mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-05-14 04:02:26 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 6

fix: harden install.sh against inherited Python env leakage

Browse source
This commit is contained in:
adybag14-cyber 2026-05-06 00:36:21 +01:00 committed by Teknium
parent e70e49016f
commit 043a118d41
2 changed files with 53 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

25
scripts/install.sh
View file

@ -15,6 +15,19 @@
set -e set -e
# Guard against environment leakage when the installer is launched from another
# Python-driven tool session (e.g. Hermes terminal tool). A pre-set PYTHONPATH
# can force pip/entrypoints to import a different checkout than the one being
# installed, which makes fresh installs appear broken or stale.
if [ -n "${PYTHONPATH:-}" ]; then
echo "⚠ Ignoring inherited PYTHONPATH during install to avoid module shadowing"
unset PYTHONPATH
fi
if [ -n "${PYTHONHOME:-}" ]; then
echo "⚠ Ignoring inherited PYTHONHOME during install"
unset PYTHONHOME
fi
# Colors # Colors
RED='\033[0;31m' RED='\033[0;31m'
GREEN='\033[0;32m' GREEN='\033[0;32m'
@ -1047,9 +1060,17 @@ setup_path() {
command_link_display_dir="$(get_command_link_display_dir)" command_link_display_dir="$(get_command_link_display_dir)"
# Create a user-facing shim for the hermes command. # Create a user-facing shim for the hermes command.
# We intentionally clear PYTHONPATH/PYTHONHOME here so inherited env vars
# can't make this launcher import modules from another checkout.
mkdir -p "$command_link_dir" mkdir -p "$command_link_dir"
ln -sf "$HERMES_BIN" "$command_link_dir/hermes" cat > "$command_link_dir/hermes" <<EOF
log_success "Symlinked hermes → $command_link_display_dir/hermes" #!/usr/bin/env bash
unset PYTHONPATH
unset PYTHONHOME
exec "$HERMES_BIN" "\$@"
EOF
chmod +x "$command_link_dir/hermes"
log_success "Installed hermes launcher → $command_link_display_dir/hermes"
if [ "$DISTRO" = "termux" ]; then if [ "$DISTRO" = "termux" ]; then
export PATH="$command_link_dir:$PATH" export PATH="$command_link_dir:$PATH"

30
tests/test_install_sh_pythonpath_sanitization.py Normal file
View file

@ -0,0 +1,30 @@
"""Regression tests for install.sh Python environment sanitization.
When install.sh is launched from another Python-driven tool session, inherited
PYTHONPATH/PYTHONHOME can shadow the freshly installed checkout. The installer
must sanitize those vars both during installation and at runtime launch.
"""
from pathlib import Path
REPO_ROOT = Path(__file__).resolve().parent.parent
INSTALL_SH = REPO_ROOT / "scripts" / "install.sh"
def test_install_script_unsets_pythonpath_and_pythonhome_early() -> None:
text = INSTALL_SH.read_text()
# During install, inherited Python env must be sanitized before pip/venv use.
assert 'unset PYTHONPATH' in text
assert 'unset PYTHONHOME' in text
def test_hermes_launcher_wrapper_clears_python_env_before_exec() -> None:
text = INSTALL_SH.read_text()
# Wrapper should clear env and forward args untouched to the venv entrypoint.
assert 'cat > "$command_link_dir/hermes" <<EOF' in text
assert 'unset PYTHONPATH' in text
assert 'unset PYTHONHOME' in text
assert 'exec "$HERMES_BIN" "\\$@"' in text