
fix(security): remove hermes root from code execution sandbox PYTHONPATH#8050

Open
tomqiaozc wants to merge 1 commit into NousResearch:main from tomqiaozc:fix/8028-pythonpath-sandbox-escape

Conversation

@tomqiaozc

Summary

  • The code execution sandbox had the hermes project root on PYTHONPATH, allowing LLM-generated scripts to import hermes_cli.auth and steal credentials
  • Removed hermes root from PYTHONPATH and from _SAFE_ENV_PREFIXES
  • Explicitly pops PYTHONPATH from child environment
  • The sandbox still works because the generated hermes_tools.py stub is in the subprocess cwd

Test plan

  • 9 new tests verifying sandbox PYTHONPATH isolation
  • All 71 code_execution tests pass (1 pre-existing stub drift failure unrelated)

Fixes #8028

🤖 Generated with Claude Code

The sandbox subprocess had the hermes project root on PYTHONPATH,
allowing LLM-generated scripts to import internal modules like
hermes_cli.auth and agent.credential_pool to steal credentials.

Fixes NousResearch#8028

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
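The escape the description and commit message above describe, and the fix they sketch (inherit only allowlisted variables, pop PYTHONPATH, rely on the stub in the subprocess cwd), as an added example that is not code from this PR or from the hermes project. SAFE_ENV_PREFIXES is a constructed allowlist and does not reproduce the project's _SAFE_ENV_PREFIXES; internal_secrets.py is a constructed stand-in for hermes_cli.auth; the hermes_tools.py stub body, and the helper names build_sandbox_env, run_probe and demo, are this example's own.

```python
import json
import os
import subprocess
import sys
import tempfile
import textwrap
from pathlib import Path

# Constructed allowlist of environment-variable name prefixes the child may
# inherit. It plays the role of a list like the project's _SAFE_ENV_PREFIXES
# but is not that list; nothing on it can smuggle PYTHONPATH into the child.
SAFE_ENV_PREFIXES = ("PATH", "HOME", "LANG", "LC_", "TMP", "TEMP", "SYSTEMROOT")


def build_sandbox_env(parent_env, safe_prefixes=SAFE_ENV_PREFIXES):
    """Build the environment for the code-execution subprocess.

    Only allowlisted variables are copied, and PYTHONPATH is popped
    explicitly afterwards so that no prefix on the allowlist can ever
    reintroduce it. The child's sys.path then holds only its cwd (where
    the tool stub lives) plus the interpreter's own defaults.
    """
    env = {k: v for k, v in parent_env.items() if k.startswith(safe_prefixes)}
    env.pop("PYTHONPATH", None)
    return env


# Probe run inside the child, the way an LLM-generated script would run: try
# to import the project-internal module and the cwd stub, report as JSON.
PROBE = textwrap.dedent("""
    import json
    result = {}
    try:
        import internal_secrets            # constructed stand-in for hermes_cli.auth
        result["internal_secrets"] = internal_secrets.API_KEY
    except ImportError:
        result["internal_secrets"] = None
    try:
        import hermes_tools                # stub placed in the sandbox cwd
        result["hermes_tools"] = hermes_tools.ping()
    except ImportError:
        result["hermes_tools"] = None
    print(json.dumps(result))
""")


def run_probe(env, cwd):
    """Run PROBE with the given environment and working directory."""
    proc = subprocess.run(
        [sys.executable, "-c", PROBE],
        env=env, cwd=str(cwd), capture_output=True, text=True, check=True,
    )
    return json.loads(proc.stdout)


def demo():
    """Return (before, after): what the child can import with the project
    root on PYTHONPATH versus with the sanitized environment. Every file
    here is constructed for the example."""
    with tempfile.TemporaryDirectory() as tmp:
        repo_root = Path(tmp) / "repo"   # plays the role of the hermes project root
        workdir = Path(tmp) / "work"     # the sandbox subprocess cwd
        repo_root.mkdir()
        workdir.mkdir()
        (repo_root / "internal_secrets.py").write_text(
            'API_KEY = "constructed-secret"\n'
        )
        (workdir / "hermes_tools.py").write_text(
            'def ping():\n    return "stub ok"\n'
        )

        # Vulnerable configuration: project root injected via PYTHONPATH.
        leaky_env = dict(os.environ, PYTHONPATH=str(repo_root))
        before = run_probe(leaky_env, workdir)

        # Fixed configuration: allowlisted variables only, PYTHONPATH popped.
        after = run_probe(build_sandbox_env(leaky_env), workdir)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("with repo root on PYTHONPATH:", before)
    print("with sanitized environment:  ", after)
```

With the leaky environment the child reads the constructed API_KEY straight out of the repo-root module; with the sanitized environment that import fails while the cwd stub still imports, which is the invariant the PR relies on. Sanitizing the environment in the parent is one layer; passing `-E` to the child interpreter makes it ignore PYTHON* variables regardless of what the parent hands it. Note that `-I` (isolated mode) also implies `-P` on Python 3.11 and later, which keeps the cwd off sys.path and would break the stub-in-cwd approach, so `-E` is the flag that matches this design.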
alt-glitch added the labels type/security (Security vulnerability or hardening), P0 (Critical — data loss, security, crash loop) and tool/code-exec (execute_code sandbox) on Apr 28, 2026
@alt-glitch (Collaborator)

Related to #7071 and #7136 — same PYTHONPATH injection root cause in code_execution_tool sandbox. This PR directly fixes #8028.

@egilewski (Contributor)

Recommendation: needs rework before merge.

Checked against current upstream/main acce1a2452f8b85343db1b057c1d98717c421522 and PR head fbfef82dd775874b14db27d2f459c4d1cbeef56c.

  • gh pr view 8050 --json mergeStateStatus,mergeable reports DIRTY / CONFLICTING.
  • Applying the PR patch to current main with git apply --check fails at tools/code_execution_tool.py; git apply --3way --check reports a conflict in the same file.
  • The linked issue Security: PYTHONPATH injection in code_execution_tool sandbox allows credential theft #8028 is now closed as by-design, and current main has an explicit TestExecuteCode::test_repo_root_modules_are_importable invariant. After rebasing, this still needs maintainer confirmation that removing repo-root imports from execute_code is intended.
  • CodeRabbit on the uncommitted PR diff against acce1a2452f8b85343db1b057c1d98717c421522 returned no findings.

Signed: GPT-5.5-xhigh in Codex


Development

Successfully merging this pull request may close these issues.

Security: PYTHONPATH injection in code_execution_tool sandbox allows credential theft
