fix(gateway): denylist config.yaml for media delivery (belt-and-suspenders)

Defense-in-depth on top of the EphemeralReply gate: even if a config.yaml path reaches response text via some other path, it can never be delivered as a native attachment. Matches existing protection for .env, auth.json, and credentials/. Co-authored-by: JezzaHehn <jezzahehn@gmail.com>
2026-06-09 08:21:50 +00:00 · 2026-05-30 14:40:59 -07:00 · 2026-05-30 14:40:59 -07:00 · 4ec0adebe8
commit 4ec0adebe8
parent bdfba45247
1 changed files with 4 additions and 2 deletions
--- a/gateway/platforms/base.py
+++ b/gateway/platforms/base.py
@ -954,11 +954,13 @@ def _media_delivery_denied_paths() -> List[Path]:
    home = Path(os.path.expanduser("~"))
    for sub in _MEDIA_DELIVERY_DENIED_HOME_SUBPATHS:
        denied.append(home / sub)
-    # The Hermes home itself contains credentials (auth.json, .env) — only the
-    # cache subdirectories under it are explicitly allowlisted above.
+    # The Hermes home itself contains credentials (auth.json, .env) and
+    # configuration (config.yaml) — only the cache subdirectories under it
+    # are explicitly allowlisted above.
    denied.append(_HERMES_HOME / ".env")
    denied.append(_HERMES_HOME / "auth.json")
    denied.append(_HERMES_HOME / "credentials")
+    denied.append(_HERMES_HOME / "config.yaml")
    return denied