Fix 8 code-review findings: security + reliability

1. agent.py: shell allow-check reads cfg, not server payload (RCE fix)
2. webhook.php: move WEBHOOK_SECRET to gitignored config.php; rotate secret
3. agent.py: replace recursive main() with while loop (RecursionError fix)
4. jarvis-deploy.sh: push force-revert to GitHub on syntax fail (loop fix)
5. agent.py: self_update() verifies SHA-256 before exec (integrity fix)
6. agent.php: remove JARVIS_IP from browser-action bypass (auth fix)
7. jarvis-watchdog.sh: escape SQL vars in alert() to prevent injection
8. jarvis-deploy.sh: atomic mv instead of cat+truncate (TOCTOU fix)

Also: distribute jarvis-agent.py.sha256 alongside agent for integrity checks
This commit is contained in:
2026-05-25 14:27:27 +00:00
parent 45fef11785
commit ecbc2e09a5
7 changed files with 99 additions and 27 deletions
+1
View File
@@ -0,0 +1 @@
6c93ea50f3a91472444a10838b89d4222b8378cd153efee4ed9f75d7d5fb25b2