hermes-agent

Files

Mariano A. Nicolini af9a9f773c fix(security): sanitize workdir parameter in terminal tool backends

Shell injection via unquoted workdir interpolation in docker, singularity,
and SSH backends.  When workdir contained shell metacharacters (e.g.
~/;id), arbitrary commands could execute.

Changes:
- Add shlex.quote() at each interpolation point in docker.py,
  singularity.py, and ssh.py with tilde-aware quoting (keep ~
  unquoted for shell expansion, quote only the subpath)
- Add _validate_workdir() allowlist in terminal_tool.py as
  defense-in-depth before workdir reaches any backend

Original work by Mariano A. Nicolini (PR #5620).  Salvaged with fixes
for tilde expansion (shlex.quote breaks cd ~/path) and replaced
incomplete deny-list with strict character allowlist.

Co-authored-by: Mariano A. Nicolini <entropidelic@users.noreply.github.com>

2026-04-06 13:19:22 -07:00

__init__.py

feat(environments): add Daytona cloud sandbox backend

2026-03-05 10:02:21 -08:00

base.py

feat: execute_code runs on remote terminal backends (#5088 )

2026-04-04 12:57:49 -07:00

daytona.py

feat: mount skills directory into all remote backends with live sync (#3890 )

2026-03-30 02:45:41 -07:00

docker.py

fix(security): sanitize workdir parameter in terminal tool backends