Fix 10 code review findings: security, correctness, and SQLite compat
- system.php: fix null dereference on fetchOne (TypeError on null['value']) - system.php: validate update_channel to ['stable','beta'] to prevent shell injection - system.php: escapeshellarg remoteBranch in git log/show calls (was RCE vector) - system.php: fix backup path — rsync contents, not directory, so restore is symmetric - system.php: syntax check only changed files (git diff) not all 300+ panel files - system.php: copy VERSION to $webRoot/VERSION not $webRoot/../VERSION (wrong path) - system.php: fix 3× ON DUPLICATE KEY UPDATE → SQLite ON CONFLICT syntax - deploy-runner.sh: hoist DB_PATH/CHANNEL above while loop - deploy-runner.sh: sanitize NEW_VERSION and commit hashes before SQL interpolation - deploy-runner.sh: parse queued branch (4th field) from webhook queue entry - webhook.php: remove dead $branch config variable - webhook.php: include pushed branch in queue entry to eliminate TOCTOU race Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
+2
-3
@@ -11,7 +11,6 @@ $cfg = is_file($configFile) ? parse_ini_file($configFile, true) : [];
|
||||
$secret = $cfg['deploy']['webhook_secret'] ?? '';
|
||||
$repoPath = $cfg['deploy']['repo_path'] ?? '/opt/novacpx-src';
|
||||
$webRoot = $cfg['deploy']['web_root'] ?? '/srv/novacpx/public';
|
||||
$branch = $cfg['deploy']['branch'] ?? 'main';
|
||||
$logFile = '/var/log/novacpx/deploy.log';
|
||||
|
||||
header('Content-Type: application/json');
|
||||
@@ -50,9 +49,9 @@ $message = $payload['head_commit']['message'] ?? '';
|
||||
|
||||
log_deploy("Deploy triggered by $pusher | branch $pushedBranch | commit $commit | $message");
|
||||
|
||||
// Queue the deploy — include branch so runner knows what to pull
|
||||
// Queue the deploy — include branch so runner uses the exact pushed branch
|
||||
$queueFile = '/tmp/novacpx-deploy-queue.txt';
|
||||
file_put_contents($queueFile, "$repoPath|$webRoot|$commit\n", FILE_APPEND | LOCK_EX);
|
||||
file_put_contents($queueFile, "$repoPath|$webRoot|$commit|$pushedBranch\n", FILE_APPEND | LOCK_EX);
|
||||
|
||||
http_response_code(200);
|
||||
echo json_encode(['status' => 'queued', 'commit' => $commit]);
|
||||
|
||||
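Review bot: The new `file_put_contents` line writes `$pushedBranch` into the pipe-delimited queue entry without any validation, and per the commit message the runner now parses that 4th field and presumably passes it to git; a ref name containing `|`, a newline, whitespace, a leading `-` or other shell metacharacters would corrupt the entry or reach the runner's shell, so the branch needs the same allow-listing the commit applies to the version and commit hash. Where `$pushedBranch` is derived from the payload is outside this hunk, so the check is best placed just before the queue write, e.g. `if (!preg_match('~^[A-Za-z0-9][A-Za-z0-9._/-]*$~', $pushedBranch) || str_contains($pushedBranch, '..')) { http_response_code(400); exit; }`, with the runner rejecting any 4th field that fails the same pattern. Separately, the queue file sits at a fixed path in the shared `/tmp` directory; that predates this change, but a path under a service-owned directory would remove the pre-creation/symlink exposure.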