mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-05-03 02:11:48 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5
hermes-agent/gateway/platforms
History
aaronagent 37bb4f807b fix(dingtalk,api): validate session webhook URL origin, cap webhook cache, reject header injection 
dingtalk.py: The session_webhook URL from incoming DingTalk messages is POSTed to
without any origin validation (line 290), enabling SSRF attacks via crafted webhook
URLs (e.g. http://169.254.169.254/ to reach cloud metadata).  Add a regex check
that only accepts the official DingTalk API origin (https://api.dingtalk.com/).
Also cap _session_webhooks dict at 500 entries with FIFO eviction to prevent
unbounded memory growth from long-running gateway instances.

api_server.py: The X-Hermes-Session-Id request header is accepted and echoed back
into response headers (lines 675, 697) without sanitization.  A session ID
containing \r\n enables HTTP response splitting / header injection.  Add a check
that rejects session IDs containing control characters (\r, \n, \x00).

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 03:05:04 -07:00
..
__init__.py Enhance CLI with multi-platform messaging integration and configuration management 2026-02-02 19:01:51 -08:00
ADDING_A_PLATFORM.md docs: finish cron terminology cleanup 2026-03-14 19:20:58 -07:00
api_server.py fix(dingtalk,api): validate session webhook URL origin, cap webhook cache, reject header injection 2026-04-10 03:05:04 -07:00
base.py fix: add SOCKS proxy support, DISCORD_PROXY env var, and send_message proxy coverage 2026-04-09 14:19:06 -07:00
bluebubbles.py feat(gateway): add BlueBubbles iMessage platform adapter (#6437) 2026-04-08 23:54:03 -07:00
dingtalk.py fix(dingtalk,api): validate session webhook URL origin, cap webhook cache, reject header injection 2026-04-10 03:05:04 -07:00
discord.py feat(discord): add allowed_channels whitelist config 2026-04-10 03:02:42 -07:00
email.py fix(email): close SMTP and IMAP connections on failure (#3804) 2026-03-29 15:38:32 -07:00
feishu.py fix(feishu): add adaptive batch delay for split long messages 2026-04-09 23:25:27 -07:00
homeassistant.py fix(gateway): add request timeouts to HA, Email, Mattermost, SMS adapters (#3258) 2026-03-26 14:36:07 -07:00
matrix.py fix(gateway): bypass text batching when delay is 0 (#6996) 2026-04-09 23:59:20 -07:00
mattermost.py fix(security): consolidated security hardening — SSRF, timing attack, tar traversal, credential leakage (#5944) 2026-04-07 17:28:37 -07:00
signal.py fix: Signal duplicate replies with streaming + per-platform tool_progress (#6348) 2026-04-08 17:39:45 -07:00
slack.py fix(slack): add rate-limit retry and TTL cache to thread context fetching 2026-04-09 14:07:32 -07:00
sms.py fix: store asyncio task references to prevent GC mid-execution (#3267) 2026-03-26 14:36:24 -07:00
telegram.py fix(telegram): adaptive batch delay for split long messages 2026-04-09 23:25:27 -07:00
telegram_network.py feat(gateway): unified proxy support for Discord and Telegram with macOS auto-detection 2026-04-09 14:19:06 -07:00
webhook.py fix(gateway/webhook): don't pop delivery_info on send 2026-04-07 17:27:09 -07:00
wecom.py fix(gateway): bypass text batching when delay is 0 (#6996) 2026-04-09 23:59:20 -07:00
whatsapp.py refactor: codebase-wide lint cleanup — unused imports, dead code, and inefficient patterns (#5821) 2026-04-07 10:25:31 -07:00