hermes-agent/tools/code_execution_tool.py at 49097ba09e2af20e13c7355957da64430c0b1b16

Timmy_Foundation/hermes-agent

Fork 0

Files

Allegro 08abea4905

Supply Chain Audit / Scan PR for supply chain risks (pull_request) Successful in 32s

Details

Tests / test (pull_request) Failing after 30s

Details

Docker Build and Publish / build-and-push (pull_request) Failing after 55s

Details

security: fix secret leakage via whitelist-only env vars (CVSS 9.3)

Replace blacklist approach with explicit whitelist for child process
environment variables to prevent secret exfiltration via creative naming.

Changes:
- tools/code_execution_tool.py: Implement _ALLOWED_ENV_VARS frozenset
- Only pass explicitly listed env vars to sandboxed child processes
- Drop all other variables silently to prevent credential theft

Fixes CWE-526: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 9.3 (Critical)
Refs: V-003 in SECURITY_AUDIT_REPORT.md

2026-03-30 23:42:43 +00:00

32 KiB

Raw Blame History

View Raw

32 KiB Raw Blame History

32 KiB

Raw Blame History