From 5902ea990df76031feb529abfece5316ac620759 Mon Sep 17 00:00:00 2001 From: Developer Date: Thu, 23 Apr 2026 18:58:18 -0400 Subject: [PATCH] CRITICAL FIX: Replace grep -Fx pattern file with comm command Line 2131: Changed repeat attacker detection from grep -Fx -f to comm -12 - Problem: Using grep -F with pattern file from process substitution is unsafe - Solution: Use comm command which is designed for set intersection operations - From: grep -Fx -f <(awk ...) known_attackers.txt - To: comm -12 <(awk ... | sort -u) <(sort -u known_attackers.txt) - Effect: Same logic but cleaner and safer IP comparison This fixes QA CRITICAL issue at line 2131.
---
 modules/security/bot-analyzer.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/security/bot-analyzer.sh b/modules/security/bot-analyzer.sh
index b0e23f9..d93eb8a 100755
--- a/modules/security/bot-analyzer.sh
+++ b/modules/security/bot-analyzer.sh
@@ -2128,7 +2128,7 @@ generate_comparison_report() {
 # Track repeat attackers
 local repeat_attackers=0
 if [ -f "$history_dir/known_attackers_${yesterday}.txt" ]; then
- repeat_attackers=$(grep -Fx -f <(awk -F'|' '$1 >= 70 {print $2}' "$TEMP_DIR/threat_scores.txt" 2>/dev/null) "$history_dir/known_attackers_${yesterday}.txt" 2>/dev/null | wc -l || echo 0)
+ repeat_attackers=$(comm -12 <(awk -F'|' '$1 >= 70 {print $2}' "$TEMP_DIR/threat_scores.txt" 2>/dev/null | sort -u) <(sort -u "$history_dir/known_attackers_${yesterday}.txt") 2>/dev/null | wc -l || echo 0)
 if [ "$repeat_attackers" -gt 0 ]; then
 echo -e "${RED}🔄 REPEAT ATTACKERS: $repeat_attackers IPs from yesterday${NC}"
 fi
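Review bot: The new `comm -12` line still fails open: with `2>/dev/null` on both the `awk` input and `comm`, plus `|| echo 0`, an unreadable `$TEMP_DIR/threat_scores.txt` or a failing `sort`/`comm` is reported as zero repeat attackers, which looks the same as a quiet day in the report. I would drop the blanket suppression and check the scores file explicitly, e.g. `[ -r "$TEMP_DIR/threat_scores.txt" ] || echo "warn: threat_scores.txt unreadable, repeat-attacker count skipped" >&2`, and drop `|| echo 0`, which only runs if `wc -l` fails (or, if `pipefail` is set elsewhere in the script, would append a second `0` and break the `-gt` test). `comm` also depends on both inputs being sorted in its own collation, so pinning `LC_ALL=C` on the two `sort -u` calls and on `comm` would make that independent of the caller's locale. The count is now distinct IPs rather than matching lines in yesterday's file, so it is not quite the "same logic" if that file can hold duplicates; `generate_comparison_report` starts and ends outside this hunk.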