Sabo/webui
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[security] fix(sessions): validate session_id before deleting session files (#412)

Browse Source 
* fix(sessions): validate session_id before deleting files

* fix: remove premature session index invalidation before validation check

* docs: v0.50.32 release — version badge and CHANGELOG

---------

Co-authored-by: hinotoi-agent <paperlantern.agent@gmail.com>
Co-authored-by: Nathan Esquenazi <nesquena@gmail.com>
This commit is contained in:
nesquena-hermes
2026-04-13 23:10:46 -07:00
committed by GitHub
parent 539501ed2b
commit 3cc5839bf3
4 changed files with 35 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
CHANGELOG.md
View File

@@ -1,5 +1,14 @@
# Hermes Web UI -- Changelog # Hermes Web UI -- Changelog
## [v0.50.32] fix(sessions): validate session_id before deleting session files [SECURITY] (#409)
`/api/session/delete` accepted arbitrary `session_id` values from the request body and built the delete path directly as `SESSION_DIR / f"{sid}.json"`. Because pathlib discards the prefix when `sid` is an absolute path, an attacker could supply `/tmp/victim` and cause the server to unlink `victim.json` outside the session store. Traversal-style values (`../../etc/target`) were also accepted. CVSS 8.1 High (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).
- `api/routes.py`: validate `session_id` against `[0-9a-z_]+` allowlist (covers `uuid4().hex[:12]` WebUI IDs and `YYYYMMDD_HHMMSS_hex` CLI IDs) before path construction; resolve candidate path and enforce `path.relative_to(SESSION_DIR)` containment before unlinking; only invalidate session index on successful deletion path, not on rejected requests
- `tests/test_sprint3.py`: 2 new regression tests — absolute-path payload rejected and file preserved, traversal payload rejected and file preserved
- Original PR by @Hinotoi-agent (cherry-picked; branch was 4 commits behind master)
- 1041 tests total (up from 1039)
## [v0.50.31] fix: delegate all live model fetching to agent's provider_model_ids() ## [v0.50.31] fix: delegate all live model fetching to agent's provider_model_ids()
`_handle_live_models()` in `api/routes.py` previously maintained its own per-provider fetch logic and returned `not_supported` for Anthropic, Google, and Gemini. Now it delegates entirely to the agent's `hermes_cli.models.provider_model_ids()` — the single authoritative resolver — and `_fetchLiveModels()` in `ui.js` no longer skips any provider. `_handle_live_models()` in `api/routes.py` previously maintained its own per-provider fetch logic and returned `not_supported` for Anthropic, Google, and Gemini. Now it delegates entirely to the agent's `hermes_cli.models.provider_model_ids()` — the single authoritative resolver — and `_fetchLiveModels()` in `ui.js` no longer skips any provider.

8
api/routes.py
View File

@@ -724,10 +724,16 @@ def handle_post(handler, parsed) -> bool:
sid = body.get("session_id", "") sid = body.get("session_id", "")
if not sid: if not sid:
return bad(handler, "session_id is required") return bad(handler, "session_id is required")
if not all(c in '0123456789abcdefghijklmnopqrstuvwxyz_' for c in sid):
return bad(handler, "Invalid session_id", 400)
# Delete from WebUI session store # Delete from WebUI session store
with LOCK: with LOCK:
SESSIONS.pop(sid, None) SESSIONS.pop(sid, None)
p = SESSION_DIR / f"{sid}.json" try:
p = (SESSION_DIR / f"{sid}.json").resolve()
p.relative_to(SESSION_DIR.resolve())
except Exception:
return bad(handler, "Invalid session_id", 400)
try: try:
p.unlink(missing_ok=True) p.unlink(missing_ok=True)
except Exception: except Exception:

2
static/index.html
View File

@@ -535,7 +535,7 @@
<div class="settings-section-title">System</div> <div class="settings-section-title">System</div>
<div class="settings-section-meta">Instance version and access controls.</div> <div class="settings-section-meta">Instance version and access controls.</div>
</div> </div>
<span class="settings-version-badge">v0.50.31</span> <span class="settings-version-badge">v0.50.32</span>
</div> </div>
<div class="settings-field" style="border-top:1px solid var(--border);padding-top:12px;margin-top:8px"> <div class="settings-field" style="border-top:1px solid var(--border);padding-top:12px;margin-top:8px">
<label for="settingsPassword" data-i18n="settings_label_password">Access Password</label> <label for="settingsPassword" data-i18n="settings_label_password">Access Password</label>

18
tests/test_sprint3.py
View File

@@ -114,6 +114,24 @@ def test_session_delete_requires_session_id():
result, status = post("/api/session/delete", {}) result, status = post("/api/session/delete", {})
assert status == 400 assert status == 400
def test_session_delete_rejects_absolute_path_payload(tmp_path):
victim = tmp_path / "victim.json"
victim.write_text("TOPSECRET", encoding="utf-8")
result, status = post("/api/session/delete", {"session_id": str(victim.with_suffix(""))})
assert status == 400
assert victim.exists(), "absolute-path payload must not delete arbitrary files"
def test_session_delete_rejects_traversal_payload(tmp_path):
victim = tmp_path / "outside.json"
victim.write_text("TOPSECRET", encoding="utf-8")
traversal = f"../../../../{victim.with_suffix('').as_posix().lstrip('/')}"
result, status = post("/api/session/delete", {"session_id": traversal})
assert status == 400
assert victim.exists(), "traversal payload must not delete arbitrary files"
def test_chat_start_requires_session_id(): def test_chat_start_requires_session_id():
result, status = post("/api/chat/start", {"message": "hello"}) result, status = post("/api/chat/start", {"message": "hello"})
assert status == 400 assert status == 400