cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix NET-TIMEOUT issues and improve QA check for false positives

Browse Source 
lib/threat-intelligence.sh:
- Add --max-time 10 to AbuseIPDB API curl call (line 47)

tools/update-attack-signatures.sh:
- Add --timeout=60 to ET Open rules download wget (line 68)

tools/toolkit-qa-check.sh:
- Improve NET-TIMEOUT detection to exclude false positives:
  * Skip comment lines
  * Skip echo/string statements
  * Skip variable assignments with pipes
  * Only flag actual network calls without timeouts

This reduces false positive NET-TIMEOUT detections from 10 to 2.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
This commit is contained in:
cschantz
2026-02-10 22:34:45 -05:00
parent 73c0aef701
commit 31306a520f
3 changed files with 14 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
lib/threat-intelligence.sh
+1 -1
View File
@@ -44,7 +44,7 @@ check_abuseipdb() {
local api_key=$(cat "$api_key_file") local api_key=$(cat "$api_key_file")
# Query AbuseIPDB API # Query AbuseIPDB API
local response=$(curl -s -G https://api.abuseipdb.com/api/v2/check \ local response=$(curl -s -G --max-time 10 https://api.abuseipdb.com/api/v2/check \
--data-urlencode "ipAddress=$ip" \ --data-urlencode "ipAddress=$ip" \
-d maxAgeInDays=90 \ -d maxAgeInDays=90 \
-H "Key: $api_key" \ -H "Key: $api_key" \
tools/toolkit-qa-check.sh
+6 -3
View File
@@ -2907,10 +2907,12 @@ while IFS=: read -r file line_num line_content; do
continue continue
fi fi
# Detect curl/wget without timeout # Detect curl/wget without timeout (skip comments, echo statements, strings)
if echo "$line_content" | grep -qE '\b(curl|wget)\s+'; then if echo "$line_content" | grep -qE '\b(curl|wget)\s+' && ! echo "$line_content" | grep -qE '^\s*#|echo |".*\b(curl|wget)'; then
if ! echo "$line_content" | grep -qE '(--timeout|--max-time|-m\s+[0-9]|--connect-timeout)'; then if ! echo "$line_content" | grep -qE '(--timeout|--max-time|-m\s+[0-9]|--connect-timeout|timeout\s+[0-9])'; then
cmd=$(echo "$line_content" | grep -oE '\b(curl|wget)\b') cmd=$(echo "$line_content" | grep -oE '\b(curl|wget)\b')
# Also skip if it's in an assignment with a variable (might be intentional pipeline)
if ! echo "$line_content" | grep -qE '^\s*[A-Za-z_][A-Za-z0-9_]*=.*\b(curl|wget)'; then
echo "HIGH|$file|$line_num|[NET-TIMEOUT] $cmd without timeout parameter" echo "HIGH|$file|$line_num|[NET-TIMEOUT] $cmd without timeout parameter"
echo " Risk: Script hangs indefinitely on network issues" echo " Risk: Script hangs indefinitely on network issues"
echo " Fix (curl): Add --max-time 30 --connect-timeout 10" echo " Fix (curl): Add --max-time 30 --connect-timeout 10"
@@ -2919,6 +2921,7 @@ while IFS=: read -r file line_num line_content; do
[ "$count" -ge 10 ] && break [ "$count" -ge 10 ] && break
fi fi
fi fi
fi
done < <(grep -rnE '\b(curl|wget)\s+' "$TOOLKIT_PATH" --include="*.sh" 2>/dev/null) done < <(grep -rnE '\b(curl|wget)\s+' "$TOOLKIT_PATH" --include="*.sh" 2>/dev/null)
echo "Found: $count network operations without timeout" echo "Found: $count network operations without timeout"
tools/update-attack-signatures.sh
+1 -1
View File
@@ -65,7 +65,7 @@ fi
# Step 2: Download ET Open rules # Step 2: Download ET Open rules
log_info "Downloading ET Open ruleset..." log_info "Downloading ET Open ruleset..."
if wget -q "$ET_RULES_URL" -O "$TEMP_DIR/rules.tar.gz"; then if wget -q --timeout=60 "$ET_RULES_URL" -O "$TEMP_DIR/rules.tar.gz"; then
log_success "Downloaded $(du -h "$TEMP_DIR/rules.tar.gz" | cut -f1)" log_success "Downloaded $(du -h "$TEMP_DIR/rules.tar.gz" | cut -f1)"
else else
log_error "Failed to download ET Open rules" log_error "Failed to download ET Open rules"