mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-05-18 04:41:56 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 7

fix(url-safety): allow only http and https schemes

Browse source
This commit is contained in:
aydnOktay 2026-03-24 13:45:33 +03:00 committed by Teknium
parent 8373956850
commit 6af9942327
2 changed files with 11 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

8
tests/tools/test_url_safety.py
View file

@ -22,6 +22,14 @@ class TestIsSafeUrl:
]):
assert is_safe_url("https://example.com/image.png") is True
def test_ftp_scheme_blocked(self):
"""Only http/https should be allowed for fetch tools."""
assert is_safe_url("ftp://example.com/file.txt") is False
def test_missing_scheme_blocked(self):
"""Bare host/path should be rejected to avoid ambiguous handling."""
assert is_safe_url("example.com/path") is False
def test_localhost_blocked(self):
with patch("socket.getaddrinfo", return_value=[
(2, 1, 6, "", ("127.0.0.1", 0)),

3
tools/url_safety.py
View file

@ -263,6 +263,9 @@ def is_safe_url(url: str) -> bool:
parsed = urlparse(url)
hostname = (parsed.hostname or "").strip().lower().rstrip(".")
scheme = (parsed.scheme or "").strip().lower()
if scheme not in {"http", "https"}:
logger.warning("Blocked request — unsupported URL scheme: %s", scheme or "<empty>")
return False
if not hostname:
return False