CRITICAL ISSUES FIXED:
1. Grep pipefail errors (12 locations: lines 72, 81, 90, 100, 111, 803, 1030, 1038, 1069, 1126, 1212)
- Added || true to all piped grep commands to prevent script exit on no-match
- With set -o pipefail, grep returning 1 (no match) causes script exit
- Fixed proper operator precedence with subshell nesting
2. Domain regex escaping vulnerability (Line 1210)
- CRITICAL: sed escaping incomplete - missing & \ and other metacharacters
- Attack vector: domains like "example.com:evil" could break pattern
- Fix: Switched from grep + sed to awk with variable comparison (safer)
3. RKHUNTER pipefail logic error (Line 1499, 1038, 1030)
- Used || false instead of || true with set -o pipefail
- Caused script exit when EPEL check found no matches
- Fixed: Changed to || true throughout
4. Domain matching false positives (Lines 2754-2757)
- Glob patterns *"/$domain/"* matched partial domains
- "example.com" matched in "/test/example-prod.com/"
- Fix: Added regex escape and word boundary checking
5. Temporary file cleanup missing (Lines 527, 538)
- Installation logs created but not cleaned on Ctrl+C
- Added trap RETURN to ensure cleanup even on interrupt
- Files now cleaned up safely on function exit
6. Inconsistent scanner detection (Lines 195-218, 171-192)
- detect_scanners() bypassed cache, called detection functions directly
- cache_scanner_detection() cached results but main() called in wrong order
- Fix: Reordered main() to cache first, detect_scanners() now uses cache when available
- Reduced redundant system calls on startup
HIGH PRIORITY IMPROVEMENTS:
- Added safety checks for all grep operations in pipes
- Improved domain matching with escape handling
- Better resource cleanup on interrupts
- More efficient cache usage pattern
TESTING:
✓ Syntax validation passed
✓ All grep pipefail patterns fixed
✓ Domain matching improved with word boundaries
✓ Cache integration optimized
Code quality improvement: Better error handling, reduced system calls, improved security.
Developer
fc24beac94