hermes-agent/scripts
Teknium 11183e8332 fix(profiles): validate custom alias names to prevent path traversal
`hermes profile alias <profile> --name <custom>` accepted arbitrary
strings and used them verbatim as a filename under ~/.local/bin. Because
normalize_profile_name only lowercases/strips (no regex gate), a value
like `../../.bashrc` escaped the wrapper directory and clobbered
arbitrary user-writable files. remove_wrapper_script had the same sink.

Add validate_alias_name (reusing the profile-id regex, which forbids
`/`, `.`, and `..`) and wire it into check_alias_collision,
create_wrapper_script, remove_wrapper_script, and the CLI alias action so
the rejection surfaces a clear "Invalid alias name" error instead of
silently writing or unlinking outside the wrapper dir.

Co-authored-by: Gutslabs <gutslabsxyz@gmail.com>
Co-authored-by: Xowiek <xowiekk@gmail.com>
2026-06-28 18:53:33 -07:00
ci fix(ci): only run supplychain checks in pr 2026-06-23 09:46:25 -07:00
lib fix(hermes): heal broken managed Node tree instead of PATH fallback 2026-06-26 20:10:20 +05:30
tests test(install): add ConvertTo-LongPath helper for 8.3 short paths 2026-06-20 16:24:52 -07:00
whatsapp-bridge test(whatsapp-bridge): drop structural send-queue integration test 2026-06-28 01:10:14 -07:00
analyze_livetest.py test(tool-search): add live A/B harness, drop checked-in transcripts 2026-05-29 02:04:12 -07:00
benchmark_browser_eval.py perf(browser): route browser_console eval through supervisor's persistent CDP WS (180x faster) (#23226) 2026-05-10 07:37:55 -07:00
build_model_catalog.py codebase: add encoding='utf-8' to all bare open() calls (PLW1514) 2026-05-08 14:27:40 -07:00
build_skills_index.py fix(skills): let ClawHub index build walk past the 12s browse budget (#44500) 2026-06-11 18:03:11 -04:00
check-windows-footguns.py revert(windows): roll back terminal-popup PRs #53791 #53810 #53829 (#53853) 2026-06-27 15:59:00 -07:00
check_subprocess_stdin.py fix: keep interactive OAuth setup-token inheriting stdin 2026-06-08 22:46:57 -07:00
contributor_audit.py revert(windows): roll back terminal-popup PRs #53791 #53810 #53829 (#53853) 2026-06-27 15:59:00 -07:00
discord-voice-doctor.py codebase: add encoding='utf-8' to all bare open() calls (PLW1514) 2026-05-08 14:27:40 -07:00
docker_config_migrate.py fix(docker): restore config backups after failed boot migration 2026-06-24 15:23:23 +10:00
hermes-gateway fix: prevent systemd restart storm on gateway connection failure 2026-03-21 09:26:39 -07:00
install.cmd fix(docs): update all install instructions everywhere 2026-06-04 21:07:45 -04:00
install.ps1 fix(windows): repair missing hermes.exe after pip install (#52931) 2026-06-28 17:01:31 -05:00
install.sh fix(install): time-box desktop + node-deps installs so a stalled download self-heals (#39219) 2026-06-28 02:47:47 -07:00
install_psutil_android.py revert(windows): roll back terminal-popup PRs #53791 #53810 #53829 (#53853) 2026-06-27 15:59:00 -07:00
keystroke_diagnostic.py docs: add Windows-Specific Quirks section to hermes-agent skill + keystroke diagnostic 2026-05-08 14:27:40 -07:00
kill_modal.sh refactor: replace swe-rex with native Modal SDK for Modal backend (#3538) 2026-03-28 11:21:44 -07:00
lint_diff.py feat(ci): add typecheck (warnings only in CI) 2026-05-06 10:58:12 -04:00
LIVETEST_README.md test(tool-search): add live A/B harness, drop checked-in transcripts 2026-05-29 02:04:12 -07:00
profile-tui.py revert(windows): roll back terminal-popup PRs #53791 #53810 #53829 (#53853) 2026-06-27 15:59:00 -07:00
release.py fix(profiles): validate custom alias names to prevent path traversal 2026-06-28 18:53:33 -07:00
run_tests.sh fix(tests): bare pytest flags pass through run_tests.sh without a '--' separator (#54008) 2026-06-27 22:43:26 -07:00
run_tests_parallel.py test(ci): raise per-file timeout 140s → 300s to stop false timeouts (#54143) 2026-06-28 02:41:07 -07:00
sample_and_compress.py refactor: codebase-wide lint cleanup — unused imports, dead code, and inefficient patterns (#5821) 2026-04-07 10:25:31 -07:00
setup_open_webui.sh fix(install): use resolved python variable in setup_open_webui.sh 2026-05-16 22:54:22 -07:00
tool_search_livetest.py test(tool-search): redact secrets from harness transcripts + console 2026-05-29 02:04:12 -07:00