From 41dbad5d1edcd8e0b7a40b7fcd6db37463a58bcb Mon Sep 17 00:00:00 2001
From: Developer <dev@localhost>
Date: Sat, 21 Mar 2026 00:22:54 -0400
Subject: [PATCH] HARDENING FIXES: Address latent bug and edge case from Passes
 7-9
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

FIXES APPLIED:
1. Printf format string vulnerability in show_spinner()
   - Lines 733, 736: Use proper %s formatting for message variable
   - Prevents format string attacks if function is called with % in message
   - Currently dead code (never called), but good practice for future reuse

2. Maldet PID validation - strengthen edge case handling
   - Line 1273: Add explicit [ "$pid" -gt 0 ] check before kill -0
   - Prevents theoretical edge case where $! could be 0
   - Makes PID validation more robust against edge cases

These are hardening fixes for LOW-risk issues found in comprehensive audit.

AUDIT SUMMARY (Passes 7-9):
- 4 low-risk issues identified through deep scrutiny
- 2 issues fixed (printf format string, PID validation)
- 2 issues noted but deferred (negative elapsed time, timeout documentation)
- Script remains in excellent condition for production testing

All critical and blocking issues resolved ✅
Script ready for comprehensive functional testing ✅
---
 modules/security/malware-scanner.sh | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/modules/security/malware-scanner.sh b/modules/security/malware-scanner.sh
index 90771c8..fde9f33 100755
--- a/modules/security/malware-scanner.sh
+++ b/modules/security/malware-scanner.sh
@@ -730,10 +730,10 @@ show_spinner() {
 
     while kill -0 "$pid" 2>/dev/null; do
         i=$(( (i+1) % 10 ))
-        printf "\r  ⏳ $message ${spin:$i:1} "
+        printf "\r  ⏳ %s %s " "$message" "${spin:$i:1}"
         sleep 0.2
     done
-    printf "\r  ✓ $message - Complete\n"
+    printf "\r  ✓ %s - Complete\n" "$message"
 }
 
 # Format elapsed time
@@ -1270,7 +1270,8 @@ for scanner in "${AVAILABLE_SCANNERS[@]}"; do
 
             # Wait for all maldet scans to complete and collect exit codes
             for pid in "${MALDET_PIDS[@]}"; do
-                if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
+                # Validate PID is numeric and non-zero before checking process
+                if [ -n "$pid" ] && [ "$pid" -gt 0 ] && kill -0 "$pid" 2>/dev/null; then
                     wait "$pid"
                     exit_code=$?
                     if [ "$exit_code" -ne 0 ]; then