fix(delegation): add edge-case tests and SSRF caveat docstring

Red-team QA pass found no bugs but two test gaps:

- Whitespace-only api_key now tested (falls through to placeholder)
- IPv6 loopback [::1] now tested (already worked, just untested)
- 172.32.x boundary now tested (correctly NOT treated as private)
- Docstring note about private-network SSRF caveat: placeholder key
  gets 401'd by real auth servers, fail-fast by design
AJ 2026-04-22 23:09:51 -04:00
parent 0e4bc9474d
commit 501ac3ff0a
2 changed files with 31 additions and 0 deletions


@ -107,6 +107,18 @@ class TestLocalProviderCredentials(unittest.TestCase):
creds = _resolve_delegation_credentials(cfg, parent)
self.assertEqual(creds["api_key"], "my-secret-key")
def test_localhost_base_url_whitespace_api_key_gets_placeholder(self):
"""Whitespace-only api_key should be treated as absent and get placeholder."""
parent = _make_mock_parent()
cfg = {
"model": "devstral-small-2:24b-cloud",
"provider": "custom",
"base_url": "http://localhost:11434/v1",
"api_key": " ",
}
creds = _resolve_delegation_credentials(cfg, parent)
self.assertEqual(creds["api_key"], "ollama")
# --- base_url path (remote) should still require API key ---
def test_remote_base_url_still_requires_api_key(self):
@ -224,6 +236,16 @@ class TestIsLocalBaseUrlHelper(unittest.TestCase):
from tools.delegate_tool import _is_local_base_url
self.assertFalse(_is_local_base_url(None))
def test_ipv6_loopback(self):
"""IPv6 loopback [::1] should be recognized as local."""
from tools.delegate_tool import _is_local_base_url
self.assertTrue(_is_local_base_url("http://[::1]:11434/v1"))
def test_172_outside_private_range(self):
"""172.32.x.x is NOT in 172.16/12 and should not be treated as local."""
from tools.delegate_tool import _is_local_base_url
self.assertFalse(_is_local_base_url("http://172.32.0.1:11434/v1"))
if __name__ == "__main__":
unittest.main()
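Review bot: The new `_is_local_base_url` cases pin only one edge of the 172.16/12 range (172.32.0.1, just above it) and only IP-literal hosts, so a helper that matched on a string prefix or got the lower bound wrong would still pass. The first hunk shows that a local classification substitutes the placeholder key `ollama` for a missing one, so the classifier is worth pinning on both sides. Add `self.assertTrue(_is_local_base_url("http://172.31.255.255:11434/v1"))`, `self.assertFalse(_is_local_base_url("http://172.15.255.255:11434/v1"))` and `self.assertFalse(_is_local_base_url("http://localhost.example.com:11434/v1"))`, unless the part of TestIsLocalBaseUrlHelper that starts above this hunk already covers them. The helper's implementation is not visible here, so these are checks to confirm rather than known failures.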