From 886a1af35e0a6482ef9c18edada9f70d0a76d318 Mon Sep 17 00:00:00 2001
From: cschantz
Date: Fri, 9 Jan 2026 16:26:04 -0500
Subject: [PATCH] Fix ESCAPE issues in rate anomaly detector
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Added -- separator to awk commands (3 fixes at lines 36-38)
- Prevents filename injection attacks
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5
---
 lib/rate-anomaly-detector.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/rate-anomaly-detector.sh b/lib/rate-anomaly-detector.sh
index 1a13622..0081573 100644
--- a/lib/rate-anomaly-detector.sh
+++ b/lib/rate-anomaly-detector.sh
@@ -33,9 +33,9 @@ detect_rate_anomaly() {
 fi
 # Count requests in different time windows
- local req_1sec=$(awk -v cutoff="$((current_time - 1))" '$1 > cutoff' "$rate_file" 2>/dev/null | wc -l)
- local req_10sec=$(awk -v cutoff="$((current_time - 10))" '$1 > cutoff' "$rate_file" 2>/dev/null | wc -l)
- local req_60sec=$(awk -v cutoff="$((current_time - 60))" '$1 > cutoff' "$rate_file" 2>/dev/null | wc -l)
+ local req_1sec=$(awk -v cutoff="$((current_time - 1))" '$1 > cutoff' -- "$rate_file" 2>/dev/null | wc -l)
+ local req_10sec=$(awk -v cutoff="$((current_time - 10))" '$1 > cutoff' -- "$rate_file" 2>/dev/null | wc -l)
+ local req_60sec=$(awk -v cutoff="$((current_time - 60))" '$1 > cutoff' -- "$rate_file" 2>/dev/null | wc -l)
 local anomaly_score=0
 local anomaly_type="NORMAL"
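Review bot: The `--` added to the three `awk` calls comes after the program text `'$1 > cutoff'`, where awk has already stopped parsing options, so it is probably passed through as an input operand named `--` rather than ending option parsing; this should be confirmed on the awk the script targets. Because `2>/dev/null` hides any failure to open that operand, an awk that aborts on it would make `req_1sec`, `req_10sec` and `req_60sec` all read 0, and the detector would quietly stop flagging bursts. If a guard is wanted, it belongs before the program, e.g. `awk -v cutoff="$((current_time - 1))" -- '$1 > cutoff' "$rate_file"`, and even there it does not stop awk treating an operand that contains `=` as a variable assignment, so `rate_file` should be an absolute or `./`-prefixed path. How `rate_file` is built is outside this hunk, as is the rest of `detect_rate_anomaly`.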