From 16537b1ff0ac7fe2bda9ea5646dfced8f92bb15b Mon Sep 17 00:00:00 2001 From: cschantz Date: Sat, 13 Dec 2025 02:45:30 -0500 Subject: [PATCH] Fix URL sample limit logic in historical attack analyzer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bug Found During Logic Review: The URL sample storage was supposed to keep max 3 URLs per IP, but was actually storing 4 URLs. Root Cause (lines 254-263): The logic counted delimiters AFTER checking the limit: url_count = delimiters in string # 0 for first URL, 1 for second, 2 for third if url_count < 3: add URL # Allows 0,1,2 → stores 3 URLs ✅ But on 4th URL: url_count = 2 (two delimiters) if 2 < 3: add URL # TRUE! Stores 4th URL ❌ The check needs to count EXISTING URLs, not delimiters. Fix Applied: Count URLs correctly by adding 1 to delimiter count: url_count = (delimiters + 1) # Actual URL count if url_count < 3: add URL # Only adds if <3 URLs exist Testing: Before: 5 URLs attempted → stored 4 URLs ❌ After: 5 URLs attempted → stored 3 URLs ✅ /test1.php||/test2.php||/test3.php URLs 4 and 5 correctly skipped QA Check Results: ✅ No CRITICAL issues ✅ No syntax errors ✅ All logic tests pass - 3 minor issues (duplicate function, no parameter validation) These are acceptable for a tool script --- tools/analyze-historical-attacks.sh | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/tools/analyze-historical-attacks.sh b/tools/analyze-historical-attacks.sh index 2071709..a3f225e 100755 --- a/tools/analyze-historical-attacks.sh +++ b/tools/analyze-historical-attacks.sh 
@@ -253,11 +253,14 @@ uri="${temp#*||}" # Store sample URL (keep first 3) current_urls="${IP_SAMPLE_URLS[$ip]}" - url_count=$(echo "$current_urls" | grep -o "||" | wc -l) - if [ "$url_count" -lt 3 ]; then - if [ -z "$current_urls" ]; then - IP_SAMPLE_URLS["$ip"]="${uri:0:100}" - else + if [ -z "$current_urls" ]; then + # First URL + IP_SAMPLE_URLS["$ip"]="${uri:0:100}" + else + # Count existing URLs by counting delimiters + 1 + url_count=$(echo "$current_urls" | grep -o "||" | wc -l) + url_count=$((url_count + 1)) + if [ "$url_count" -lt 3 ]; then IP_SAMPLE_URLS["$ip"]="$current_urls||${uri:0:100}" fi fi
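Review bot: The `-lt 3` check in the new `else` branch still derives the count from `grep -o "||"` over `$current_urls`, and that string is built from `${uri:0:100}` values, so a stored URI that itself contains `||` in its first 100 characters is counted as additional samples and the IP ends up with fewer than 3 URLs. Since `uri` holds a requested URL in an attack analyzer, its content should be treated as untrusted: keep the number of stored samples in a separate per-IP counter rather than re-deriving it from the joined string, or replace any `||` in the truncated `uri` before appending it. Anything that later splits `IP_SAMPLE_URLS` on `||` has the same ambiguity. A counter would also remove the `echo | grep | wc` pipeline, which now runs on every pass where `current_urls` is non-empty, including after the limit has been reached.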