mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-05-18 04:41:56 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 7
hermes-agent/tests/tools/test_hardline_blocklist.py
OpenClaw Agent 9520a1ccdf fix(terminal): block sudo -S password guessing when SUDO_PASSWORD is not set 
Fixes #9590: Block explicit sudo -S (stdin password mode) commands
when the SUDO_PASSWORD environment variable is not configured.

The attack vector: the LLM constructs 'echo guessedpass | sudo -S cmd'
to brute-force sudo passwords, iterates based on sudo's error output
('Sorry, try again').  The existing _transform_sudo_command only
injects -S when SUDO_PASSWORD exists; without it, the LLM's explicit
sudo -S must be treated as a guessing attempt.

Changes:
- Add _check_sudo_stdin_guard() in approval.py: detects sudo -S when
  SUDO_PASSWORD is absent, anchored to command-start positions
  (^ ; && || | etc.) to avoid false positives on literal text
- Integrate into check_all_command_guards() above yolo/mode=off so
  the block is unconditional (like the hardline floor)
- Add 6 tests covering: detection, allow-list, SUDO_PASSWORD bypass,
  integration with check_all_command_guards, yolo non-bypass,
  container backend bypass
2026-05-11 06:56:30 -07:00

378 lines
13 KiB
Python
Raw Blame History

"""Tests for the unconditional hardline command blocklist.
The hardline list is a floor below yolo: a small set of commands so
catastrophic they should never run via the agent, regardless of --yolo,
gateway /yolo, approvals.mode=off, or cron approve mode.
Inspired by Mercury Agent's permission-hardened blocklist.
"""
import os
import pytest
from tools.approval import (
DANGEROUS_PATTERNS,
HARDLINE_PATTERNS,
check_all_command_guards,
check_dangerous_command,
detect_dangerous_command,
detect_hardline_command,
disable_session_yolo,
enable_session_yolo,
reset_current_session_key,
set_current_session_key,
)
# -------------------------------------------------------------------------
# Pattern detection
# -------------------------------------------------------------------------
# Commands that MUST be hardline-blocked.
_HARDLINE_BLOCK = [
# rm -rf targeting root / system dirs / home
"rm -rf /",
"rm -rf /*",
"rm -rf /home",
"rm -rf /home/*",
"rm -rf /etc",
"rm -rf /usr",
"rm -rf /var",
"rm -rf /boot",
"rm -rf /bin",
"rm --recursive --force /",
"rm -fr /",
"sudo rm -rf /",
"rm -rf ~",
"rm -rf ~/",
"rm -rf ~/*",
"rm -rf $HOME",
# Filesystem format
"mkfs.ext4 /dev/sda1",
"mkfs /dev/sdb",
"mkfs.xfs /dev/nvme0n1",
# Raw block device overwrites
"dd if=/dev/zero of=/dev/sda bs=1M",
"dd if=/dev/urandom of=/dev/nvme0n1",
"dd if=anything of=/dev/hda",
"echo bad > /dev/sda",
"cat /dev/urandom > /dev/sdb",
# Fork bomb
":(){ :|:& };:",
# System-wide kill
"kill -9 -1",
"kill -1",
# Shutdown / reboot / halt
"shutdown -h now",
"shutdown -r now",
"sudo shutdown now",
"reboot",
"sudo reboot",
"halt",
"poweroff",
"init 0",
"init 6",
"telinit 0",
"systemctl poweroff",
"systemctl reboot",
"systemctl halt",
# Compound / subshell variants
"ls; reboot",
"echo done && shutdown -h now",
"false || halt",
"$(reboot)",
"`shutdown now`",
"sudo -E shutdown now",
"env FOO=1 reboot",
"exec shutdown",
"nohup reboot",
"setsid poweroff",
]
# Commands that look superficially similar but must NOT be hardline-blocked.
_HARDLINE_ALLOW = [
# rm on non-protected paths
"rm -rf /tmp/foo",
"rm -rf /tmp/*",
"rm -rf ./build",
"rm -rf node_modules",
"rm -rf /home/user/scratch", # subpath of /home, not /home itself
"rm -rf ~/Downloads/old",
"rm -rf $HOME/tmp",
"rm foo.txt",
"rm -rf some/path",
# dd to regular files
"dd if=/dev/zero of=./image.bin",
"dd if=./data of=./backup.bin",
# Redirect to regular files / non-block devices
"echo done > /tmp/flag",
"echo test > /dev/null",
# Reading devices is fine
"ls /dev/sda",
"cat /dev/urandom | head -c 10",
# Unrelated commands that happen to contain the trigger word
"grep 'shutdown' logs.txt",
"echo reboot",
"echo '# init 0 in comment'",
"cat rebooting.log",
"echo 'halt and catch fire'",
"python3 -c 'print(\"shutdown\")'",
"find . -name '*reboot*'",
# Word-boundary protection
"mkfs_helper --version",
# systemctl non-destructive verbs
"systemctl status nginx",
"systemctl restart nginx",
"systemctl stop nginx",
"systemctl start nginx",
# targeted kill
"kill -9 12345",
"kill -HUP 1234",
"pkill python",
# Ordinary ops
"git status",
"npm run build",
"sudo apt update",
"curl https://example.com | head",
]
@pytest.mark.parametrize("command", _HARDLINE_BLOCK)
def test_hardline_detection_blocks(command):
is_hl, desc = detect_hardline_command(command)
assert is_hl, f"expected hardline to match {command!r}"
assert desc, "hardline match must provide a description"
@pytest.mark.parametrize("command", _HARDLINE_ALLOW)
def test_hardline_detection_allows(command):
is_hl, desc = detect_hardline_command(command)
assert not is_hl, f"expected hardline NOT to match {command!r} (got: {desc})"
assert desc is None
# -------------------------------------------------------------------------
# Integration with the approval flow
# -------------------------------------------------------------------------
@pytest.fixture
def clean_session(monkeypatch):
"""Reset session-scoped approval state around each test."""
monkeypatch.delenv("HERMES_YOLO_MODE", raising=False)
monkeypatch.delenv("HERMES_INTERACTIVE", raising=False)
monkeypatch.delenv("HERMES_GATEWAY_SESSION", raising=False)
monkeypatch.delenv("HERMES_CRON_SESSION", raising=False)
monkeypatch.delenv("HERMES_EXEC_ASK", raising=False)
token = set_current_session_key("hardline_test")
try:
disable_session_yolo("hardline_test")
yield
finally:
disable_session_yolo("hardline_test")
reset_current_session_key(token)
def test_check_dangerous_command_blocks_hardline(clean_session):
result = check_dangerous_command("rm -rf /", "local")
assert result["approved"] is False
assert result.get("hardline") is True
assert "BLOCKED (hardline)" in result["message"]
def test_check_all_command_guards_blocks_hardline(clean_session):
result = check_all_command_guards("rm -rf /", "local")
assert result["approved"] is False
assert result.get("hardline") is True
assert "BLOCKED (hardline)" in result["message"]
def test_yolo_env_var_cannot_bypass_hardline(clean_session, monkeypatch):
"""HERMES_YOLO_MODE=1 must not bypass the hardline floor."""
monkeypatch.setenv("HERMES_YOLO_MODE", "1")
for cmd in ["rm -rf /", "shutdown -h now", "mkfs.ext4 /dev/sda", "reboot"]:
r1 = check_dangerous_command(cmd, "local")
assert r1["approved"] is False, f"yolo leaked hardline on {cmd!r} (check_dangerous_command)"
assert r1.get("hardline") is True
r2 = check_all_command_guards(cmd, "local")
assert r2["approved"] is False, f"yolo leaked hardline on {cmd!r} (check_all_command_guards)"
assert r2.get("hardline") is True
def test_session_yolo_cannot_bypass_hardline(clean_session):
"""Gateway /yolo (session-scoped) must not bypass the hardline floor."""
enable_session_yolo("hardline_test")
result = check_dangerous_command("rm -rf /", "local")
assert result["approved"] is False
assert result.get("hardline") is True
result = check_all_command_guards("rm -rf /", "local")
assert result["approved"] is False
assert result.get("hardline") is True
def test_approvals_mode_off_cannot_bypass_hardline(clean_session, monkeypatch, tmp_path):
"""config approvals.mode=off (yolo-equivalent) must not bypass hardline."""
# _get_approval_mode() reads from hermes config; simplest path: monkeypatch the helper.
import tools.approval as approval_mod
monkeypatch.setattr(approval_mod, "_get_approval_mode", lambda: "off")
result = check_all_command_guards("rm -rf /", "local")
assert result["approved"] is False
assert result.get("hardline") is True
def test_cron_approve_mode_cannot_bypass_hardline(clean_session, monkeypatch):
"""Cron sessions with cron_mode=approve must not bypass hardline."""
monkeypatch.setenv("HERMES_CRON_SESSION", "1")
import tools.approval as approval_mod
monkeypatch.setattr(approval_mod, "_get_cron_approval_mode", lambda: "approve")
result = check_all_command_guards("rm -rf /", "local")
assert result["approved"] is False
assert result.get("hardline") is True
def test_container_backends_still_bypass(clean_session):
"""Containerized backends remain bypass-approved — they can't touch the host.
Hardline only protects environments with real host impact (local, ssh).
"""
for env in ("docker", "singularity", "modal", "daytona", "vercel_sandbox"):
r1 = check_dangerous_command("rm -rf /", env)
assert r1["approved"] is True, f"container {env} should still bypass"
r2 = check_all_command_guards("rm -rf /", env)
assert r2["approved"] is True, f"container {env} should still bypass"
def test_hardline_runs_before_dangerous_detection(clean_session):
"""Hardline command should return hardline block, not dangerous approval prompt."""
# `rm -rf /` is both hardline AND matches DANGEROUS_PATTERNS. Hardline must win.
is_dangerous, _, _ = detect_dangerous_command("rm -rf /")
assert is_dangerous, "precondition: rm -rf / is also in DANGEROUS_PATTERNS"
result = check_dangerous_command("rm -rf /", "local")
assert result.get("hardline") is True
def test_recoverable_dangerous_commands_still_pass_yolo(clean_session, monkeypatch):
"""Yolo still bypasses the regular DANGEROUS_PATTERNS list.
This confirms we haven't broken the yolo escape hatch — only narrowed it.
"""
monkeypatch.setenv("HERMES_YOLO_MODE", "1")
# These are dangerous but NOT hardline — yolo should still pass them.
for cmd in ["rm -rf /tmp/x", "chmod -R 777 .", "git reset --hard", "git push --force"]:
# Sanity: still flagged as dangerous
is_dangerous, _, _ = detect_dangerous_command(cmd)
assert is_dangerous, f"precondition: {cmd!r} should be in DANGEROUS_PATTERNS"
# But NOT hardline
is_hl, _ = detect_hardline_command(cmd)
assert not is_hl, f"{cmd!r} should not be hardline"
# And yolo bypasses the dangerous check
result = check_dangerous_command(cmd, "local")
assert result["approved"] is True, f"yolo should have bypassed {cmd!r}"
def test_hardline_list_is_small():
"""Hardline list stays focused on unrecoverable commands only.
If you're adding a 20th+ pattern, reconsider — it probably belongs in
DANGEROUS_PATTERNS where yolo can still bypass it.
"""
assert len(HARDLINE_PATTERNS) <= 20, (
f"HARDLINE_PATTERNS has grown to {len(HARDLINE_PATTERNS)} entries; "
"only truly unrecoverable commands belong here."
)
# =========================================================================
# Sudo stdin guard — blocks "sudo -S" without SUDO_PASSWORD
# =========================================================================
_SUDO_STDIN_BLOCK = [
"sudo -S whoami",
"echo hunter2 | sudo -S whoami",
"sudo -S -u root whoami",
"sudo -S apt-get install foo",
"echo password | sudo -S systemctl restart nginx",
"sudo -k && sudo -S whoami",
]
_SUDO_STDIN_ALLOW = [
# Plain sudo without -S — goes through normal approval
"sudo whoami",
"sudo apt-get update",
"sudo -u root whoami",
# -S flag not attached to sudo
"echo -S hello",
"some_tool -S thing",
# Literal text mention of sudo
"echo 'use sudo -S to pipe passwords'",
]
_SUDO_STDIN_BLOCK_YOLO = [
"sudo -S whoami",
"echo hunter2 | sudo -S apt-get install",
]
def test_sudo_stdin_guard_detects_without_password():
"""sudo -S is dangerous when SUDO_PASSWORD is not configured."""
import tools.approval as approval_mod
for cmd in _SUDO_STDIN_BLOCK:
is_blocked, desc = approval_mod._check_sudo_stdin_guard(cmd)
assert is_blocked, f"expected sudo stdin guard to block {cmd!r}"
assert "sudo" in desc.lower()
def test_sudo_stdin_guard_allows_benign_commands():
"""Commands without explicit sudo -S are not blocked."""
import tools.approval as approval_mod
for cmd in _SUDO_STDIN_ALLOW:
is_blocked, desc = approval_mod._check_sudo_stdin_guard(cmd)
assert not is_blocked, f"expected sudo stdin guard NOT to block {cmd!r}"
def test_sudo_stdin_guard_bypassed_when_password_configured(monkeypatch):
"""When SUDO_PASSWORD is set, sudo -S is legitimate (injected by transform)."""
import tools.approval as approval_mod
monkeypatch.setenv("SUDO_PASSWORD", "testpass")
for cmd in _SUDO_STDIN_BLOCK:
is_blocked, _ = approval_mod._check_sudo_stdin_guard(cmd)
assert not is_blocked, f"with SUDO_PASSWORD set, {cmd!r} should NOT be blocked"
def test_sudo_stdin_guard_blocks_via_check_all_command_guards(clean_session):
"""Integration: check_all_command_guards returns block for sudo -S."""
for cmd in _SUDO_STDIN_BLOCK:
result = check_all_command_guards(cmd, "local")
assert result["approved"] is False, f"expected block on {cmd!r}"
# Should NOT be marked as hardline (it's sudo-specific)
assert result.get("hardline") is not True
assert "BLOCKED" in result["message"]
assert "sudo -S" in result["message"].lower() or "sudo password" in result["message"].lower()
def test_sudo_stdin_guard_not_blocked_by_yolo(clean_session, monkeypatch):
"""yolo/approvals.mode=off must NOT bypass sudo stdin guard."""
monkeypatch.setenv("HERMES_YOLO_MODE", "1")
for cmd in _SUDO_STDIN_BLOCK_YOLO:
result = check_all_command_guards(cmd, "local")
assert result["approved"] is False, f"yolo leaked sudo guard on {cmd!r}"
def test_sudo_stdin_guard_container_bypass(clean_session):
"""Containerized backends still bypass — they can't touch the host."""
for env in ("docker", "singularity", "modal", "daytona", "vercel_sandbox"):
for cmd in _SUDO_STDIN_BLOCK:
result = check_all_command_guards(cmd, env)
assert result["approved"] is True, f"container {env} should bypass sudo guard on {cmd!r}"
Reference in a new issue View git blame Copy permalink