cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix NET-TIMEOUT issues and improve QA check for false positives

Browse Source 
lib/threat-intelligence.sh:
- Add --max-time 10 to AbuseIPDB API curl call (line 47)

tools/update-attack-signatures.sh:
- Add --timeout=60 to ET Open rules download wget (line 68)

tools/toolkit-qa-check.sh:
- Improve NET-TIMEOUT detection to exclude false positives:
  * Skip comment lines
  * Skip echo/string statements
  * Skip variable assignments with pipes
  * Only flag actual network calls without timeouts

This reduces false positive NET-TIMEOUT detections from 10 to 2.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
This commit is contained in:
cschantz
2026-02-10 22:34:45 -05:00
parent 73c0aef701
commit 31306a520f
3 changed files with 14 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
lib/threat-intelligence.sh
+1 -1
View File
@@ -44,7 +44,7 @@ check_abuseipdb() {
local api_key=$(cat "$api_key_file")
# Query AbuseIPDB API
local response=$(curl -s -G https://api.abuseipdb.com/api/v2/check \
local response=$(curl -s -G --max-time 10 https://api.abuseipdb.com/api/v2/check \
--data-urlencode "ipAddress=$ip" \
-d maxAgeInDays=90 \
-H "Key: $api_key" \
tools/toolkit-qa-check.sh
+12 -9
View File
@@ -2907,16 +2907,19 @@ while IFS=: read -r file line_num line_content; do
continue
fi
# Detect curl/wget without timeout
if echo "$line_content" | grep -qE '\b(curl|wget)\s+'; then
if ! echo "$line_content" | grep -qE '(--timeout|--max-time|-m\s+[0-9]|--connect-timeout)'; then
# Detect curl/wget without timeout (skip comments, echo statements, strings)
if echo "$line_content" | grep -qE '\b(curl|wget)\s+' && ! echo "$line_content" | grep -qE '^\s*#|echo |".*\b(curl|wget)'; then
if ! echo "$line_content" | grep -qE '(--timeout|--max-time|-m\s+[0-9]|--connect-timeout|timeout\s+[0-9])'; then
cmd=$(echo "$line_content" | grep -oE '\b(curl|wget)\b')
echo "HIGH|$file|$line_num|[NET-TIMEOUT] $cmd without timeout parameter"
echo " Risk: Script hangs indefinitely on network issues"
echo " Fix (curl): Add --max-time 30 --connect-timeout 10"
echo " Fix (wget): Add --timeout=30"
((count++))
[ "$count" -ge 10 ] && break
# Also skip if it's in an assignment with a variable (might be intentional pipeline)
if ! echo "$line_content" | grep -qE '^\s*[A-Za-z_][A-Za-z0-9_]*=.*\b(curl|wget)'; then
echo "HIGH|$file|$line_num|[NET-TIMEOUT] $cmd without timeout parameter"
echo " Risk: Script hangs indefinitely on network issues"
echo " Fix (curl): Add --max-time 30 --connect-timeout 10"
echo " Fix (wget): Add --timeout=30"
((count++))
[ "$count" -ge 10 ] && break
fi
fi
fi
done < <(grep -rnE '\b(curl|wget)\s+' "$TOOLKIT_PATH" --include="*.sh" 2>/dev/null)
tools/update-attack-signatures.sh
+1 -1
View File
@@ -65,7 +65,7 @@ fi
# Step 2: Download ET Open rules
log_info "Downloading ET Open ruleset..."
if wget -q "$ET_RULES_URL" -O "$TEMP_DIR/rules.tar.gz"; then
if wget -q --timeout=60 "$ET_RULES_URL" -O "$TEMP_DIR/rules.tar.gz"; then
log_success "Downloaded $(du -h "$TEMP_DIR/rules.tar.gz" | cut -f1)"
else
log_error "Failed to download ET Open rules"