Merge branch 'master' into mattsse/delegatecall-loop-followups

Author: mattsse

crates/lint/README.md

@@ -27,6 +27,7 @@ It helps enforce best practices and improve code quality within Foundry projects
   - `block-timestamp`: Warns when `block.timestamp` is used in a comparison, as it may be manipulated by validators.
   - `delegatecall-loop`: Payable functions should not use `delegatecall` inside a loop.
   - `missing-zero-check`: Address parameter is used in a state write or value transfer without a zero-address check.
+  - `return-bomb`: External calls with a gas limit should not consume unbounded return data.
 - **Informational / Style Guide:**
   - `boolean-equal`: Boolean comparisons to constants should be simplified.
   - `too-many-digits`: Numeric literals with 5+ consecutive zeros are error-prone.

crates/lint/docs/return-bomb.md

@@ -0,0 +1,45 @@
+# Return bomb
+
+**Severity**: `Low`
+**ID**: `return-bomb`
+
+Flags external calls that set an explicit gas limit while copying unbounded dynamic returndata.
+
+## What it does
+
+Detects low-level `call`, `delegatecall`, and `staticcall` expressions that specify `{gas: ...}`.
+Solidity copies the full returndata for these calls even when the second tuple element is ignored.
+It also detects high-level external calls with `{gas: ...}` that consume dynamically encoded return
+values such as `bytes`, `string`, dynamic arrays, or structs containing dynamic fields.
+
+## Why is this bad?
+
+The gas option limits gas forwarded to the callee, but copying returndata into memory is paid by
+the caller after the call returns. A malicious callee can return or revert with large returndata,
+causing the caller to run out of gas while implicitly copying the result.
+
+## Example
+
+### Bad
+
+```solidity
+function callTarget(address target, bytes memory payload, uint256 gasLimit) external {
+    (bool ok, ) = target.call{gas: gasLimit}(payload);
+    require(ok);
+}
+```
+
+### Good
+
+```solidity
+function callTarget(address target, bytes memory payload, uint256 gasLimit) external {
+    bool ok;
+    assembly {
+        ok := call(gasLimit, target, 0, add(payload, 0x20), mload(payload), 0, 0)
+    }
+    require(ok);
+}
+```
+
+Ignoring the second tuple element does not avoid the copy. If the returndata is needed, copy only a
+bounded number of bytes with a helper that caps returndata size.

crates/lint/src/sol/calls.rs

@@ -1,6 +1,7 @@
 use solar::{
     ast::{Expr, ExprKind},
     interface::kw,
+    sema::hir,
 };
 
 /// Checks if an expression is a low-level call.
@@ -23,3 +24,21 @@ pub(crate) const fn is_low_level_call(expr: &Expr<'_>) -> bool {
     }
     false
 }
+
+/// Checks if a HIR expression is any call with an explicit gas option.
+pub(crate) fn is_call_with_gas_limit(expr: &hir::Expr<'_>) -> bool {
+    let Some((_, opts)) = call_with_options(expr) else {
+        return false;
+    };
+
+    opts.iter().any(|opt| opt.name.name == kw::Gas)
+}
+
+fn call_with_options<'hir>(
+    expr: &'hir hir::Expr<'hir>,
+) -> Option<(&'hir hir::Expr<'hir>, &'hir [hir::NamedArg<'hir>])> {
+    let hir::ExprKind::Call(callee, _, Some(opts)) = &expr.peel_parens().kind else {
+        return None;
+    };
+    Some((callee, opts))
+}

crates/lint/src/sol/low/mod.rs

@@ -9,8 +9,12 @@ use delegatecall_loop::DELEGATECALL_LOOP;
 mod missing_zero_check;
 use missing_zero_check::MISSING_ZERO_CHECK;
 
+mod return_bomb;
+use return_bomb::RETURN_BOMB;
+
 register_lints!(
     (BlockTimestamp, early, (BLOCK_TIMESTAMP)),
     (DelegatecallLoop, late, (DELEGATECALL_LOOP)),
     (MissingZeroCheck, late, (MISSING_ZERO_CHECK)),
+    (ReturnBomb, late, (RETURN_BOMB)),
 );