mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-04-25 00:51:20 +00:00
ba4357d13b
A skill declaring `required_environment_variables: [ANTHROPIC_TOKEN]` in its SKILL.md frontmatter silently bypassed the `execute_code` sandbox's credential-scrubbing guarantee. `register_env_passthrough` had no blocklist, so any name a skill chose flipped `is_env_passthrough(name) => True`, which shortcircuits the sandbox's secret filter. Fix: reject registration when the name appears in `_HERMES_PROVIDER_ENV_BLOCKLIST` (the canonical list of Hermes-managed credentials — provider keys, gateway tokens, etc.). Log a warning naming GHSA-rhgp-j443-p4rf so operators see the rejection in logs. Non-Hermes third-party API keys (TENOR_API_KEY for gif-search, NOTION_TOKEN for notion skills, etc.) remain legitimately registerable — they were never in the sandbox scrub list in the first place. Tests: 16 -> 17 passing. Two old tests that documented the bypass (`test_passthrough_allows_blocklisted_var`, `test_make_run_env_passthrough`) are rewritten to assert the new fail-closed behavior. New `test_non_hermes_api_key_still_registerable` locks in that legitimate third-party keys are unaffected. Reported in GHSA-rhgp-j443-p4rf by @q1uf3ng. Hardening; not CVE-worthy on its own per the decision matrix (attacker must already have operator consent to install a malicious skill).
231 lines
8.9 KiB
Python
231 lines
8.9 KiB
Python
"""Tests for tools.env_passthrough — skill and config env var passthrough."""
|
|
|
|
import os
|
|
import pytest
|
|
import yaml
|
|
|
|
import tools.env_passthrough as _ep_mod
|
|
from tools.env_passthrough import (
|
|
clear_env_passthrough,
|
|
get_all_passthrough,
|
|
is_env_passthrough,
|
|
register_env_passthrough,
|
|
)
|
|
|
|
|
|
@pytest.fixture(autouse=True)
|
|
def _clean_passthrough():
|
|
"""Ensure a clean passthrough state for every test."""
|
|
clear_env_passthrough()
|
|
_ep_mod._config_passthrough = None
|
|
yield
|
|
clear_env_passthrough()
|
|
_ep_mod._config_passthrough = None
|
|
|
|
|
|
class TestSkillScopedPassthrough:
|
|
def test_register_and_check(self):
|
|
assert not is_env_passthrough("TENOR_API_KEY")
|
|
register_env_passthrough(["TENOR_API_KEY"])
|
|
assert is_env_passthrough("TENOR_API_KEY")
|
|
|
|
def test_register_multiple(self):
|
|
register_env_passthrough(["FOO_TOKEN", "BAR_SECRET"])
|
|
assert is_env_passthrough("FOO_TOKEN")
|
|
assert is_env_passthrough("BAR_SECRET")
|
|
assert not is_env_passthrough("OTHER_KEY")
|
|
|
|
def test_clear(self):
|
|
register_env_passthrough(["TENOR_API_KEY"])
|
|
assert is_env_passthrough("TENOR_API_KEY")
|
|
clear_env_passthrough()
|
|
assert not is_env_passthrough("TENOR_API_KEY")
|
|
|
|
def test_get_all(self):
|
|
register_env_passthrough(["A_KEY", "B_TOKEN"])
|
|
result = get_all_passthrough()
|
|
assert "A_KEY" in result
|
|
assert "B_TOKEN" in result
|
|
|
|
def test_strips_whitespace(self):
|
|
register_env_passthrough([" SPACED_KEY "])
|
|
assert is_env_passthrough("SPACED_KEY")
|
|
|
|
def test_skips_empty(self):
|
|
register_env_passthrough(["", " ", "VALID_KEY"])
|
|
assert is_env_passthrough("VALID_KEY")
|
|
assert not is_env_passthrough("")
|
|
|
|
|
|
class TestConfigPassthrough:
|
|
def test_reads_from_config(self, tmp_path, monkeypatch):
|
|
config = {"terminal": {"env_passthrough": ["MY_CUSTOM_KEY", "ANOTHER_TOKEN"]}}
|
|
config_path = tmp_path / "config.yaml"
|
|
config_path.write_text(yaml.dump(config))
|
|
monkeypatch.setenv("HERMES_HOME", str(tmp_path))
|
|
_ep_mod._config_passthrough = None
|
|
|
|
assert is_env_passthrough("MY_CUSTOM_KEY")
|
|
assert is_env_passthrough("ANOTHER_TOKEN")
|
|
assert not is_env_passthrough("UNRELATED_VAR")
|
|
|
|
def test_empty_config(self, tmp_path, monkeypatch):
|
|
config = {"terminal": {"env_passthrough": []}}
|
|
config_path = tmp_path / "config.yaml"
|
|
config_path.write_text(yaml.dump(config))
|
|
monkeypatch.setenv("HERMES_HOME", str(tmp_path))
|
|
_ep_mod._config_passthrough = None
|
|
|
|
assert not is_env_passthrough("ANYTHING")
|
|
|
|
def test_missing_config_key(self, tmp_path, monkeypatch):
|
|
config = {"terminal": {"backend": "local"}}
|
|
config_path = tmp_path / "config.yaml"
|
|
config_path.write_text(yaml.dump(config))
|
|
monkeypatch.setenv("HERMES_HOME", str(tmp_path))
|
|
_ep_mod._config_passthrough = None
|
|
|
|
assert not is_env_passthrough("ANYTHING")
|
|
|
|
def test_no_config_file(self, tmp_path, monkeypatch):
|
|
monkeypatch.setenv("HERMES_HOME", str(tmp_path))
|
|
_ep_mod._config_passthrough = None
|
|
|
|
assert not is_env_passthrough("ANYTHING")
|
|
|
|
def test_union_of_skill_and_config(self, tmp_path, monkeypatch):
|
|
config = {"terminal": {"env_passthrough": ["CONFIG_KEY"]}}
|
|
config_path = tmp_path / "config.yaml"
|
|
config_path.write_text(yaml.dump(config))
|
|
monkeypatch.setenv("HERMES_HOME", str(tmp_path))
|
|
_ep_mod._config_passthrough = None
|
|
|
|
register_env_passthrough(["SKILL_KEY"])
|
|
all_pt = get_all_passthrough()
|
|
assert "CONFIG_KEY" in all_pt
|
|
assert "SKILL_KEY" in all_pt
|
|
|
|
|
|
class TestExecuteCodeIntegration:
|
|
"""Verify that the passthrough is checked in execute_code's env filtering."""
|
|
|
|
def test_secret_substring_blocked_by_default(self):
|
|
"""TENOR_API_KEY should be blocked without passthrough."""
|
|
_SAFE_ENV_PREFIXES = ("PATH", "HOME", "USER", "LANG", "LC_", "TERM",
|
|
"TMPDIR", "TMP", "TEMP", "SHELL", "LOGNAME",
|
|
"XDG_", "PYTHONPATH", "VIRTUAL_ENV", "CONDA")
|
|
_SECRET_SUBSTRINGS = ("KEY", "TOKEN", "SECRET", "PASSWORD", "CREDENTIAL",
|
|
"PASSWD", "AUTH")
|
|
|
|
test_env = {"PATH": "/usr/bin", "TENOR_API_KEY": "test123", "HOME": "/home/user"}
|
|
child_env = {}
|
|
for k, v in test_env.items():
|
|
if is_env_passthrough(k):
|
|
child_env[k] = v
|
|
continue
|
|
if any(s in k.upper() for s in _SECRET_SUBSTRINGS):
|
|
continue
|
|
if any(k.startswith(p) for p in _SAFE_ENV_PREFIXES):
|
|
child_env[k] = v
|
|
|
|
assert "PATH" in child_env
|
|
assert "HOME" in child_env
|
|
assert "TENOR_API_KEY" not in child_env
|
|
|
|
def test_passthrough_allows_secret_through(self):
|
|
"""TENOR_API_KEY should pass through when registered."""
|
|
_SAFE_ENV_PREFIXES = ("PATH", "HOME", "USER", "LANG", "LC_", "TERM",
|
|
"TMPDIR", "TMP", "TEMP", "SHELL", "LOGNAME",
|
|
"XDG_", "PYTHONPATH", "VIRTUAL_ENV", "CONDA")
|
|
_SECRET_SUBSTRINGS = ("KEY", "TOKEN", "SECRET", "PASSWORD", "CREDENTIAL",
|
|
"PASSWD", "AUTH")
|
|
|
|
register_env_passthrough(["TENOR_API_KEY"])
|
|
|
|
test_env = {"PATH": "/usr/bin", "TENOR_API_KEY": "test123", "HOME": "/home/user"}
|
|
child_env = {}
|
|
for k, v in test_env.items():
|
|
if is_env_passthrough(k):
|
|
child_env[k] = v
|
|
continue
|
|
if any(s in k.upper() for s in _SECRET_SUBSTRINGS):
|
|
continue
|
|
if any(k.startswith(p) for p in _SAFE_ENV_PREFIXES):
|
|
child_env[k] = v
|
|
|
|
assert "PATH" in child_env
|
|
assert "HOME" in child_env
|
|
assert "TENOR_API_KEY" in child_env
|
|
assert child_env["TENOR_API_KEY"] == "test123"
|
|
|
|
|
|
class TestTerminalIntegration:
|
|
"""Verify that the passthrough is checked in terminal's env sanitizers."""
|
|
|
|
def test_blocklisted_var_blocked_by_default(self):
|
|
from tools.environments.local import _sanitize_subprocess_env, _HERMES_PROVIDER_ENV_BLOCKLIST
|
|
|
|
# Pick a var we know is in the blocklist
|
|
blocked_var = next(iter(_HERMES_PROVIDER_ENV_BLOCKLIST))
|
|
env = {blocked_var: "secret_value", "PATH": "/usr/bin"}
|
|
result = _sanitize_subprocess_env(env)
|
|
assert blocked_var not in result
|
|
assert "PATH" in result
|
|
|
|
def test_passthrough_cannot_override_provider_blocklist(self):
|
|
"""GHSA-rhgp-j443-p4rf: register_env_passthrough must NOT accept
|
|
Hermes provider credentials — that was the bypass where a skill
|
|
could declare ANTHROPIC_TOKEN / OPENAI_API_KEY as passthrough and
|
|
defeat the execute_code sandbox scrubbing."""
|
|
from tools.environments.local import (
|
|
_sanitize_subprocess_env,
|
|
_HERMES_PROVIDER_ENV_BLOCKLIST,
|
|
)
|
|
|
|
blocked_var = next(iter(_HERMES_PROVIDER_ENV_BLOCKLIST))
|
|
# Attempt to register — must be silently refused (logged warning).
|
|
register_env_passthrough([blocked_var])
|
|
|
|
# is_env_passthrough must NOT report it as allowed
|
|
assert not is_env_passthrough(blocked_var)
|
|
|
|
# Sanitizer still strips the var from subprocess env
|
|
env = {blocked_var: "secret_value", "PATH": "/usr/bin"}
|
|
result = _sanitize_subprocess_env(env)
|
|
assert blocked_var not in result
|
|
assert "PATH" in result
|
|
|
|
def test_make_run_env_blocklist_override_rejected(self):
|
|
"""_make_run_env must NOT expose a blocklisted var to subprocess env
|
|
even after a skill attempts to register it via passthrough."""
|
|
import os
|
|
from tools.environments.local import (
|
|
_make_run_env,
|
|
_HERMES_PROVIDER_ENV_BLOCKLIST,
|
|
)
|
|
|
|
blocked_var = next(iter(_HERMES_PROVIDER_ENV_BLOCKLIST))
|
|
os.environ[blocked_var] = "secret_value"
|
|
try:
|
|
# Without passthrough — blocked
|
|
result_before = _make_run_env({})
|
|
assert blocked_var not in result_before
|
|
|
|
# Skill tries to register it — must be refused, so still blocked
|
|
register_env_passthrough([blocked_var])
|
|
result_after = _make_run_env({})
|
|
assert blocked_var not in result_after
|
|
finally:
|
|
os.environ.pop(blocked_var, None)
|
|
|
|
def test_non_hermes_api_key_still_registerable(self):
|
|
"""Third-party API keys (TENOR_API_KEY, NOTION_TOKEN, etc.) are NOT
|
|
Hermes provider credentials and must still pass through — skills
|
|
that legitimately wrap third-party APIs must keep working."""
|
|
# TENOR_API_KEY is a real example — used by the gif-search skill
|
|
register_env_passthrough(["TENOR_API_KEY"])
|
|
assert is_env_passthrough("TENOR_API_KEY")
|
|
|
|
# Arbitrary skill-specific var
|
|
register_env_passthrough(["MY_SKILL_CUSTOM_CONFIG"])
|
|
assert is_env_passthrough("MY_SKILL_CUSTOM_CONFIG")
|