From 5d1cc93aee12d8e930fae69319d4b255ad948a3d Mon Sep 17 00:00:00 2001 From: cschantz Date: Fri, 2 Jan 2026 17:23:02 -0500 Subject: [PATCH] Fix integer comparison safety issues (6 HIGH priority) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Added parameter expansion with defaults to prevent comparison errors on potentially empty variables: - live-attack-monitor-v2.sh: IPSET_CREATE_EXIT, IPTABLES_EXIT - live-attack-monitor.sh: IPSET_CREATE_EXIT, IPTABLES_EXIT - malware-scanner.sh: START_EXIT - email-diagnostics.sh: check_type, account_found Pattern: Changed "$VAR" to "${VAR:-default}" in integer comparisons to ensure safe comparisons even if variable is unexpectedly empty. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 --- modules/email/email-diagnostics.sh | 2 +- modules/security/live-attack-monitor-v2.sh | 4 ++-- modules/security/live-attack-monitor.sh | 4 ++-- modules/security/malware-scanner.sh | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/email/email-diagnostics.sh b/modules/email/email-diagnostics.sh index f31d605..66a1d0c 100755 --- a/modules/email/email-diagnostics.sh +++ b/modules/email/email-diagnostics.sh @@ -709,7 +709,7 @@ if [ "$greylist" -gt 0 ] && [ "$delivered" -eq 0 ]; then echo "" fi -if [ "$check_type" != "2" ] && [ $account_found -eq 0 ]; then +if [ "${check_type:-1}" != "2" ] && [ "${account_found:-0}" -eq 0 ]; then echo "Email account not found:" echo " 1. Verify the email address is spelled correctly" echo " 2. Check if domain DNS points to this server" diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh index 8035500..ca66805 100755 --- a/modules/security/live-attack-monitor-v2.sh +++ b/modules/security/live-attack-monitor-v2.sh 
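Review bot: The `:-` defaults added to the `if` in email-diagnostics.sh cover only an unset or empty variable; a non-numeric `account_found` still makes `[ ... -eq 0 ]` fail with "integer expression expected", and the branch is then skipped. Defaulting `account_found` to 0 also selects the "Email account not found" advice whenever the variable was never assigned, which could point the operator at the wrong cause. The assignments are outside the hunk, so this is a guess at the cause: initialising both variables before the lookup runs, e.g. `account_found=0`, would keep the fallback in one place and make the default here unnecessary.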
@@ -93,7 +93,7 @@ if command -v ipset &>/dev/null; then IPSET_CREATE_OUTPUT=$(ipset create "$IPSET_NAME" hash:ip timeout 3600 maxelem 65536 2>&1) IPSET_CREATE_EXIT=$? - if [ $IPSET_CREATE_EXIT -eq 0 ]; then + if [ "${IPSET_CREATE_EXIT:-1}" -eq 0 ]; then IPSET_AVAILABLE=1 IPSET_SUPPORTS_TIMEOUT=1 @@ -101,7 +101,7 @@ if command -v ipset &>/dev/null; then IPTABLES_OUTPUT=$(iptables -I INPUT -m set --match-set "$IPSET_NAME" src -j DROP 2>&1) IPTABLES_EXIT=$? - if [ $IPTABLES_EXIT -ne 0 ]; then + if [ "${IPTABLES_EXIT:-1}" -ne 0 ]; then # iptables rule failed - clean up ipset and report error ipset destroy "$IPSET_NAME" 2>/dev/null IPSET_AVAILABLE=0 diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh index 66aba5f..89ca32e 100755 --- a/modules/security/live-attack-monitor.sh +++ b/modules/security/live-attack-monitor.sh @@ -93,7 +93,7 @@ if command -v ipset &>/dev/null; then IPSET_CREATE_OUTPUT=$(ipset create "$IPSET_NAME" hash:ip timeout 3600 maxelem 65536 2>&1) IPSET_CREATE_EXIT=$? - if [ $IPSET_CREATE_EXIT -eq 0 ]; then + if [ "${IPSET_CREATE_EXIT:-1}" -eq 0 ]; then IPSET_AVAILABLE=1 IPSET_SUPPORTS_TIMEOUT=1 @@ -101,7 +101,7 @@ if command -v ipset &>/dev/null; then IPTABLES_OUTPUT=$(iptables -I INPUT -m set --match-set "$IPSET_NAME" src -j DROP 2>&1) IPTABLES_EXIT=$? - if [ $IPTABLES_EXIT -ne 0 ]; then + if [ "${IPTABLES_EXIT:-1}" -ne 0 ]; then # iptables rule failed - clean up ipset and report error ipset destroy "$IPSET_NAME" 2>/dev/null IPSET_AVAILABLE=0 diff --git a/modules/security/malware-scanner.sh b/modules/security/malware-scanner.sh index 24276f7..e0cb106 100755 --- a/modules/security/malware-scanner.sh +++ b/modules/security/malware-scanner.sh 
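Review bot: The `:-1` default in `[ "${IPSET_CREATE_EXIT:-1}" -eq 0 ]` can never be taken, because the preceding line assigns `IPSET_CREATE_EXIT=$?` and `$?` is always an integer. The same holds for `IPTABLES_EXIT` in the next hunk, for both hunks in live-attack-monitor.sh and for `START_EXIT` in malware-scanner.sh. Quoting the expansion is a reasonable style fix, but it does not change behaviour on these paths, so the commit should not be counted as closing a defect in the firewall or scanner logic. If the default is meant as a fail-closed guard, say so in a comment such as `# default 1: treat a missing status as failure`. In malware-scanner.sh the following `log_message` still expands plain `$START_EXIT`, so the test and the log should use the same form. The enclosing `if command -v ipset` and `for scanner` blocks continue outside the hunks.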
@@ -853,7 +853,7 @@ for scanner in "${AVAILABLE_SCANNERS[@]}"; do imunify-antivirus malware on-demand start --path="$path" &>> "$LOG_DIR/imunify.log" START_EXIT=$? - if [ $START_EXIT -ne 0 ]; then + if [ "${START_EXIT:-1}" -ne 0 ]; then log_message "ERROR: ImunifyAV scan failed to start for $path (exit code: $START_EXIT)" echo " ✗ Scan failed to start for $path (check logs)" continue