mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-05-18 04:41:56 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 7

fix(security): reduce unnecessary shell=True in subprocess calls

Browse source 
- memory_setup.py: use shlex.split() for plugin dep checks instead of shell=True
- transcription_tools.py: avoid shell=True for auto-detected whisper commands
  (user-provided templates via env var still use shell=True for compatibility)
- cli.py: add comment clarifying intentional shell=True for user quick_commands
- Add test verifying auto-detected template is shlex-safe

Addresses CONTRIBUTING.md Priority #3 (Security hardening — shell injection).
This commit is contained in:
iuyup 2026-04-08 20:44:34 +08:00 committed by Teknium
parent a9b8254e5f
commit d6c9711ba8
4 changed files with 53 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

2
cli.py
View file

@ -7600,6 +7600,8 @@ class HermesCLI:
exec_cmd = qcmd.get("command", "")
if exec_cmd:
try:
# shell=True is intentional: quick_commands are user-defined
# shell snippets from config.yaml — not agent/LLM controlled.
result = subprocess.run(
exec_cmd, shell=True, capture_output=True,
text=True, timeout=30