openclaw/hermes-agent
1
0
Fork 0
Code Issues Pull Requests Actions 9 Packages Projects Releases Wiki Activity
Files
ac76bbe21f8a61445583d11e0bd2087fdb03f2e9
hermes-agent/tests/test_packaging_metadata.py
Teknium 0437137fff security: pin patched Starlette (>=1.0.1) for CVE-2026-48710 BadHost (#35118) 
Starlette < 1.0.1 is affected by CVE-2026-48710 ("BadHost", CWE-444).
The HTTP Host header was not validated before being used to rebuild
`request.url`, so a malformed Host could make `request.url.path` desync
from the raw ASGI path the router actually dispatched. Middleware and
endpoints that apply path-based authorization off `request.url` (rather
than `scope["path"]`) can therefore be bypassed.

Hermes pulls Starlette transitively, never directly:
  - [web]          -> fastapi==0.133.1  (starlette>=0.40.0, no upper bound)
  - [mcp]          -> mcp==1.26.0 + sse-starlette (starlette>=0.27 / >=0.49.1)
  - [computer-use] -> mcp==1.26.0
  - [dev]          -> mcp==1.26.0

A fresh resolve landed starlette 0.52.1 — vulnerable. With no upper
bound on the transitive specs, pip/uv could resolve any pre-1.0.1
release on a fresh install.

Fix: pin starlette==1.0.1 directly in every extra that exposes a
Starlette-backed server surface, regenerate uv.lock (only starlette
moves: 0.52.1 -> 1.0.1, hash-verified), and mirror the pin in the
lazy-install map (tools/lazy_deps.py `tool.dashboard`) so `hermes`
on-demand dashboard installs can't re-resolve a vulnerable version.

1.0.1 is the advisory's named fix floor and the oldest patched release
(more bake time than 1.1.0/1.2.0, which are days old); it satisfies
every carrier constraint and our requires-python>=3.11.

Scope note: this is a dependency-level fix complementing the
application-layer Host-header validator added in #34162
(`hermes_cli/web_server.py` `_is_accepted_host`). Defense in depth at
both the framework and app layers.

Guards: two invariant tests in tests/test_packaging_metadata.py assert
every server-surface extra pins starlette and that pyproject + uv.lock
both resolve >= the 1.0.1 CVE floor — a dropped pin or stale lock fails
in CI instead of shipping the bypass.

Closes #35067
2026-05-29 23:23:54 -07:00

203 lines
8.8 KiB
Python
Raw Blame History

from pathlib import Path
import tomllib
import pytest
# setuptools is declared in the [dev] extra and is the build backend, but
# guard the import so a runner without it skips these packaging checks
# instead of erroring out collection for the whole shard (it used to be
# picked up ambiently from the CI image; newer ubuntu-latest images don't
# ship it in the test venv).
find_packages = pytest.importorskip("setuptools", exc_type=ImportError).find_packages
REPO_ROOT = Path(__file__).resolve().parents[1]
def _packages_find_include():
data = tomllib.loads((REPO_ROOT / "pyproject.toml").read_text(encoding="utf-8"))
return data["tool"]["setuptools"]["packages"]["find"]["include"]
def test_every_on_disk_subpackage_is_covered_by_packages_find():
"""Regression test for #34701 (and the bug class behind #34034 / #28149).
``[tool.setuptools.packages.find]`` ``include`` is hand-maintained. Every
top-level package is listed twice — bare (``hermes_cli``) for the package
itself and ``hermes_cli.*`` for its subpackages — EXCEPT when someone
forgets the wildcard. v0.15.x listed ``hermes_cli`` without ``hermes_cli.*``,
so the wheel shipped ``hermes_cli/*.py`` but dropped the ``dashboard_auth``
and ``proxy`` subpackages. The dashboard then died on every install with
``ModuleNotFoundError: No module named 'hermes_cli.dashboard_auth'``.
This drives setuptools' own discovery against the live tree: every package
that exists on disk and would be found by a permissive ``<name>.*`` scan
must also be found by the actual ``include`` list. A subpackage added under
any listed package without the matching wildcard fails here instead of in a
user's container.
"""
include = _packages_find_include()
# What the real include list actually selects.
selected = set(find_packages(where=str(REPO_ROOT), include=include))
# Top-level packages we ship (bare names in the include list, no wildcard).
top_level = sorted({name for name in include if "." not in name})
# For each shipped top-level package, every on-disk subpackage must be
# covered by the include list.
expected = set(
find_packages(
where=str(REPO_ROOT),
include=[pattern for name in top_level for pattern in (name, f"{name}.*")],
)
)
missing = sorted(expected - selected)
assert not missing, (
"These packages exist on disk but are dropped from the wheel because "
"[tool.setuptools.packages.find] include is missing a wildcard. Add the "
f"matching '<name>.*' entry in pyproject.toml: {missing}"
)
def test_faster_whisper_is_not_a_base_dependency():
data = tomllib.loads((REPO_ROOT / "pyproject.toml").read_text(encoding="utf-8"))
deps = data["project"]["dependencies"]
assert not any(dep.startswith("faster-whisper") for dep in deps)
voice_extra = data["project"]["optional-dependencies"]["voice"]
assert any(dep.startswith("faster-whisper") for dep in voice_extra)
def test_manifest_includes_bundled_skills():
manifest = (REPO_ROOT / "MANIFEST.in").read_text(encoding="utf-8")
assert "graft skills" in manifest
assert "graft optional-skills" in manifest
def test_bundled_plugin_manifests_ship_in_both_wheel_and_sdist():
"""Regression test for #34034 / #28149.
Plugin discovery (hermes_cli/plugins.py) registers each bundled plugin by
reading its ``plugin.yaml`` / ``plugin.yml`` manifest. Those manifests are
data files, not Python modules, so they only reach installed packages when
declared explicitly:
- wheel -> ``[tool.setuptools.package-data]`` ``plugins`` glob
- sdist -> ``MANIFEST.in`` (Homebrew and other downstream packagers build
from the sdist)
v0.15.0 declared neither, so the wheel shipped every adapter's Python code
but none of its manifests, and *every* gateway platform failed with
"No adapter available for <platform>". Both channels must cover manifests.
"""
# There must actually be manifests on disk for the globs to match.
on_disk = list((REPO_ROOT / "plugins").rglob("plugin.yaml")) + list(
(REPO_ROOT / "plugins").rglob("plugin.yml")
)
assert on_disk, "expected bundled plugin manifests under plugins/"
# Wheel channel: package-data must declare a glob that matches plugin
# manifests anywhere under the plugins package.
data = tomllib.loads((REPO_ROOT / "pyproject.toml").read_text(encoding="utf-8"))
plugins_pkg_data = data["tool"]["setuptools"]["package-data"].get("plugins", [])
assert any(
g.endswith("plugin.yaml") or g.endswith("plugin.yml")
for g in plugins_pkg_data
), "pyproject package-data 'plugins' must ship plugin.yaml/plugin.yml (wheel)"
# Sdist channel: MANIFEST.in must recursively include the manifests so
# downstream packagers building from the sdist also get them.
manifest = (REPO_ROOT / "MANIFEST.in").read_text(encoding="utf-8")
assert "recursive-include plugins" in manifest and "plugin.yaml" in manifest, (
"MANIFEST.in must recursive-include plugins plugin.yaml/plugin.yml (sdist)"
)
# Minimum non-vulnerable Starlette: CVE-2026-48710 ("BadHost") was fixed in
# 1.0.1. Anything below that lets a malformed Host header desync
# ``request.url.path`` from the dispatched ASGI path, bypassing path-based
# authz in middleware/endpoints that gate on ``request.url``. Starlette is a
# transitive dep (fastapi in [web]; sse-starlette/mcp in [mcp]/[computer-use]/
# [dev]) so we pin it directly in every extra that exposes a server surface and
# enforce the floor in both pyproject and the committed lockfile.
_STARLETTE_CVE_FLOOR = (1, 0, 1)
def _version_tuple(spec: str) -> tuple[int, ...]:
# "1.0.1" -> (1, 0, 1); tolerant of pre/post suffixes by truncating.
head = spec.split("+", 1)[0]
parts = []
for chunk in head.split("."):
digits = "".join(ch for ch in chunk if ch.isdigit())
if not digits:
break
parts.append(int(digits))
return tuple(parts)
def test_starlette_pinned_above_cve_2026_48710_floor_in_pyproject():
"""Every extra that declares Starlette must pin a patched (>=1.0.1) version.
Regression guard for #35067 / CVE-2026-48710. A future edit that drops the
pin (re-exposing the unbounded transitive ``starlette>=0.27`` from mcp /
``>=0.40.0`` from fastapi) or pins a pre-1.0.1 version fails here instead of
shipping a Host-header auth-bypass to dashboard / MCP-HTTP users.
"""
data = tomllib.loads((REPO_ROOT / "pyproject.toml").read_text(encoding="utf-8"))
extras = data["project"]["optional-dependencies"]
found = {}
for extra, specs in extras.items():
for spec in specs:
name = spec.split("==", 1)[0].split(">", 1)[0].split("<", 1)[0].split("[", 1)[0].strip()
if name.lower() == "starlette":
assert "==" in spec, f"[{extra}] must exact-pin starlette, got {spec!r}"
ver = spec.split("==", 1)[1].split(";", 1)[0].strip()
found[extra] = ver
# The four server-surface extras must each carry the direct pin.
for extra in ("web", "mcp", "computer-use", "dev"):
assert extra in found, (
f"[{extra}] no longer pins starlette directly — CVE-2026-48710 "
f"regression risk (mcp/fastapi pull it transitively with no upper bound)"
)
for extra, ver in found.items():
assert _version_tuple(ver) >= _STARLETTE_CVE_FLOOR, (
f"[{extra}] pins starlette=={ver}, below the CVE-2026-48710 fix "
f"floor {'.'.join(map(str, _STARLETTE_CVE_FLOOR))}"
)
def test_locked_starlette_is_not_vulnerable_to_cve_2026_48710():
"""The committed uv.lock must resolve starlette to a patched version.
pyproject pins protect the declared extras, but the lockfile is what
hash-verified installs (``uv sync --locked``) actually pull. Assert the
resolved version is >= the CVE-2026-48710 fix floor so a stale-lock
regression can't ship a vulnerable Starlette to users.
"""
lock = (REPO_ROOT / "uv.lock").read_text(encoding="utf-8")
versions = []
in_starlette = False
for line in lock.splitlines():
if line.startswith("[[package]]"):
in_starlette = False
elif line.strip() == 'name = "starlette"':
in_starlette = True
elif in_starlette and line.startswith("version = "):
versions.append(line.split("=", 1)[1].strip().strip('"'))
in_starlette = False
assert versions, "starlette not found in uv.lock"
for ver in versions:
assert _version_tuple(ver) >= _STARLETTE_CVE_FLOOR, (
f"uv.lock resolves starlette=={ver}, below the CVE-2026-48710 fix "
f"floor {'.'.join(map(str, _STARLETTE_CVE_FLOOR))} — regenerate the "
f"lockfile after bumping the pin"
)
Reference in New Issue View Git Blame Copy Permalink