mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-04-25 00:51:20 +00:00
vision_tools.py: _download_image() loads the full HTTP response body into memory via response.content (line 190) with no Content-Length check and no max file size limit. An attacker-hosted multi-gigabyte file causes OOM. Add a 50 MB hard cap: check Content-Length header before download, and verify actual body size before writing to disk.

hermes_parser.py: tc_data["name"] at line 57 raises KeyError when the LLM outputs a tool call JSON without a "name" field. The outer except catches it silently, causing the entire tool call to be lost with zero diagnostics. Add "name" field validation before constructing the ChatCompletionMessage.

mistral_parser.py: tc["name"] at line 101 has the same KeyError issue in the pre-v11 format path. The fallback decoder (line 112) already checks "name" correctly, but the primary path does not. Add validation to match.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

||
|---|---|---|
| __init__.py | ||
| deepseek_v3_1_parser.py | ||
| deepseek_v3_parser.py | ||
| glm45_parser.py | ||
| glm47_parser.py | ||
| hermes_parser.py | ||
| kimi_k2_parser.py | ||
| llama_parser.py | ||
| longcat_parser.py | ||
| mistral_parser.py | ||
| qwen3_coder_parser.py | ||
| qwen_parser.py | ||