mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-04-25 00:51:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix(vision): make SSRF redirect guard async for httpx.AsyncClient

Browse source 
httpx.AsyncClient awaits event hooks. The sync _ssrf_redirect_guard
returned None, causing 'object NoneType can't be used in await
expression' on any vision_analyze call that followed redirects.

Caught during live PTY testing of the merged SSRF protection.
This commit is contained in:
Teknium 2026-03-23 15:44:52 -07:00
parent 0791efe2c3
commit ad5f973a8d
No known key found for this signature in database
1 changed files with 3 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

4
tools/vision_tools.py
View file

@ -97,11 +97,13 @@ async def _download_image(image_url: str, destination: Path, max_retries: int =
# Create parent directories if they don't exist
destination.parent.mkdir(parents=True, exist_ok=True)
def _ssrf_redirect_guard(response):
async def _ssrf_redirect_guard(response):
"""Re-validate each redirect target to prevent redirect-based SSRF.
Without this, an attacker can host a public URL that 302-redirects
to http://169.254.169.254/ and bypass the pre-flight is_safe_url check.
Must be async because httpx.AsyncClient awaits event hooks.
"""
if response.is_redirect and response.next_request:
redirect_url = str(response.next_request.url)