mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-04-25 00:51:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
hermes-agent/hermes_cli
History
Teknium 99bcc2de5b
fix(security): harden dashboard API against unauthenticated access (#9800) 
Addresses responsible disclosure from FuzzMind Security Lab (CVE pending).

The web dashboard API server had 36 endpoints, of which only 5 checked
the session token. The token itself was served from an unauthenticated
GET /api/auth/session-token endpoint, rendering the protection circular.
When bound to 0.0.0.0 (--host flag), all API keys, config, and cron
management were accessible to any machine on the network.

Changes:
- Add auth middleware requiring session token on ALL /api/ routes except
  a small public whitelist (status, config/defaults, config/schema,
  model/info)
- Remove GET /api/auth/session-token endpoint entirely; inject the token
  into index.html via a <script> tag at serve time instead
- Replace all inline token comparisons (!=) with hmac.compare_digest()
  to prevent timing side-channel attacks
- Block non-localhost binding by default; require --insecure flag to
  override (with warning log)
- Update frontend fetchJSON() to send Authorization header on all
  requests using the injected window.__HERMES_SESSION_TOKEN__

Credit: Callum (@0xca1x) and @migraine-sudo at FuzzMind Security Lab
2026-04-14 10:57:56 -07:00
..
__init__.py chore: release v0.9.0 (v2026.4.13) (#9182) 2026-04-13 11:52:09 -07:00
auth.py chore: rename AI Gateway → Vercel AI Gateway, move Xiaomi to #5 (#9326) 2026-04-13 19:51:54 -07:00
auth_commands.py fix(config): restore custom providers after v11→v12 migration 2026-04-13 10:50:52 -07:00
backup.py feat: fix SQLite safety in hermes backup + add --quick snapshots + /snapshot command (#8971) 2026-04-13 04:46:13 -07:00
banner.py refactor: remove dead code — 1,784 lines across 77 files (#9180) 2026-04-13 16:32:04 -07:00
callbacks.py refactor: remove 24 confirmed dead functions — 432 lines of unused code 2026-04-07 11:41:26 -07:00
claw.py fix: unify OpenClaw detection, add isatty guard, fix print_warning import 2026-04-12 16:40:37 -07:00
cli_output.py refactor: remove dead code — 1,784 lines across 77 files (#9180) 2026-04-13 16:32:04 -07:00
clipboard.py feat(gateway): WSL-aware gateway with smart systemd detection (#7510) 2026-04-10 21:15:47 -07:00
codex_models.py fix: add gpt-5.4-mini to Codex fallback catalog (#3855) 2026-03-29 20:10:00 -07:00
colors.py feat: respect NO_COLOR env var and TERM=dumb (#4079) 2026-03-30 17:07:21 -07:00
commands.py feat: improve file search UX — fuzzy @ completions, mtime sorting, better suggestions (#9467) 2026-04-13 23:54:45 -07:00
completion.py fix: preserve profile name completion in dynamic shell completion 2026-04-14 10:45:42 -07:00
config.py feat: gateway proxy mode — forward messages to remote API server 2026-04-14 10:49:48 -07:00
copilot_auth.py fix(copilot): resolve GHE token poisoning when GITHUB_TOKEN is set 2026-04-13 05:12:36 -07:00
cron.py feat(cron): track delivery failures in job status (#6042) 2026-04-07 22:49:01 -07:00
curses_ui.py feat(cli): add native /model picker modal for provider → model selection 2026-04-11 17:16:06 -07:00
debug.py feat: add hermes debug share — upload debug report to pastebin (#8681) 2026-04-12 18:05:14 -07:00
default_soul.py fix: reset default SOUL.md to baseline identity text (#3159) 2026-03-26 01:34:27 -07:00
doctor.py fix(cli): fix doctor checks for Kimi China credentials 2026-04-14 10:16:30 -07:00
dump.py fix: QQBot missing integration points, timestamp parsing, test fix 2026-04-14 00:11:49 -07:00
env_loader.py fix: sanitize .env before loading to prevent token duplication (#8908) 2026-04-13 04:35:37 -07:00
gateway.py feat(gateway): unify QQBot branding, add PLATFORM_HINTS, fix streaming, restore missing setup functions 2026-04-14 00:11:49 -07:00
logs.py feat: component-separated logging with session context and filtering (#7991) 2026-04-11 17:23:36 -07:00
main.py fix(security): harden dashboard API against unauthenticated access (#9800) 2026-04-14 10:57:56 -07:00
mcp_config.py feat: add --env and --preset support to hermes mcp add 2026-04-11 15:34:57 -07:00
memory_setup.py fix: memory_setup.py - write non-secret env vars, check all fields in status 2026-04-14 10:49:35 -07:00
model_normalize.py feat(providers): add Arcee AI as direct API provider 2026-04-13 18:40:06 -07:00
model_switch.py fix: auto-correct close model name matches in /model validation (#9424) 2026-04-13 23:09:39 -07:00
models.py fix: auto-correct close model name matches in /model validation (#9424) 2026-04-13 23:09:39 -07:00
nous_subscription.py feat(tools): add Voxtral TTS provider (Mistral AI) 2026-04-11 01:56:55 -07:00
pairing.py chore: fix 154 f-strings, simplify getattr/URL patterns, remove dead code (#3119) 2026-03-25 19:47:58 -07:00
platforms.py feat(gateway): unify QQBot branding, add PLATFORM_HINTS, fix streaming, restore missing setup functions 2026-04-14 00:11:49 -07:00
plugins.py feat(plugins): namespaced skill registration for plugin skill bundles 2026-04-14 10:42:58 -07:00
plugins_cmd.py fix: no auto-activation + unified hermes plugins UI with provider categories 2026-04-10 19:15:50 -07:00
profiles.py fix: improve profile creation UX — seed SOUL.md + credential warning (#8553) 2026-04-12 12:22:34 -07:00
providers.py feat(providers): add Arcee AI as direct API provider 2026-04-13 18:40:06 -07:00
runtime_provider.py fix: resolve CI test failures — add missing functions, fix stale tests (#9483) 2026-04-14 01:43:45 -07:00
setup.py feat(gateway): unify QQBot branding, add PLATFORM_HINTS, fix streaming, restore missing setup functions 2026-04-14 00:11:49 -07:00
skills_config.py refactor: remove dead code — 1,784 lines across 77 files (#9180) 2026-04-13 16:32:04 -07:00
skills_hub.py fix(skills): cache GitHub repo trees to avoid rate-limit exhaustion on install 2026-04-12 16:39:04 -07:00
skin_engine.py feat(skin): add warm-lightmode skin from PR #4811 2026-04-13 23:51:21 -07:00
status.py feat(gateway): unify QQBot branding, add PLATFORM_HINTS, fix streaming, restore missing setup functions 2026-04-14 00:11:49 -07:00
tips.py refactor: remove dead code — 1,784 lines across 77 files (#9180) 2026-04-13 16:32:04 -07:00
tools_config.py fix(browser): fix Camofox JS eval endpoint, userId, and package rename (#9774) 2026-04-14 10:21:54 -07:00
uninstall.py refactor: remove dead code — 1,784 lines across 77 files (#9180) 2026-04-13 16:32:04 -07:00
web_server.py fix(security): harden dashboard API against unauthenticated access (#9800) 2026-04-14 10:57:56 -07:00
webhook.py refactor: replace inline HERMES_HOME re-implementations with get_hermes_home() 2026-04-07 10:40:34 -07:00