mirror of
https://github.com/myronblair/jarvis
synced 2026-06-30 17:50:23 -05:00
Fix 8 code-review findings: security + reliability
1. agent.py: shell allow-check reads cfg, not server payload (RCE fix)
2. webhook.php: move WEBHOOK_SECRET to gitignored config.php; rotate secret
3. agent.py: replace recursive main() with while loop (RecursionError fix)
4. jarvis-deploy.sh: push force-revert to GitHub on syntax fail (loop fix)
5. agent.py: self_update() verifies SHA-256 before exec (integrity fix)
6. agent.php: remove JARVIS_IP from browser-action bypass (auth fix)
7. jarvis-watchdog.sh: escape SQL vars in alert() to prevent injection
8. jarvis-deploy.sh: atomic mv instead of cat+truncate (TOCTOU fix)

Also: distribute jarvis-agent.py.sha256 alongside agent for integrity checks
@@ -53,7 +53,7 @@ if ($agentAction !== 'register') {
if (in_array($agentAction, $browserActions)) {
$token = $_SESSION['jarvis_token'] ?? '';
$localIP = $_SERVER['REMOTE_ADDR'] ?? '';
if (empty($token) && !in_array($localIP, ['127.0.0.1', '::1', JARVIS_IP])) {
if (empty($token) && !in_array($localIP, ['127.0.0.1', '::1'])) {
agent_error(401, 'Unauthorized');
}
$agent = null;
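Review bot: the remaining loopback bypass in the `if (empty($token) && !in_array($localIP, ['127.0.0.1', '::1']))` check still trusts `$_SERVER['REMOTE_ADDR']` as proof of locality; if this PHP endpoint is ever fronted by a reverse proxy or TLS terminator on the same host, every external browser request arrives with REMOTE_ADDR 127.0.0.1 and the token check is skipped for all of them. Dropping JARVIS_IP is the right direction, but consider either requiring `$_SESSION['jarvis_token']` unconditionally for browser actions or documenting in a comment next to this check that the service must not be deployed behind a local proxy. Minor: `empty($token)` also treats the string "0" as missing, so a strict `$token === ''` comparison would be more precise.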