mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-06-30 11:52:04 +00:00
fix(agent): limit .hermes.md parent walk to git repos only
_find_hermes_md walks parent directories looking for .hermes.md/HERMES.md, stopping at the git root. But when there is no git repo (_find_git_root returns None), the stop guard never fires and the loop walks all the way to /. On shared systems (CI runners, multi-tenant servers), a .hermes.md planted at /tmp, /home, or / would be loaded into the system prompt of any agent session not inside a git repo — a cross-user prompt-injection vector. Fix: when there is no git root, only check cwd; do not walk parents. Co-authored-by: Teknium <127238744+teknium1@users.noreply.github.com>
This commit is contained in:
parent
4488fe134b
commit
306b6615cf
1 changed files with 5 additions and 2 deletions
|
|
@ -88,12 +88,15 @@ def _find_hermes_md(cwd: Path) -> Optional[Path]:
|
|||
stop_at = _find_git_root(cwd)
|
||||
current = cwd.resolve()
|
||||
|
||||
for directory in [current, *current.parents]:
|
||||
# When there is no git root, only check cwd itself – walking parents
|
||||
# could pick up a .hermes.md planted in /tmp, /home, etc.
|
||||
search_dirs = [current, *current.parents] if stop_at else [current]
|
||||
|
||||
for directory in search_dirs:
|
||||
for name in _HERMES_MD_NAMES:
|
||||
candidate = directory / name
|
||||
if candidate.is_file():
|
||||
return candidate
|
||||
# Stop walking at the git root (or filesystem root).
|
||||
if stop_at and directory == stop_at:
|
||||
break
|
||||
return None
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue