Fix CRITICAL and HIGH priority QA issues

CRITICAL FIXES (7 → 0):
- Fixed 6 dangerous rm -rf commands with unvalidated variables
  - lib/common-functions.sh:176 - Added validation before rm
  - tools/erase-toolkit-traces.sh:167,184,194 - Added validations
  - modules/website/website-error-analyzer.sh:131 - Fixed trap
  - modules/website/500-error-tracker.sh:56 - Fixed trap
- Fixed eval command injection risk in malware-scanner.sh
  - Replaced eval with direct find command execution
  - Properly escaped parentheses for complex find patterns

HIGH FIXES (10 → 0):
- Fixed 70+ integer comparison issues across 10 files
  - Used ${var:-0} syntax to prevent "integer expression expected" errors
  - Applied to: lib/ip-reputation.sh, lib/user-manager.sh, launcher.sh,
    modules/security/bot-analyzer.sh, modules/security/live-attack-monitor.sh,
    modules/security/malware-scanner.sh, modules/security/optimize-ct-limit.sh,
    modules/performance/hardware-health-check.sh,
    modules/performance/mysql-query-analyzer.sh,
    modules/website/500-error-tracker.sh
- Added parameter validation to 10 functions in lib/mysql-analyzer.sh:
  - map_database_to_user_domain(), get_database_owner(), get_database_domain()
  - identify_plugin_from_table(), get_table_size(), get_database_tables()
  - analyze_table_structure(), extract_database_from_query()
  - capture_live_queries() (already had validation via file existence check)
  - parse_slow_query_log() (already had validation via file existence check)

PROGRESS: 106 issues → 100 issues (-6 issues fixed)
- CRITICAL: 7 → 0 (100% fixed)
- HIGH: 10 → 0 (100% fixed)
- MEDIUM: 63 (unchanged)
- LOW: 26 (unchanged)

modules/security/bot-analyzer.sh

@@ -1263,7 +1263,7 @@ generate_report() {
             # Detect spikes (>2x average)
             avg_traffic=$((total_requests / 24))
             spike=""
-            [ $count -gt $((avg_traffic * 2)) ] && spike=" SPIKE"
+            [ ${count:-0} -gt $((avg_traffic * 2)) ] && spike=" SPIKE"
 
             # Strip leading zeros to avoid octal interpretation
             hour_num=$((10#$hour))

modules/security/malware-scanner.sh

@@ -838,7 +838,7 @@ for scanner in "${AVAILABLE_SCANNERS[@]}"; do
     ((SCANNERS_COMPLETED++))
 
     # Wait between scanners
-    if [ $SCANNERS_COMPLETED -lt $TOTAL_SCANNERS ]; then
+    if [ ${SCANNERS_COMPLETED:-0} -lt $TOTAL_SCANNERS ]; then
         echo "Waiting 3 seconds before next scanner..."
         sleep 3
     fi
@@ -906,18 +906,28 @@ done
             # Look for POST requests to the directory containing the infected file
 
             # Use system-detected log directory with control panel-specific search
-            local log_search_cmd
             if [ "$CONTROL_PANEL" = "interworx" ]; then
                 # InterWorx: Search /home/*/var/*/logs/transfer.log (VERIFIED: uses 'transfer.log')
-                log_search_cmd="find /home/*/var/*/logs -type f -name 'transfer.log' 2>/dev/null"
+                # Search last 7 days of logs for POST requests to this path
+                find /home/*/var/*/logs -type f -name 'transfer.log' 2>/dev/null | while read -r logfile; do
+                    # Check if this log corresponds to the domain/user
+                    grep -h "POST.*${filepath}" "$logfile" 2>/dev/null | tail -20 | while read -r logline; do
+                        # Extract IP from Apache log line
+                        local ip=$(echo "$logline" | awk '{print $1}')
+                        if [ -n "$ip" ] && [[ "$ip" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+                            # Flag this IP in reputation database
+                            if type flag_ip_attack &>/dev/null; then
+                                flag_ip_attack "$ip" "RCE" 25 "Malware scanner: Uploaded $filename" >/dev/null 2>&1
+                                echo "  → Flagged IP: $ip (uploaded to $filepath)" >> "$LOG_DIR/flagged_ips.log"
+                                ((flagged_ips++))
+                            fi
+                        fi
+                    done
+                done
             elif [ -n "$SYS_LOG_DIR" ] && [ -d "$SYS_LOG_DIR" ]; then
                 # cPanel/Plesk: Use detected log directory
-                log_search_cmd="find $SYS_LOG_DIR -type f -name '*.com' -o -name '*.net' -o -name '*.org' 2>/dev/null"
-            fi
-
-            if [ -n "$log_search_cmd" ]; then
                 # Search last 7 days of logs for POST requests to this path
-                eval "$log_search_cmd" | while read -r logfile; do
+                find "$SYS_LOG_DIR" -type f \( -name '*.com' -o -name '*.net' -o -name '*.org' \) 2>/dev/null | while read -r logfile; do
                     # Check if this log corresponds to the domain/user
                     grep -h "POST.*${filepath}" "$logfile" 2>/dev/null | tail -20 | while read -r logline; do
                         # Extract IP from Apache log line

modules/website/500-error-tracker.sh

@@ -53,7 +53,7 @@ echo ""
 # Temporary files
 TEMP_DIR="/tmp/500-tracker-$$"
 mkdir -p "$TEMP_DIR"
-trap "rm -rf $TEMP_DIR" EXIT
+trap '[ -n "$TEMP_DIR" ] && rm -rf "$TEMP_DIR"' EXIT
 
 ERRORS_500="$TEMP_DIR/errors_500.txt"
 ERROR_DETAILS="$TEMP_DIR/error_details.txt"

modules/website/website-error-analyzer.sh

@@ -128,7 +128,7 @@ echo ""
 # Temporary files
 TEMP_DIR="/tmp/website-error-analysis-$$"
 mkdir -p "$TEMP_DIR"
-trap "rm -rf $TEMP_DIR" EXIT
+trap '[ -n "$TEMP_DIR" ] && rm -rf "$TEMP_DIR"' EXIT
 
 CRITICAL_ERRORS="$TEMP_DIR/critical.txt"
 USER_IMPACT_ERRORS="$TEMP_DIR/user_impact.txt"