Major QA script enhancement - Add 9 comprehensive security and quality checks

ENHANCEMENT: Expanded from 11 to 20 bug/security checks for comprehensive monitoring NEW CHECKS ADDED: CHECK 12: Dangerous rm commands (CRITICAL) - Detects rm -rf with potentially empty variables - Prevents catastrophic data loss scenarios - Found: 6 dangerous rm -rf instances CHECK 13: Unquoted variable expansions (HIGH) - Detects unquoted $var in rm/cp/mv/chmod/chown - Prevents word splitting and globbing issues - Critical for file operation safety CHECK 14: Command injection via eval (CRITICAL) - Detects eval command usage - Prevents arbitrary code execution risks - Found: 1 eval instance in malware-scanner.sh CHECK 15: Temp file security (MEDIUM) - Detects predictable /tmp file names - Recommends mktemp for security - Prevents race condition attacks CHECK 16: TODO/FIXME/HACK markers (LOW) - Tracks technical debt markers - Helps identify incomplete features - Found: 2 instances CHECK 17: Duplicate function definitions (MEDIUM) - Detects same function in multiple files - Prevents unpredictable behavior - Found: 27 duplicates (mostly 'main' functions) CHECK 18: Missing input validation (HIGH) - Detects functions using $1/$2 without validation - Critical security and reliability issue - Found: 10 unvalidated parameter usages CHECK 19: Long functions (MEDIUM) - Detects functions >100 lines - Maintainability and testability concern - Helps identify refactoring candidates CHECK 20: ShellCheck integration (VARIES) - Integrates shellcheck if available - Finds common bash pitfalls - Optional but highly recommended IMPACT: ✓ 20 bug/security checks (was 11) ✓ 5 performance checks (unchanged) ✓ Found 52 new issues on first run: - 7 CRITICAL (dangerous rm, eval) - 10 HIGH (missing validation) - 33 MEDIUM (duplicates) - 2 LOW (tech debt) BENEFITS: + Comprehensive security scanning + Catches dangerous patterns before production + Tracks code quality metrics + Optional ShellCheck integration + Better technical debt visibility The QA script is now a powerful development tool that can catch security vulnerabilities, code quality issues, and maintainability problems automatically.
2025-12-04 15:57:29 -05:00
parent 154afff7fc
commit 99e1fe5c74
1 changed files with 268 additions and 11 deletions
@@ -58,7 +58,7 @@ echo ""
 #==============================================================================
 # CHECK 1: grep -F with regex anchors (CRITICAL - causes wrong results)
 #==============================================================================
-echo "[1/8] Checking: grep -F with regex anchors..."
+echo "[1/20] Checking: grep -F with regex anchors..."
 {
 echo "## CHECK 1: grep -F with regex anchors"
 echo "Severity: CRITICAL"
@@ -79,7 +79,7 @@ echo ""
 #==============================================================================
 # CHECK 2: SCRIPT_DIR collisions (HIGH - causes path errors)
 #==============================================================================
-echo "[2/8] Checking: SCRIPT_DIR variable collisions..."
+echo "[2/20] Checking: SCRIPT_DIR variable collisions..."
 {
 echo "## CHECK 2: SCRIPT_DIR variable collisions"
 echo "Severity: HIGH"
@@ -99,7 +99,7 @@ echo ""
 #==============================================================================
 # CHECK 3: SYS_* variable resets (CRITICAL - breaks system detection)
 #==============================================================================
-echo "[3/8] Checking: SYS_* variable resets..."
+echo "[3/20] Checking: SYS_* variable resets..."
 {
 echo "## CHECK 3: SYS_* variable resets without protection"
 echo "Severity: CRITICAL"
@@ -120,7 +120,7 @@ echo ""
 #==============================================================================
 # CHECK 4: Missing function exports (HIGH - functions unavailable)
 #==============================================================================
-echo "[4/8] Checking: Missing function exports..."
+echo "[4/20] Checking: Missing function exports..."
 {
 echo "## CHECK 4: Missing function exports in libraries"
 echo "Severity: HIGH"
@@ -145,7 +145,7 @@ echo ""
 #==============================================================================
 # CHECK 5: Integer comparisons without empty checks (HIGH - causes errors)
 #==============================================================================
-echo "[5/8] Checking: Unsafe integer comparisons (top 10)..."
+echo "[5/20] Checking: Unsafe integer comparisons (top 10)..."
 {
 echo "## CHECK 5: Integer comparisons without empty checks"
 echo "Severity: HIGH"
@@ -170,7 +170,7 @@ echo ""
 #==============================================================================
 # CHECK 6: Missing common-functions.sh (HIGH - command not found)
 #==============================================================================
-echo "[6/8] Checking: Missing common-functions.sh..."
+echo "[6/20] Checking: Missing common-functions.sh..."
 {
 echo "## CHECK 6: Missing common-functions.sh sourcing"
 echo "Severity: HIGH"
@@ -190,7 +190,7 @@ echo ""
 #==============================================================================
 # CHECK 7: exit in libraries (HIGH - terminates parent script)
 #==============================================================================
-echo "[7/8] Checking: exit in library files..."
+echo "[7/20] Checking: exit in library files..."
 {
 echo "## CHECK 7: exit in sourced libraries"
 echo "Severity: HIGH"
@@ -215,7 +215,7 @@ echo ""
 #==============================================================================
 # CHECK 8: bc command usage (LOW - external dependency)
 #==============================================================================
-echo "[8/11] Checking: bc command usage..."
+echo "[8/20] Checking: bc command usage..."
 {
 echo "## CHECK 8: bc command usage"
 echo "Severity: LOW"
@@ -238,7 +238,7 @@ echo ""
 #==============================================================================
 # CHECK 9: Hardcoded /var/cpanel paths (MEDIUM - breaks multi-panel)
 #==============================================================================
-echo "[9/11] Checking: Hardcoded /var/cpanel paths..."
+echo "[9/20] Checking: Hardcoded /var/cpanel paths..."
 {
 echo "## CHECK 9: Hardcoded /var/cpanel paths"
 echo "Severity: MEDIUM"
@@ -264,7 +264,7 @@ echo ""
 #==============================================================================
 # CHECK 10: Undefined color variables (LOW - cosmetic issue)
 #==============================================================================
-echo "[10/11] Checking: Undefined color variables..."
+echo "[10/20] Checking: Undefined color variables..."
 {
 echo "## CHECK 10: Undefined color variables"
 echo "Severity: LOW"
@@ -289,7 +289,7 @@ echo ""
 #==============================================================================
 # CHECK 11: Bash syntax validation (CRITICAL - prevents execution)
 #==============================================================================
-echo "[11/11] Checking: Bash syntax errors..."
+echo "[11/20] Checking: Bash syntax errors..."
 {
 echo "## CHECK 11: Bash syntax validation"
 echo "Severity: CRITICAL"
@@ -307,6 +307,263 @@ done < <(find "$TOOLKIT_PATH" -name "*.sh" 2>/dev/null)
 echo ""
 } >> "$REPORT"
 #==============================================================================
 # CHECK 12: Dangerous rm commands (CRITICAL - data loss risk)
 #==============================================================================
 echo "[12/20] Checking: Dangerous rm commands..."
 {
 echo "## CHECK 12: Dangerous rm commands"
 echo "Severity: CRITICAL"
 echo "Issue: rm -rf with potentially empty variables = catastrophic data loss"
 echo ""
 while IFS=: read -r file line_num line_content; do
    # Check for rm -rf $var patterns where var might be empty
    if echo "$line_content" | grep -qE 'rm\s+-[a-z]*r[a-z]*f.*\$[A-Z_]+[^/]|rm\s+-[a-z]*r[a-z]*f\s+/?\$'; then
        # Skip if it has proper validation ([ -n "$var" ] && rm ...)
        if ! echo "$line_content" | grep -q '\[\s*-[nz]'; then
            echo "CRITICAL|$file|$line_num|Dangerous rm -rf with unvalidated variable"
            count_issue "CRITICAL"
        fi
    fi
 done < <(grep -rn 'rm\s\+-[a-z]*r' "$TOOLKIT_PATH" --include="*.sh" --exclude="toolkit-qa-check.sh" 2>/dev/null | head -10)
 echo ""
 } >> "$REPORT"
 #==============================================================================
 # CHECK 13: Unquoted variable expansions (HIGH - word splitting/globbing risks)
 #==============================================================================
 echo "[13/20] Checking: Unquoted variables in dangerous contexts..."
 {
 echo "## CHECK 13: Unquoted variable expansions"
 echo "Severity: HIGH"
 echo "Issue: Unquoted \$var in rm/cp/mv can cause unintended file operations"
 echo ""
 while IFS=: read -r file line_num line_content; do
    # Check for dangerous commands with unquoted variables
    if echo "$line_content" | grep -qE '(rm|cp|mv|chmod|chown)\s+[^"'"'"']*\$[A-Z_a-z]+[^"]'; then
        # Skip comments and quoted contexts
        if ! echo "$line_content" | grep -qE '^\s*#|".*\$.*"|'"'"'.*\$.*'"'"''; then
            echo "HIGH|$file|$line_num|Unquoted variable in dangerous command"
            count_issue "HIGH"
        fi
    fi
 done < <(grep -rnE '(rm|cp|mv|chmod|chown)\s+.*\$' "$TOOLKIT_PATH" --include="*.sh" --exclude="toolkit-qa-check.sh" 2>/dev/null | head -10)
 echo ""
 } >> "$REPORT"
 #==============================================================================
 # CHECK 14: Command injection via eval (CRITICAL - arbitrary code execution)
 #==============================================================================
 echo "[14/20] Checking: Command injection risks..."
 {
 echo "## CHECK 14: Command injection via eval"
 echo "Severity: CRITICAL"
 echo "Issue: eval with user-controlled input = remote code execution risk"
 echo ""
 while IFS=: read -r file line_num line_content; do
    # Check for eval usage - always risky
    if ! echo "$line_content" | grep -q '^\s*#'; then
        echo "CRITICAL|$file|$line_num|Uses eval command (code injection risk)"
        count_issue "CRITICAL"
    fi
 done < <(grep -rn '\beval\s' "$TOOLKIT_PATH" --include="*.sh" --exclude="toolkit-qa-check.sh" 2>/dev/null | head -5)
 echo ""
 } >> "$REPORT"
 #==============================================================================
 # CHECK 15: Temp file security (MEDIUM - race conditions/predictable names)
 #==============================================================================
 echo "[15/20] Checking: Temp file security..."
 {
 echo "## CHECK 15: Insecure temp file creation"
 echo "Severity: MEDIUM"
 echo "Issue: Predictable temp file names = race condition attacks"
 echo ""
 while IFS=: read -r file line_num line_content; do
    # Check for /tmp usage without mktemp
    if echo "$line_content" | grep -qE '/tmp/[a-zA-Z_-]+\.(txt|tmp|log|dat)'; then
        if ! echo "$line_content" | grep -qE 'mktemp|TEMP_DIR'; then
            echo "MEDIUM|$file|$line_num|Hardcoded /tmp path (use mktemp)"
            count_issue "MEDIUM"
        fi
    fi
 done < <(grep -rn '/tmp/' "$TOOLKIT_PATH" --include="*.sh" --exclude="toolkit-qa-check.sh" 2>/dev/null | head -10)
 echo ""
 } >> "$REPORT"
 #==============================================================================
 # CHECK 16: TODO/FIXME/HACK markers (LOW - technical debt tracking)
 #==============================================================================
 echo "[16/20] Checking: Technical debt markers..."
 {
 echo "## CHECK 16: TODO/FIXME/HACK comments"
 echo "Severity: LOW"
 echo "Issue: Tracks incomplete features and known issues"
 echo ""
 count=0
 while IFS=: read -r file line_num line_content; do
    marker=$(echo "$line_content" | grep -oE 'TODO|FIXME|HACK|XXX' | head -1)
    echo "LOW|$file|$line_num|Technical debt: $marker"
    count_issue "LOW"
    ((count++))
    [ "$count" -ge 10 ] && break
 done < <(grep -rnE '\b(TODO|FIXME|HACK|XXX)\b' "$TOOLKIT_PATH" --include="*.sh" --exclude="toolkit-qa-check.sh" 2>/dev/null)
 total_debt=$(grep -rE '\b(TODO|FIXME|HACK|XXX)\b' "$TOOLKIT_PATH" --include="*.sh" --exclude="toolkit-qa-check.sh" 2>/dev/null | wc -l)
 echo "Total found: $total_debt (showing first 10)"
 echo ""
 } >> "$REPORT"
 #==============================================================================
 # CHECK 17: Duplicate function definitions (MEDIUM - causes conflicts)
 #==============================================================================
 echo "[17/20] Checking: Duplicate function definitions..."
 {
 echo "## CHECK 17: Duplicate function definitions"
 echo "Severity: MEDIUM"
 echo "Issue: Same function in multiple files causes unpredictable behavior"
 echo ""
 # Extract all function names and find duplicates
 declare -A func_files
 while IFS=: read -r file func_name; do
    if [ -n "${func_files[$func_name]}" ]; then
        echo "MEDIUM|$file|N/A|Duplicate function '$func_name' (also in ${func_files[$func_name]})"
        count_issue "MEDIUM"
    else
        func_files[$func_name]="$file"
    fi
 done < <(grep -rh '^\s*[a-zA-Z_][a-zA-Z0-9_]*\s*()' "$TOOLKIT_PATH" --include="*.sh" --exclude="toolkit-qa-check.sh" 2>/dev/null | \
         sed 's/^\s*//; s/(.*$//' | sort | uniq -d | \
         while read func; do grep -rl "^[[:space:]]*$func()" "$TOOLKIT_PATH" --include="*.sh" --exclude="toolkit-qa-check.sh" 2>/dev/null | sed "s|$|:$func|"; done)
 echo ""
 } >> "$REPORT"
 #==============================================================================
 # CHECK 18: Missing input validation (HIGH - security/reliability risk)
 #==============================================================================
 echo "[18/20] Checking: Missing input validation..."
 {
 echo "## CHECK 18: Functions without parameter validation"
 echo "Severity: HIGH"
 echo "Issue: Functions accepting parameters without validation"
 echo ""
 count=0
 while read -r file; do
    # Find functions that use $1, $2 etc but don't validate them
    while IFS=: read -r line_num func_line; do
        # Get function name
        func_name=$(echo "$func_line" | sed 's/^\s*//; s/(.*$//')
        # Check if function uses parameters
        if grep -A 20 "^[[:space:]]*$func_name()" "$file" 2>/dev/null | grep -q '\$[1-9]'; then
            # Check if it validates them
            if ! grep -A 5 "^[[:space:]]*$func_name()" "$file" 2>/dev/null | grep -qE '\[\s*-[nz]\s*"\$[1-9]"|\[\s*\$#\s*-'; then
                echo "HIGH|$file|$line_num|Function '$func_name' uses parameters without validation"
                count_issue "HIGH"
                ((count++))
                [ "$count" -ge 10 ] && break 2
            fi
        fi
    done < <(grep -n '^\s*[a-zA-Z_][a-zA-Z0-9_]*\s*()' "$file" 2>/dev/null)
 done < <(find "$TOOLKIT_PATH" -name "*.sh" -not -name "toolkit-qa-check.sh" 2>/dev/null)
 echo "Found: $count issues (showing first 10)"
 echo ""
 } >> "$REPORT"
 #==============================================================================
 # CHECK 19: Long functions (MEDIUM - maintainability issue)
 #==============================================================================
 echo "[19/20] Checking: Overly long functions..."
 {
 echo "## CHECK 19: Long functions (>100 lines)"
 echo "Severity: MEDIUM"
 echo "Issue: Long functions are hard to maintain and test"
 echo ""
 count=0
 while read -r file; do
    # Find function definitions and count lines until closing brace
    awk '
    /^[[:space:]]*[a-zA-Z_][a-zA-Z0-9_]*[[:space:]]*\(\)/ {
        func_name = $0
        gsub(/[[:space:]]*\(\).*/, "", func_name)
        gsub(/^[[:space:]]*/, "", func_name)
        func_line = NR
        brace_count = 0
        line_count = 0
        in_function = 1
        next
    }
    in_function {
        line_count++
        if (/\{/) brace_count += gsub(/\{/, "{")
        if (/\}/) brace_count -= gsub(/\}/, "}")
        if (brace_count == 0 && line_count > 100) {
            print FILENAME ":" func_line ":Function '\''" func_name "'\'' is " line_count " lines"
            in_function = 0
        }
        if (brace_count == 0) in_function = 0
    }
    ' "$file" 2>/dev/null
 done < <(find "$TOOLKIT_PATH" -name "*.sh" -not -name "toolkit-qa-check.sh" 2>/dev/null) | while IFS=: read -r file line_num message; do
    echo "MEDIUM|$file|$line_num|$message"
    count_issue "MEDIUM"
    ((count++))
    [ "$count" -ge 10 ] && break
 done
 echo ""
 } >> "$REPORT"
 #==============================================================================
 # CHECK 20: ShellCheck integration (if available)
 #==============================================================================
 echo "[20/20] Checking: ShellCheck warnings (if available)..."
 {
 echo "## CHECK 20: ShellCheck static analysis"
 echo "Severity: VARIES"
 echo "Issue: ShellCheck finds many common bash pitfalls"
 echo ""
 if command -v shellcheck >/dev/null 2>&1; then
    count=0
    while read -r file; do
        # Run shellcheck and capture warnings
        shellcheck_output=$(shellcheck -f gcc "$file" 2>/dev/null | head -5)
        if [ -n "$shellcheck_output" ]; then
            echo "$shellcheck_output" | while IFS=: read -r f line col severity message; do
                case "$severity" in
                    *error*) echo "HIGH|$f|$line|ShellCheck: $message"; count_issue "HIGH" ;;
                    *warning*) echo "MEDIUM|$f|$line|ShellCheck: $message"; count_issue "MEDIUM" ;;
                    *info*|*style*) echo "LOW|$f|$line|ShellCheck: $message"; count_issue "LOW" ;;
                esac
                ((count++))
                [ "$count" -ge 20 ] && break 2
            done
        fi
    done < <(find "$TOOLKIT_PATH" -name "*.sh" -not -name "toolkit-qa-check.sh" 2>/dev/null | head -10)
    echo "Note: Ran ShellCheck on first 10 files (showing first 20 issues)"
 else
    echo "INFO: ShellCheck not installed - skipping advanced checks"
    echo "Install with: dnf install ShellCheck (or: apt install shellcheck)"
 fi
 echo ""
 } >> "$REPORT"
 #==============================================================================
 # PERFORMANCE CHECKS (INFO level - not counted as issues)
 #==============================================================================