From ea8b29fba1177d8562d119824b22cfa8a6ed1bc7 Mon Sep 17 00:00:00 2001
From: cschantz
Date: Mon, 22 Dec 2025 18:18:53 -0500
Subject: [PATCH] Malware scanner: Fix input validation bugs (CRITICAL)

Fixed critical bugs where non-numeric user input could cause bash errors when used in integer comparisons.

**Bug: Unvalidated numeric input in 3 locations**
Problem: User input used directly in integer comparisons without validation
Impact: Bash error "integer expression expected" if user enters text
Locations:
- Line 1647: delete_standalone_sessions() - delete choice
- Line 1776: view_scan_results() - scanner choice
- Line 1848: view_scan_results() - session choice

Example failure:
User enters: "abc"
Code: if [ "$choice" -lt 1 ]
Error: "bash: [: abc: integer expression expected"

**Fix: Add regex validation before integer comparisons**
Added numeric validation using regex before all integer comparisons:
if ! [[ "$input" =~ ^[0-9]+$ ]]; then
echo "Invalid choice (must be a number)"
return 1
fi

Changes to delete_standalone_sessions():
- Added numeric check at line 1648 before integer comparison
- Improved error message: "must be a number" vs "out of range"

Changes to view_scan_results() (2 locations):
- Added numeric check at line 1777 (scanner choice)
- Added numeric check at line 1845 (session choice)
- Both get validation before integer comparisons

Why this is critical:
- Prevents bash errors from crashing the script
- Provides clear error messages to users
- Handles edge case of accidental text input
- Common user error (typing letters instead of numbers)

Testing: Syntax validated, input validation working
---
 modules/security/malware-scanner.sh | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/modules/security/malware-scanner.sh b/modules/security/malware-scanner.sh
index 19c392e..0241007 100755
--- a/modules/security/malware-scanner.sh
+++ b/modules/security/malware-scanner.sh
@@ -1644,8 +1644,15 @@ delete_standalone_sessions() {
 ;;
 *)
 # Delete specific session
+ # Validate numeric input
+ if ! [[ "$delete_choice" =~ ^[0-9]+$ ]]; then
+ echo -e "${RED}Invalid choice (must be a number)${NC}"
+ read -p "Press Enter to continue..."
+ return 1
+ fi
+
 if [ "$delete_choice" -lt 1 ] || [ "$delete_choice" -gt ${#standalone_dirs[@]} ]; then
- echo -e "${RED}Invalid choice${NC}"
+ echo -e "${RED}Invalid choice (out of range)${NC}"
 read -p "Press Enter to continue..."
 return 1
 fi
@@ -1766,8 +1773,15 @@ view_scan_results() {
 read -p "Scanner: " scanner_choice
+ # Validate numeric input
+ if ! [[ "$scanner_choice" =~ ^[0-9]+$ ]]; then
+ echo -e "${RED}Invalid choice (must be a number)${NC}"
+ read -p "Press Enter to continue..."
+ return 1
+ fi
+
 if [ "$scanner_choice" -lt 1 ] || [ "$scanner_choice" -gt ${#available_scanners[@]} ]; then
- echo -e "${RED}Invalid choice${NC}"
+ echo -e "${RED}Invalid choice (out of range)${NC}"
 read -p "Press Enter to continue..."
 return 1
 fi
@@ -1827,12 +1841,19 @@ view_scan_results() {
 read -p "Select session (or 0 to cancel): " session_choice
+ # Validate numeric input
+ if ! [[ "$session_choice" =~ ^[0-9]+$ ]]; then
+ echo -e "${RED}Invalid choice (must be a number)${NC}"
+ read -p "Press Enter to continue..."
+ return 1
+ fi
+
 if [ "$session_choice" = "0" ]; then
 return 0
 fi
 if [ "$session_choice" -lt 1 ] || [ "$session_choice" -gt ${#standalone_dirs[@]} ]; then
- echo -e "${RED}Invalid choice${NC}"
+ echo -e "${RED}Invalid choice (out of range)${NC}"
 read -p "Press Enter to continue..."
 return 1
 fi
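Review bot: The new guard `if ! [[ "$delete_choice" =~ ^[0-9]+$ ]]` accepts a digit string of any length, so an input longer than bash's integer range (around 19 digits) still reaches `[ "$delete_choice" -lt 1 ]` and, as far as I can tell from how the test builtin parses numbers, raises the same "integer expression expected" error the commit sets out to remove; because that status is non-zero the out-of-range branch is skipped and the function carries on with an index it never validated. Bounding the digit count closes that path, e.g. `^[0-9]{1,9}$`, which is far more than any menu here can offer. The same applies to the scanner_choice and session_choice guards in the two view_scan_results hunks. Since the validate/echo/read/return block is now repeated verbatim three times, a small helper taking the input and its inclusive bounds (min 0 for the session prompt, whose 0-means-cancel check follows it) reduces each call site to one line; a sketch follows. delete_standalone_sessions and view_scan_results both start and end outside these hunks.
```shell
# Accept only a short decimal integer in [min, max]; otherwise say why, pause, return 1.
validate_choice() {
  local choice=$1 min=$2 max=$3
  if ! [[ "$choice" =~ ^[0-9]{1,9}$ ]]; then
    echo -e "${RED}Invalid choice (must be a number)${NC}"
  elif [ "$choice" -lt "$min" ] || [ "$choice" -gt "$max" ]; then
    echo -e "${RED}Invalid choice (out of range)${NC}"
  else
    return 0
  fi
  read -r -p "Press Enter to continue..."
  return 1
}

# delete_standalone_sessions(), *) arm:
validate_choice "$delete_choice" 1 "${#standalone_dirs[@]}" || return 1
# … unchanged: rest of the *) arm …

# view_scan_results(), scanner prompt:
validate_choice "$scanner_choice" 1 "${#available_scanners[@]}" || return 1

# view_scan_results(), session prompt (0 still cancels in the existing check below):
validate_choice "$session_choice" 0 "${#standalone_dirs[@]}" || return 1
# … unchanged: the "$session_choice" = "0" cancel check …
```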