Fix ESCAPE issues in threat intelligence and reference DB

- Added -- separator to grep commands in lib/threat-intelligence.sh (5 fixes)
- Added -- separator to grep commands in lib/reference-db.sh (3 fixes)
- Prevents filename injection attacks where filenames starting with - could be misinterpreted as command options

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
cschantz
2026-01-09 16:20:23 -05:00
parent b6c0ec0e9b
commit c6d5affbee
2 changed files with 8 additions and 8 deletions
+3 -3
@@ -289,9 +289,9 @@ build_domains_section() {
# Extract domain info from config
local domain="$basename"
local doc_root=$(grep "^documentroot:" "$config_file" | awk '{print $2}' || true)
local log_path=$(grep "target:.*domlogs" "$config_file" | head -1 | awk '{print $2}' || true)
local server_alias=$(grep "^serveralias:" "$config_file" | awk '{print $2}' || true)
local doc_root=$(grep "^documentroot:" -- "$config_file" | awk '{print $2}' || true)
local log_path=$(grep "target:.*domlogs" -- "$config_file" | head -1 | awk '{print $2}' || true)
local server_alias=$(grep "^serveralias:" -- "$config_file" | awk '{print $2}' || true)
local php_version=$(grep "^phpversion:" "$config_file" | awk '{print $2}' || true)
# Determine if primary domain
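Review bot: The `php_version` lookup on the last context line still calls grep without `--`, so `$config_file` is protected in three of the four lookups in this block but not the fourth; change it to `local php_version=$(grep "^phpversion:" -- "$config_file" | awk '{print $2}' || true)`. Since `--` is placed after the pattern in the new lines, it relies on the grep implementation permuting options past the first operand, which a POSIX-strict grep may not do; passing the pattern with `-e` (`grep -e "^documentroot:" -- "$config_file"`) makes the separator unambiguous on every implementation. build_domains_section starts before the hunk and continues after it.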
+5 -5
@@ -139,7 +139,7 @@ is_whitelisted_service() {
# Check static whitelist
if [ -f "$whitelist_file" ]; then
if grep -q "^$ip$" "$whitelist_file"; then
if grep -q "^$ip$" -- "$whitelist_file"; then
return 0
fi
fi
@@ -175,7 +175,7 @@ add_to_whitelist() {
local reason="$2"
local whitelist_file="/tmp/server-toolkit-whitelist_ips.txt"
if ! grep -q "^$ip$" "$whitelist_file" 2>/dev/null; then
if ! grep -q "^$ip$" -- "$whitelist_file" 2>/dev/null; then
echo "$ip # $reason" >> "$whitelist_file"
fi
}
@@ -276,7 +276,7 @@ matches_known_pattern() {
fi
# Check if this attack type + similar URI has been seen before
local similar_count=$(grep "|$attack_type|" "$pattern_file" | grep -c "$uri" || echo 0)
local similar_count=$(grep "|$attack_type|" -- "$pattern_file" | grep -c "$uri" || echo 0)
if [ "$similar_count" -ge 3 ]; then
return 0 # Known pattern
@@ -368,7 +368,7 @@ generate_incident_report() {
local pattern_file="/tmp/server-toolkit-attack-patterns.log"
if [ -f "$pattern_file" ]; then
echo "Recent attacks from this IP:"
grep "|$ip|" "$pattern_file" | tail -20 | while IFS='|' read -r ts ip_addr attack_type uri ua; do
grep "|$ip|" -- "$pattern_file" | tail -20 | while IFS='|' read -r ts ip_addr attack_type uri ua; do
echo " [$(date -d @$ts '+%Y-%m-%d %H:%M:%S')] $attack_type - $uri"
done
echo ""
@@ -424,7 +424,7 @@ check_shared_threats() {
local coordination_file="/tmp/server-toolkit-shared-threats.log"
if [ -f "$coordination_file" ]; then
local count=$(grep "|$ip|" "$coordination_file" | wc -l)
local count=$(grep "|$ip|" -- "$coordination_file" | wc -l)
echo "$count"
else
echo "0"
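Review bot: In matches_known_pattern the new `--` protects only `$pattern_file`; the second stage of the same pipeline, `grep -c "$uri"`, still passes `$uri` in option position and as a basic regex, so a logged request path beginning with `-` or containing `[`, `*` or `.` can change the match or make grep exit non-zero, which `|| echo 0` then reports as zero similar entries. A fixed-string match with the pattern passed explicitly avoids both problems: `local similar_count=$(grep -F -e "|$attack_type|" -- "$pattern_file" | grep -c -F -e "$uri" || echo 0)`. The same applies to `$ip` in is_whitelisted_service, add_to_whitelist, generate_incident_report and check_shared_threats, where `.` in the address matches any character; `grep -qxF -e "$ip" -- "$whitelist_file"` gives the intended exact-line comparison. The whitelist, pattern and coordination files live under predictable names in /tmp, which is pre-existing but worth noting given that these functions grant whitelisting based on their contents. Each of these functions starts before its hunk and continues after it.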