mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-07-08 13:12:08 +00:00
Mitigates indirect prompt injection (CWE-863) in Slack thread context. When the bot is mentioned mid-thread for the first time, _fetch_thread_context pulls the full thread via conversations.replies and prepends every reply to the LLM prompt. Replies from senders not on the allowlist were rendered identically to authorised senders, letting a third party in a shared channel inject instructions the model might act on when answering the next authorised message. - BasePlatformAdapter.set_authorization_check / _is_sender_authorized, registered by GatewayRunner._make_adapter_auth_check() with a closure over the existing _is_user_authorized chain (platform/global/group allowlists, allow-all flags, pairing store all stay the single source of truth — no env-var re-parsing). - Tags non-bot thread messages whose sender fails the auth check with an [unverified] prefix; strengthens the header with soft guidance only when at least one unverified message is present, so setups without an allowlist see no behaviour change. - Wired into all three adapter-init sites in run.py (start, reconnect watcher, restart) so the reconnect path is covered too. Softened wording: adapted from the original [untrusted] tag to [unverified] and non-accusatory header framing — the label reflects allowlist status, not a judgment about the person. Adapter relocated to plugins/platforms/slack/ since the PR was authored. Salvaged from #17059. |
||
|---|---|---|
| .. | ||
| browser | ||
| context_engine | ||
| cron_providers | ||
| dashboard_auth | ||
| disk-cleanup | ||
| google_meet | ||
| hermes-achievements | ||
| image_gen | ||
| kanban | ||
| memory | ||
| model-providers | ||
| observability | ||
| platforms | ||
| security-guidance | ||
| spotify | ||
| teams_pipeline | ||
| video_gen | ||
| web | ||
| __init__.py | ||
| plugin_utils.py | ||