7937fd923a
CRITICAL SECURITY FIX:

- Issue 1 (Lines 1358, 1376, 1395): Fixed regex injection vulnerability in grep patterns
  When parsing infected file paths from malware scanner logs, the filepath variable was being used unsafely in regex patterns. Special characters (., *, +, ?, etc.) were being interpreted as regex operators instead of literal characters, causing false positive matches and potential incorrect IP flagging in the reputation database.
  Fixed by: Using grep -hF for safe literal matching instead of regex interpretation.
  Impact: Prevents false positives in IP reputation flagging when files contain special chars.

MEDIUM QUALITY/CONSISTENCY FIXES:

- Issue 2 (Line 1269): Added -F flag to rootkit detection grep
  Was using 'grep "Rootkit"' without -F flag, for consistency with other patterns.
  Fixed by: Changed to 'grep -F "Rootkit"' and 'grep -iF "found"' for explicit literal matching.

- Issue 3 (Line 1732): Added -F flag to screen session detection
  Changed 'grep -q "$session_id"' to 'grep -qF "$session_id"' for consistency.
  Note: $session_id format (malware-YYYYMMDD-HHMMSS) is already safe, but -F is best practice.

- Issue 5 (Lines 1943-1946, 1971): Fixed unanchored bash pattern matching for user/domain selection
  Patterns like *"/$SELECTED_USER/"* would match unintended paths (e.g., 'test' matches '/home/username_test/public_html').
  Improved to use anchored patterns:
  - User matching: */home/$user/* OR */vhosts/$user/* OR */chroot/home/$user/*
  - Domain matching: Use second condition for more specific matching.
  Impact: Correct user/domain docroot selection without false positives.

All fixes verified with:
- bash -n syntax check ✓
- Manual code review ✓
- Audit documentation generated ✓

Files modified: modules/security/malware-scanner.sh
Lines changed: 5 locations across 3 core issues
Total fixes: 5 (1 critical, 4 medium)
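The two defect classes described in this commit (Issue 1, regex interpretation of a file path passed to grep, and Issue 5, unanchored docroot matching), as an added shell example that is not part of the commit or of the malware-scanner.sh module. The access-log lines, client IPs, user names and function names are constructed for illustration; the only things taken from the commit are the grep -F fix and the anchored */home/$user/* pattern family.

```shell
#!/bin/sh
# Constructed web-server access log (not from any real system).
# Line 2 differs from the infected path only where that path has a
# literal '.', which an unescaped regex treats as "any character".
ACCESS_LOG='203.0.113.10 - - [01/Jan/2024:10:00:00 +0000] "POST /home/alice/public_html/upload.php HTTP/1.1" 200
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "POST /home/alice/public_html/uploadXphp HTTP/1.1" 200
192.0.2.55 - - [01/Jan/2024:10:00:02 +0000] "GET /home/bob/public_html/index.php HTTP/1.1" 200'

# Before the fix: the infected path ($1) is compiled as a regular
# expression. Prints the client IPs that would be flagged.
flag_ips_regex() {
    printf '%s\n' "$ACCESS_LOG" | grep -h -e "$1" | awk '{ print $1 }'
}

# After the fix: -F compares the path as a fixed string. -e is used so a
# path beginning with '-' is never parsed as a grep option (-F alone does
# not protect against that).
flag_ips_fixed() {
    printf '%s\n' "$ACCESS_LOG" | grep -hF -e "$1" | awk '{ print $1 }'
}

# Unanchored docroot check from the pre-fix code: the user name only has
# to appear as some directory component anywhere in the path.
# $1 = candidate docroot path, $2 = selected user
docroot_owner_unanchored() {
    case "$1" in
        *"/$2/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Anchored check: the user name must be the component directly under one
# of the known home roots. Quoting "$2" inside the pattern makes any glob
# characters in the user name literal rather than part of the pattern.
docroot_owner_anchored() {
    case "$1" in
        */home/"$2"/*|*/vhosts/"$2"/*|*/chroot/home/"$2"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demonstration.
INFECTED='/home/alice/public_html/upload.php'
printf 'regex grep flags: %s\n' "$(flag_ips_regex "$INFECTED" | tr '\n' ' ')"
printf 'fixed grep flags: %s\n' "$(flag_ips_fixed "$INFECTED" | tr '\n' ' ')"
for p in /home/test/public_html /var/www/test/public_html; do
    if docroot_owner_unanchored "$p" test; then u=yes; else u=no; fi
    if docroot_owner_anchored "$p" test; then a=yes; else a=no; fi
    printf '%s  unanchored=%s anchored=%s\n' "$p" "$u" "$a"
done
```

The regex variant flags 198.51.100.7, a client that never touched the infected file, because `.` in `upload.php` matched the `X` in `uploadXphp`; the -F variant flags only 203.0.113.10. For the docroot check, `/var/www/test/public_html` passes the unanchored pattern and fails the anchored one, which is the false-positive class the commit closes.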