security: harden dangerous command detection and add file tool path guards#3872
Merged
…uards

Closes gaps that allowed an agent to expose Docker's Remote API to the internet by writing to /etc/docker/daemon.json.

Terminal tool (approval.py):
- chmod: now catches 666 and symbolic modes (o+w, a+w), not just 777
- cp/mv/install: detected when targeting /etc/
- sed -i/--in-place: detected when targeting /etc/

File tools (file_tools.py):
- write_file and patch now refuse to write to sensitive system paths (/etc/, /boot/, /usr/lib/systemd/, docker.sock)
- Directs users to the terminal tool (which has approval prompts) for system file modifications
itsXactlY pushed a commit to itsXactlY/hermes-agent that referenced this pull request Mar 30, 2026

…uards (NousResearch#3872)

Closes gaps that allowed an agent to expose Docker's Remote API to the internet by writing to /etc/docker/daemon.json.

Terminal tool (approval.py):
- chmod: now catches 666 and symbolic modes (o+w, a+w), not just 777
- cp/mv/install: detected when targeting /etc/
- sed -i/--in-place: detected when targeting /etc/

File tools (file_tools.py):
- write_file and patch now refuse to write to sensitive system paths (/etc/, /boot/, /usr/lib/systemd/, docker.sock)
- Directs users to the terminal tool (which has approval prompts) for system file modifications
Summary

Hardens dangerous command detection and adds file tool path guards. Closes gaps found in a security report where an agent exposed Docker's Remote API to the internet by writing `tcp://0.0.0.0:2375` to `/etc/docker/daemon.json`.

What was vulnerable

- `chmod 666 /var/run/docker.sock`
- `chmod o+rw /var/run/docker.sock`
- `chmod a+w <any file>`
- `sudo cp daemon.json /etc/docker/daemon.json`
- `sudo mv /tmp/daemon.json /etc/docker/`
- `sudo sed -i 's/.../.../' /etc/docker/daemon.json`
- `sudo install -m 644 file /etc/docker/`
- `write_file(path="/etc/docker/daemon.json", ...)`
- `patch(path="/etc/docker/daemon.json", ...)`

Already caught (no change needed): `> /etc/...`, `tee /etc/...`, `cat > /etc/...`, `chmod 777`

Changes

tools/approval.py:
- `chmod` pattern widened: now catches `666`, `o+w`, `o+rw`, `a+w`, `a+rw` (symbolic and numeric)
- `cp`/`mv`/`install` targeting `/etc/`, `sed -i`/`--in-place` targeting `/etc/`

tools/file_tools.py:
- `write_file` and `patch` tools now check paths against sensitive prefixes (`/etc/`, `/boot/`, `/usr/lib/systemd/`) and exact paths (`/run/docker.sock`, `/var/run/docker.sock`) before writing

Tests
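A sketch of the file tool path guard described under Changes, added here as an example and not the project's own code. The prefixes and exact paths are the ones the description lists; the function name, the refusal message and the normalization step (resolving `..` and symlinks before matching, so an indirect path to a protected file is still refused) are assumptions.

```python
import os

# Prefixes and exact paths as listed in the PR description.
SENSITIVE_PREFIXES = ("/etc/", "/boot/", "/usr/lib/systemd/")
SENSITIVE_EXACT = ("/run/docker.sock", "/var/run/docker.sock")


def _forms(path):
    """Lexically normalized and symlink-resolved absolute forms of a path."""
    expanded = os.path.expanduser(path)
    return {os.path.normpath(os.path.abspath(expanded)), os.path.realpath(expanded)}


def sensitive_write_reason(path):
    """Return a refusal message if `path` is a protected target, else None.

    Hypothetical helper: the name and message are assumptions of this example.
    """
    # Resolve the protected entries too, so a host where /var/run or /etc is
    # itself a symlink still matches after realpath().
    prefixes = {form + "/" for p in SENSITIVE_PREFIXES for form in _forms(p)}
    exact = {form for p in SENSITIVE_EXACT for form in _forms(p)}
    for candidate in sorted(_forms(path)):
        # Appending "/" keeps "/etcetera/..." from matching the "/etc/" prefix.
        if candidate in exact or any((candidate + "/").startswith(p) for p in prefixes):
            return (f"refusing to write {path!r}: resolves to protected path "
                    f"{candidate!r}; use the terminal tool, which prompts for approval")
    return None


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("/etc/docker/daemon.json", "/tmp/../etc/docker/daemon.json",
                   "/var/run/docker.sock", "/etcetera/app.conf", "/home/user/notes.txt"):
        print(sample, "->", sensitive_write_reason(sample) or "allowed")
```

Checking both the lexical and the resolved form errs toward refusing: a path is blocked if either form lands on a protected entry.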