mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-07-01 12:02:05 +00:00
Two related redaction bugs from #43083: 1. build_assistant_message redacted tool-call arguments in-memory. That dict feeds both the replayed conversation history and state.db (which is itself replayed verbatim on session resume), so the model read back its own PGPASSWORD='***' psql call and copied the placeholder, breaking every credential-dependent command on the second turn. The masking gave no real protection either — the same secret still leaks through tool OUTPUT. Remove it. Keeping secrets out of the replayable store is a separate tokenization/vault concern (security.redact_secrets still governs storage-time redaction elsewhere). 2. _AUTH_HEADER_RE's greedy \S+ credential class ate a closing quote when the token sat flush against it (Authorization: Bearer sk-.."), turning value corruption into syntax corruption (unterminated quote -> shell EOF / SyntaxError). Exclude " and ' from the token class; real credentials never contain them. Closes #43083.
91 lines
2.8 KiB
Python
91 lines
2.8 KiB
Python
"""Regression test for #43083.
|
|
|
|
``build_assistant_message`` must NOT redact tool-call arguments. The dict it
|
|
returns enters the in-memory conversation history that is replayed to the model
|
|
on every subsequent turn AND is persisted to state.db, which is itself replayed
|
|
verbatim on session resume. Masking a credential to ``***`` there poisons the
|
|
replay: the model reads back its own ``PGPASSWORD='***' psql ...`` call and
|
|
copies the placeholder into the next tool call, breaking every
|
|
credential-dependent command on the second turn.
|
|
"""
|
|
|
|
from unittest.mock import MagicMock
|
|
|
|
from agent.chat_completion_helpers import build_assistant_message
|
|
|
|
|
|
class _FakeToolCall:
|
|
def __init__(self, tc_id, name, arguments):
|
|
self.id = tc_id
|
|
self.type = "function"
|
|
self.function = MagicMock()
|
|
self.function.name = name
|
|
self.function.arguments = arguments
|
|
self.extra_content = None
|
|
|
|
def __getattr__(self, _name):
|
|
return None
|
|
|
|
|
|
class _FakeAssistantMsg:
|
|
def __init__(self, content, tool_calls):
|
|
self.content = content
|
|
self.tool_calls = tool_calls
|
|
self.function_call = None
|
|
self.reasoning_content = None
|
|
self.model_extra = None
|
|
self.reasoning_details = None
|
|
|
|
def __getattr__(self, _name):
|
|
return None
|
|
|
|
|
|
class _FakeAgent:
|
|
stream_delta_callback = None
|
|
_stream_callback = None
|
|
reasoning_callback = None
|
|
verbose_logging = False
|
|
|
|
def _extract_reasoning(self, _msg):
|
|
return None
|
|
|
|
def _strip_think_blocks(self, text):
|
|
return text
|
|
|
|
def _needs_thinking_reasoning_pad(self):
|
|
return False
|
|
|
|
def _split_responses_tool_id(self, _raw):
|
|
return (None, None)
|
|
|
|
def _derive_responses_function_call_id(self, _call_id, _resp_id):
|
|
return None
|
|
|
|
def _deterministic_call_id(self, _name, _args, idx):
|
|
return f"det_{idx}"
|
|
|
|
|
|
def _build(arguments):
|
|
tc = _FakeToolCall("call_1", "terminal", arguments)
|
|
msg = build_assistant_message(_FakeAgent(), _FakeAssistantMsg("ok", [tc]), "tool_calls")
|
|
return msg["tool_calls"][0]["function"]["arguments"]
|
|
|
|
|
|
def test_pgpassword_preserved_verbatim(monkeypatch):
|
|
# Force redaction ON to prove build_assistant_message bypasses it for
|
|
# tool-call args regardless of the global toggle.
|
|
monkeypatch.setattr("agent.redact._REDACT_ENABLED", True, raising=False)
|
|
args = '{"command": "PGPASSWORD=\'honchorulez\' psql -h 127.0.0.1"}'
|
|
got = _build(args)
|
|
assert got == args
|
|
assert "honchorulez" in got
|
|
assert "***" not in got
|
|
|
|
|
|
def test_bearer_token_preserved_verbatim(monkeypatch):
|
|
monkeypatch.setattr("agent.redact._REDACT_ENABLED", True, raising=False)
|
|
args = '{"command": "curl -H \'Authorization: Bearer sk-abcdef1234567890\'"}'
|
|
got = _build(args)
|
|
assert got == args
|
|
assert "sk-abcdef1234567890" in got
|
|
assert "***" not in got
|