
Fix unsafe gateway MEDIA path delivery#30432

Merged
teknium1 merged 1 commit into NousResearch:main from egilewski:codex/fix-media-path-validation on May 23, 2026

Conversation

@egilewski

Contributor

Hi, very interested in your project, but haven't had a chance to try it yet. I saw your tweet and decided to try Codex with GPT-5.5-xhigh on the first P0 issue without an attached PR. As I'm not familiar with the codebase at all, I've just looked at the tests to see that no reward was hacked, and the only suspicious thing I see is in tests/cron/test_scheduler.py after line 2203. Please tell me if you find this at least somewhat valuable; happy to follow up or do the same for other issues as well.

Fixes #29150.

Summary

This blocks arbitrary local file delivery from model-emitted MEDIA: tags and auto-detected local file paths in gateway media extraction.

The fix adds a shared validator for native media delivery paths. It only allows existing regular files under Hermes-managed media cache roots, legacy cache roots, or explicit operator-configured roots from HERMES_MEDIA_ALLOW_DIRS. It resolves symlinks before containment checks so a symlink inside an allowed cache cannot point at an arbitrary host file.

Changed

  • Added shared media path validation helpers in gateway/platforms/base.py.
  • Applied the validation before attachment delivery in gateway response handling, post-stream media delivery, background task delivery, kanban artifact delivery, cron delivery, Weixin delivery, send_message, and Yuanbao media sends.
  • Updated the send_message tool schema text so agents are told MEDIA: paths must be under Hermes media caches or explicit allowlisted roots.
  • Added regression coverage for allowed cache files, arbitrary outside files, symlink escapes, operator allowlists, streaming delivery, cron delivery, and send_message filtering.

Validation

  • HOME=/tmp/hermes-test-home scripts/run_tests.sh tests/gateway/test_platform_base.py tests/gateway/test_tts_media_routing.py tests/tools/test_send_message_tool.py tests/cron/test_scheduler.py passed: 229 tests.
  • .venv/bin/python -m ruff check cron/scheduler.py gateway/platforms/base.py gateway/platforms/weixin.py gateway/run.py tools/send_message_tool.py tools/yuanbao_tools.py tests/cron/test_scheduler.py tests/gateway/test_platform_base.py tests/gateway/test_tts_media_routing.py tests/tools/test_send_message_tool.py passed.
  • git diff --check passed.
  • .venv/bin/python -m py_compile gateway/platforms/base.py gateway/run.py gateway/platforms/weixin.py cron/scheduler.py tools/send_message_tool.py tools/yuanbao_tools.py tests/gateway/test_platform_base.py tests/gateway/test_tts_media_routing.py tests/tools/test_send_message_tool.py tests/cron/test_scheduler.py passed.

Notes

I initially ran the affected files without overriding HOME; the cron file hit environment failures because the sandbox could not create /home/mac/.hermes. Re-running with HOME=/tmp/hermes-test-home isolated the tests and passed.
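An added illustration of the validation rule the PR describes (example code written for this page, not the project's own helpers in gateway/platforms/base.py): it assumes a hypothetical default cache root and that HERMES_MEDIA_ALLOW_DIRS is os.pathsep-separated, and it exercises the cases the PR's regression tests name, an allowed cache file, a file outside any root, a symlink escape, and a non-regular file.

```python
import os
import tempfile
from pathlib import Path

# Hypothetical stand-in for the Hermes-managed media cache roots;
# the real project's root list is not reproduced here.
DEFAULT_MEDIA_ROOTS = [Path.home() / ".hermes" / "media_cache"]


def allowed_media_roots(env=None):
    """Built-in cache roots plus operator roots from HERMES_MEDIA_ALLOW_DIRS
    (assumed os.pathsep-separated), each resolved so symlinked roots compare
    against real paths."""
    env = os.environ if env is None else env
    roots = list(DEFAULT_MEDIA_ROOTS)
    extra = env.get("HERMES_MEDIA_ALLOW_DIRS", "")
    roots += [Path(p) for p in extra.split(os.pathsep) if p.strip()]
    return [r.resolve() for r in roots]


def is_deliverable_media_path(candidate, roots):
    """True only for an existing regular file whose fully resolved path
    (symlinks followed first) lies under one of the resolved allowed roots."""
    try:
        real = Path(candidate).resolve(strict=True)  # missing/dangling -> error
    except (OSError, RuntimeError):
        return False
    if not real.is_file():  # directories, devices, sockets are refused
        return False
    return any(real == root or root in real.parents for root in roots)


def demo():
    """Constructed scenario: a cache dir holding a real file and a symlink
    that escapes the cache, plus a file outside every allowed root."""
    tmp = Path(tempfile.mkdtemp())
    cache = tmp / "media_cache"
    cache.mkdir()
    (cache / "reply.png").write_bytes(b"\x89PNG")
    outside = tmp / "secrets.txt"
    outside.write_text("not for delivery")
    (cache / "escape.png").symlink_to(outside)  # symlink inside allowed root
    roots = allowed_media_roots({"HERMES_MEDIA_ALLOW_DIRS": str(cache)})
    return {
        "cache_file": is_deliverable_media_path(cache / "reply.png", roots),
        "symlink_escape": is_deliverable_media_path(cache / "escape.png", roots),
        "outside_file": is_deliverable_media_path(outside, roots),
        "directory": is_deliverable_media_path(cache, roots),
    }
```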

@alt-glitch alt-glitch added type/security Security vulnerability or hardening P0 Critical — data loss, security, crash loop comp/gateway Gateway runner, session dispatch, delivery comp/cron Cron scheduler and job management platform/wecom WeCom / WeChat Work adapter labels May 22, 2026
@alt-glitch

Collaborator

Competing fix for #29150 (GHSA-jmf9-9729-7pp8). Other open PRs addressing the same vulnerability: #16547, #4686, #10026, #12850, #6084, #26424.

This PR has the most comprehensive coverage — validates at every delivery site, handles symlink escapes, and includes operator-configurable allowlist via HERMES_MEDIA_ALLOW_DIRS.

@egilewski egilewski marked this pull request as ready for review May 22, 2026 13:15
@egilewski

Contributor Author

Oh, the issue actually did have PRs for it, just none of them were marked as such. Well, if this one has the most comprehensive coverage then maybe it wasn't in vain.

@teknium1 teknium1 merged commit 41d2c75 into NousResearch:main May 23, 2026
Gpapas pushed a commit to Gpapas/hermes-agent that referenced this pull request May 23, 2026
Mucky010 pushed a commit to Mucky010/hermes-agent that referenced this pull request May 24, 2026
exosyphon pushed a commit to exosyphon/hermes-agent that referenced this pull request May 24, 2026
mathias3 pushed a commit to mathias3/hermes-agent that referenced this pull request May 28, 2026
Bryce-huang pushed a commit to wbkunlun/hermes-agent that referenced this pull request May 29, 2026
mosaiq-systems pushed a commit to mosaiq-systems/hermes-agent that referenced this pull request May 29, 2026
gweeteve pushed a commit to gweeteve/hermes-agent that referenced this pull request Jun 2, 2026

Linked issue: [Security tracking] Arbitrary File Read via Unsanitized MEDIA: Tag Path in Gateway Media Extraction (GHSA-jmf9-9729-7pp8)
