From 1a6abaf0f178a992db8838cd3dcb179f18772de8 Mon Sep 17 00:00:00 2001
From: cschantz
Date: Mon, 1 Dec 2025 16:34:47 -0500
Subject: [PATCH] Add IP validation to live-attack-monitor blocking functions

SECURITY ENHANCEMENT: Added IP format validation before calling CSF firewall commands to prevent potential command injection or invalid IP blocking attempts.

CHANGES:
- block_ip_temporary() - Added is_valid_ip() check before csf -td
- block_ip_permanent() - Added is_valid_ip() check before csf -d
- Both functions now return error if IP format is invalid

IMPACT: Prevents invalid or malformed IPs from being passed to CSF commands, improving security and preventing potential firewall corruption.
---
 modules/security/live-attack-monitor.sh | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh
index 8e80ad8..e63e0f0 100755
--- a/modules/security/live-attack-monitor.sh
+++ b/modules/security/live-attack-monitor.sh
@@ -703,6 +703,12 @@ block_ip_temporary() {
 local reason="${3:-Auto-block by live monitor}"
 local seconds=$((hours * 3600))
 
+ # Validate IP format before blocking
+ if ! is_valid_ip "$ip"; then
+ echo "✗ Error: Invalid IP format: $ip"
+ return 1
+ fi
+
 if command -v csf &>/dev/null; then
 echo "Blocking $ip for ${hours}h: $reason"
 csf -td "$ip" "$seconds" "$reason" >/dev/null 2>&1
@@ -767,6 +773,12 @@ block_ip_permanent() {
 local ip="$1"
 local reason="${2:-Permanent block by live monitor}"
 
+ # Validate IP format before blocking
+ if ! is_valid_ip "$ip"; then
+ echo "✗ Error: Invalid IP format: $ip"
+ return 1
+ fi
+
 if command -v csf &>/dev/null; then
 echo "Permanently blocking $ip: $reason"
 csf -d "$ip" "$reason" >/dev/null 2>&1
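Review bot: The new error line `echo "✗ Error: Invalid IP format: $ip"` writes the diagnostic to stdout and hands a value that has just failed validation to echo, so a caller doing `$(block_ip_temporary …)` receives the message as data and an `$ip` beginning with `-` can be consumed as an echo option; `printf '%s\n' "✗ Error: Invalid IP format: $ip" >&2` avoids both, and the identical line in the block_ip_permanent hunk needs the same treatment. The check is also placed after the context line `local seconds=$((hours * 3600))`, so `hours` (assigned outside the hunk, presumably from `$2`) still reaches arithmetic expansion with no format check even though bash evaluates a variable's contents as an expression there; a companion guard such as `[[ "$hours" =~ ^[0-9]+$ ]] || return 1` beside the IP check would give the second argument the same protection the first now has. `is_valid_ip` is not defined anywhere in this patch; if the helper is absent when the function runs, `if !` inverts the 127 status and every address is rejected, which fails closed but hides the real cause, so it is worth confirming the helper is defined before these functions are first called. block_ip_temporary's body continues past the end of the hunk.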
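Review bot: The new comment `# Validate IP format before blocking` does not say which address forms the check lets through, and that matters for this function because the existing `csf -d "$ip"` line can be given IPv6 addresses and, as far as I recall, CIDR ranges as well as single IPv4 addresses; if `is_valid_ip` (defined outside this patch) only matches a dotted IPv4 quad, a permanent block of a range that previously reached csf now fails with "Invalid IP format" and nothing in the hunk tells the reader why. Whichever forms the helper accepts, the comment should name them so that a caller passing a range or an IPv6 address knows whether to expect rejection, and the error message could echo that by saying what a valid value looks like. block_ip_permanent's body continues beyond the end of the hunk.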