@liusc45 liusc45 commented Jan 21, 2026

BREAKING CHANGE: Script now requires Bash 4.0+ and environment variables

Security Improvements

  • Removed hardcoded MySQL credentials (use MYSQL_USER, MYSQL_PASSWD, MYSQL_DB env vars)
  • Implemented secure temporary file handling with umask 077
  • Added command injection prevention with proper quoting
  • Created idempotent cleanup trap for EXIT signal
  • Added error trap with line number and command context
  • Set explicit secure PATH with absolute paths

Code Quality

  • Enforced Bash 4.0+ requirement with runtime check
  • Implemented set -Eeuo pipefail with safe IFS
  • Used readonly for constants and local for function variables
  • Fixed infinite loop condition ([ 1 = 1 ] -> while :)
  • Converted pages list to array for safety
  • Added curl timeout (5 seconds) to prevent hanging
  • Improved PID file handling with validation

New Features

  • Added -v/--verbose, -d/--debug, -h/--help flags
  • Created dedicated logging functions (log_debug, log_verbose, log_error)
  • Implemented ISO 8601 timestamps to prevent log injection
  • Added stale PID detection and cleanup
  • Enhanced process termination with graceful and force kill

Documentation

  • Updated README.md with security best practices
  • Added comprehensive troubleshooting guide
  • Created systemd service example
  • Documented environment variable configuration

Compatibility

  • Requires Bash 4.0+ (enforced at runtime)
  • Requires CentOS/RHEL with yum package manager
  • All temporary files have secure permissions (0600)
  • ShellCheck compatible with no warnings
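
An added illustration, not code from this pull request: a sketch of four hardening items listed above (required environment credentials, `umask 077` scratch files, an idempotent EXIT cleanup, and PID-file validation with stale detection). The helper names and the `monitor.XXXXXX` template are assumptions, and the code stays POSIX-compatible rather than relying on Bash 4 features.

```shell
#!/usr/bin/env bash
# Added example; function and variable names are hypothetical, not the PR's.
umask 077                      # files created from here on are owner-only
WORK_DIR=""

# Fail early when a credential variable is absent from the environment.
require_env() {
    local name
    for name in "$@"; do
        [ -n "$(printenv "$name")" ] || { echo "missing env var: $name" >&2; return 1; }
    done
}

# Private scratch directory; mktemp picks an unpredictable name (mode 0700).
# "monitor" is a placeholder prefix.
init_work_dir() {
    WORK_DIR=$(mktemp -d "${TMPDIR:-/tmp}/monitor.XXXXXX")
}

# Idempotent: safe when the EXIT trap runs it after an explicit call.
cleanup() {
    [ -n "$WORK_DIR" ] || return 0
    rm -rf -- "$WORK_DIR"
    WORK_DIR=""
}
trap cleanup EXIT

# Returns 0 if the PID file names a live process; otherwise removes a
# malformed or stale file and returns 1. Only a plain positive integer ever
# reaches kill: "0" would address our own process group, and anything else
# is untrusted text.
pid_file_active() {
    local pid_file="$1" pid=""
    [ -f "$pid_file" ] || return 1
    IFS= read -r pid < "$pid_file" || true   # first line only
    case $pid in
        ''|0*|*[!0-9]*) rm -f -- "$pid_file"; return 1 ;;
    esac
    # kill -0 delivers no signal; it only reports whether the PID exists.
    # It also fails for another user's process, and PIDs can be reused.
    kill -0 "$pid" 2>/dev/null && return 0
    rm -f -- "$pid_file"
    return 1
}
```

A caller would run `require_env MYSQL_USER MYSQL_PASSWD MYSQL_DB` and `init_work_dir` at startup, then consult `pid_file_active` before deciding whether another instance is already running.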
