mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-05-29 06:31:32 +00:00
5f20322d23
text_to_speech_tool accepts an explicit output_path. Without a traversal guard, a path containing '..' components (whether prompt-injection- controlled, from a confused skill, or just a buggy caller) could escape its declared base and write the audio to a system location — e.g. `output_path='audio/../../etc/cron.d/x'` lands the file outside the intended audio cache. Reject '..' components in the user-supplied path. Explicit absolute paths are unchanged (the agent legitimately writes audio wherever the user/caller asks); only traversal-style escapes are blocked. The terminal tool can still write anywhere with approval — this just keeps the unattended TTS surface from materializing files via traversal. Regression tests cover: '..' in the middle (audio/../../etc/...), bare '..' prefix, and the negative cases (absolute paths + relative paths without '..' both pass through unchanged). Salvaged from PR #6693 by @aaronlab. The original PR confined output to DEFAULT_OUTPUT_DIR-or-cwd, which broke 9 existing tests that legitimately write to tmp_path locations. The traversal-only check covers the actual threat (path-escape via '..' from prompt injection) without restricting where users can choose to write their audio. The remaining pieces of #6693 (skill_commands rglob symlink rejection, delegate_tool batch prefix display) are dropped: - skill_commands rglob: breaks the documented design supporting ~/.hermes/skills/<name> as a symlink to a checked-out skill elsewhere (see comment at agent/skill_commands.py:73-75) - delegate_tool batch prefix: pure UX, doesn't belong in a security PR Co-authored-by: teknium1 <127238744+teknium1@users.noreply.github.com>
60 lines
2.1 KiB
Python
60 lines
2.1 KiB
Python
"""Regression: text_to_speech_tool output_path must reject '..' traversal.
|
|
|
|
The TTS surface accepts agent/user-supplied absolute paths (writing to a
|
|
chosen file is the whole point). What it must reject is paths that use
|
|
``..`` components to escape their declared base — those are almost
|
|
always either a bug or prompt-injection-controlled
|
|
(e.g. ``output_path="audio/../../etc/cron.d/x"``).
|
|
"""
|
|
|
|
import json
|
|
|
|
from tools.tts_tool import text_to_speech_tool
|
|
|
|
|
|
def test_output_path_rejects_traversal_escape():
|
|
"""A path with '..' components must be rejected before any provider work."""
|
|
result = json.loads(text_to_speech_tool(
|
|
text="hello",
|
|
output_path="audio/../../etc/cron.d/malicious",
|
|
))
|
|
assert result["success"] is False
|
|
assert "traversal" in result["error"].lower()
|
|
|
|
|
|
def test_output_path_rejects_bare_dotdot():
|
|
"""Bare '..' prefix must be rejected."""
|
|
result = json.loads(text_to_speech_tool(
|
|
text="hello",
|
|
output_path="../escape.mp3",
|
|
))
|
|
assert result["success"] is False
|
|
assert "traversal" in result["error"].lower()
|
|
|
|
|
|
def test_output_path_absolute_path_passes_guard(tmp_path, monkeypatch):
|
|
"""Explicit absolute paths must pass the traversal guard.
|
|
|
|
The agent legitimately writes audio to user-specified absolute paths;
|
|
only ``..`` components are rejected. Any subsequent failure (no
|
|
provider configured, etc.) is fine — the assertion is specifically
|
|
that the 'traversal' rejection didn't fire.
|
|
"""
|
|
inside = tmp_path / "clip.mp3"
|
|
result = json.loads(text_to_speech_tool(
|
|
text="hello",
|
|
output_path=str(inside),
|
|
))
|
|
error = result.get("error", "")
|
|
assert "traversal" not in error.lower()
|
|
|
|
|
|
def test_output_path_relative_no_dotdot_passes_guard(tmp_path, monkeypatch):
|
|
"""Relative paths without '..' components must pass the guard."""
|
|
monkeypatch.chdir(tmp_path)
|
|
result = json.loads(text_to_speech_tool(
|
|
text="hello",
|
|
output_path="subdir/clip.mp3",
|
|
))
|
|
error = result.get("error", "")
|
|
assert "traversal" not in error.lower()
|