mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-05-18 04:41:56 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 7

fix(security): reduce unnecessary shell=True in subprocess calls

Browse source 
- memory_setup.py: use shlex.split() for plugin dep checks instead of shell=True
- transcription_tools.py: avoid shell=True for auto-detected whisper commands
  (user-provided templates via env var still use shell=True for compatibility)
- cli.py: add comment clarifying intentional shell=True for user quick_commands
- Add test verifying auto-detected template is shlex-safe

Addresses CONTRIBUTING.md Priority #3 (Security hardening — shell injection).
This commit is contained in:
iuyup 2026-04-08 20:44:34 +08:00 committed by Teknium
parent a9b8254e5f
commit d6c9711ba8
4 changed files with 53 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

3
hermes_cli/memory_setup.py
View file

@ -10,6 +10,7 @@ from __future__ import annotations
import getpass
import os
import sys
import shlex
from pathlib import Path
from hermes_constants import get_hermes_home
@ -134,7 +135,7 @@ def _install_dependencies(provider_name: str) -> None:
if check_cmd:
try:
subprocess.run(
check_cmd, shell=True, capture_output=True, timeout=5
shlex.split(check_cmd), check=True, capture_output=True, timeout=5
)
except Exception:
if install_cmd: