073890f062
ISSUE:
The intel_tags logic at lines 2991+ uses variables multi_vector and geo_bonus to build threat intelligence tags. But these variables were declared as 'local' INSIDE the skip_scoring conditional block (lines 2855, 2885).

PROBLEM:
In bash, 'local' variables are function-scoped (not block-scoped like other languages). But declaring them inside a conditional block creates an expectation they're only needed inside that block. When used OUTSIDE the block (after line 2957), they may be undefined if the block wasn't executed (e.g., when skip_scoring=1).

BEHAVIOR WITH BUG:
1. When skip_scoring=0 (not whitelisted):
   - multi_vector and geo_bonus are initialized inside the block
   - Used outside the block
   - Works (but relies on block being executed)
2. When skip_scoring=1 (whitelisted):
   - multi_vector and geo_bonus are NEVER initialized
   - Used outside the block at lines 2991, 2999+ with undefined values
   - Undefined variables expand to empty strings in bash
   - Conditions like [ "$multi_vector" -eq 1 ] silently fail
   - Intel tags for multi-vector and geo-based threats not generated

IMPACT:
- Whitelisted IPs: MULTI-VECTOR and HOSTILE tags never shown (even if they should be)
- Intel_tags incomplete for whitelisted attacks with geographic/multi-vector indicators
- Misleading threat summary (appears less sophisticated than actual)

ROOT CAUSE:
Variables needed across scopes were declared inside a conditional block instead of before the conditional.

FIX:
Declare multi_vector=0 and geo_bonus=0 BEFORE the skip_scoring block (line 2748). Remove the duplicate 'local' declarations inside the block.

Now both variables:
- Are initialized to 0 before the skip_scoring check
- Can be safely used in intel_tags logic (lines 2991+)
- Work correctly for both whitelisted and non-whitelisted IPs

LINES CHANGED:
- Added declarations at line ~2755 (before skip_scoring block)
- Removed declarations from line 2861 (was in multi_vector logic)
- Removed declarations from line 2891 (was in geo_bonus logic)

VERIFICATION:
- Syntax: ✓ Pass
- Scope: ✓ Variables now accessible throughout IP processing
- Logic: ✓ Same initialization semantics, better scope management

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
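
The scoping pattern described in the commit message, as an added example that is not code from the project: one function declares the locals inside the skip_scoring block, the other initialises them before it. It goes one step beyond the message by also running a whitelisted IP after a scored one in the same function call (an assumed per-IP loop), where the function-scoped locals carry the earlier IP's values forward. Function names, thresholds, IPs and the argument layout are constructed.

```shell
#!/usr/bin/env bash
# Added example. multi_vector, geo_bonus, skip_scoring and intel_tags are the
# names from the commit message; function names, thresholds and the argument
# layout (groups of: ip skip_scoring vector_count hostile_geo) are constructed.

emit_tags() {  # print "ip=TAGS" from the two flag values
    local intel_tags=""
    # With an empty operand the numeric test errors (status 2), so no tag is added.
    if [ "$2" -eq 1 ] 2>/dev/null; then intel_tags="MULTI-VECTOR"; fi
    if [ "$3" -gt 0 ] 2>/dev/null; then intel_tags="${intel_tags:+$intel_tags,}HOSTILE"; fi
    echo "$1=$intel_tags"
}

tags_before() {  # 'local' declared inside the skip_scoring block
    while [ "$#" -ge 4 ]; do
        local ip="$1" skip_scoring="$2" vectors="$3" hostile_geo="$4"
        if [ "$skip_scoring" -eq 0 ]; then
            local multi_vector=0
            if [ "$vectors" -ge 2 ]; then multi_vector=1; fi
            local geo_bonus=0
            if [ "$hostile_geo" -eq 1 ]; then geo_bonus=10; fi
        fi
        # Block skipped: both names are unset here, or still hold the values
        # computed for an earlier IP, because 'local' is function-scoped.
        emit_tags "$ip" "$multi_vector" "$geo_bonus"
        shift 4
    done
}

tags_after() {  # initialised to 0 before the skip_scoring block
    while [ "$#" -ge 4 ]; do
        local ip="$1" skip_scoring="$2" vectors="$3" hostile_geo="$4"
        local multi_vector=0 geo_bonus=0
        if [ "$skip_scoring" -eq 0 ]; then
            if [ "$vectors" -ge 2 ]; then multi_vector=1; fi
            if [ "$hostile_geo" -eq 1 ]; then geo_bonus=10; fi
        fi
        emit_tags "$ip" "$multi_vector" "$geo_bonus"
        shift 4
    done
}

# Constructed input: a scored IP followed by a whitelisted one.
tags_before 203.0.113.5 0 3 1 198.51.100.7 1 0 0
tags_after  203.0.113.5 0 3 1 198.51.100.7 1 0 0
```

Running the script with `set -u` enabled makes the first variant stop with an unbound-variable error as soon as a whitelisted IP is processed first, which is a cheap way to catch this class of bug in testing.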