yanis/html
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
Files
7cd1a35cd522a15fb7232ea77b69fcfdffeb18b2
html/api/droid.php
WEVIA b9b1c1c75c reinit-after-reset
2026-04-12 22:57:03 +02:00

91 lines
3.7 KiB
PHP
Raw Blame History

<?php
// === WEVAL SECRETS LOADER ===
$_WEVAL_SECRETS = [];
if (file_exists('/etc/weval/secrets.env')) {
foreach (file('/etc/weval/secrets.env', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
if (strpos($line, '#') === 0) continue;
if (strpos($line, '=') !== false) {
list($k, $v) = explode('=', $line, 2);
$_WEVAL_SECRETS[trim($k)] = trim($v);
}
}
}
function weval_secret($key, $default='') {
global $_WEVAL_SECRETS;
return $_WEVAL_SECRETS[$key] ?? getenv($key) ?: $default;
}
// === INPUT SANITIZATION ===
function weval_input($key, $type='string', $method='GET') {
$src = $method === 'POST' ? INPUT_POST : INPUT_GET;
$val = filter_input($src, $key, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
if ($val === null || $val === false) {
$val = ($method === 'POST') ? ($_POST[$key] ?? '') : ($_GET[$key] ?? '');
$val = htmlspecialchars(strip_tags(trim($val)), ENT_QUOTES, 'UTF-8');
}
if ($type === 'int') return intval($val);
if ($type === 'email') return filter_var($val, FILTER_SANITIZE_EMAIL);
return $val;
}
// === WEDROID CAPABILITIES (CrowdSec threat intel + enhanced audit) ===
function crowdsec_check_ip($ip) {
$out = @shell_exec("sudo cscli decisions list -i $ip -o json 2>/dev/null");
$decisions = json_decode($out, true) ?: [];
return count($decisions) > 0;
}
function droid_enhanced_audit($ip, $cmd, $result_len) {
$entry = json_encode(['ts'=>date('c'), 'ip'=>$ip, 'cmd_hash'=>md5($cmd), 'cmd_len'=>strlen($cmd), 'result_len'=>$result_len, 'user'=>get_current_user()]);
@file_put_contents('/var/log/droid-audit.log', $entry . "
", FILE_APPEND);
}
function droid_health_snapshot() {
$ch = curl_init("http://127.0.0.1/api/wevia-capabilities.php?cap=health");
curl_setopt_array($ch, [CURLOPT_RETURNTRANSFER=>true, CURLOPT_TIMEOUT=>5, CURLOPT_HTTPHEADER=>['Host: weval-consulting.com']]);
$r = json_decode(curl_exec($ch), true); curl_close($ch);
return $r;
}
header("Content-Type:application/json");
// IP whitelist: only CF, private net, localhost
$ip = $_SERVER["REMOTE_ADDR"] ?? "";
$cf_ip = $_SERVER["HTTP_CF_CONNECTING_IP"] ?? $ip;
$allowed_ranges = ["10.1.0.", "127.0.0.", "172."];
$cf_ok = in_array(substr($ip, 0, 4), ["162.", "172.", "173.", "104.", "108.", "141.", "198.", "103.", "188.", "190.", "131."]);
$priv_ok = false;
foreach($allowed_ranges as $r) { if(strpos($ip, $r) === 0) $priv_ok = true; }
if(!$cf_ok && !$priv_ok && $ip !== "127.0.0.1") {
http_response_code(403); die(json_encode(["error"=>"forbidden","ip"=>$ip]));
}
$k=$_POST["k"]??$_GET["k"]??"";
if($k!=weval_secret('DROID_KEY','DROID2026')&&$k!=weval_secret('CX_KEY','WEVADS2026'))die(json_encode(["error"=>"no"]));
// Command logging
$c_raw = $_POST["c"]??"";
$d = base64_decode($c_raw); if($d) $c_raw = $d;
$log = date("c") . " | " . $cf_ip . " | " . substr($c_raw, 0, 200) . "\n";
@file_put_contents("/var/log/droid-audit.log", $log, FILE_APPEND | LOCK_EX);
$a=$_POST["action"]??"";
if(in_array($a,["chat","status","providers"])){
$ch=curl_init("http://weval:REDACTED_AUTH@10.1.0.3:5890/api/wedroid-brain-api.php");
curl_setopt_array($ch,[CURLOPT_POST=>1,CURLOPT_POSTFIELDS=>$_POST,CURLOPT_RETURNTRANSFER=>1,CURLOPT_TIMEOUT=>45]);
$r=curl_exec($ch);curl_close($ch);
echo $r?:json_encode(["ok"=>false,"error"=>"S95 unreachable"]);exit;
}
$c=$_POST["c"]??"";$d=base64_decode($c);if($d)$c=$d;
// CrowdSec threat check
if (crowdsec_check_ip($cf_ip)) {
droid_enhanced_audit($cf_ip, $c, 0);
die(json_encode(["error"=>"blocked","reason"=>"crowdsec"]));
}
$t=microtime(1);$o=shell_exec($c." 2>&1");
droid_enhanced_audit($cf_ip, $c, strlen($o ?? ''));
echo json_encode(["ok"=>true,"output"=>$o,"duration_ms"=>round((microtime(1)-$t)*1e3),"timestamp"=>date("c")]);
Reference in New Issue View Git Blame Copy Permalink