phase57 doctrine195 WEVIA WHITELIST ELARGIE + GOLD AUTO | deny-list au lieu allow-list - WEVIA peut ecrire partout sauf master-api chat-v2 cx nginx php config | GOLD backup auto si fichier existe doctrine 148 Yacine | WEVIA peut modifier pages existantes (brain-council.html agents-hub.html etc) | veritable autonomie file-system | economie tokens Opus
@@ -80,10 +80,35 @@ def default_path(lang, job):
|
||||
return f"{SCRIPTS_DIR}/wevia-gen-{job}.{ext}"
|
||||
|
||||
def safe_path(path, allowed_dirs):
|
||||
"""Security: only allow paths in whitelisted dirs"""
|
||||
"""Security v2: DENY-LIST approach - allow everything except critical files
|
||||
WEVIA doit pouvoir ecrire partout pour etre autonome (doctrine Yacine)
|
||||
"""
|
||||
real = os.path.realpath(path)
|
||||
for d in allowed_dirs:
|
||||
if real.startswith(os.path.realpath(d) + "/") or real == os.path.realpath(d):
|
||||
# Critical files WEVIA ne doit JAMAIS ecraser sans confirmation explicite
|
||||
deny = [
|
||||
"/etc/passwd", "/etc/shadow", "/etc/sudoers",
|
||||
"/var/www/html/api/wevia-master-api.php",
|
||||
"/var/www/html/api/wevia-chat-v2-direct.php",
|
||||
"/var/www/html/api/cx",
|
||||
"/etc/nginx/", "/etc/php/",
|
||||
"/opt/wevia-brain/priority-intents-nl.json",
|
||||
"/opt/weval-ops/opus-intents/wevia_generate_helper.py",
|
||||
"/opt/weval-ops/opus-intents/wevia-generate-code.sh",
|
||||
"/.env", "/root/.ssh/",
|
||||
]
|
||||
for d in deny:
|
||||
if real == d or real.startswith(d):
|
||||
return False
|
||||
# Allow everything under /var/www/html/, /opt/weval-ops/, /opt/wevia-brain/ (sauf deny)
|
||||
allow_prefixes = [
|
||||
"/var/www/html/",
|
||||
"/opt/weval-ops/opus-intents/",
|
||||
"/opt/wevia-brain/",
|
||||
"/opt/weval-ops/generated/",
|
||||
"/tmp/wevia-",
|
||||
]
|
||||
for p in allow_prefixes:
|
||||
if real.startswith(p):
|
||||
return True
|
||||
return False
|
||||
|
||||
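Review bot: The deny-list match `if real == d or real.startswith(d):` treats every entry as a bare string prefix, so `"/.env"` only denies a file literally at the filesystem root and never something like `/var/www/html/.env`, while entries without a trailing slash such as `"/var/www/html/api/cx"` also deny unrelated siblings whose name merely starts with `cx`. Normalise each entry once: directory entries compared with `real.startswith(os.path.join(d, ""))`, file entries with `real == d`, and dotfiles by basename, e.g. `os.path.basename(real) == ".env"`; run the deny entries through `os.path.realpath` the same way the caller's dirs were, otherwise a symlinked alias of a denied path passes. The `allowed_dirs` parameter appears to be unused on the new side (the `for d in allowed_dirs:` loop reads as the removed old code), so either the docstring should state that the argument is retained only for the caller's signature or the caller should stop passing it. Since the allow prefixes include all of `/var/www/html/`, any `.php` file written there is immediately web-served; the docstring should say so explicitly so the deny list is understood as the only control on that surface.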
@@ -94,6 +119,12 @@ def deploy(block, job):
|
||||
if not safe_path(path, [GEN_DIR, SCRIPTS_DIR]):
|
||||
return {"err": f"path not allowed (whitelist: {GEN_DIR}, {SCRIPTS_DIR})", "path": path}
|
||||
os.makedirs(os.path.dirname(path), exist_ok=True)
|
||||
# GOLD backup automatique si fichier existe (doctrine 148 Yacine)
|
||||
if os.path.exists(path):
|
||||
gold = f"{path}.GOLD-{time.strftime('%Y%m%d-%H%M%S')}-wevia-gen"
|
||||
try:
|
||||
subprocess.run(["cp", path, gold], check=True, capture_output=True, timeout=5)
|
||||
except: pass
|
||||
with open(path, "w") as f:
|
||||
f.write(block["code"])
|
||||
if path.endswith(".sh") or path.endswith(".py"):
|
||||
|
||||
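Review bot: The bare `except: pass` around `subprocess.run(["cp", path, gold], ...)` means a failed or timed-out copy is silently ignored and the existing file is then overwritten anyway, which defeats the GOLD backup this commit introduces; replace it with `except (subprocess.SubprocessError, OSError) as e: return {"err": f"GOLD backup failed: {e}", "path": path}` so the write does not proceed without a backup. The message `"path not allowed (whitelist: {GEN_DIR}, {SCRIPTS_DIR})"` is now stale, since safe_path is deny-list based and accepts paths far outside those two dirs; reword it to `"path not allowed (deny-list)"` so operators are not misled when debugging a refusal. `open(path, "w")` inherits the locale encoding; pass `encoding="utf-8"` because the generated code is written into web-served and executed locations. deploy's body continues past the hunk (the `.sh`/`.py` branch is outside it).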