cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix ESCAPE issues in threat intelligence and reference DB

Browse Source 
- Added -- separator to grep commands in lib/threat-intelligence.sh (5 fixes)
- Added -- separator to grep commands in lib/reference-db.sh (3 fixes)
- Prevents filename injection attacks where filenames starting with - could be misinterpreted as command options

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
cschantz
2026-01-09 16:20:23 -05:00
parent b6c0ec0e9b
commit c6d5affbee
2 changed files with 8 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
lib/threat-intelligence.sh
+5 -5
View File
@@ -139,7 +139,7 @@ is_whitelisted_service() {
# Check static whitelist
if [ -f "$whitelist_file" ]; then
if grep -q "^$ip$" "$whitelist_file"; then
if grep -q "^$ip$" -- "$whitelist_file"; then
return 0
fi
fi
@@ -175,7 +175,7 @@ add_to_whitelist() {
local reason="$2"
local whitelist_file="/tmp/server-toolkit-whitelist_ips.txt"
if ! grep -q "^$ip$" "$whitelist_file" 2>/dev/null; then
if ! grep -q "^$ip$" -- "$whitelist_file" 2>/dev/null; then
echo "$ip # $reason" >> "$whitelist_file"
fi
}
@@ -276,7 +276,7 @@ matches_known_pattern() {
fi
# Check if this attack type + similar URI has been seen before
local similar_count=$(grep "|$attack_type|" "$pattern_file" | grep -c "$uri" || echo 0)
local similar_count=$(grep "|$attack_type|" -- "$pattern_file" | grep -c "$uri" || echo 0)
if [ "$similar_count" -ge 3 ]; then
return 0 # Known pattern
@@ -368,7 +368,7 @@ generate_incident_report() {
local pattern_file="/tmp/server-toolkit-attack-patterns.log"
if [ -f "$pattern_file" ]; then
echo "Recent attacks from this IP:"
grep "|$ip|" "$pattern_file" | tail -20 | while IFS='|' read -r ts ip_addr attack_type uri ua; do
grep "|$ip|" -- "$pattern_file" | tail -20 | while IFS='|' read -r ts ip_addr attack_type uri ua; do
echo " [$(date -d @$ts '+%Y-%m-%d %H:%M:%S')] $attack_type - $uri"
done
echo ""
@@ -424,7 +424,7 @@ check_shared_threats() {
local coordination_file="/tmp/server-toolkit-shared-threats.log"
if [ -f "$coordination_file" ]; then
local count=$(grep "|$ip|" "$coordination_file" | wc -l)
local count=$(grep "|$ip|" -- "$coordination_file" | wc -l)
echo "$count"
else
echo "0"