mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-05-29 06:31:32 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 14

fix(file-safety): block read_file on HERMES_HOME credential stores (#17656)

Browse source 
`get_read_block_error` previously only denied reads inside
`${HERMES_HOME}/skills/.hub`, which left `auth.json` (provider OAuth
state + plaintext API keys) and `.anthropic_oauth.json` (Anthropic PKCE
tokens) directly readable by the agent. A prompt-injection reaching
`read_file` could exfiltrate active provider credentials in plaintext.

Mode-0600 file permissions only protect against *other Unix users* —
the agent runs as the file's owner, so `read_file` is unaffected.

Extend the existing deny list with the three credential paths
identified in #17656 (`auth.json`, `auth.lock`, `.anthropic_oauth.json`).
The check uses the same `Path.resolve()` pattern as `skills/.hub`, so
symlink/path-traversal indirection is caught too. The agent doesn't
need to read these directly — `auxiliary_client` and `credential_pool`
consume them through process env / OAuth flows that bypass `read_file`.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
briandevans 2026-04-29 16:18:17 -07:00 committed by Teknium
parent 7f7245bf62
commit 056e00a77e
2 changed files with 140 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

17
agent/file_safety.py
View file

@ -153,4 +153,21 @@ def get_read_block_error(path: str) -> Optional[str]:
"and cannot be read directly to prevent prompt injection. "
"Use the skills_list or skill_view tools instead."
)
# Credential stores under HERMES_HOME hold plaintext provider keys
# and OAuth tokens. The agent never needs to read these directly —
# auxiliary_client / credential_pool consume them through process
# env / OAuth flows that bypass read_file. Block read access so a
# prompt-injection reaching read_file can't exfiltrate them.
blocked_credential_files = {
hermes_home / "auth.json",
hermes_home / "auth.lock",
hermes_home / ".anthropic_oauth.json",
}
if resolved in blocked_credential_files:
return (
f"Access denied: {path} is a Hermes credential store "
"and cannot be read directly. Provider tools consume these "
"credentials through internal channels."
)
return None