fix(security): quote HERMES_TIMEZONE in remote code execution to prevent shell injection

Dusk1e 2026-04-12 03:06:53 +03:00 committed by Teknium
parent bef1d3e4ff
commit 84fcbbf6a9
2 changed files with 42 additions and 1 deletions


@ -961,7 +961,7 @@ def _execute_remote(
)
tz = os.getenv("HERMES_TIMEZONE", "").strip()
if tz:
env_prefix += f" TZ={tz}"
env_prefix += f" TZ={shlex.quote(tz)}"
# Execute the script on the remote backend
logger.info("Executing code on %s backend (task %s)...",