stage-batch36: tighten #3064 MEDIA: token gate to non-user-role messages

Per Opus advisor on stage-batch36: skip role='user' messages in
_session_media_token_allows_image_path so a user-injected MEDIA: token
cannot mint an allow-list entry for the user's own request. Preserves
the original use case (assistant/tool emitted artifacts outside the
active workspace) while making the implicit threat model explicit.

Defense-in-depth — the single-user WebUI scope means same-origin user
input already had the same effective access, but multi-user / shared
WebUI deployments would benefit from the restriction.
This commit is contained in:
nesquena-hermes
2026-05-28 18:20:25 +00:00
parent 371f77c9b9
commit 0a2dabc730
+7
@@ -7619,6 +7619,13 @@ def _session_media_token_allows_image_path(sid: str, target: Path, image_mimes:
for message in getattr(session, "messages", []) or []:
if not isinstance(message, dict):
continue
# Only honor MEDIA: tokens that the assistant/tool emitted. User-authored
# content cannot mint allow-list entries even if it contains a MEDIA:
# token — keeps the implicit threat model (assistant-emitted artifacts
# only) explicit.
role = str(message.get("role") or "").strip().lower()
if role == "user":
continue
text = _message_content_text(message.get("content"))
if "MEDIA:" not in text:
continue
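Review bot: the new role check is a deny-list (skip only `role == "user"`), but the comment above it promises allow-list semantics ("Only honor MEDIA: tokens that the assistant/tool emitted"); a message with a missing or empty `role` (normalized to `""`) or any other role value still falls through to the `MEDIA:` scan and can mint an entry. Consider inverting the test to match the stated threat model, e.g. `if role not in ("assistant", "tool"): continue`, so unknown or absent roles fail closed rather than open, and add a regression test that feeds a user-role message containing a `MEDIA:` token and asserts the path is not allowed, since the commit touches only the one file.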