fix: broaden session ID validator to support new hermes-agent format (#212)

* fix: broaden session ID validator to support new hermes-agent format

* test: add more path traversal evil IDs to session validator test

Add null byte, backslash, forward slash, and dot-extension variants
to the rejected session ID test to cover additional attack vectors.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Nathan Esquenazi <nesquena@gmail.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
nesquena-hermes
2026-04-10 00:00:02 -07:00
committed by GitHub
parent 31281a6025
commit 9a5435176d
2 changed files with 14 additions and 3 deletions


@@ -154,8 +154,15 @@ class TestSessionIDValidation:
result = Session.load(valid_hex)
assert result is None # No file, but no error
def test_new_format_session_id_passes_validation(self):
"""New hermes-agent session IDs (YYYYMMDD_HHMMSS_xxxxxx) must pass validation."""
from api.models import Session
# Should pass the validator (returns None only because the file doesn't exist)
result = Session.load("20260406_164014_74b2d1")
assert result is None # file doesn't exist, but validator passed
def test_non_hex_session_id_rejected(self):
"""A session ID with non-hex chars must be rejected."""
"""A session ID with dangerous chars must be rejected."""
from api.models import Session
evil_ids = [
"../../../etc/passwd",
@@ -163,11 +170,15 @@ class TestSessionIDValidation:
"session; rm -rf /",
"hello world",
"ZZZZZZZZZZZZZZZZ",
"session\x00evil",
"..\\..\\windows\\system32",
"session/../../etc/passwd",
"valid_looking.json",
]
for sid in evil_ids:
result = Session.load(sid)
assert result is None, \
f"Session.load should reject non-hex ID '{sid}', got {result}"
f"Session.load should reject dangerous ID '{sid}', got {result}"
def test_empty_session_id_rejected(self):
"""An empty session ID must be rejected."""
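Review bot: The `assert result is None` checks in `test_non_hex_session_id_rejected` and in the new `test_new_format_session_id_passes_validation` cannot tell a rejected ID from an accepted one, because `Session.load` also returns None when an ID passes validation but no file exists, as the new test's own comment says. An entry such as `"valid_looking.json"` or `"..\\..\\windows\\system32"` would therefore still pass if the broadened validator let it through, so these cases do not guard against a path-traversal regression. For the positive case, write a session file with the new-format ID into a temporary session directory and use `assert result is not None`. For the evil IDs, assert on the validator's own result, or make the test fail if any file path is opened while loading them. The validator change is in the other file of this commit and is not visible here, so whether it rejects all of these inputs cannot be confirmed from this section.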