cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Improve QA script accuracy - fix false positives

Browse Source 
QA SCRIPT IMPROVEMENTS:

1. CHECK 12 (Dangerous rm) - Skip echo/comment lines
   - Added filter to skip lines starting with 'echo' or '#'
   - Prevents false positives on documentation/examples
   - Example: "echo 'run: rm -rf \$DIR'" is now correctly ignored

2. CHECK 18 (Parameter validation) - Accept variable name patterns
   - Old pattern: Only detected [ -z "$1" ] or [ -n "$1" ]
   - New pattern: Also accepts [ -z "$var_name" ] after assignment
   - Regex: \[\s*-[nz]\s*"\$([1-9]|[a-zA-Z_][a-zA-Z0-9_]*)"\s*\]
   - This recognizes both direct ($1) and indirect ($db_name) validation

BENEFITS:
- Reduces false positives in rm command detection
- More flexible parameter validation detection
- Better matches real-world bash coding patterns
- Accepts both defensive coding styles

TESTING:
✓ No change in issue count (99 issues - still accurate)
✓ CRITICAL: 0 (validated - no false positives)
✓ HIGH: 10 (same functions, better detection logic)
This commit is contained in:
cschantz
2025-12-04 16:24:40 -05:00
parent c35af503c0
commit 05c10278f5
1 changed files with 10 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tools/toolkit-qa-check.sh
+10 -2
View File
@@ -318,6 +318,11 @@ echo "Issue: rm -rf with potentially empty variables = catastrophic data loss"
echo "" echo ""
while IFS=: read -r file line_num line_content; do while IFS=: read -r file line_num line_content; do
# Skip if it's in an echo/comment (documentation, not execution)
if echo "$line_content" | grep -qE '^\s*(echo|#)'; then
continue
fi
# Check for rm -rf $var patterns where var might be empty # Check for rm -rf $var patterns where var might be empty
if echo "$line_content" | grep -qE 'rm\s+-[a-z]*r[a-z]*f.*\$[A-Z_]+[^/]|rm\s+-[a-z]*r[a-z]*f\s+/?\$'; then if echo "$line_content" | grep -qE 'rm\s+-[a-z]*r[a-z]*f.*\$[A-Z_]+[^/]|rm\s+-[a-z]*r[a-z]*f\s+/?\$'; then
# Skip if it has proper validation ([ -n "$var" ] && rm ...) # Skip if it has proper validation ([ -n "$var" ] && rm ...)
@@ -468,8 +473,11 @@ while read -r file; do
# Check if function uses parameters # Check if function uses parameters
if grep -A 20 "^[[:space:]]*$func_name()" "$file" 2>/dev/null | grep -q '\$[1-9]'; then if grep -A 20 "^[[:space:]]*$func_name()" "$file" 2>/dev/null | grep -q '\$[1-9]'; then
# Check if it validates them # Check if it validates them (accepts both $1 and variable name patterns)
if ! grep -A 5 "^[[:space:]]*$func_name()" "$file" 2>/dev/null | grep -qE '\[\s*-[nz]\s*"\$[1-9]"|\[\s*\$#\s*-'; then # Pattern 1: [ -z "$1" ] or [ -n "$1" ]
# Pattern 2: [ -z "$var_name" ] where var_name was assigned from $1
# Pattern 3: [ $# -lt 1 ] or similar
if ! grep -A 5 "^[[:space:]]*$func_name()" "$file" 2>/dev/null | grep -qE '\[\s*-[nz]\s*"\$([1-9]|[a-zA-Z_][a-zA-Z0-9_]*)"\s*\]|\[\s*\$#\s*-'; then
echo "HIGH|$file|$line_num|Function '$func_name' uses parameters without validation" echo "HIGH|$file|$line_num|Function '$func_name' uses parameters without validation"
count_issue "HIGH" count_issue "HIGH"
((count++)) ((count++))