mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-07-10 13:31:38 +00:00
The model-facing cronjob tool accepts free-form provider + base_url. On fire, the scheduler pairs the named provider's stored credential with the job's base_url, so a prompt-injected job (e.g. provider=anthropic, base_url=https://attacker/v1) sends the real API key to an attacker endpoint. A base_url with no provider inherits the default provider's key for the same effect. Add a fail-closed guard at the tool boundary: a base_url override is allowed only for the custom/BYOK sentinel, a configured custom_providers entry, or when the override host matches the named provider's own endpoint; an override without an explicit provider is rejected. The trust boundary is the caller, so operator-configured base_urls for named providers are unaffected. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| __init__.py | ||
| conftest.py | ||
| test_blueprint_catalog.py | ||
| test_claim_job_for_fire.py | ||
| test_codex_execution_paths.py | ||
| test_compute_next_run_last_run_at.py | ||
| test_cron_context_from.py | ||
| test_cron_inactivity_timeout.py | ||
| test_cron_no_agent.py | ||
| test_cron_profile_isolation.py | ||
| test_cron_prompt_injection_skill.py | ||
| test_cron_provider_pin.py | ||
| test_cron_script.py | ||
| test_cron_workdir.py | ||
| test_cronjob_schema.py | ||
| test_file_permissions.py | ||
| test_jobs.py | ||
| test_jobs_changed_notify.py | ||
| test_jobs_crossprocess_lock.py | ||
| test_parallel_pool.py | ||
| test_rewrite_skill_refs.py | ||
| test_run_one_job.py | ||
| test_scheduler.py | ||
| test_scheduler_mcp_init.py | ||
| test_scheduler_provider.py | ||
| test_suggestions.py | ||