From cbb32d375bd26f4bc0b25bb9b90c5ffa795cbdf5 Mon Sep 17 00:00:00 2001
From: Dirk <dirk@testssl.sh>
Date: Mon, 30 Oct 2023 21:39:30 +0100
Subject: [PATCH 1/3] Fix output: PROXY string vs $PROXY variable

See also #2428.
---
 testssl.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/testssl.sh b/testssl.sh
index ed7fc7b93..71819edf5 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -22182,7 +22182,7 @@ datebanner() {
      local scan_time_f=""
      local node_banner=""
 
-     if [[ -n "PROXY" ]] && $DNS_VIA_PROXY;then
+     if [[ -n "$PROXY" ]] && "$DNS_VIA_PROXY"; then
             node_banner="$NODE:$PORT"
      else
             node_banner="$NODEIP:$PORT ($NODE)"

From 502c08ce5486f8a35d5ceb4b7055f0aad50e9d71 Mon Sep 17 00:00:00 2001
From: meisam <meisam@noreply.codeberg.org>
Date: Wed, 18 Oct 2023 17:40:03 +0200
Subject: [PATCH 2/3] add shellcheck to ci

---
 .github/workflows/shellcheck.yml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 .github/workflows/shellcheck.yml

diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
new file mode 100644
index 000000000..17c015312
--- /dev/null
+++ b/.github/workflows/shellcheck.yml
@@ -0,0 +1,20 @@
+---
+name: Shellcheck
+on: [push, pull_request]
+permissions:
+  contents: read
+
+jobs:
+  shellcheck:
+    name: Shellcheck
+    runs-on: ubuntu-latest
+    env:
+      LANG: C.UTF-8
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install shellcheck
+        run: sudo apt update && sudo apt install -y shellcheck && shellcheck --version
+
+      - name: Check shell scripts
+        run: shellcheck -x -P "SCRIPTDIR"/utils --severity=error testssl.sh
\ No newline at end of file

From 4886b85e10d28f9d6d010530d54dc91217ff05a1 Mon Sep 17 00:00:00 2001
From: meisam <meisam@noreply.codeberg.org>
Date: Tue, 31 Oct 2023 10:59:12 +0100
Subject: [PATCH 3/3] fix SC2068, SC2145, SC2199

---
 testssl.sh | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index 71819edf5..770ca374b 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -17325,19 +17325,19 @@ run_breach() {
 
                # Final verdict (if not happened preemptively before). We reuse $detected_compression here
                detected_compression=""
-               if [[ ${has_compression[@]} =~ warn ]]; then
+               if [[ ${has_compression[*]} =~ warn ]]; then
                     # warn_empty / warn_stalled
-                    if [[ ${has_compression[@]} =~ warn_empty ]]; then
-                         pr_warning "At least 1/4 checks failed (HTTP header request was empty, debug: ${has_compression[@]}"
-                         out ", debug: ${has_compression[@]})"
-                         fileout "$jsonID" "WARN" "Test failed as HTTP response was empty, debug: ${has_compression[@]}" "$cve" "$cwe"
+                    if [[ ${has_compression[*]} =~ warn_empty ]]; then
+                         pr_warning "At least 1/4 checks failed (HTTP header request was empty, debug: ${has_compression[*]}"
+                         out ", debug: ${has_compression[*]})"
+                         fileout "$jsonID" "WARN" "Test failed as HTTP response was empty, debug: ${has_compression[*]}" "$cve" "$cwe"
                     else # warn_stalled
                          pr_warning "At least 1/4 checks failed (HTTP header request stalled and was terminated"
-                         out ", debug: ${has_compression[@]})"
+                         out ", debug: ${has_compression[*]})"
                          fileout "$jsonID" "WARN" "Test failed as HTTP request stalled and was terminated" "$cve" "$cwe"
                     fi
                else
-                    for c in ${has_compression[@]}; do
+                    for c in "${has_compression[@]}"; do
                          if [[ $c =~ yes ]]; then
                               detected_compression+="${c%:*} "
                          fi
@@ -17348,7 +17348,7 @@ run_breach() {
                     outln "${spaces}${when_makesense}"
                     fileout "$jsonID" "MEDIUM" "potentially VULNERABLE, $detected_compression HTTP compression detected $disclaimer" "$cve" "$cwe" "$hint"
                fi
-               debugme outln "${spaces}has_compression: ${has_compression[@]}"
+               debugme outln "${spaces}has_compression: ${has_compression[*]}"
                ;;
      esac
 
@@ -18743,7 +18743,7 @@ run_winshock() {
           # Check whether there are any TLS extension which should not be available under <= Windows 2012 R2
           for tls_ext in $TLS_EXTENSIONS; do
                # We use the whole array, got to be careful when the array becomes bigger (unintended match)
-               if [[ ${forbidden_tls_ext[@]} =~ $tls_ext ]]; then
+               if [[ ${forbidden_tls_ext[*]} =~ $tls_ext ]]; then
                     pr_svrty_best "not vulnerable (OK)"; outln " - TLS extension $tls_ext detected"
                     fileout "$jsonID" "OK" "not vulnerable  - TLS extension $tls_ext detected" "$cve" "$cwe"
                     return 0
@@ -23134,7 +23134,7 @@ debug_globals() {
 set_skip_tests() {
      local t
 
-     for t in ${SKIP_TESTS[@]} ; do
+     for t in "${SKIP_TESTS[@]}" ; do
           t="do_${t}"
           # declare won't do it here --> local scope
           eval "$t"=false
@@ -23318,7 +23318,7 @@ parse_cmd_line() {
                     # then we need to make sure we catch --ids-friendly. Normally we do not,
                     # see #1717.  The following statement makes sure. In the do-while + case-esac
                     # loop it will be execute again, but it does not hurt
-                    if [[ "${CMDLINE_ARRAY[@]}" =~ --ids-friendly ]]; then
+                    if [[ "${CMDLINE_ARRAY[*]}" =~ --ids-friendly ]]; then
                          OFFENSIVE=false
                     fi
                     do_vulnerabilities=true