fix: broaden session ID validator to support new hermes-agent format (#212)

* fix: broaden session ID validator to support new hermes-agent format * test: add more path traversal evil IDs to session validator test Add null byte, backslash, forward slash, and dot-extension variants to the rejected session ID test to cover additional attack vectors. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Nathan Esquenazi <nesquena@gmail.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 00:00:02 -07:00
parent 31281a6025
commit 9a5435176d
2 changed files with 14 additions and 3 deletions
--- a/api/models.py
+++ b/api/models.py
@@ -74,7 +74,7 @@ class Session:
    @classmethod
    def load(cls, sid):
        # Validate session ID format to prevent path traversal
-        if not sid or not all(c in '0123456789abcdef' for c in sid):
+        if not sid or not all(c in '0123456789abcdefghijklmnopqrstuvwxyz_' for c in sid):
            return None
        p = SESSION_DIR / f'{sid}.json'
        if not p.exists():