security(file-safety): also write-deny <root>/.env when running under a profile (#15981)#29687
Merged
Conversation
… a profile (#15981) build_write_denied_paths() resolved the protected ``.env`` via get_hermes_home(), which is profile-aware. When a profile is active HERMES_HOME points at ``<root>/profiles/<name>`` and ``hermes_home / ".env"`` expands to the *profile* env file only — the global ``<root>/.env`` is left off the deny list and a write_file call against it succeeds. Since the top-level .env supplies credentials inherited by every profile, this is a P0 credential-exfiltration / overwrite path. Add a parallel ``_hermes_root_path()`` helper that returns the Hermes root (via the existing ``get_default_hermes_root()`` constant) and include ``<root>/.env`` in the deny list alongside ``<active_profile>/.env``. Both paths now refuse write_file/patch regardless of profile state. The active HERMES_HOME .env entry is preserved so the protection in non-profile mode is unchanged. A regression test exercises the profile-active scenario by pointing HERMES_HOME at ``<tmp>/profiles/coder`` and asserting that ``<tmp>/.env`` is denied. Fixes #15981
Contributor
🔎 Lint report:
|
Closed
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Salvage of #17044 onto current main, preserving @0xsir0000's authorship.
Note on scope
Per SECURITY.md, the agent's terminal tool can already overwrite
<root>/.envdirectly — so this is not in the project's security scope and does not close a real attack surface. We're landing it anyway as defense-in-depth / footgun reduction forwrite_file/patch, matching the existing protection for the profile-level.env.Fix
build_write_denied_paths()resolved the protected.envviaget_hermes_home(), which is profile-aware. Under a profile,HERMES_HOMEpoints at<root>/profiles/<name>and only the profile.envgot added to the deny list — the global<root>/.env(whose creds every profile inherits) was left writable bywrite_file/patch.Adds a parallel
_hermes_root_path()helper using the existinghermes_constants.get_default_hermes_root()and includes<root>/.envin the deny list alongside the active profile's.env. Non-profile-mode behavior is unchanged.Validation
tests/tools/test_write_deny.py+tests/tools/test_file_write_safety.pyHERMES_HOME=<tmp>/profiles/coder:write_file(<tmp>/.env)→ denied,write_file(<tmp>/profiles/coder/.env)→ denied,write_file(<tmp>/notes.txt)→ succeeds. Original credential preserved.get_default_hermes_root()handles Docker / custom layouts (returnsHERMES_HOMEwhen it's outside~/.hermes).Closes #15981.
Closes #17044.
Infographic