Sabo/webui
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #135 from nesquena/fix/pr-131-bot-name

Browse Source 
fix: harden bot_name feature from PR #131 — crash guard, XSS, tests
This commit is contained in:
Nathan Esquenazi
2026-04-06 08:13:49 -07:00
committed by GitHub
parent e1c2e7e3d6 71dd691ed0
commit 4407c3097b
10 changed files with 185 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.env.example
View File

@@ -26,3 +26,6 @@
# Path to your Hermes config.yaml (for toolsets and model config)
# HERMES_CONFIG_PATH=~/.hermes/config.yaml
# Display name for the assistant in the UI (default: Hermes)
# HERMES_WEBUI_BOT_NAME=Hermes

1
api/config.py
View File

@@ -680,6 +680,7 @@ _SETTINGS_DEFAULTS = {
'sync_to_insights': False, # mirror WebUI token usage to state.db for /insights
'check_for_updates': True, # check if webui/agent repos are behind upstream
'theme': 'dark', # active UI theme name (no enum gate -- allows custom themes)
'bot_name': os.getenv('HERMES_WEBUI_BOT_NAME', 'Hermes'), # display name for the assistant
'password_hash': None, # SHA-256 hash; None = auth disabled
}

13
api/routes.py
View File

@@ -2,6 +2,7 @@
Hermes Web UI -- Route handlers for GET and POST endpoints.
Extracted from server.py (Sprint 11) so server.py is a thin shell.
"""
import html as _html
import json
import os
import queue
@@ -56,7 +57,7 @@ except ImportError:
# ── Login page (self-contained, no external deps) ────────────────────────────
_LOGIN_PAGE_HTML = '''<!doctype html>
<html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1">
<title>Hermes — Sign in</title>
<title>{{BOT_NAME}} — Sign in</title>
<style>
*{box-sizing:border-box;margin:0;padding:0}
body{background:#1a1a2e;color:#e8e8f0;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",system-ui,sans-serif;
@@ -79,8 +80,8 @@ button:hover{background:rgba(124,185,255,.25)}
.err{color:#e94560;font-size:12px;margin-top:10px;display:none}
</style></head><body>
<div class="card">
<div class="logo">H</div>
<h1>Hermes</h1>
<div class="logo">{{BOT_NAME_INITIAL}}</div>
<h1>{{BOT_NAME}}</h1>
<p class="sub">Enter your password to continue</p>
<form onsubmit="doLogin(event);return false">
<input type="password" id="pw" placeholder="Password" autofocus
@@ -116,7 +117,9 @@ def handle_get(handler, parsed) -> bool:
content_type='text/html; charset=utf-8')
if parsed.path == '/login':
return t(handler, _LOGIN_PAGE_HTML, content_type='text/html; charset=utf-8')
_bn = _html.escape(load_settings().get('bot_name') or 'Hermes')
_page = _LOGIN_PAGE_HTML.replace('{{BOT_NAME}}', _bn).replace('{{BOT_NAME_INITIAL}}', _bn[0].upper())
return t(handler, _page, content_type='text/html; charset=utf-8')
if parsed.path == '/api/auth/status':
from api.auth import is_auth_enabled, parse_cookie, verify_session
@@ -523,6 +526,8 @@ def handle_post(handler, parsed) -> bool:
# ── Settings (POST) ──
if parsed.path == '/api/settings':
if 'bot_name' in body:
body['bot_name'] = (str(body['bot_name']) or '').strip() or 'Hermes'
saved = save_settings(body)
saved.pop('password_hash', None) # never expose hash to client
return j(handler, saved)

15
static/boot.js
View File

@@ -306,10 +306,23 @@ document.querySelectorAll('.suggestion').forEach(btn=>{
};
})();
function applyBotName(){
const name=window._botName||'Hermes';
document.title=name;
const sidebarH1=document.querySelector('.sidebar-header h1');
if(sidebarH1) sidebarH1.textContent=name;
const logo=document.querySelector('.sidebar-header .logo');
if(logo) logo.textContent=name.charAt(0).toUpperCase();
const topbarTitle=$('topbarTitle');
if(topbarTitle && (!S.session)) topbarTitle.textContent=name;
const msg=$('msg');
if(msg) msg.placeholder='Message '+name+'\u2026';
}
(async()=>{
// Load send key preference
let _bootSettings={};
try{const s=await api('/api/settings');_bootSettings=s;window._sendKey=s.send_key||'enter';window._showTokenUsage=!!s.show_token_usage;window._showCliSessions=!!s.show_cli_sessions;const _theme=s.theme||'dark';document.documentElement.dataset.theme=_theme;localStorage.setItem('hermes-theme',_theme);}catch(e){window._sendKey='enter';window._showTokenUsage=false;window._showCliSessions=false;_bootSettings={check_for_updates:false};}
try{const s=await api('/api/settings');_bootSettings=s;window._sendKey=s.send_key||'enter';window._showTokenUsage=!!s.show_token_usage;window._showCliSessions=!!s.show_cli_sessions;window._botName=s.bot_name||'Hermes';const _theme=s.theme||'dark';document.documentElement.dataset.theme=_theme;localStorage.setItem('hermes-theme',_theme);applyBotName();}catch(e){window._sendKey='enter';window._showTokenUsage=false;window._showCliSessions=false;window._botName='Hermes';_bootSettings={check_for_updates:false};}
// Non-blocking update check (fire-and-forget, once per tab session)
// ?test_updates=1 in URL forces banner display for testing (bypasses sessionStorage guards)
const _testUpdates=new URLSearchParams(location.search).get('test_updates')==='1';

5
static/index.html
View File

@@ -372,6 +372,11 @@
</label>
<div style="font-size:11px;color:var(--muted);margin-top:4px">Show a banner when newer versions of the WebUI or Agent are available. Runs a background git fetch periodically.</div>
</div>
<div class="settings-field">
<label for="settingsBotName">Assistant Name</label>
<div style="font-size:11px;color:var(--muted);margin-bottom:6px">Display name for the assistant throughout the UI. Defaults to Hermes.</div>
<input type="text" id="settingsBotName" placeholder="Hermes" maxlength="64" style="width:100%;padding:8px;background:var(--code-bg);color:var(--text);border:1px solid var(--border2);border-radius:6px;font-size:13px">
</div>
<div class="settings-field" style="border-top:1px solid var(--border);padding-top:12px;margin-top:8px">
<label for="settingsPassword">Access Password</label>
<div style="font-size:11px;color:var(--muted);margin-bottom:6px">Enter a new password to set or change it. Leave blank to keep current setting.</div>

5
static/messages.js
View File

@@ -93,8 +93,9 @@ async function send(){
assistantRow=document.createElement('div');assistantRow.className='msg-row';
assistantBody=document.createElement('div');assistantBody.className='msg-body';
const role=document.createElement('div');role.className='msg-role assistant';
const icon=document.createElement('div');icon.className='role-icon assistant';icon.textContent='H';
const lbl=document.createElement('span');lbl.style.fontSize='12px';lbl.textContent='Hermes';
const _bn=window._botName||'Hermes';
const icon=document.createElement('div');icon.className='role-icon assistant';icon.textContent=_bn.charAt(0).toUpperCase();
const lbl=document.createElement('span');lbl.style.fontSize='12px';lbl.textContent=_bn;
role.appendChild(icon);role.appendChild(lbl);
assistantRow.appendChild(role);assistantRow.appendChild(assistantBody);
$('msgInner').appendChild(assistantRow);

7
static/panels.js
View File

@@ -1009,6 +1009,9 @@ async function loadSettingsPanel(){
if(syncCb){syncCb.checked=!!settings.sync_to_insights;syncCb.addEventListener('change',_markSettingsDirty,{once:false});}
const updateCb=$('settingsCheckUpdates');
if(updateCb){updateCb.checked=settings.check_for_updates!==false;updateCb.addEventListener('change',_markSettingsDirty,{once:false});}
// Bot name
const botNameField=$('settingsBotName');
if(botNameField){botNameField.value=settings.bot_name||'Hermes';botNameField.addEventListener('input',_markSettingsDirty,{once:false});}
// Password field: always blank (we don't send hash back)
const pwField=$('settingsPassword');
if(pwField){pwField.value='';pwField.addEventListener('input',_markSettingsDirty,{once:false});}
@@ -1042,6 +1045,8 @@ async function saveSettings(andClose){
body.show_cli_sessions=showCliSessions;
body.sync_to_insights=!!($('settingsSyncInsights')||{}).checked;
body.check_for_updates=!!($('settingsCheckUpdates')||{}).checked;
const botName=(($('settingsBotName')||{}).value||'').trim();
body.bot_name=botName||'Hermes';
// Password: only act if the field has content; blank = leave auth unchanged
if(pw && pw.trim()){
try{
@@ -1060,6 +1065,8 @@ async function saveSettings(andClose){
window._sendKey=sendKey||'enter';
window._showTokenUsage=showTokenUsage;
window._showCliSessions=showCliSessions;
window._botName=body.bot_name;
if(typeof applyBotName==='function') applyBotName();
_settingsDirty=false; _settingsThemeOnOpen=theme;
const bar=$('settingsUnsavedBar'); if(bar) bar.style.display='none';
renderMessages();

4
static/sessions.js
View File

@@ -45,7 +45,7 @@ async function loadSession(sid){
if(tc&&tc.name) appendLiveToolCard(tc);
}
syncTopbar();await loadDir('.');renderMessages();appendThinking();
setBusy(true);setStatus('Hermes is thinking\u2026');
setBusy(true);setStatus((window._botName||'Hermes')+' is thinking\u2026');
startApprovalPolling(sid);
}else{
MSG_QUEUE.length=0;updateQueueBadge(); // clear queue for the viewed session
@@ -429,7 +429,7 @@ async function deleteSession(sid){
if(remaining.sessions&&remaining.sessions.length){
await loadSession(remaining.sessions[0].session_id);
}else{
$('topbarTitle').textContent='Hermes';
$('topbarTitle').textContent=window._botName||'Hermes';
$('topbarMeta').textContent='Start a new conversation';
$('msgInner').innerHTML='';
$('emptyState').style.display='';

9
static/ui.js
View File

@@ -237,7 +237,7 @@ function setStatus(t){
txt.textContent=t;
bar.style.display='';
// Show dismiss X only for static/error messages, not transient busy ones
const transient = t.endsWith('…') || t === 'Hermes is thinking';
const transient = t.endsWith('…') || t === (window._botName||'Hermes')+' is thinking\u2026';
if(dismiss)dismiss.style.display=(!transient && !S.busy)?'inline':'none';
}
}
@@ -402,7 +402,7 @@ async function checkInflightOnBoot(sid) {
function syncTopbar(){
if(!S.session){
document.title='Hermes';
document.title=window._botName||'Hermes';
// Show default workspace name even without a session
const sidebarName=$('sidebarWsName');
if(sidebarName && sidebarName.textContent==='Workspace'){
@@ -412,7 +412,7 @@ function syncTopbar(){
}
const sessionTitle=S.session.title||'Untitled';
$('topbarTitle').textContent=sessionTitle;
document.title=sessionTitle+' \u2014 Hermes';
document.title=sessionTitle+' \u2014 '+(window._botName||'Hermes');
const vis=S.messages.filter(m=>m&&m.role&&m.role!=='tool');
$('topbarMeta').textContent=`${vis.length} messages`;
// If a profile switch just happened, apply its model rather than the session's stale value.
@@ -505,7 +505,8 @@ function renderMessages(){
const retryBtn = isLastAssistant ? `<button class="msg-action-btn" title="Regenerate response" onclick="regenerateResponse(this)">&#8635;</button>` : '';
const tsVal=m._ts||m.timestamp;
const tsTitle=tsVal?new Date(tsVal*1000).toLocaleString():'';
row.innerHTML=`<div class="msg-role ${m.role}" ${tsTitle?`title="${esc(tsTitle)}"`:''}><div class="role-icon ${m.role}">${isUser?'Y':'H'}</div><span style="font-size:12px">${isUser?'You':'Hermes'}</span>${tsTitle?`<span class="msg-time">${new Date(tsVal*1000).toLocaleTimeString([],{hour:'2-digit',minute:'2-digit'})}</span>`:''}<span class="msg-actions">${editBtn}<button class="msg-copy-btn msg-action-btn" title="Copy" onclick="copyMsg(this)">&#128203;</button>${retryBtn}</span></div>${filesHtml}<div class="msg-body">${bodyHtml}</div>`;
const _bn=window._botName||'Hermes';
row.innerHTML=`<div class="msg-role ${m.role}" ${tsTitle?`title="${esc(tsTitle)}"`:''}><div class="role-icon ${m.role}">${isUser?'Y':esc(_bn.charAt(0).toUpperCase())}</div><span style="font-size:12px">${isUser?'You':esc(_bn)}</span>${tsTitle?`<span class="msg-time">${new Date(tsVal*1000).toLocaleTimeString([],{hour:'2-digit',minute:'2-digit'})}</span>`:''}<span class="msg-actions">${editBtn}<button class="msg-copy-btn msg-action-btn" title="Copy" onclick="copyMsg(this)">&#128203;</button>${retryBtn}</span></div>${filesHtml}<div class="msg-body">${bodyHtml}</div>`;
row.dataset.rawText = String(content).trim();
inner.appendChild(row);
}

136
tests/test_sprint27.py Normal file
View File

@@ -0,0 +1,136 @@
"""
Sprint 27 Tests: configurable assistant display name (bot_name).
Tests cover settings API round-trip, empty/missing input defaults,
login page rendering, and server-side sanitization.
"""
import json
import urllib.error
import urllib.request
BASE = "http://127.0.0.1:8788"
def get(path):
with urllib.request.urlopen(BASE + path, timeout=10) as r:
return json.loads(r.read()), r.status
def get_raw(path):
with urllib.request.urlopen(BASE + path, timeout=10) as r:
return r.read().decode(), r.status
def post(path, body=None):
data = json.dumps(body or {}).encode()
req = urllib.request.Request(BASE + path, data=data,
headers={"Content-Type": "application/json"})
try:
with urllib.request.urlopen(req, timeout=10) as r:
return json.loads(r.read()), r.status
except urllib.error.HTTPError as e:
return json.loads(e.read()), e.code
# ── Default value ─────────────────────────────────────────────────────────
def test_settings_default_bot_name():
"""GET /api/settings should return bot_name defaulting to 'Hermes'."""
d, status = get("/api/settings")
assert status == 200
assert "bot_name" in d
assert d["bot_name"] == "Hermes"
# ── Round-trip ────────────────────────────────────────────────────────────
def test_settings_set_bot_name():
"""POST /api/settings with bot_name should persist and round-trip."""
try:
d, status = post("/api/settings", {"bot_name": "TestBot"})
assert status == 200
assert d.get("bot_name") == "TestBot"
d2, _ = get("/api/settings")
assert d2.get("bot_name") == "TestBot"
finally:
post("/api/settings", {"bot_name": "Hermes"})
def test_settings_bot_name_special_chars():
"""bot_name with safe special characters should persist correctly."""
try:
d, status = post("/api/settings", {"bot_name": "My Assistant 2.0"})
assert status == 200
d2, _ = get("/api/settings")
assert d2.get("bot_name") == "My Assistant 2.0"
finally:
post("/api/settings", {"bot_name": "Hermes"})
# ── Server-side sanitization ──────────────────────────────────────────────
def test_settings_empty_bot_name_defaults_to_hermes():
"""Posting an empty bot_name should default to 'Hermes' server-side."""
try:
d, status = post("/api/settings", {"bot_name": ""})
assert status == 200
assert d.get("bot_name") == "Hermes"
d2, _ = get("/api/settings")
assert d2.get("bot_name") == "Hermes"
finally:
post("/api/settings", {"bot_name": "Hermes"})
def test_settings_whitespace_bot_name_defaults_to_hermes():
"""Posting a whitespace-only bot_name should default to 'Hermes'."""
try:
d, status = post("/api/settings", {"bot_name": " "})
assert status == 200
assert d.get("bot_name") == "Hermes"
finally:
post("/api/settings", {"bot_name": "Hermes"})
# ── Login page rendering ──────────────────────────────────────────────────
def test_login_page_shows_default_bot_name():
"""GET /login should contain 'Hermes' in title and h1 when default."""
html, status = get_raw("/login")
assert status == 200
assert "<title>Hermes" in html
assert "<h1>Hermes</h1>" in html
def test_login_page_shows_custom_bot_name():
"""GET /login should reflect the configured bot_name."""
try:
post("/api/settings", {"bot_name": "Aria"})
html, status = get_raw("/login")
assert status == 200
assert "<title>Aria" in html
assert "<h1>Aria</h1>" in html
finally:
post("/api/settings", {"bot_name": "Hermes"})
def test_login_page_empty_name_does_not_crash():
"""Login page must not 500 even if somehow bot_name is empty in settings."""
# Force an empty value by patching settings file directly — skipped here
# because the server-side guard in POST /api/settings prevents storing empty.
# Instead, verify that /login returns 200 reliably.
html, status = get_raw("/login")
assert status == 200
assert "Sign in" in html
def test_login_page_xss_escaped():
"""bot_name with HTML special chars should be escaped in the login page."""
try:
post("/api/settings", {"bot_name": "<script>alert(1)</script>"})
html, status = get_raw("/login")
assert status == 200
# Raw tag must not appear unescaped
assert "<script>alert(1)</script>" not in html
# Escaped form should appear
assert "&lt;script&gt;" in html
finally:
post("/api/settings", {"bot_name": "Hermes"})