value)
+

tests/e2e/detectors/snapshots/detectors__exclude_location_ArbitrarySendErc20Permit_0_8_0_arbitrary_send_erc20_permit_sol_exclude__0.txt

@@ -0,0 +1,8 @@
+C.bad3(address,uint256,uint256,uint8,bytes32,bytes32,address) uses arbitrary from in transferFrom in combination with permit: erc20.safeTransferFrom(from,to,value)
+
+C.bad4(address,uint256,uint256,uint8,bytes32,bytes32,address) uses arbitrary from in transferFrom in combination with permit: SafeERC20.safeTransferFrom(erc20,from,to,value)
+
+C.int_transferFrom(address,uint256,uint256,uint8,bytes32,bytes32,address) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value)
+
+C.bad1(address,uint256,uint256,uint8,bytes32,bytes32,address) uses arbitrary from in transferFrom in combination with permit: erc20.transferFrom(from,to,value)
+

tests/e2e/detectors/snapshots/detectors__exclude_location_ArbitrarySendEth_0_4_25_arbitrary_send_eth_sol_exclude__0.txt

@@ -0,0 +1,8 @@
+Test.indirect() sends eth to arbitrary user
+	Dangerous calls:
+	- destination.send(address(this).balance)
+
+Test.direct() sends eth to arbitrary user
+	Dangerous calls:
+	- msg.sender.send(address(this).balance)
+

tests/e2e/detectors/snapshots/detectors__exclude_location_ArbitrarySendEth_0_5_16_arbitrary_send_eth_sol_exclude__0.txt

@@ -0,0 +1,8 @@
+Test.direct() sends eth to arbitrary user
+	Dangerous calls:
+	- msg.sender.send(address(this).balance)
+
+Test.indirect() sends eth to arbitrary user
+	Dangerous calls:
+	- destination.send(address(this).balance)
+

tests/e2e/detectors/snapshots/detectors__exclude_location_ArbitrarySendEth_0_6_11_arbitrary_send_eth_sol_exclude__0.txt

@@ -0,0 +1,8 @@
+Test.indirect() sends eth to arbitrary user
+	Dangerous calls:
+	- destination.send(address(this).balance)
+
+Test.direct() sends eth to arbitrary user
+	Dangerous calls:
+	- msg.sender.send(address(this).balance)
+

tests/e2e/detectors/snapshots/detectors__exclude_location_ArbitrarySendEth_0_7_6_arbitrary_send_eth_sol_exclude__0.txt

@@ -0,0 +1,8 @@
+Test.direct() sends eth to arbitrary user
+	Dangerous calls:
+	- msg.sender.send(address(this).balance)
+
+Test.indirect() sends eth to arbitrary user
+	Dangerous calls:
+	- destination.send(address(this).balance)
+

tests/e2e/detectors/snapshots/detectors__exclude_location_ArrayByReference_0_4_25_array_by_reference_sol_exclude__0.txt

@@ -0,0 +1,14 @@
+D.f() passes array D.x by reference to C.setByValue(uint256[1]) which only takes arrays by value
+
+C.g() passes array C.g().y by reference to C.setByValueAndReturn(uint256[1]) which only takes arrays by value
+
+C.f() passes array C.x by reference to C.setByValueAndReturn(uint256[1]) which only takes arrays by value
+
+C.f() passes array C.x by reference to C.setByValue(uint256[1]) which only takes arrays by value
+
+D.f() passes array D.x by reference to C.setByValueAndReturn(uint256[1]) which only takes arrays by value
+
+C.g() passes array C.g().y by reference to C.setByValue(uint256[1]) which only takes arrays by value
+
+E.f() passes array E.x by reference to E.setByValue(uint256[1],uint256[1]) which only takes arrays by value
+

tests/e2e/detectors/snapshots/detectors__exclude_location_ArrayByReference_0_5_16_array_by_reference_sol_exclude__0.txt

@@ -0,0 +1,14 @@
+D.f() passes array D.x by reference to C.setByValue(uint256[1]) which only takes arrays by value
+
+C.g() passes array C.g().y by reference to C.setByValueAndReturn(uint256[1]) which only takes arrays by value
+
+C.f() passes array C.x by reference to C.setByValueAndReturn(uint256[1]) which only takes arrays by value
+
+C.f() passes array C.x by reference to C.setByValue(uint256[1]) which only takes arrays by value
+
+D.f() passes array D.x by reference to C.setByValueAndReturn(uint256[1]) which only takes arrays by value
+
+C.g() passes array C.g().y by reference to C.setByValue(uint256[1]) which only takes arrays by value
+
+E.f() passes array E.x by reference to E.setByValue(uint256[1],uint256[1]) which only takes arrays by value
+

tests/e2e/detectors/snapshots/detectors__exclude_location_ArrayByReference_0_6_11_array_by_reference_sol_exclude__0.txt

@@ -0,0 +1,14 @@
+D.f() passes array D.x by reference to C.setByValue(uint256[1]) which only takes arrays by value
+
+C.g() passes array C.g().y by reference to C.setByValueAndReturn(uint256[1]) which only takes arrays by value
+
+C.f() passes array C.x by reference to C.setByValueAndReturn(uint256[1]) which only takes arrays by value
+
+C.f() passes array C.x by reference to C.setByValue(uint256[1]) which only takes arrays by value
+
+D.f() passes array D.x by reference to C.setByValueAndReturn(uint256[1]) which only takes arrays by value
+
+C.g() passes array C.g().y by reference to C.setByValue(uint256[1]) which only takes arrays by value
+
+E.f() passes array E.x by reference to E.setByValue(uint256[1],uint256[1]) which only takes arrays by value
+

tests/e2e/detectors/snapshots/detectors__exclude_location_ArrayByReference_0_7_6_array_by_reference_sol_exclude__0.txt

@@ -0,0 +1,14 @@
+D.f() passes array D.x by reference to C.setByValue(uint256[1]) which only takes arrays by value
+
+C.g() passes array C.g().y by reference to C.setByValueAndReturn(uint256[1]) which only takes arrays by value
+
+C.f() passes array C.x by reference to C.setByValueAndReturn(uint256[1]) which only takes arrays by value
+
+C.f() passes array C.x by reference to C.setByValue(uint256[1]) which only takes arrays by value
+
+D.f() passes array D.x by reference to C.setByValueAndReturn(uint256[1]) which only takes arrays by value
+
+C.g() passes array C.g().y by reference to C.setByValue(uint256[1]) which only takes arrays by value
+
+E.f() passes array E.x by reference to E.setByValue(uint256[1],uint256[1]) which only takes arrays by value
+

tests/e2e/detectors/snapshots/detectors__exclude_location_ArrayLengthAssignment_0_4_25_array_length_assignment_sol_exclude__0.txt

@@ -0,0 +1,9 @@
+ArrayLengthAssignment contract sets array length with a user-controlled value:
+	- b.subStruct.x.length = param + 1
+
+ArrayLengthAssignment contract sets array length with a user-controlled value:
+	- a.x.length = param
+
+ArrayLengthAssignment contract sets array length with a user-controlled value:
+	- arr.length = param
+