From c6d5affbee6ae314a4261a165bac28965501020b Mon Sep 17 00:00:00 2001
From: cschantz
Date: Fri, 9 Jan 2026 16:20:23 -0500
Subject: [PATCH] Fix ESCAPE issues in threat intelligence and reference DB
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Added -- separator to grep commands in lib/threat-intelligence.sh (5 fixes)
- Added -- separator to grep commands in lib/reference-db.sh (3 fixes)
- Prevents filename injection attacks where filenames starting with - could be misinterpreted as command options
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5
---
 lib/reference-db.sh | 6 +++---
 lib/threat-intelligence.sh | 10 +++++-----
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/lib/reference-db.sh b/lib/reference-db.sh
index 3ccda0e..3314bc2 100755
--- a/lib/reference-db.sh
+++ b/lib/reference-db.sh
@@ -289,9 +289,9 @@ build_domains_section() {
 # Extract domain info from config
 local domain="$basename"
- local doc_root=$(grep "^documentroot:" "$config_file" | awk '{print $2}' || true)
- local log_path=$(grep "target:.*domlogs" "$config_file" | head -1 | awk '{print $2}' || true)
- local server_alias=$(grep "^serveralias:" "$config_file" | awk '{print $2}' || true)
+ local doc_root=$(grep "^documentroot:" -- "$config_file" | awk '{print $2}' || true)
+ local log_path=$(grep "target:.*domlogs" -- "$config_file" | head -1 | awk '{print $2}' || true)
+ local server_alias=$(grep "^serveralias:" -- "$config_file" | awk '{print $2}' || true)
 local php_version=$(grep "^phpversion:" "$config_file" | awk '{print $2}' || true)
 # Determine if primary domain
diff --git a/lib/threat-intelligence.sh b/lib/threat-intelligence.sh
index da4c0e4..d224a70 100644
--- a/lib/threat-intelligence.sh
+++ b/lib/threat-intelligence.sh
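Review bot: The `local php_version=$(grep "^phpversion:" "$config_file" ...)` context line directly below the three rewritten lines still passes `$config_file` without `--`, so one of the four identical grep calls in this run is left inconsistent with the fix the commit describes; change it to `grep "^phpversion:" -- "$config_file"`. Placing `--` after the pattern only protects the filename argument, which is sufficient here because the patterns are fixed literals that cannot start with `-`. build_domains_section() starts and ends outside the hunk.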
@@ -139,7 +139,7 @@ is_whitelisted_service() {
 # Check static whitelist
 if [ -f "$whitelist_file" ]; then
- if grep -q "^$ip$" "$whitelist_file"; then
+ if grep -q "^$ip$" -- "$whitelist_file"; then
 return 0
 fi
 fi
@@ -175,7 +175,7 @@ add_to_whitelist() {
 local reason="$2"
 local whitelist_file="/tmp/server-toolkit-whitelist_ips.txt"
- if ! grep -q "^$ip$" "$whitelist_file" 2>/dev/null; then
+ if ! grep -q "^$ip$" -- "$whitelist_file" 2>/dev/null; then
 echo "$ip # $reason" >> "$whitelist_file"
 fi
 }
@@ -276,7 +276,7 @@ matches_known_pattern() {
 fi
 # Check if this attack type + similar URI has been seen before
- local similar_count=$(grep "|$attack_type|" "$pattern_file" | grep -c "$uri" || echo 0)
+ local similar_count=$(grep "|$attack_type|" -- "$pattern_file" | grep -c "$uri" || echo 0)
 if [ "$similar_count" -ge 3 ]; then
 return 0 # Known pattern
@@ -368,7 +368,7 @@ generate_incident_report() {
 local pattern_file="/tmp/server-toolkit-attack-patterns.log"
 if [ -f "$pattern_file" ]; then
 echo "Recent attacks from this IP:"
- grep "|$ip|" "$pattern_file" | tail -20 | while IFS='|' read -r ts ip_addr attack_type uri ua; do
+ grep "|$ip|" -- "$pattern_file" | tail -20 | while IFS='|' read -r ts ip_addr attack_type uri ua; do
 echo " [$(date -d @$ts '+%Y-%m-%d %H:%M:%S')] $attack_type - $uri"
 done
 echo ""
@@ -424,7 +424,7 @@ check_shared_threats() {
 local coordination_file="/tmp/server-toolkit-shared-threats.log"
 if [ -f "$coordination_file" ]; then
- local count=$(grep "|$ip|" "$coordination_file" | wc -l)
+ local count=$(grep "|$ip|" -- "$coordination_file" | wc -l)
 echo "$count"
 else
 echo "0"
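Review bot: `grep -q "^$ip$"` still interpolates `$ip` into a basic regular expression, so each dot in an IPv4 address matches any character and the whitelist test is a near-match rather than the exact whole-line comparison the anchors suggest. The fixed-string, whole-line form expresses the intent directly and also removes any option-parsing concern for the pattern itself: `if grep -qxF -- "$ip" "$whitelist_file"; then`. The `--` the commit adds only protects `$whitelist_file`, which is assigned outside this hunk. is_whitelisted_service() starts and ends outside the hunk.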
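Review bot: The dedup guard and the write on the next line disagree: the guard looks for a line that is exactly `$ip` (`^$ip$`), but the function appends `"$ip # $reason"`, so an entry this function wrote never matches and every call adds another copy. Make the check compare what is stored, e.g. the first field, `if ! awk -v ip="$ip" '$1 == ip { found=1 } END { exit !found }' "$whitelist_file" 2>/dev/null; then`, which is also a literal comparison rather than a regex in which the dots of `$ip` are wildcards. Separately, the whitelist is kept under a fixed, predictable name in /tmp; if this toolkit runs with elevated privileges, any local user can pre-create that file (or a symlink to it) and have arbitrary addresses treated as whitelisted, so a root-owned state directory with restrictive permissions would be safer. add_to_whitelist() starts outside the hunk.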
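Review bot: The untrusted value on this line is `$uri` (presumably request data, given the function name and the fields read back from the same file in a later hunk), and it sits in the pattern position of the second grep, which the added `--` does not cover: a URI beginning with `-` is parsed as grep options, and regex metacharacters in it alter the match — a URI of `.*` alone would make every row of that attack type count toward the threshold. Use the fixed-string, option-safe form `grep -cF -- "$uri"`. Also, `grep -c` prints `0` and exits 1 when nothing matches, so `|| echo 0` then emits a second `0` and `similar_count` becomes two lines, which makes `[ "$similar_count" -ge 3 ]` fail with an integer-expression error; the `|| echo 0` can simply be dropped. matches_known_pattern() starts and ends outside the hunk.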
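Review bot: The loop body passes `$ts`, read back from the pattern file, to `date -d @$ts` unquoted: an empty or whitespace-containing timestamp field word-splits into extra `date` arguments and the report fails mid-way. Quote it as `$(date -d "@$ts" '+%Y-%m-%d %H:%M:%S')` and, because the file is presumably populated from attacker-influenced log data, validate it first with `[[ "$ts" =~ ^[0-9]+$ ]] || continue`. The `|$ip|` pattern is still a regex in which dots match any character; `grep -F -- "|$ip|"` gives the exact match intended. generate_incident_report() starts and ends outside the hunk.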