Add dynamic library loading support and external detector example (#17)

0xGeorgii · web-flow · commit 965883000f52 · 2025-04-24T11:22:51.000+05:00
diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -23,10 +23,12 @@
                 // "metadata"
                 "scan",
                 "${workspaceFolder}/corpus/subdir",
-                "--project-root",
-                "${workspaceFolder}/corpus",
-                "--detectors",
-                "all"
+                // "--project-root",
+                // "${workspaceFolder}/corpus",
+                // "--detectors",
+                // "all"
+                "--load",
+                "${workspaceFolder}/target/debug/libexternal_detector_example.so"
             ],
             "cwd": "${workspaceFolder}"
         },
diff --git a/compact-scanner/Cargo.toml b/compact-scanner/Cargo.toml
@@ -10,6 +10,7 @@ repository = { workspace = true }
 clap = { version = "4.5.32", features = ["derive"] }
 serde_json = { version = "1.0", features = ["preserve_order"] }
 serde_yaml = "0.9.17"
+libloading = "0.8.6"
 compact-security-detectors.workspace = true
 compact-security-detectors-sdk.workspace = true
 
diff --git a/compact-scanner/README.md b/compact-scanner/README.md
@@ -4,7 +4,8 @@ CLI tool for scanning `.compact` files using Compact security detectors.
 
 ## Overview
 
-The **compact-scanner** is a command-line tool designed to scan `.compact` files for security vulnerabilities using the Compact security detectors. It provides a simple interface to run various detectors and output results in JSON format.
+The **compact-scanner** is a command-line tool designed to scan `.compact` files for security vulnerabilities using the
+Compact security detectors. It provides a simple interface to run various detectors and output results in JSON format.
 
 ## CLI Usage
 
@@ -13,11 +14,13 @@ The **compact-scanner** is a command-line tool designed to scan `.compact` files
 ### Modes
 
 - `metadata` : Print scanner metadata as JSON and exit.
-- `scan <PATH>` : Scan files in the specified directory or file. The scanner will recursively scan all files in the directory and its subdirectories.
+- `scan <PATH>` : Scan files in the specified directory or file. The scanner will recursively scan all files in the
+  directory and its subdirectories.
 
 ### Options
 
-- `--detectors <NAME>...` : Optional list of detector names to run. If omitted, all available detectors will run. You can use `all` to run all detectors.
+- `--detectors <NAME>...` : Optional list of detector names to run. If omitted, all available detectors will run. You
+  can use `all` to run all detectors.
 - `--project-root <PATH>` : Optional project root path to calculate relative file paths in output.
 
 ### Examples
@@ -41,6 +44,7 @@ compact-scanner scan src --project-root .
 > How **compact-scanner** discovers and executes security detectors.
 
 Located in `src/main.rs`, the function:
+
 ```rust
 fn available_detectors() -> Vec<CompactDetector> {
     all_detectors()
@@ -51,14 +55,17 @@ fn available_detectors() -> Vec<CompactDetector> {
 ```
 
 ### Built-in vs. Custom Detectors
+
 - **Built-in**: Provided by `compact-security-detectors::all_detectors()`.
 - **Custom**: Placeholder via `custom_detectors()` (currently returns empty).
 
 ### Selecting Detectors
+
 - Omit `--detectors`: run all discovered detectors.
 - Provide `--detectors NAME...`: filter by detector `name()` property.
 
 ### Execution Flow
+
 1. Build the in-memory codebase: `build_codebase(files)` from the SDK.
 2. Iterate over selected detectors and run `detector.check(&codebase)`.
 3. Collect `DetectorResult` for detectors that return findings.
@@ -70,6 +77,7 @@ fn available_detectors() -> Vec<CompactDetector> {
 ### Metadata Output
 
 When invoked with `metadata`, the JSON includes:
+
 ```json
 {
   "name": "compact_scanner",
@@ -82,8 +90,13 @@ When invoked with `metadata`, the JSON includes:
       "description": "Detector Description",
       "report": {
         "severity": "<severity>",
-        "tags": ["tag1", "tag2"],
-        "template": { /* YAML converted to JSON */ }
+        "tags": [
+          "tag1",
+          "tag2"
+        ],
+        "template": {
+          /* YAML converted to JSON */
+        }
       }
     }
   ]
@@ -93,10 +106,14 @@ When invoked with `metadata`, the JSON includes:
 ### Scan Results Output
 
 When scanning code files, the JSON structure is:
+
 ```json
 {
   "errors": [],
-  "files_scanned": ["relative/path1.compact", "path2.compact"],
+  "files_scanned": [
+    "relative/path1.compact",
+    "path2.compact"
+  ],
   "detector_responses": {
     "DetectorName": {
       "finding": {
@@ -132,3 +149,26 @@ See [style guidelines](../style_guidelines.md) for coding standards and best pra
 ## License
 
 [AGPLv3](../LICENSE)
+
+## Experimental and Risk-Prone Feature
+
+> This functionality is intended for controlled testing environments only. It has not undergone extensive validation,
+> and its behavior may be unpredictable. Please ensure that you fully understand the potential risks and implications
+> before using it in any production scenario.
+
+
+For those who do not want to re-compile the `scanner` or `detectors` crates, dynamic library loading is available
+with the `--load` flag.
+
+Usage:
+
+```bash
+compact-scanner scan <PATH> --load <PATH_TO_DETECTOR_LIBRARY>
+```
+
+This will load the dynamic library at runtime. The library must contain the `CompactDetector` trait implementation and
+be compiled with the same Rust and `sdk` versions as the scanner.
+External detector must export the "external_detector" symbol.
+External detector must implement `DetectorReportTemplate` trait.
+
+See the example [external detector](../examples/external-detector/src/lib.rs) for more details.
diff --git a/compact-scanner/src/main.rs b/compact-scanner/src/main.rs
@@ -1,13 +1,13 @@
-use std::collections::HashMap;
-
 use clap::Parser;
 use compact_security_detectors::all_detectors;
 use compact_security_detectors_sdk::{
     build_codebase,
     detector::{CompactDetector, DetectorResult},
 };
+use libloading::{Library, Symbol};
 use parser::Cli;
 use serde_json::{json, Map};
+use std::collections::HashMap;
 
 mod parser;
 
@@ -19,6 +19,7 @@ fn main() {
             code,
             detectors,
             project_root,
+            load_lib,
         } => {
             let mut corpus = HashMap::new();
             for path in &code {
@@ -46,7 +47,7 @@ fn main() {
                 }
             }
             if !corpus.is_empty() {
-                let result = execute_rules(&corpus, detectors);
+                let result = execute_detectors(&corpus, detectors, load_lib);
 
                 let files_scanned: Vec<String> = corpus
                     .keys()
@@ -84,11 +85,25 @@ fn main() {
     }
 }
 
-fn execute_rules(
+fn execute_detectors(
     files: &HashMap<String, String>,
     rules: Option<Vec<String>>,
+    load_lib: Option<std::path::PathBuf>,
 ) -> HashMap<String, Vec<DetectorResult>> {
     let codebase = build_codebase(files).unwrap();
+    let mut results = HashMap::new();
+    if let Some(load_lib) = load_lib {
+        unsafe {
+            let lib = Library::new(load_lib).unwrap();
+            let constructor: Symbol<unsafe extern "C" fn() -> CompactDetector> =
+                lib.get(b"external_detector").unwrap();
+            let detector = constructor();
+            let detector_result = detector.check(codebase.as_ref());
+            if let Some(errors) = detector_result {
+                results.insert(detector.id().to_string(), errors);
+            }
+        }
+    }
     let selected_detectors: Vec<_> = available_detectors()
         .into_iter()
         .filter(|detector| {
@@ -101,7 +116,6 @@ fn execute_rules(
         })
         .collect();
 
-    let mut results = HashMap::new();
     for detector in selected_detectors {
         let detector_result = detector.check(codebase.as_ref());
         if let Some(errors) = detector_result {
diff --git a/compact-scanner/src/parser.rs b/compact-scanner/src/parser.rs
@@ -8,6 +8,8 @@ pub(crate) enum Commands {
         detectors: Option<Vec<String>>,
         #[arg(long = "project-root", required = false, value_parser)]
         project_root: Option<std::path::PathBuf>,
+        #[arg(long = "load", required = false, value_parser)]
+        load_lib: Option<std::path::PathBuf>,
     },
     Metadata,
 }
diff --git a/examples/external-detector/Cargo.toml b/examples/external-detector/Cargo.toml
@@ -0,0 +1,10 @@
+[package]
+name = "external-detector-example"
+version = "0.0.1"
+edition = "2021"
+
+[lib]
+crate-type = ["cdylib"]
+
+[dependencies]
+compact-security-detectors-sdk = { path = "../../sdk" }
diff --git a/examples/external-detector/src/lib.rs b/examples/external-detector/src/lib.rs
@@ -0,0 +1,147 @@
+use compact_security_detectors_sdk::{
+    ast::{
+        declaration::Declaration, definition::Definition, expression::Expression,
+        node_type::NodeType, ty::Type,
+    },
+    codebase::{Codebase, SealedState},
+    detector::{CompactDetector, DetectorOpaque, DetectorReportTemplate, DetectorResult},
+};
+use std::collections::HashMap;
+
+compact_security_detectors_sdk::detector! {
+
+    #[type_name = ArrayLoopBoundCheck]
+    fn array_loop_bound_check(
+        codebase: &Codebase<SealedState>,
+    ) -> Option<Vec<DetectorResult>> {
+        let mut errors = Vec::new();
+        for for_stmt in codebase.list_for_statement_nodes() {
+            let index_access_expressions = codebase.get_children_cmp(for_stmt.id, |n| {
+                matches!(n, NodeType::Expression(Expression::IndexAccess(_)))
+            });
+            let upper_bound = for_stmt.upper_bound_nat();
+            if upper_bound.is_none() {
+                continue;
+            }
+            let upper_bound = upper_bound.unwrap();
+
+            for index_access in index_access_expressions {
+                if let NodeType::Expression(Expression::IndexAccess(index_access)) = index_access {
+                    let arr_type = codebase.get_symbol_type_by_id(index_access.base.id());
+                    if let Some(Type::Vector(t_vec)) = arr_type {
+                        if t_vec.size_nat().unwrap_or(0) >= upper_bound {
+                            let parent = codebase.get_parent_container(index_access.id);
+                            let mut parent_type = "circuit";
+                            let parent_name = match parent {
+                                Some(NodeType::Definition(Definition::Circuit(c))) => c.name(),
+                                Some(NodeType::Declaration(Declaration::Constructor(_))) => {
+                                    parent_type = "constructor";
+                                    String::default()
+                                }
+                                _ => String::from("Unknown"),
+                            };
+                            errors.push(
+                                DetectorResult {
+                                    file_path: codebase.find_node_file(index_access.id).unwrap().fname,
+                                    offset_start: index_access.location.offset_start,
+                                    offset_end: index_access.location.offset_end,
+                                    extra: {
+                                        let mut map = HashMap::new();
+                                        map.insert("ARRAY_INDEX_ACCESS".to_string(), index_access.location.source.clone());
+                                        map.insert("PARENT_NAME".to_string(), parent_name);
+                                        map.insert("PARENT_TYPE".to_string(), parent_type.to_string());
+                                        Some(map)
+                                    },
+                                },
+                            );
+                        }
+                    }
+                }
+            }
+        }
+        if errors.is_empty() {
+            None
+        } else {
+            Some(errors)
+        }
+    }
+}
+
+impl DetectorReportTemplate for ArrayLoopBoundCheck {
+    fn id(&self) -> String {
+        String::from("array-loop-bound-check")
+    }
+    fn uid(&self) -> String {
+        String::from("3fTuAe")
+    }
+    fn description(&self) -> String {
+        String::from("Detects potential out-of-bounds array index accesses within loops, which can cause runtime errors or unexpected behavior.")
+    }
+    fn severity(&self) -> String {
+        String::from("medium")
+    }
+    fn tags(&self) -> Vec<String> {
+        vec![
+            String::from("audit"),
+            String::from("reportable"),
+            String::from("compact"),
+        ]
+    }
+    fn title_single_instance(&self) -> String {
+        String::from("Potential Out-of-Bounds Array Index Access Detected")
+    }
+    fn title_multiple_instance(&self) -> String {
+        String::from(
+            "The following potential out-of-bounds array index accesses were found in the code:",
+        )
+    }
+    fn opening(&self) -> String {
+        String::from("Accessing array elements outside their valid index range can lead to runtime errors, security vulnerabilities, or unpredictable program behavior. This issue typically occurs when a loop iterates beyond the array's defined bounds, resulting in unsafe memory access.")
+    }
+    fn body_single_file_single_instance(&self) -> String {
+        String::from("In `$file_name`, a potential out-of-bounds array index access was detected in the `$PARENT_NAME` $PARENT_TYPE on line $instance_line. The array access statement `$ARRAY_INDEX_ACCESS` may exceed the array's valid index range.")
+    }
+    fn body_single_file_multiple_instance(&self) -> String {
+        String::from("In `$file_name`, multiple potential out-of-bounds array index accesses were detected. Review each instance below to ensure array accesses remain within valid bounds.")
+    }
+    fn body_multiple_file_multiple_instance(&self) -> String {
+        String::from("Across $total_files files, multiple potential out-of-bounds array index accesses were detected. Review each instance below to ensure array accesses remain within valid bounds.")
+    }
+    fn body_list_item_single_file(&self) -> String {
+        {
+            "{body_list_item}".to_string()
+        }
+    }
+    fn body_list_item_multiple_file(&self) -> String {
+        {
+            "{body_list_item}".to_string()
+        }
+    }
+    fn closing(&self) -> String {
+        String::from("To resolve this issue, ensure that all array index accesses within loops are properly bounded and do not exceed the array's size. Failing to address this may result in runtime exceptions, data corruption, or exploitable vulnerabilities.")
+    }
+    fn template(&self) -> String {
+        String::from(
+            r#"template:
+      title: Potential Out-of-Bounds Array Index Access Detected
+      opening: Accessing array elements outside their valid index range can lead to runtime errors, security vulnerabilities, or unpredictable program behavior. This issue typically occurs when a loop iterates beyond the array's defined bounds, resulting in unsafe memory access.
+      body-single-file-single-instance: |
+        In `$file_name`, a potential out-of-bounds array index access was detected in the `$PARENT_NAME` $PARENT_TYPE on line $instance_line. The array access statement `$ARRAY_INDEX_ACCESS` may exceed the array's valid index range.
+      body-single-file-multiple-instance: |
+        In `$file_name`, multiple potential out-of-bounds array index accesses were detected. Review each instance below to ensure array accesses remain within valid bounds.
+      body-multiple-file-multiple-instance: |
+        Across $total_files files, multiple potential out-of-bounds array index accesses were detected. Review each instance below to ensure array accesses remain within valid bounds.
+      body-list-item-intro: 'The following potential out-of-bounds array index accesses were found in the code:'
+      body-list-item-always: '- The `$ARRAY_INDEX_ACCESS` statement in the `$PARENT_NAME` $PARENT_TYPE on line $instance_line of [`$file_name`]($instance_line_link)'
+      closing: |
+        To resolve this issue, ensure that all array index accesses within loops are properly bounded and do not exceed the array's size. Failing to address this may result in runtime exceptions, data corruption, or exploitable vulnerabilities.
+"#,
+        )
+    }
+}
+
+#[no_mangle]
+pub extern "C" fn external_detector() -> *mut DetectorOpaque {
+    let detector: CompactDetector = Box::new(ArrayLoopBoundCheck);
+    Box::into_raw(detector) as *mut DetectorOpaque
+}
diff --git a/sdk/src/detector.rs b/sdk/src/detector.rs
@@ -54,6 +54,11 @@ macro_rules! detectors {
     () => {};
 }
 
+#[repr(C)]
+pub struct DetectorOpaque {
+    _private: [u8; 0],
+}
+
 pub trait CombinedDetector: Detector + DetectorReportTemplate {}
 
 impl<T: Detector + DetectorReportTemplate> CombinedDetector for T {}

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,8 @@ pub(crate) enum Commands {`
`8`	`8`	`detectors: Option<Vec<String>>,`
`9`	`9`	`#[arg(long = "project-root", required = false, value_parser)]`
`10`	`10`	`project_root: Option<std::path::PathBuf>,`
	`11`	`+ #[arg(long = "load", required = false, value_parser)]`
	`12`	`+ load_lib: Option<std::path::PathBuf>,`
`11`	`13`	`},`
`12`	`14`	`Metadata,`
`13`	`15`	`}`