mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-05-02 02:01:47 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 6
hermes-agent/tools
History
Teknium ab548a9b5e
fix(security): add SSRF protection to browser_navigate (#3058) 
* fix(security): add SSRF protection to browser_navigate

browser_navigate() only checked the website blocklist policy but did
not call is_safe_url() to block private/internal addresses. This
allowed the agent to navigate to localhost, cloud metadata endpoints
(169.254.169.254), and private network IPs via the browser.

web_tools and vision_tools already had this check. Added the same
is_safe_url() pre-flight validation before the blocklist check in
browser_navigate().

* fix: move SSRF import to module level, fix policy test mock

Move is_safe_url import to module level so it can be monkeypatched
in tests. Update test_browser_navigate_returns_policy_block to mock
_is_safe_url so the SSRF check passes and the policy check is reached.

* fix(security): harden browser SSRF protection

Follow-up to cherry-picked PR #3041:

1. Fail-closed fallback: if url_safety module can't import, block all
   URLs instead of allowing all. Security guards should never fail-open.

2. Post-redirect SSRF check: after navigation, verify the final URL
   isn't a private/internal address. If a public URL redirected to
   169.254.169.254 or localhost, navigate to about:blank and return
   an error — prevents the model from reading internal content via
   subsequent browser_snapshot calls.

---------

Co-authored-by: 0xbyt4 <35742124+0xbyt4@users.noreply.github.com>
2026-03-25 15:16:57 -07:00
..
browser_providers feat(browser): multi-provider cloud browser support + Browser Use integration 2026-03-17 00:16:34 -07:00
environments fix(shell): exponential backoff for persistent shell polling (#2996) 2026-03-25 10:56:48 -07:00
neutts_samples refactor(tts): replace NeuTTS optional skill with built-in provider + setup flow 2026-03-17 02:33:12 -07:00
__init__.py chore: remove all remaining mini-swe-agent references 2026-03-24 08:19:23 -07:00
ansi_strip.py fix: strip ANSI at the source — clean terminal output before it reaches the model 2026-03-23 07:43:12 -07:00
approval.py fix(approval): honor bare YAML approvals.mode: off (#2620) 2026-03-23 06:56:09 -07:00
browser_tool.py fix(security): add SSRF protection to browser_navigate (#3058) 2026-03-25 15:16:57 -07:00
checkpoint_manager.py chore: remove ~100 unused imports across 55 files (#3016) 2026-03-25 15:02:03 -07:00
clarify_tool.py chore: remove ~100 unused imports across 55 files (#3016) 2026-03-25 15:02:03 -07:00
code_execution_tool.py feat: env var passthrough for skills and user config (#2807) 2026-03-24 08:19:34 -07:00
cronjob_tools.py fix: normalize repeat<=0 to None to prevent cron jobs deleting after first run (#2612) 2026-03-23 06:35:43 -07:00
debug_helpers.py refactor: consolidate debug logging across tools with shared DebugSession class 2026-02-21 03:53:24 -08:00
delegate_tool.py chore: remove ~100 unused imports across 55 files (#3016) 2026-03-25 15:02:03 -07:00
env_passthrough.py feat: env var passthrough for skills and user config (#2807) 2026-03-24 08:19:34 -07:00
file_operations.py chore: remove ~100 unused imports across 55 files (#3016) 2026-03-25 15:02:03 -07:00
file_tools.py chore: remove ~100 unused imports across 55 files (#3016) 2026-03-25 15:02:03 -07:00
fuzzy_match.py fix(tools): browser handler safety + fuzzy_match docstring accuracy 2026-03-17 04:32:39 -07:00
homeassistant_tool.py feat(tools): centralize tool emoji metadata in registry + skin integration 2026-03-15 20:21:21 -07:00
honcho_tools.py fix(honcho): isolate session routing for multi-user gateway (#1500) 2026-03-16 00:23:47 -07:00
image_generation_tool.py chore: remove ~100 unused imports across 55 files (#3016) 2026-03-25 15:02:03 -07:00
interrupt.py feat: enhance interrupt handling and container resource configuration 2026-02-23 02:11:33 -08:00
mcp_oauth.py fix(mcp-oauth): port mismatch, path traversal, and shared handler state (salvage #2521) (#2552) 2026-03-22 15:02:26 -07:00
mcp_tool.py feat(cli): MCP server management CLI + OAuth 2.1 PKCE auth 2026-03-22 04:52:52 -07:00
memory_tool.py fix(memory): file-lock read-modify-write to prevent concurrent data loss 2026-03-17 04:19:11 -07:00
mixture_of_agents_tool.py feat(tools): centralize tool emoji metadata in registry + skin integration 2026-03-15 20:21:21 -07:00
neutts_synth.py fix(tts): document NeuTTS provider and align install guidance (#1903) 2026-03-18 02:55:30 -07:00
openrouter_client.py refactor: route ad-hoc LLM consumers through centralized provider router 2026-03-11 20:02:36 -07:00
patch_parser.py fix(patch): use regex to detect line-number prefix to avoid corrupting pipe chars 2026-03-14 03:47:13 -07:00
process_registry.py chore: remove ~100 unused imports across 55 files (#3016) 2026-03-25 15:02:03 -07:00
registry.py chore: remove ~100 unused imports across 55 files (#3016) 2026-03-25 15:02:03 -07:00
rl_training_tool.py chore: remove ~100 unused imports across 55 files (#3016) 2026-03-25 15:02:03 -07:00
send_message_tool.py chore: remove ~100 unused imports across 55 files (#3016) 2026-03-25 15:02:03 -07:00
session_search_tool.py chore: remove ~100 unused imports across 55 files (#3016) 2026-03-25 15:02:03 -07:00
skill_manager_tool.py fix(skills_guard): agent-created dangerous skills ask instead of block 2026-03-22 03:56:02 -07:00
skills_guard.py fix(skills): agent-created skills were incorrectly treated as untrusted community content 2026-03-24 19:15:03 -07:00
skills_hub.py chore: remove ~100 unused imports across 55 files (#3016) 2026-03-25 15:02:03 -07:00
skills_sync.py feat: nix flake — uv2nix build, NixOS module, persistent container mode (#20) 2026-03-26 01:08:02 +05:30
skills_tool.py feat: env var passthrough for skills and user config (#2807) 2026-03-24 08:19:34 -07:00
terminal_tool.py chore: remove ~100 unused imports across 55 files (#3016) 2026-03-25 15:02:03 -07:00
tirith_security.py fix: send_animation metadata, MarkdownV2 inline code splitting, tirith cosign-free install (#1626) 2026-03-16 23:39:41 -07:00
todo_tool.py feat(tools): centralize tool emoji metadata in registry + skin integration 2026-03-15 20:21:21 -07:00
transcription_tools.py fix(stt): respect explicit provider config instead of env-var fallback (#1775) 2026-03-17 10:30:58 -07:00
tts_tool.py chore: remove ~100 unused imports across 55 files (#3016) 2026-03-25 15:02:03 -07:00
url_safety.py fix(security): add SSRF protection to vision_tools and web_tools (hardened) 2026-03-23 15:40:42 -07:00
vision_tools.py chore: remove ~100 unused imports across 55 files (#3016) 2026-03-25 15:02:03 -07:00
voice_mode.py chore: remove ~100 unused imports across 55 files (#3016) 2026-03-25 15:02:03 -07:00
web_tools.py fix(security): add SSRF protection to vision_tools and web_tools (hardened) 2026-03-23 15:40:42 -07:00
website_policy.py fix: harden website blocklist — default off, TTL cache, fail-open, guarded imports 2026-03-17 03:11:26 -07:00