fix(dashboard): require auth for plugin rescan (#27340)

Jiaming Guo 2026-05-24 19:45:07 +08:00 committed by GitHub
parent 5acaeba2bb
commit ee002e7fc5
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 6 additions and 1 deletions


@ -119,7 +119,6 @@ _PUBLIC_API_PATHS: frozenset = frozenset({
"/api/model/info",
"/api/dashboard/themes",
"/api/dashboard/plugins",
"/api/dashboard/plugins/rescan",
})


@ -327,6 +327,12 @@ class TestWebServerEndpoints:
# Public endpoints should still work
resp = unauth_client.get("/api/status")
assert resp.status_code == 200
resp = unauth_client.get("/api/dashboard/plugins")
assert resp.status_code == 200
resp = unauth_client.get("/api/dashboard/plugins/rescan")
assert resp.status_code == 401
resp = self.client.get("/api/dashboard/plugins/rescan")
assert resp.status_code == 200
def test_path_traversal_blocked(self):
"""Verify URL-encoded path traversal is blocked."""
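Review bot: The new 401 assertion for `/api/dashboard/plugins/rescan` sits under the existing comment `# Public endpoints should still work`, which no longer describes the lines below it. A separate comment before the rescan assertions, such as `# Rescan is not public: unauthenticated requests must get 401`, would keep the regression intent visible. The test pins only GET on the exact path; if the auth layer compares paths against the allowlist by exact string, as the frozenset suggests, a second assertion on the trailing-slash form would confirm that no variant stays public. The enclosing test method starts above the hunk, so whether `self.client` carries credentials is assumed from the 200 assertion rather than visible here.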