Coderabbit nitpicks.

2025-12-06 17:15:38 -08:00 · 2025-10-19 15:12:27 +00:00
parent 131c0c0f4b
commit dcf250d36f
7 changed files with 48 additions and 18 deletions
--- a/install/production-filesystem/services/config/nginx/README.md
+++ b/install/production-filesystem/services/config/nginx/README.md
@@ -1,6 +1,6 @@
 Nginx's conf is in /services/config/nginx/conf.active.  This is the default configuration when run as a read-only container without a mount. 

-With a tmpfs mount on /services/config/nginx.conf.active, the nginx template will be rewritten to allow ENV customization of listen address and port.
+With a tmpfs mount on /services/config/nginx/conf.active, the nginx template will be rewritten to allow ENV customization of listen address and port.

 The act of running /services/start-nginx.sh writes a new nginx.conf file, using envsubst, then starts nginx based on the parameters in that file.

--- a/install/production-filesystem/services/scripts/check-first-run-config.sh
+++ b/install/production-filesystem/services/scripts/check-first-run-config.sh
@@ -3,8 +3,14 @@

 # Check for app.conf and deploy if required
 if [ ! -f ${NETALERTX_CONFIG}/app.conf ]; then
-    mkdir -p ${NETALERTX_CONFIG}
-    cp /app/back/app.conf ${NETALERTX_CONFIG}/app.conf
+    mkdir -p "${NETALERTX_CONFIG}" || {
+        >&2 echo "ERROR: Failed to create config directory ${NETALERTX_CONFIG}"
+        exit 1
+    }
+    cp /app/back/app.conf "${NETALERTX_CONFIG}/app.conf" || {
+        >&2 echo "ERROR: Failed to copy default config to ${NETALERTX_CONFIG}/app.conf"
+        exit 1
+    }
    CYAN='\033[1;36m'
    RESET='\033[0m'
    >&2 printf "%s" "${CYAN}"
--- a/install/production-filesystem/services/scripts/check-ramdisk.sh
+++ b/install/production-filesystem/services/scripts/check-ramdisk.sh
@@ -33,7 +33,7 @@ EOF


 # If NETALERTX_DEBUG=1 then we will exit
-if [ "${NETALERTX_DEBUG}" -eq 1 ]; then
+if [ "${NETALERTX_DEBUG}" = "1" ]; then
 	exit 0
 fi

@@ -45,6 +45,6 @@ if [ "${failures}" -ne 0 ]; then
    exit 1
 fi

-if [ ! -f "${SYSTEM_NGINIX_CONFIG}/conf.active" ]; then
-    echo "Note: Using default listen address ${LISTEN_ADDR}:${PORT} (no ${SYSTEM_NGINIX_CONFIG}/conf.active override)."
+if [ ! -f "${SYSTEM_NGINX_CONFIG}/conf.active" ]; then
+    echo "Note: Using default listen address ${LISTEN_ADDR}:${PORT} (no ${SYSTEM_NGINX_CONFIG}/conf.active override)."
 fi
--- a/install/production-filesystem/services/scripts/cron_script.sh
+++ b/install/production-filesystem/services/scripts/cron_script.sh
@@ -5,11 +5,12 @@ export INSTALL_DIR=/app

 # Check if there are any entries with cron_restart_backend
 if grep -q "cron_restart_backend" "${LOG_EXECUTION_QUEUE}"; then
-  # Restart python application using s6
  killall python3
  sleep 2
  /services/start-backend.sh &

  # Remove all lines containing cron_restart_backend from the log file
-  sed -i '/cron_restart_backend/d' "${LOG_EXECUTION_QUEUE}"
+  # Atomic replacement with temp file
+  grep -v "cron_restart_backend" "${LOG_EXECUTION_QUEUE}" > "${LOG_EXECUTION_QUEUE}.tmp" && \
+    mv "${LOG_EXECUTION_QUEUE}.tmp" "${LOG_EXECUTION_QUEUE}"
 fi
--- a/install/production-filesystem/services/scripts/update_vendors.sh
+++ b/install/production-filesystem/services/scripts/update_vendors.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+set -euo pipefail

 # ------------------------------------------------------------------------------
 #  NetAlertX
@@ -14,13 +15,35 @@
 #    /usr/share/arp-scan
 # ----------------------------------------------------------------------

+#!/usr/bin/env bash
+set -euo pipefail
+
+TEMP_FILE="/services/run/tmp/ieee-oui.txt.tmp"
+OUTPUT_FILE="/services/run/tmp/ieee-oui.txt"
+
 # Download the file using wget to stdout and process it
-wget -q "https://standards-oui.ieee.org/oui/oui.txt" -O /dev/stdout | \
-    sed -E 's/ *\(base 16\)//' | \
-    awk -F' ' '{printf "%s\t%s\n", $1, substr($0, index($0, $2))}' | \
-    sort | \
-    awk '{$1=$1; print}' | \
-    sort -u | \
-    awk -F' ' '{printf "%s\t%s\n", $1, substr($0, index($0, $2))}' \
+if ! wget --timeout=30 --tries=3 "https://standards-oui.ieee.org/oui/oui.txt" -O /dev/stdout | \
+	sed -E 's/ *\(base 16\)//' | \
+	awk -F' ' '{printf "%s\t%s\n", $1, substr($0, index($0, $2))}' | \
+	sort | \
+	awk '{$1=$1; print}' | \
+	sort -u | \
+	awk -F' ' '{printf "%s\t%s\n", $1, substr($0, index($0, $2))}' \
+	> "${TEMP_FILE}"; then
+	echo "ERROR: Failed to download or process OUI data" >&2
+	rm -f "${TEMP_FILE}"
+	exit 1
+fi
+
+# Validate we got actual content (should have hundreds of thousands of lines)
+if [ ! -s "${TEMP_FILE}" ] || [ "$(wc -l < "${TEMP_FILE}")" -lt 1000 ]; then
+	echo "ERROR: OUI data appears invalid or incomplete" >&2
+	rm -f "${TEMP_FILE}"
+	exit 1
+fi
+
+# Atomic replacement
+mv "${TEMP_FILE}" "${OUTPUT_FILE}"
+echo "Successfully updated IEEE OUI database ($(wc -l < "${OUTPUT_FILE}") entries)"
    > /services/run/tmp/ieee-oui.txt