fix(tts): reject '..' traversal in output_path

text_to_speech_tool accepts an explicit output_path. Without a traversal guard, a path containing '..' components (whether prompt-injection- controlled, from a confused skill, or just a buggy caller) could escape its declared base and write the audio to a system location — e.g. `output_path='audio/../../etc/cron.d/x'` lands the file outside the intended audio cache. Reject '..' components in the user-supplied path. Explicit absolute paths are unchanged (the agent legitimately writes audio wherever the user/caller asks); only traversal-style escapes are blocked. The terminal tool can still write anywhere with approval — this just keeps the unattended TTS surface from materializing files via traversal. Regression tests cover: '..' in the middle (audio/../../etc/...), bare '..' prefix, and the negative cases (absolute paths + relative paths without '..' both pass through unchanged). Salvaged from PR #6693 by @aaronlab. The original PR confined output to DEFAULT_OUTPUT_DIR-or-cwd, which broke 9 existing tests that legitimately write to tmp_path locations. The traversal-only check covers the actual threat (path-escape via '..' from prompt injection) without restricting where users can choose to write their audio. The remaining pieces of #6693 (skill_commands rglob symlink rejection, delegate_tool batch prefix display) are dropped: - skill_commands rglob: breaks the documented design supporting ~/.hermes/skills/<name> as a symlink to a checked-out skill elsewhere (see comment at agent/skill_commands.py:73-75) - delegate_tool batch prefix: pure UX, doesn't belong in a security PR Co-authored-by: teknium1 <127238744+teknium1@users.noreply.github.com>
2026-05-29 06:31:32 +00:00 · 2026-05-25 05:15:19 -07:00 · 2026-05-25 05:15:19 -07:00 · 5f20322d23
commit 5f20322d23
parent ac5359a3f3
2 changed files with 78 additions and 0 deletions
--- a/tests/tools/test_tts_path_traversal.py
+++ b/tests/tools/test_tts_path_traversal.py
@ -0,0 +1,60 @@
+"""Regression: text_to_speech_tool output_path must reject '..' traversal.
+
+The TTS surface accepts agent/user-supplied absolute paths (writing to a
+chosen file is the whole point). What it must reject is paths that use
+``..`` components to escape their declared base — those are almost
+always either a bug or prompt-injection-controlled
+(e.g. ``output_path="audio/../../etc/cron.d/x"``).
+"""
+
+import json
+
+from tools.tts_tool import text_to_speech_tool
+
+
+def test_output_path_rejects_traversal_escape():
+    """A path with '..' components must be rejected before any provider work."""
+    result = json.loads(text_to_speech_tool(
+        text="hello",
+        output_path="audio/../../etc/cron.d/malicious",
+    ))
+    assert result["success"] is False
+    assert "traversal" in result["error"].lower()
+
+
+def test_output_path_rejects_bare_dotdot():
+    """Bare '..' prefix must be rejected."""
+    result = json.loads(text_to_speech_tool(
+        text="hello",
+        output_path="../escape.mp3",
+    ))
+    assert result["success"] is False
+    assert "traversal" in result["error"].lower()
+
+
+def test_output_path_absolute_path_passes_guard(tmp_path, monkeypatch):
+    """Explicit absolute paths must pass the traversal guard.
+
+    The agent legitimately writes audio to user-specified absolute paths;
+    only ``..`` components are rejected. Any subsequent failure (no
+    provider configured, etc.) is fine — the assertion is specifically
+    that the 'traversal' rejection didn't fire.
+    """
+    inside = tmp_path / "clip.mp3"
+    result = json.loads(text_to_speech_tool(
+        text="hello",
+        output_path=str(inside),
+    ))
+    error = result.get("error", "")
+    assert "traversal" not in error.lower()
+
+
+def test_output_path_relative_no_dotdot_passes_guard(tmp_path, monkeypatch):
+    """Relative paths without '..' components must pass the guard."""
+    monkeypatch.chdir(tmp_path)
+    result = json.loads(text_to_speech_tool(
+        text="hello",
+        output_path="subdir/clip.mp3",
+    ))
+    error = result.get("error", "")
+    assert "traversal" not in error.lower()
--- a/tools/tts_tool.py
+++ b/tools/tts_tool.py
@ -1868,6 +1868,24 @@ def text_to_speech_tool(

    # Determine output path
    if output_path:
+        # Reject '..' traversal components in the user-supplied path. An
+        # explicit absolute path is fine (the agent legitimately writes
+        # audio to user-specified locations), but a path that uses ``..``
+        # to escape its declared base is almost always either a bug or
+        # prompt-injection-controlled — e.g.
+        # ``output_path="audio/../../etc/cron.d/x"``. The terminal tool
+        # can still write anywhere with approval; this just keeps the
+        # unattended TTS surface from materializing files via traversal.
+        from tools.path_security import has_traversal_component
+        if has_traversal_component(output_path):
+            return json.dumps({
+                "success": False,
+                "error": (
+                    f"output_path contains '..' traversal component: "
+                    f"{output_path}. Use an absolute path or one relative "
+                    "to the current directory without '..'."
+                ),
+            }, ensure_ascii=False)
        file_path = Path(output_path).expanduser()
        if command_provider_config is not None:
            # Respect caller-supplied path but align the extension with the