mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-07-01 12:02:05 +00:00
fix(terminal): require approval for host-bound Docker commands (#54483)
* fix(terminal): require approval for host-bound Docker commands The Docker terminal backend blanket-skips dangerous-command approval on the assumption that the container is isolated from the host. That holds only when nothing is bind-mounted in. Once a host path is exposed (via TERMINAL_DOCKER_MOUNT_CWD_TO_WORKSPACE or a host-path entry in TERMINAL_DOCKER_VOLUMES), a command like `rm -rf /workspace` reaches real host files but is still auto-approved. Detect host bind mounts and route those sessions through the normal approval flow. Isolated Docker keeps the fast path. The same gating is applied to the execute_code guard, which had the identical blanket skip. Co-authored-by: Hermes Agent <agent@nousresearch.com> * chore: add AUTHOR_MAP entry for PR #6436 salvage (Kolektori) * test: accept has_host_access kwarg in _check_all_guards mocks The host-bound Docker approval fix adds a has_host_access kwarg to the _check_all_guards wrapper. Six pre-existing tests monkeypatch it with a fixed (command, env_type) / (cmd, env) lambda signature, which now raises TypeError when terminal_tool passes the new kwarg. Widen those mock signatures to accept **kwargs. --------- Co-authored-by: Kolektori <256073454+Kolektori@users.noreply.github.com> Co-authored-by: Hermes Agent <agent@nousresearch.com>
This commit is contained in:
parent
7cfa2fa13f
commit
9860d93f2a
7 changed files with 176 additions and 20 deletions
|
|
@ -1104,15 +1104,21 @@ def execute_code(
|
|||
return tool_error("No code provided.")
|
||||
|
||||
# Dispatch: remote backends use file-based RPC, local uses UDS
|
||||
from tools.terminal_tool import _get_env_config
|
||||
env_type = _get_env_config()["env_type"]
|
||||
from tools.terminal_tool import _get_env_config, _docker_has_host_access
|
||||
_env_config = _get_env_config()
|
||||
env_type = _env_config["env_type"]
|
||||
|
||||
# execute_code runs arbitrary Python (subprocess/os.system/...) that never
|
||||
# passes through terminal()/DANGEROUS_PATTERNS, so guard the whole script
|
||||
# here before either dispatch path spawns it. Runs synchronously in the
|
||||
# caller (tool-executor) thread, which holds the session context (#30882).
|
||||
# A Docker sandbox with host bind mounts is no longer isolated, so its
|
||||
# script does not get the container fast-path.
|
||||
from tools.approval import check_execute_code_guard
|
||||
_guard = check_execute_code_guard(code, env_type)
|
||||
_guard = check_execute_code_guard(
|
||||
code, env_type,
|
||||
has_host_access=_docker_has_host_access(_env_config),
|
||||
)
|
||||
if not _guard.get("approved", False):
|
||||
return json.dumps({
|
||||
"status": "error",
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue