Timmy_Foundation/hermes-agent
16
0
Fork 0
Code Issues 55 Pull Requests 3 Actions 41 Packages Projects Releases Wiki Activity
Files
security/fix-docker-privilege
hermes-agent/tools/code_execution_tool.py
Allegro 08abea4905
Some checks failed
Supply Chain Audit / Scan PR for supply chain risks (pull_request) Successful in 32s
Details
Tests / test (pull_request) Failing after 30s
Details
Docker Build and Publish / build-and-push (pull_request) Failing after 55s
Details
security: fix secret leakage via whitelist-only env vars (CVSS 9.3) 
Replace blacklist approach with explicit whitelist for child process
environment variables to prevent secret exfiltration via creative naming.

Changes:
- tools/code_execution_tool.py: Implement _ALLOWED_ENV_VARS frozenset
- Only pass explicitly listed env vars to sandboxed child processes
- Drop all other variables silently to prevent credential theft

Fixes CWE-526: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 9.3 (Critical)
Refs: V-003 in SECURITY_AUDIT_REPORT.md
2026-03-30 23:42:43 +00:00

32 KiB
Raw Permalink Blame History

View Raw
Reference in New Issue View Git Blame Copy Permalink