fix(security): validate media file paths to prevent arbitrary file read [HIGH]#4686
Closed
Joshua-Medvinsky wants to merge 1 commit into
…ad [HIGH]

Previously, `extract_media()` parsed MEDIA:<path> tags from LLM responses and passed extracted paths directly to platform send methods without any validation. A prompt injection attack could cause the LLM to emit MEDIA:/etc/passwd or similar, exfiltrating any file readable by the process.

Add `_is_safe_media_path()` which resolves the path and verifies it resides within ~/.hermes/media_cache before allowing delivery. Paths outside the cache directory are silently dropped.

Reported-by: FailSafe Security Researcher
Co-Authored-By: Joshua Medvinsky <joshua-medvinsky@users.noreply.github.com>
Cyrene963 pushed a commit to Cyrene963/hermes-agent that referenced this pull request May 7, 2026:
The static method _is_safe_media_path() was called without the BasePlatformAdapter class prefix inside another @staticmethod (extract_media). This caused NameError when the CLI's send_message tool tried to send files via MEDIA: tags, breaking file delivery from CLI sessions. Gateway file sending worked because it uses send_document() directly, bypassing extract_media().

Fix: _is_safe_media_path(path) → BasePlatformAdapter._is_safe_media_path(path)

Introduced by PR NousResearch#4686 (security: validate media file paths) where the conflict resolution dropped the class prefix.
This was referenced May 20, 2026
Superseded by PR #30432 (merged 41d2c75, credit @egilewski). The merged fix covers all MEDIA delivery sites (not just
Security Finding: Arbitrary File Read via LLM Media Tag Injection

Severity: HIGH
Reported by: FailSafe Security Researcher
Component: gateway/platforms/base.py — extract_media()

Description

`extract_media()` parses `MEDIA:<path>` tags from LLM response text and passes extracted paths directly to platform send methods (`send_image_file`, `send_voice`, `send_video`, `send_document`) without validating that the path resides within an allowed directory. The regex includes a `\S+` catch-all that accepts any non-whitespace path, including absolute paths like `/etc/passwd`.

An indirect prompt injection (via poisoned web content, malicious document, or injected tool output) can cause the LLM to emit a `MEDIA:` tag referencing a sensitive file. The file is read and sent to the chat with no validation.

Fix

Add `_is_safe_media_path()` which resolves the path and verifies it resides within `~/.hermes/media_cache` before allowing delivery. Paths outside the cache directory are silently dropped.

Test plan

- `MEDIA:/etc/passwd` is rejected (path outside cache)
- `MEDIA:../../etc/shadow` is rejected (traversal)
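As an added illustration of the containment check the finding describes (example code, not the hermes-agent project's own implementation): the check resolves the candidate path and tests it against the resolved cache directory by path component, which covers both test-plan cases plus sibling-prefix and symlink escapes. The tag regex, the function names and the `DEMO_CACHE` directory are assumptions made for the demo.

```python
import re
from pathlib import Path

# Where the PR says delivered media must live. DEMO_CACHE is a constructed
# path used only so the demo does not depend on the real home directory.
MEDIA_CACHE = Path("~/.hermes/media_cache")
DEMO_CACHE = Path("/tmp/hermes_media_cache_demo")

# Shape of the MEDIA:<path> tag from the finding; the exact project regex is
# an assumption, but the \S+ catch-all is the part the finding calls out.
MEDIA_TAG_RE = re.compile(r"MEDIA:(\S+)")


def is_safe_media_path(path: str, cache_dir: Path = MEDIA_CACHE) -> bool:
    """True only if `path` resolves to a location inside cache_dir.

    resolve() collapses '..' and follows symlinks, so traversal and symlink
    escapes are judged on the real target. relative_to() compares path
    components, so a sibling such as cache_dir + '_evil' is not a prefix
    match the way a str.startswith() check would be.
    """
    try:
        root = cache_dir.expanduser().resolve(strict=False)
        target = Path(path).expanduser().resolve(strict=False)
        target.relative_to(root)  # raises ValueError when outside root
    except (ValueError, OSError, RuntimeError):
        return False
    return target != root  # the cache directory itself is not deliverable


def extract_media(text: str, cache_dir: Path = MEDIA_CACHE):
    """Split LLM output into (clean_text, allowed_paths, dropped_paths).

    Dropped paths are returned rather than silently discarded so a caller
    can log them: a MEDIA: tag pointing outside the cache is a strong
    signal of an injection attempt and worth alerting on.
    """
    allowed, dropped = [], []
    for match in MEDIA_TAG_RE.finditer(text):
        candidate = match.group(1)
        if is_safe_media_path(candidate, cache_dir):
            allowed.append(candidate)
        else:
            dropped.append(candidate)
    clean_text = MEDIA_TAG_RE.sub("", text).strip()
    return clean_text, allowed, dropped
```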