From 630cea7cb7c4653b305c9408feffa03501beae18 Mon Sep 17 00:00:00 2001
From: cschantz <admin@server.local>
Date: Fri, 9 Jan 2026 16:23:17 -0500
Subject: [PATCH] Fix ESCAPE issues in IP reputation and user manager
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Added -- separator to grep/awk commands in lib/ip-reputation.sh (4 fixes)
- Added -- separator to grep commands in lib/user-manager.sh (2 fixes)
- Prevents filename injection attacks

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---
 lib/ip-reputation.sh | 8 ++++----
 lib/user-manager.sh  | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/lib/ip-reputation.sh b/lib/ip-reputation.sh
index 5a5fcbd..fad4063 100644
--- a/lib/ip-reputation.sh
+++ b/lib/ip-reputation.sh
@@ -97,7 +97,7 @@ lookup_ip() {
     # Fast path: Check hash bucket first (much smaller file to grep)
     if [ -f "$hash_file" ]; then
         # Hash bucket contains line numbers for IPs in this bucket
-        local line_num=$(grep -m 1 "^${ip}|" "$hash_file" 2>/dev/null | cut -d'|' -f2)
+        local line_num=$(grep -m 1 "^${ip}|" -- "$hash_file" 2>/dev/null | cut -d'|' -f2)
         if [ -n "$line_num" ]; then
             # Direct line access - O(1) lookup!
             sed -n "${line_num}p" "$IP_REP_DB" 2>/dev/null
@@ -402,7 +402,7 @@ cleanup_old_ips() {
     local temp_file="${IP_REP_DB}.tmp"
 
     # Keep only IPs seen within the cutoff time
-    awk -F'|' -v cutoff="$cutoff_time" '$7 >= cutoff' "$IP_REP_DB" > "$temp_file"
+    awk -F'|' -v cutoff="$cutoff_time" '$7 >= cutoff' -- "$IP_REP_DB" > "$temp_file"
 
     mv "$temp_file" "$IP_REP_DB"
 
@@ -538,7 +538,7 @@ import_ips_from_log() {
     [ ! -f "$log_file" ] && return 1
 
     # Extract IPs and count occurrences
-    grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' "$log_file" | \
+    grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' -- "$log_file" | \
     sort | uniq -c | while read count ip; do
         update_ip_reputation "$ip" "$count" "$score_per_hit" 0 "Imported from $log_file"
     done
@@ -609,7 +609,7 @@ record_ip_ban() {
 
         # Write updated entry (remove old, add new)
         local temp_file="${IP_REP_DB}.tmp.$$"
-        grep -v "^${ip}|" "$IP_REP_DB" > "$temp_file" 2>/dev/null || touch "$temp_file"
+        grep -v "^${ip}|" -- "$IP_REP_DB" > "$temp_file" 2>/dev/null || touch "$temp_file"
         echo "$ip|$hit_count|$rep_score|$country|$attack_flags|$first_seen|$last_seen|$last_activity|$notes|$ban_count|$last_ban" >> "$temp_file"
         mv "$temp_file" "$IP_REP_DB"
     else
diff --git a/lib/user-manager.sh b/lib/user-manager.sh
index a9c6e46..7d60317 100755
--- a/lib/user-manager.sh
+++ b/lib/user-manager.sh
@@ -124,8 +124,8 @@ get_cpanel_user_info() {
     fi
 
     # Parse cPanel user file
-    local primary_domain=$(grep "^DNS=" "$user_file" | cut -d= -f2)
-    local email=$(grep "^CONTACTEMAIL=" "$user_file" | cut -d= -f2)
+    local primary_domain=$(grep "^DNS=" -- "$user_file" | cut -d= -f2)
+    local email=$(grep "^CONTACTEMAIL=" -- "$user_file" | cut -d= -f2)
 
     # cPanel doesn't store HOMEDIR in user file - it's always /home/username
     local home_dir="/home/${username}"