snort3: improve script reliability
authorEric Fahlgren <redacted>
Mon, 5 Feb 2024 15:07:38 +0000 (07:07 -0800)
committerRosen Penev <redacted>
Wed, 7 Feb 2024 22:01:11 +0000 (14:01 -0800)
 - Enable missing variable checking by default
 - Explicitly check variables are defined in all 'rm' commands

Signed-off-by: Eric Fahlgren <redacted>
net/snort3/Makefile
net/snort3/files/snort-mgr
net/snort3/files/snort-rules

index 6f0218d8ea9eb42e41d1de9beaba6213a44592a6..87500abfe0bb96004c35b39125657ab1481a3eee 100644 (file)
@@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=snort3
 PKG_VERSION:=3.1.78.0
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_SOURCE:=$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/snort3/snort3/archive/refs/tags/
index 625157967df88a91af944473f2fa10ec42bd5d0a..1fc54ca127d27703a2c8bb8e7dd972819a7bc5a8 100644 (file)
@@ -3,6 +3,8 @@
 # SPDX-License-Identifier: GPL-2.0
 # shellcheck disable=SC2039,SC2155  # "local" not defined in POSIX sh
 
+set -o nounset
+
 PROG="$(command -v snort)"
 MAIN="/usr/share/snort/main.uc"
 CONF_DIR=$(uci -q get snort.snort.temp_dir || echo "/var/snort.d")
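Review bot: `set -o nounset` does not cover the empty-but-set case, so `PROG` on the line below stays empty when snort is not on PATH and the later `$PROG -T …` in check() would try to execute `-T` as the command. A guard right after the assignment makes that failure explicit: `[ -n "$PROG" ] || { echo "snort: binary not found" >&2; exit 1; }` (or `die`, if it is already defined at that point in the file — it is used in check() but its definition is not visible here). Note also that nounset is process-wide, so any function that reads an optional variable without a `${var:-}` default now aborts the whole script rather than continuing with an empty value.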
@@ -73,7 +75,7 @@ setup() {
 teardown() {
        # Merely cleans up after.
        nft_rm_table
-       [ -e "$CONF" ] && rm "$CONF"
+       [ -e "$CONF" ] && rm "${CONF:?}"
 }
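Review bot: The `[ -e "$CONF" ] && rm …` form leaves teardown() returning 1 whenever the file is already gone, because the failed test is the function's last command; `rm -f "${CONF:?}"` drops the test, keeps the exit status clean, and still refuses to run with an empty CONF. Whether `:?` can ever trigger depends on where CONF is assigned, which is outside this hunk. nft_rm_table is also defined outside the hunk.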
 
 resetup() {
@@ -110,7 +112,7 @@ check() {
        local test_conf="${CONF_DIR}/test_conf.lua"
        _SNORT_WITHOUT_RULES="$no_rules" print snort > "${test_conf}" || die "Errors during generation of snort config"
        if $PROG -T $warn -c "${test_conf}" 2> $OUT ; then
-               rm "${test_conf}"
+               rm "${test_conf:?}"
        else
                die "Errors in snort config tests.  Examine ${test_conf} for issues"
        fi
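Review bot: `2> $OUT` on the `if $PROG -T` line is unquoted, so a value with whitespace would split the redirection target; `2> "$OUT"` matches the quoting used for `${test_conf}` on the same line. The new `${test_conf:?}` cannot fire in practice because the local is built from `"${CONF_DIR}/test_conf.lua"` and always contains a slash, so the guard is harmless but the expansion that could actually be empty is `CONF_DIR`, which the `|| echo "/var/snort.d"` default near the top of the file already covers. check() continues outside this hunk.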
@@ -121,7 +123,7 @@ check() {
                print nftables > "${test_nft}" || die "Errors during generation of nftables config"
                $VERBOSE && options='-e'
                if nft $options --check -f "${test_nft}" ; then
-                       rm "${test_nft}"
+                       rm "${test_nft:?}"
                else
                        die "Errors in nftables config tests.  Examine ${test_nft} for issues"
                fi
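Review bot: With nounset now active, `nft $options --check …` aborts the script if `options` was never assigned, which is the case whenever `$VERBOSE` is false unless the variable is initialised before the `$VERBOSE && options='-e'` line; that initialisation is outside the hunk, so please confirm it exists. If it does not, `local options=''` above the `$VERBOSE` line, or `nft ${options:-} --check` (left unquoted so an empty value vanishes), keeps the non-verbose path working. check() starts and ends outside this hunk.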
@@ -173,7 +175,7 @@ report() {
        local msg src srcP dst dstP dir gid sid
        local tmp=$(mktemp -t snort.rep.XXXXXX)
        _filter_by_date "${log_dir}" | while read -r line; do
-               unset -v src dst srcP dstP
+               src='' && dst='' && srcP='' && dstP=''
                eval "$(jsonfilter -s "$line" \
                        -e 'msg=$.msg' \
                        -e 'src=$.src_addr' \
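Review bot: `local tmp=$(mktemp -t snort.rep.XXXXXX)` masks mktemp's exit status (SC2155 is disabled file-wide) and nounset does not help, since an empty `tmp` is still set; a failed mktemp is therefore only caught at the later `rm "${tmp:?}"`, after the report has already been written to a bogus path, so add `[ -n "$tmp" ] || die "mktemp failed"` directly after it. The reset line `src='' && dst='' && srcP='' && dstP=''` works but chains assignments with `&&` for no reason; `src='' dst='' srcP='' dstP=''` is the plain form. The `eval "$(jsonfilter …)"` below feeds alert-log content (message text, addresses) to eval and relies entirely on jsonfilter's quoting to keep that safe; a one-line comment stating that assumption, e.g. `# jsonfilter emits shell-quoted assignments; do not eval raw log text`, would help the next reader. report() continues outside this hunk.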
@@ -196,7 +198,7 @@ report() {
        [ "$NLINES" = 0 ] && output="cat" || output="head -n $NLINES"
 
        local lines=$($SORT "$tmp" | uniq -c | $SORT -nr | $output)
-       rm "$tmp"
+       rm "${tmp:?}"
        if [ -z "$lines" ]; then
                echo -n "There were no incidents "
                [ -z "$PATTERN" ] && echo "reported." || echo "matching pattern '$PATTERN'."
@@ -254,7 +256,7 @@ report() {
                echo 'Hosts by name:'
                local IP
                local peerdns=$(ifstatus wan | jsonfilter -e '$["dns-server"][0]')
-               echo "$lines" | awk -F'#' '{printf "%s\n%s\n", $2, $3}' | sed 's/(.*//' | sort -u \
+               echo "$lines" | awk -F'#' '{printf "%s\n%s\n", $2, $3}' | sed 's/(.*//' | $SORT -u \
                | while read -r IP; do
                        [ -z "$IP" ] && continue
                        n=$(nslookup "$IP" | awk '/name = / {n=$NF} END{print n}')
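Review bot: `n=$(nslookup …)` assigns an undeclared variable inside the loop while `IP` is declared `local` just above it; `local IP n` keeps the lookup result from leaking into the caller's scope (the loop runs in a pipeline subshell here, but the declaration still documents intent and survives a later refactor). Replacing `sort -u` with `$SORT -u` is consistent with the rest of report(), which already routes sorting through `$SORT`. The loop body continues past the end of the hunk.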
@@ -362,7 +364,7 @@ USAGE
        exit 1
 }
 
-while [ -n "$1" ]; do
+while [ "${1:-}" ]; do
        case "$1" in
                -h|--help)
                        usage
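Review bot: `while [ "${1:-}" ]` silences nounset but still stops option parsing at the first empty-string argument, exactly as the old `-n "$1"` did; `while [ $# -gt 0 ]; do` terminates on the argument count rather than its content and needs no default expansion. The case body continues outside the hunk.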
index 9547e9b4f17e01bced9b4e2b7955f4cd41fa7c5b..cc83833274735799ba736062bee54179ccd574dc 100644 (file)
@@ -3,6 +3,8 @@
 # SPDX-License-Identifier: GPL-2.0
 # shellcheck disable=SC2039,SC2155  # "local" not defined in POSIX sh
 
+set -o nounset
+
 alias log='logger -s -t "snort-rules[$$]" -p "info"'
 
 download_rules() {
@@ -30,7 +32,7 @@ download_rules() {
                log "Generating testing rules..."
                archive_loc="testing-rules"
                new_rules="$data_dir/$archive_loc"
-               rm -fr "$new_rules"
+               rm -fr "${new_rules:?}"
                mkdir -p "$new_rules"
                rules_file="$new_rules/testing.rules"
                {
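Review bot: `${new_rules:?}` can never fire, because `new_rules="$data_dir/$archive_loc"` always contains a slash; the case the guard is meant for — an empty or unset `data_dir` turning the command into `rm -fr "/testing-rules"` — is not caught. Apply the check where the path is built instead: `new_rules="${data_dir:?}/$archive_loc"`. download_rules() continues outside this hunk, and where `data_dir` is assigned is not visible here.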
@@ -76,7 +78,7 @@ download_rules() {
 
                old_rules="$data_dir/old.rules"
                if $backup; then
-                       rm -fr "$old_rules"
+                       rm -fr "${old_rules:?}"
                        mkdir -p "$old_rules"
 
                        for rules_file in "$rules_dir"/*; do
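Review bot: Same pattern as the testing-rules branch: `${old_rules:?}` is always non-empty since it is built as `"$data_dir/old.rules"`, so the expansion that can actually be empty is `data_dir`; writing `old_rules="${data_dir:?}/old.rules"` catches it before the `rm -fr`. The backup loop continues outside this hunk.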
@@ -103,7 +105,7 @@ download_rules() {
 
 
        mkdir -p "$conf_dir"
-       rm -fr "$rules_dir"
+       rm -fr "${rules_dir:?}"
        if $persist; then
                mv -f "$new_rules" "$rules_dir"
        else
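Review bot: The existing rule set is deleted with `rm -fr "${rules_dir:?}"` before the new one is moved into place, so a failure of the following `mv -f` (cross-filesystem move, permissions) leaves snort with no rules at all. A rename-then-delete sequence keeps the old set until the new one is in place: `[ ! -e "$rules_dir" ] || mv -f "$rules_dir" "${rules_dir:?}.old"`, then `mv -f "$new_rules" "$rules_dir" && rm -fr "${rules_dir:?}.old"`. The non-persist branch is cut off at the end of the hunk, so whether it needs the same treatment depends on whether it copies or moves; `rules_dir` is assigned outside the hunk.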
@@ -145,7 +147,7 @@ USAGE
        exit 1
 }
 
-while [ -n "$1" ]; do
+while [ "${1:-}" ]; do
        case "$1" in
                -h|--help)
                        usage
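Review bot: As in snort-mgr, `while [ "${1:-}" ]` keeps the old behaviour of ending option parsing at the first empty-string argument; `while [ $# -gt 0 ]; do` tests the argument count instead and needs no default expansion under nounset. The case body continues outside the hunk.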