fix(file_tools): block agent writes to ~/.hermes/config.yaml to prevent silent approval bypass

This commit is contained in:
sbw2025
2026-04-24 00:34:34 +08:00
committed by Teknium
parent 023149f665
commit 8f2931e3ee
2 changed files with 95 additions and 0 deletions


@ -238,6 +238,26 @@ _SENSITIVE_PATH_PREFIXES = (
)
_SENSITIVE_EXACT_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}
_hermes_config_resolved: str | None = None
_hermes_config_resolved_loaded = False
def _get_hermes_config_resolved() -> str | None:
"""Return the resolved absolute path of the Hermes config file (cached)."""
global _hermes_config_resolved, _hermes_config_resolved_loaded
if _hermes_config_resolved_loaded:
return _hermes_config_resolved
_hermes_config_resolved_loaded = True
try:
from hermes_cli.config import get_config_path
_hermes_config_resolved = str(get_config_path().resolve())
except Exception:
try:
_hermes_config_resolved = str(Path("~/.hermes/config.yaml").expanduser().resolve())
except Exception:
_hermes_config_resolved = None
return _hermes_config_resolved
def _check_sensitive_path(filepath: str, task_id: str = "default") -> str | None:
"""Return an error message if the path targets a sensitive system location."""
@ -255,6 +275,17 @@ def _check_sensitive_path(filepath: str, task_id: str = "default") -> str | None
return _err
if resolved in _SENSITIVE_EXACT_PATHS or normalized in _SENSITIVE_EXACT_PATHS:
return _err
# Prevent agents from modifying the Hermes config file directly.
# approvals.mode and other security settings live here; a malicious or
# prompt-injected agent could silently disable exec approval by writing to
# this file.
hermes_config = _get_hermes_config_resolved()
if hermes_config and (resolved == hermes_config or normalized == hermes_config):
return (
f"Refusing to write to Hermes config file: {filepath}\n"
"Agent cannot modify security-sensitive configuration. "
"Edit ~/.hermes/config.yaml directly or use 'hermes config' instead."
)
return None
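Review bot: `_get_hermes_config_resolved` (first hunk) fails open: `_hermes_config_resolved_loaded = True` is set before the `try`, so if both resolution attempts raise on the first call the function caches `None` for the life of the process and the new config-file guard in `_check_sensitive_path` is silently skipped on every subsequent write, with nothing logged. Setting the loaded flag only once a path was actually obtained, and logging the failure, keeps a transient error from permanently disabling the check, e.g. `except Exception as exc:` / `_hermes_config_resolved_loaded = False` / `logger.warning("Hermes config path unresolved; config write guard inactive: %s", exc)` (assuming the module has a `logger`; otherwise use `logging.getLogger(__name__)`). A smaller point in the second hunk: the refusal message hard-codes `~/.hermes/config.yaml` while the comparison uses `get_config_path()`, so when the config lives elsewhere the hint names the wrong file; interpolating `{hermes_config}` into that line keeps them consistent. The body of `_check_sensitive_path` between its signature and the second hunk is outside this view, so whether `resolved` and `normalized` are computed the same way as for `_SENSITIVE_EXACT_PATHS` is inferred, not verified.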