mosaicstack/bootstrap
Archived
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

fix: address code and security review findings from Phase 2A

Browse Source 
- Remove committed __pycache__ artifacts; add to .gitignore
- Wrap config JSON parse in try/except to prevent CLI crash on malformed config
- Add SSRF mitigation to webhook_adapter: reject non-http(s) schemes,
  refuse auth_token over cleartext to non-localhost, block private IPs
- Add _sanitize() to discord_formatter: strip ANSI/control chars,
  neutralize @everyone/@here Discord mentions
This commit is contained in:
Jarvis
2026-03-27 21:12:04 -05:00
parent 63c30b564d
commit b42762d7f4
8 changed files with 63 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
bin/mosaic-macp
View File

@@ -229,7 +229,11 @@ from webhook_adapter import create_webhook_callback
config = {}
if config_path.exists():
config = json.loads(config_path.read_text(encoding="utf-8"))
try:
config = json.loads(config_path.read_text(encoding="utf-8"))
except (json.JSONDecodeError, OSError) as e:
print(f"[macp] Warning: could not parse config {config_path}: {e}", file=sys.stderr)
config = {}
macp = dict(config.get("macp") or {})
watcher = EventWatcher(