cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix NET-TIMEOUT issues and improve QA check for false positives

Browse Source 
lib/threat-intelligence.sh:
- Add --max-time 10 to AbuseIPDB API curl call (line 47)

tools/update-attack-signatures.sh:
- Add --timeout=60 to ET Open rules download wget (line 68)

tools/toolkit-qa-check.sh:
- Improve NET-TIMEOUT detection to exclude false positives:
  * Skip comment lines
  * Skip echo/string statements
  * Skip variable assignments with pipes
  * Only flag actual network calls without timeouts

This reduces false positive NET-TIMEOUT detections from 10 to 2.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
This commit is contained in:
cschantz
2026-02-10 22:34:45 -05:00
parent 73c0aef701
commit 31306a520f
3 changed files with 14 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tools/toolkit-qa-check.sh
+12 -9
View File
@@ -2907,16 +2907,19 @@ while IFS=: read -r file line_num line_content; do
continue
fi
# Detect curl/wget without timeout
if echo "$line_content" | grep -qE '\b(curl|wget)\s+'; then
if ! echo "$line_content" | grep -qE '(--timeout|--max-time|-m\s+[0-9]|--connect-timeout)'; then
# Detect curl/wget without timeout (skip comments, echo statements, strings)
if echo "$line_content" | grep -qE '\b(curl|wget)\s+' && ! echo "$line_content" | grep -qE '^\s*#|echo |".*\b(curl|wget)'; then
if ! echo "$line_content" | grep -qE '(--timeout|--max-time|-m\s+[0-9]|--connect-timeout|timeout\s+[0-9])'; then
cmd=$(echo "$line_content" | grep -oE '\b(curl|wget)\b')
echo "HIGH|$file|$line_num|[NET-TIMEOUT] $cmd without timeout parameter"
echo " Risk: Script hangs indefinitely on network issues"
echo " Fix (curl): Add --max-time 30 --connect-timeout 10"
echo " Fix (wget): Add --timeout=30"
((count++))
[ "$count" -ge 10 ] && break
# Also skip if it's in an assignment with a variable (might be intentional pipeline)
if ! echo "$line_content" | grep -qE '^\s*[A-Za-z_][A-Za-z0-9_]*=.*\b(curl|wget)'; then
echo "HIGH|$file|$line_num|[NET-TIMEOUT] $cmd without timeout parameter"
echo " Risk: Script hangs indefinitely on network issues"
echo " Fix (curl): Add --max-time 30 --connect-timeout 10"
echo " Fix (wget): Add --timeout=30"
((count++))
[ "$count" -ge 10 ] && break
fi
fi
fi
done < <(grep -rnE '\b(curl|wget)\s+' "$TOOLKIT_PATH" --include="*.sh" 2>/dev/null)
tools/update-attack-signatures.sh
+1 -1
View File
@@ -65,7 +65,7 @@ fi
# Step 2: Download ET Open rules
log_info "Downloading ET Open ruleset..."
if wget -q "$ET_RULES_URL" -O "$TEMP_DIR/rules.tar.gz"; then
if wget -q --timeout=60 "$ET_RULES_URL" -O "$TEMP_DIR/rules.tar.gz"; then
log_success "Downloaded $(du -h "$TEMP_DIR/rules.tar.gz" | cut -f1)"
else
log_error "Failed to download ET Open rules"