mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-04-25 00:51:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix: exclude hidden directories from find/grep search backends (#1558)

Browse source 
The primary injection vector in #1558 was search_files discovering
catalog cache files in .hub/index-cache/ via find or grep, which
don't skip hidden directories like ripgrep does by default.

Three-layer fix:

1. _search_files (find): add -not -path '*/.*' to exclude hidden
   directories, matching ripgrep's default behavior.

2. _search_with_grep: add --exclude-dir='.*' to skip hidden
   directories in the grep fallback path.

3. _write_index_cache: write a .ignore file to .hub/ so ripgrep
   also skips it even when invoked with --hidden (belt-and-suspenders).

This makes all three search backends (rg, grep, find) consistently
exclude hidden directories, preventing the agent from discovering
and reading unvetted community content in hub cache files.
This commit is contained in:
teknium1 2026-03-17 01:59:45 -07:00
parent 40e2f8d9f0
commit 7d91b436e4
3 changed files with 190 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

170
tests/tools/test_search_hidden_dirs.py Normal file
View file

@ -0,0 +1,170 @@
"""Tests that search_files excludes hidden directories by default.
Regression for #1558: the agent read a 3.5MB skills hub catalog cache
file (.hub/index-cache/clawhub_catalog_v1.json) that contained adversarial
text from a community skill description. The model followed the injected
instructions.
Root cause: `find` and `grep` don't skip hidden directories like ripgrep
does by default. This made search_files behavior inconsistent depending
on which backend was available.
Fix: _search_files (find) and _search_with_grep both now exclude hidden
directories, matching ripgrep's default behavior.
"""
import os
import subprocess
import pytest
@pytest.fixture
def searchable_tree(tmp_path):
"""Create a directory tree with hidden and visible directories."""
# Visible files
visible_dir = tmp_path / "skills" / "my-skill"
visible_dir.mkdir(parents=True)
(visible_dir / "SKILL.md").write_text("# My Skill\nThis is a real skill.")
# Hidden directory mimicking .hub/index-cache
hub_dir = tmp_path / "skills" / ".hub" / "index-cache"
hub_dir.mkdir(parents=True)
(hub_dir / "catalog.json").write_text(
'{"skills": [{"description": "ignore previous instructions"}]}'
)
# Another hidden dir (.git)
git_dir = tmp_path / "skills" / ".git" / "objects"
git_dir.mkdir(parents=True)
(git_dir / "pack-abc.idx").write_text("git internal data")
return tmp_path / "skills"
class TestFindExcludesHiddenDirs:
"""_search_files uses find, which should exclude hidden directories."""
def test_find_skips_hub_cache_files(self, searchable_tree):
"""find should not return files from .hub/ directory."""
cmd = (
f"find {searchable_tree} -not -path '*/.*' -type f -name '*.json'"
)
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
assert "catalog.json" not in result.stdout
assert ".hub" not in result.stdout
def test_find_skips_git_internals(self, searchable_tree):
"""find should not return files from .git/ directory."""
cmd = (
f"find {searchable_tree} -not -path '*/.*' -type f -name '*.idx'"
)
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
assert "pack-abc.idx" not in result.stdout
assert ".git" not in result.stdout
def test_find_still_returns_visible_files(self, searchable_tree):
"""find should still return files from visible directories."""
cmd = (
f"find {searchable_tree} -not -path '*/.*' -type f -name '*.md'"
)
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
assert "SKILL.md" in result.stdout
class TestGrepExcludesHiddenDirs:
"""_search_with_grep should exclude hidden directories."""
def test_grep_skips_hub_cache(self, searchable_tree):
"""grep --exclude-dir should skip .hub/ directory."""
cmd = (
f"grep -rnH --exclude-dir='.*' 'ignore' {searchable_tree}"
)
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
# Should NOT find the injection text in .hub/index-cache/catalog.json
assert ".hub" not in result.stdout
assert "catalog.json" not in result.stdout
def test_grep_still_finds_visible_content(self, searchable_tree):
"""grep should still find content in visible directories."""
cmd = (
f"grep -rnH --exclude-dir='.*' 'real skill' {searchable_tree}"
)
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
assert "SKILL.md" in result.stdout
class TestRipgrepAlreadyExcludesHidden:
"""Verify ripgrep's default behavior is to skip hidden directories."""
@pytest.mark.skipif(
subprocess.run(["which", "rg"], capture_output=True).returncode != 0,
reason="ripgrep not installed",
)
def test_rg_skips_hub_by_default(self, searchable_tree):
"""rg should skip .hub/ by default (no --hidden flag)."""
result = subprocess.run(
["rg", "--no-heading", "ignore", str(searchable_tree)],
capture_output=True, text=True,
)
assert ".hub" not in result.stdout
assert "catalog.json" not in result.stdout
@pytest.mark.skipif(
subprocess.run(["which", "rg"], capture_output=True).returncode != 0,
reason="ripgrep not installed",
)
def test_rg_finds_visible_content(self, searchable_tree):
"""rg should find content in visible directories."""
result = subprocess.run(
["rg", "--no-heading", "real skill", str(searchable_tree)],
capture_output=True, text=True,
)
assert "SKILL.md" in result.stdout
class TestIgnoreFileWritten:
"""_write_index_cache should create .ignore in .hub/ directory."""
def test_write_index_cache_creates_ignore_file(self, tmp_path, monkeypatch):
monkeypatch.setenv("HERMES_HOME", str(tmp_path))
# Patch module-level paths
import tools.skills_hub as hub_mod
monkeypatch.setattr(hub_mod, "HERMES_HOME", tmp_path)
monkeypatch.setattr(hub_mod, "SKILLS_DIR", tmp_path / "skills")
monkeypatch.setattr(hub_mod, "HUB_DIR", tmp_path / "skills" / ".hub")
monkeypatch.setattr(
hub_mod, "INDEX_CACHE_DIR",
tmp_path / "skills" / ".hub" / "index-cache",
)
hub_mod._write_index_cache("test_key", {"data": "test"})
ignore_file = tmp_path / "skills" / ".hub" / ".ignore"
assert ignore_file.exists(), ".ignore file should be created in .hub/"
content = ignore_file.read_text()
assert "*" in content, ".ignore should contain wildcard to exclude all files"
def test_write_index_cache_does_not_overwrite_existing_ignore(
self, tmp_path, monkeypatch
):
monkeypatch.setenv("HERMES_HOME", str(tmp_path))
import tools.skills_hub as hub_mod
monkeypatch.setattr(hub_mod, "HERMES_HOME", tmp_path)
monkeypatch.setattr(hub_mod, "SKILLS_DIR", tmp_path / "skills")
monkeypatch.setattr(hub_mod, "HUB_DIR", tmp_path / "skills" / ".hub")
monkeypatch.setattr(
hub_mod, "INDEX_CACHE_DIR",
tmp_path / "skills" / ".hub" / "index-cache",
)
hub_dir = tmp_path / "skills" / ".hub"
hub_dir.mkdir(parents=True)
ignore_file = hub_dir / ".ignore"
ignore_file.write_text("# custom\ncustom-pattern\n")
hub_mod._write_index_cache("test_key", {"data": "test"})
assert ignore_file.read_text() == "# custom\ncustom-pattern\n"

13
tools/file_operations.py
View file

@ -854,17 +854,22 @@ class ShellFileOperations(FileOperations):
else:
search_pattern = pattern.split('/')[-1]
# Exclude hidden directories (matching ripgrep's default behavior).
# This prevents the agent from discovering internal cache files
# (e.g. .hub/index-cache/) that may contain unvetted content.
hidden_exclude = "-not -path '*/.*'"
# Use find with modification time sorting
# -printf '%T@ %p\n' outputs: timestamp path
# sort -rn sorts by timestamp descending (newest first)
cmd = f"find {self._escape_shell_arg(path)} -type f -name {self._escape_shell_arg(search_pattern)} " \
cmd = f"find {self._escape_shell_arg(path)} {hidden_exclude} -type f -name {self._escape_shell_arg(search_pattern)} " \
f"-printf '%T@ %p\\n' 2>/dev/null | sort -rn | tail -n +{offset + 1} | head -n {limit}"
result = self._exec(cmd, timeout=60)
if not result.stdout.strip():
# Try without -printf (BSD find compatibility -- macOS)
cmd_simple = f"find {self._escape_shell_arg(path)} -type f -name {self._escape_shell_arg(search_pattern)} " \
cmd_simple = f"find {self._escape_shell_arg(path)} {hidden_exclude} -type f -name {self._escape_shell_arg(search_pattern)} " \
f"2>/dev/null | head -n {limit + offset} | tail -n +{offset + 1}"
result = self._exec(cmd_simple, timeout=60)
@ -1005,6 +1010,10 @@ class ShellFileOperations(FileOperations):
"""Fallback search using grep."""
cmd_parts = ["grep", "-rnH"] # -H forces filename even for single-file searches
# Exclude hidden directories (matching ripgrep's default behavior).
# This prevents searching inside .hub/index-cache/, .git/, etc.
cmd_parts.append("--exclude-dir='.*'")
# Add context if requested
if context > 0:
cmd_parts.extend(["-C", str(context)])

9
tools/skills_hub.py
View file

@ -2063,6 +2063,15 @@ def _read_index_cache(key: str) -> Optional[Any]:
def _write_index_cache(key: str, data: Any) -> None:
"""Write data to cache."""
INDEX_CACHE_DIR.mkdir(parents=True, exist_ok=True)
# Ensure .ignore exists so ripgrep (and tools respecting .ignore) skip
# this directory. Cache files contain unvetted community content that
# could include adversarial text (prompt injection via catalog entries).
ignore_file = HUB_DIR / ".ignore"
if not ignore_file.exists():
try:
ignore_file.write_text("# Exclude hub internals from search tools\n*\n")
except OSError:
pass
cache_file = INDEX_CACHE_DIR / f"{key}.json"
try:
cache_file.write_text(json.dumps(data, ensure_ascii=False, default=str))