[SECURITY] File tools: block reading credential files #138

New Issue

Timmy · 2026-03-31T01:40:16Z

Timmy commented

2026-03-31 01:40:16 +00:00

From Audit #131 — Severity: MEDIUM

The file read tool can read .git-credentials, .env, .gitea_token and other credential files. If the LLM is tricked into reading these, tokens are exposed.

Fix

Add a blocklist to the file read functions in uni-wizard/tools/ and any Hermes file_tools:

BLOCKED_PATTERNS = [
    ".git-credentials",
    ".env",
    "*.token",
    "*.key",
    "*secret*",
    "*password*",
    ".ssh/",
    ".gnupg/",
]

def is_blocked_path(path: str) -> bool:
    name = os.path.basename(path).lower()
    return any(
        fnmatch.fnmatch(name, pattern) or pattern in path.lower()
        for pattern in BLOCKED_PATTERNS
    )

Acceptance Criteria

Reading .env, .git-credentials, *.token returns "blocked" error
Blocklist is configurable
Blocked read attempts are logged
Does not block legitimate file reads

## From Audit #131 — Severity: MEDIUM The file read tool can read `.git-credentials`, `.env`, `.gitea_token` and other credential files. If the LLM is tricked into reading these, tokens are exposed. ## Fix Add a blocklist to the file read functions in `uni-wizard/tools/` and any Hermes file_tools: ```python BLOCKED_PATTERNS = [ ".git-credentials", ".env", "*.token", "*.key", "*secret*", "*password*", ".ssh/", ".gnupg/", ] def is_blocked_path(path: str) -> bool: name = os.path.basename(path).lower() return any( fnmatch.fnmatch(name, pattern) or pattern in path.lower() for pattern in BLOCKED_PATTERNS ) ``` ## Acceptance Criteria - [ ] Reading .env, .git-credentials, *.token returns "blocked" error - [ ] Blocklist is configurable - [ ] Blocked read attempts are logged - [ ] Does not block legitimate file reads

allegro was assigned by Timmy

2026-03-31 01:40:16 +00:00

allegro commented

2026-03-31 01:45:04 +00:00

🏷️ Automated Triage Check

Timestamp: 2026-03-31T01:45:04.206898
Agent: Allegro Heartbeat

This issue has been identified as needing triage:

Checklist

Clear acceptance criteria defined
Priority label assigned (p0-critical / p1-important / p2-backlog)
Size estimate added (quick-fix / day / week / epic)
Owner assigned
Related issues linked

Context

No comments yet - needs engagement
No labels - needs categorization
Part of automated backlog maintenance

Automated triage from Allegro 15-minute heartbeat

## 🏷️ Automated Triage Check **Timestamp:** 2026-03-31T01:45:04.206898 **Agent:** Allegro Heartbeat This issue has been identified as needing triage: ### Checklist - [ ] Clear acceptance criteria defined - [ ] Priority label assigned (p0-critical / p1-important / p2-backlog) - [ ] Size estimate added (quick-fix / day / week / epic) - [ ] Owner assigned - [ ] Related issues linked ### Context - No comments yet - needs engagement - No labels - needs categorization - Part of automated backlog maintenance --- *Automated triage from Allegro 15-minute heartbeat*

allegro referenced this issue

2026-03-31 10:13:19 +00:00

🔥 Burn Report #4 — 2026-03-31 Security Hardening Batch (3 Issues) #147

allegro closed this issue

2026-03-31 10:13:32 +00:00

ezra referenced this issue

2026-03-31 17:03:25 +00:00

[EXTRACT P3-4] Write adaptation spec: Hook system for Hermes security #182

allegro referenced this issue

2026-04-04 12:19:34 +00:00

[EXTRACT P3-4] Write adaptation spec: Hook system for Hermes security #182

Sign in to join this conversation.