From 3ab7e2aa9190c32abd8f854f9f6a88ad9a2c3d0e Mon Sep 17 00:00:00 2001
From: Dennis Vorobyov
Date: Mon, 25 May 2026 11:35:23 +0100
Subject: [PATCH] harden(env_passthrough): apply GHSA-rhgp-j443-p4rf filter to config.yaml path (#27794)

register_env_passthrough() (the skill-declared path) filters out names in _HERMES_PROVIDER_ENV_BLOCKLIST and logs a warning citing GHSA-rhgp-j443-p4rf. _load_config_passthrough() (the config.yaml path) did not. Both feed the same is_env_passthrough() allowlist that local.py and code_execution_tool.py consult before stripping a variable from the child env. A skill that wanted to leak ANTHROPIC_API_KEY or OPENAI_API_KEY into execute_code could no longer self-register the name (the GHSA fix blocks it), but the same outcome was still reachable by asking the operator to add the name to terminal.env_passthrough in config.yaml, or by any in-process actor with write access to ~/.hermes/config.yaml. Apply the same _is_hermes_provider_credential filter inside _load_config_passthrough, mirroring the skill-path warning so operators see the same explanation. Non-Hermes API keys (TENOR_API_KEY, NOTION_TOKEN, etc.) are unaffected since they are not in the blocklist.
---
 tools/env_passthrough.py | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/tools/env_passthrough.py b/tools/env_passthrough.py
index f23f39b954e..5efee177d00 100644
--- a/tools/env_passthrough.py
+++ b/tools/env_passthrough.py
@@ -113,8 +113,26 @@ def _load_config_passthrough() -> frozenset[str]:
 passthrough = cfg_get(cfg, "terminal", "env_passthrough")
 if isinstance(passthrough, list):
 for item in passthrough:
- if isinstance(item, str) and item.strip():
- result.add(item.strip())
+ if not isinstance(item, str) or not item.strip():
+ continue
+ name = item.strip()
+ # Mirror the skill-path filter in register_env_passthrough:
+ # Hermes-managed provider credentials must not be passed
+ # through to execute_code / terminal children, regardless of
+ # whether the request came from a skill or from config.yaml.
+ # See GHSA-rhgp-j443-p4rf.
+ if _is_hermes_provider_credential(name):
+ logger.warning(
+ "env passthrough: refusing to register Hermes "
+ "provider credential %r from config.yaml (blocked "
+ "by _HERMES_PROVIDER_ENV_BLOCKLIST). Operator "
+ "configuration must not override the execute_code "
+ "sandbox's credential scrubbing; see "
+ "GHSA-rhgp-j443-p4rf.",
+ name,
+ )
+ continue
+ result.add(name)
 except Exception as e:
 logger.debug("Could not read tools.env_passthrough from config: %s", e)
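Review bot: The `_is_hermes_provider_credential(name)` check added inside the `for item in passthrough:` loop is a second copy of the filter in `register_env_passthrough()`, so the blocklist is still enforced per registration path rather than at the point where the allowlist is consulted; the gap closed here existed precisely because one path had the check and the other did not. Since the description says both paths feed `is_env_passthrough()`, consider also refusing blocklisted names there, e.g. `if _is_hermes_provider_credential(name): return False` at the top of that function (it is outside this hunk, so its parameter name should be confirmed), while keeping the per-path warnings for operator feedback. The patch touches only `tools/env_passthrough.py`; a regression test that places a blocklisted name in `terminal.env_passthrough` and asserts it is absent from the returned frozenset would pin the parity between the two paths. `_load_config_passthrough` starts before and continues past this hunk.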