hermes-agent/tests/providers
solyanviktor-star a061788d43 security(providers): strip credential headers on cross-host redirects in fetch_models
fetch_models() sends Authorization: Bearer <api_key> plus any
default_headers (x-api-key etc.) via urllib.request.urlopen, and
urllib's redirect handler forwards every header when following a
3xx — including to a different host. A catalog endpoint (or a
compromised/misconfigured proxy in front of it) answering with a
redirect to another origin therefore received the provider API key.

Install an HTTPRedirectHandler that drops authorization, x-api-key,
api-key, x-goog-api-key and cookie when the redirect target hostname
differs from the original request, mirroring the pattern already used
in skills/creative/comfyui/scripts/_common.py. Same-host redirects
keep credentials so legitimate path-level redirects still work.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-11 12:28:55 +05:30
..
__init__.py feat: provider modules — ProviderProfile ABC, 33 providers, fetch_models, transport single-path 2026-05-05 13:40:01 -07:00
test_e2e_wiring.py feat: provider modules — ProviderProfile ABC, 33 providers, fetch_models, transport single-path 2026-05-05 13:40:01 -07:00
test_fetch_models_base_url.py security(providers): strip credential headers on cross-host redirects in fetch_models 2026-07-11 12:28:55 +05:30
test_plugin_discovery.py chore: prune unused imports and duplicate import redefinitions 2026-05-28 22:26:25 -07:00
test_profile_wiring.py fix(openrouter): never send reasoning field for adaptive Anthropic models (#43012) 2026-06-10 00:18:23 +05:30
test_provider_profiles.py fix(routing): preserve profile and delegation parity 2026-07-10 13:10:45 +05:30
test_transport_parity.py fix(nous): forward provider routing through Portal 2026-07-10 13:10:45 +05:30