hermes-bsd/tests
win4r aedf6c7964 security(approval): close 4 pattern gaps found by source-grounded audit
Four gaps in DANGEROUS_PATTERNS found by running 10 targeted tests that
each mapped to a specific pattern in approval.py and checked whether the
documented defense actually held.

1. **Heredoc script injection** — `python3 << 'EOF'` bypasses the
   existing `-e`/`-c` flag pattern. Adds pattern for interpreter + `<<`
   covering python{2,3}, perl, ruby, node.

2. **PID expansion self-termination** — `kill -9 $(pgrep hermes)` is
   opaque to the existing `pkill|killall` + name pattern because command
   substitution is not expanded at detection time. Adds structural
   patterns matching `kill` + `$(pgrep` and backtick variants.

3. **Git destructive operations** — `git reset --hard`, `push --force`,
   `push -f`, `clean -f*`, and `branch -D` were entirely absent.
   Note: `branch -d` also triggers because IGNORECASE is global —
   acceptable since -d is still a delete, just a safe one, and the
   prompt is only a confirmation, not a hard block.

4. **chmod +x then execute** — two-step social engineering where a
   script containing dangerous commands is first written to disk (not
   checked by write_file), then made executable and run as `./script`.
   Pattern catches `chmod +x ... [;&|]+ ./` combos. Does not solve the
   deeper architectural issue (write_file not checking content) — that
   is called out in the PR description as a known limitation.

Tests: 23 new cases across 4 test classes, all in test_approval.py:
  - TestHeredocScriptExecution (7 cases, incl. regressions for -c)
  - TestPgrepKillExpansion (5 cases, incl. safe kill PID negative)
  - TestGitDestructiveOps (8 cases, incl. safe git status/push negatives)
  - TestChmodExecuteCombo (3 cases, incl. safe chmod-only negative)

Full suite: 146 passed, 0 failed.
2026-04-10 05:19:21 -07:00
..
acp fix(acp): declare session load and resume capabilities in initialize response (#6985) 2026-04-10 03:45:36 -07:00
agent fix(auxiliary): skip anthropic in fallback chain when not explicitly configured 2026-04-10 05:19:21 -07:00
cli fix: clean up stale test references to removed attributes 2026-04-10 03:44:43 -07:00
cron feat(cron): support Discord thread_id in deliver targets 2026-04-10 03:20:05 -07:00
e2e test(e2e): remove section separator comments 2026-04-01 15:23:52 -07:00
environments/benchmarks fix(security): consolidated security hardening — SSRF, timing attack, tar traversal, credential leakage (#5944) 2026-04-07 17:28:37 -07:00
fakes
gateway fix: make safe_url_for_log public, add SSRF redirect guards to base.py cache helpers 2026-04-10 05:04:28 -07:00
hermes_cli fix(auth): make 'auth remove' for claude_code prevent re-seeding 2026-04-10 05:19:21 -07:00
honcho_plugin fix(honcho): migration guard for observation mode default change 2026-04-05 12:34:11 -07:00
integration
plugins feat(hindsight): feature parity, setup wizard, and config improvements 2026-04-08 23:54:15 -07:00
run_agent fix: update 6 test files broken by dead code removal 2026-04-10 03:44:43 -07:00
skills fix: update tests for gws migration 2026-04-09 14:28:35 -07:00
tools security(approval): close 4 pattern gaps found by source-grounded audit 2026-04-10 05:19:21 -07:00
__init__.py
conftest.py fix(tests): fix several failing/flaky tests on main (#6777) 2026-04-09 13:17:06 -07:00
run_interrupt_test.py
test_batch_runner_checkpoint.py
test_cli_skin_integration.py fix: CLI/UX batch — ChatConsole errors, curses scroll, skin-aware banner, git state banner (#5974) 2026-04-07 17:59:42 -07:00
test_ctx_halving_fix.py fix(compaction): don't halve context_length on output-cap-too-large errors 2026-04-09 11:27:41 -07:00
test_evidence_store.py
test_hermes_logging.py feat(nix): shared-state permission model for interactive CLI users (#6796) 2026-04-10 03:48:42 +05:30
test_hermes_state.py fix(state): orphan children instead of cascade-deleting in prune/delete (#6513) 2026-04-09 02:41:56 -07:00
test_honcho_client_config.py feat(memory): pluggable memory provider interface with profile isolation, review fixes, and honcho CLI restoration (#4623) 2026-04-02 15:33:51 -07:00
test_mcp_serve.py
test_minisweagent_path.py
test_model_picker_scroll.py fix: CLI/UX batch — ChatConsole errors, curses scroll, skin-aware banner, git state banner (#5974) 2026-04-07 17:59:42 -07:00
test_model_tools.py Add request-scoped plugin lifecycle hooks 2026-04-05 23:31:29 -07:00
test_model_tools_async_bridge.py
test_ollama_num_ctx.py fix: provider/model resolution — salvage 4 PRs + MiniMax aux URL fix (#5983) 2026-04-07 22:23:28 -07:00
test_packaging_metadata.py
test_project_metadata.py fix: exclude matrix from [all] extras — python-olm is upstream-broken (#4615) 2026-04-02 09:21:37 -07:00
test_retry_utils.py feat(agent): add jittered retry backoff 2026-04-08 00:41:36 -07:00
test_sql_injection.py
test_timezone.py fix: remove 115 verified dead code symbols across 46 production files 2026-04-10 03:44:43 -07:00
test_toolset_distributions.py
test_toolsets.py
test_trajectory_compressor.py
test_trajectory_compressor_async.py
test_utils_truthy_values.py