hermes-agent/tools
teknium1 17f07aebdc fix(security): close shell line-continuation bypass in command detection
`_normalize_command_for_detection` strips backslash-escapes before matching
DANGEROUS_PATTERNS and HARDLINE_PATTERNS, but the strip rule was
`re.sub(r'\\([^\n])', r'\1', ...)` — its `[^\n]` class deliberately skips
newlines. A backslash immediately followed by a newline is a POSIX line
continuation: the shell removes BOTH characters and joins the tokens, so
`rm -rf \<newline>/` executes as `rm -rf /`. With the dangling backslash left
in place, the structured rm/dd/mkfs patterns no longer match because a literal
`\` sits wedged between the tokens they expect to be adjacent.

The worst consequence is on the HARDLINE floor. The dangerous-command layer
still fired here only by accident (the generic `\brm\s+-[^\s]*r` "recursive
delete" rule needs no path), and that layer is bypassed by `--yolo` /
`approvals.mode=off`. The hardline blocklist — the unconditional floor reserved
for catastrophic, unrecoverable commands and meant to hold even under yolo —
anchors the root path directly after the flags, so `rm -rf \<newline>/`,
`rm -r\<newline>f /`, and `rm -rf \<newline>~` all slipped past it entirely.
A yolo session could therefore wipe the root filesystem.

The fix collapses line continuations (`\` + `\n` or `\r\n`) to nothing,
mirroring the shell, before the existing escape strip runs. This was the gap
left by 621bf3a87, which added the escape strip but only for non-newline chars.

## What does this PR do?

Closes a shell line-continuation bypass in the dangerous-command detector.
Before: `rm -rf \<newline>/` normalized to `rm -rf \<newline>/`, so the
hardline root-delete patterns did not match and the command could run under
`--yolo`. After: line continuations are collapsed first, the command
normalizes to `rm -rf /`, and the hardline floor blocks it unconditionally.

## Related Issue

N/A

## Type of Change

- [x] 🔒 Security fix

## Changes Made

- `tools/approval.py`: in `_normalize_command_for_detection`, add
  `command = re.sub(r'\\\r?\n', '', command)` ahead of the existing
  backslash-escape strip so shell line continuations (`\`+newline, LF or CRLF)
  are removed exactly as the shell would, instead of leaving a stray backslash
  that breaks the structured patterns.
- `tests/tools/test_hardline_blocklist.py`: add a parametrized
  `test_hardline_blocks_line_continuation` covering the root, in-flag, home,
  CRLF, and mkfs continuation forms, plus
  `test_line_continuation_root_wipe_cannot_bypass_hardline` asserting the
  continuation root wipe stays blocked even with `HERMES_YOLO_MODE=1`.

## How to Test

1. Reproduce: stash the `tools/approval.py` change and run
   `scripts/run_tests.sh tests/tools/test_hardline_blocklist.py` — the new
   line-continuation cases fail (`rm -rf \<newline>/` is not flagged hardline,
   and leaks past the floor under yolo).
2. Restore the change and rerun the file — all 106 tests pass.
3. Regression: `scripts/run_tests.sh tests/tools/test_approval.py` (the
   existing fullwidth/ANSI/null-byte normalization and multiline cases still
   pass).

## Checklist

### Code

- [x] I've read the Contributing Guide
- [x] My commit messages follow Conventional Commits (`fix(scope):`, `feat(scope):`, etc.)
- [x] I searched for existing PRs to make sure this isn't a duplicate
- [x] My PR contains **only** changes related to this fix/feature (no unrelated commits)
- [x] I've run `pytest tests/ -q` and all tests pass
- [x] I've added tests for my changes (required for bug fixes, strongly encouraged for features)
- [x] I've tested on my platform: macOS 15 (Darwin 25.5.0)

### Documentation & Housekeeping

- [x] I've updated relevant documentation (README, `docs/`, docstrings) — or N/A
- [x] I've updated `cli-config.yaml.example` if I added/changed config keys — or N/A
- [x] I've updated `CONTRIBUTING.md` or `AGENTS.md` if I changed architecture or workflows — or N/A
- [x] I've considered cross-platform impact (Windows, macOS) — handles both LF and CRLF line endings
- [x] I've updated tool descriptions/schemas if I changed tool behavior — or N/A

# Conflicts:
#	tools/approval.py
2026-07-01 01:38:59 -07:00
..
computer_use revert(windows): roll back terminal-popup PRs #53791 #53810 #53829 (#53853) 2026-06-27 15:59:00 -07:00
environments fix remote sync-back credential overwrite 2026-07-01 01:00:31 -07:00
neutts_samples
__init__.py
ansi_strip.py
approval.py fix(security): close shell line-continuation bypass in command detection 2026-07-01 01:38:59 -07:00
async_delegation.py style(profile): trim verbose comments to one or two lines 2026-06-30 15:30:06 -07:00
binary_extensions.py
blueprints.py refactor(cron): rebrand Cron Recipes -> Automation Blueprints 2026-06-11 10:49:47 -07:00
browser_camofox.py fix(camofox): auto-recover from stale tab 404 on navigate 2026-06-29 01:26:24 -07:00
browser_camofox_state.py
browser_cdp_tool.py fix(deps): declare websockets as core dep + relax dev setuptools pin (salvage #45486, #44693) (#46744) 2026-06-15 12:44:44 -04:00
browser_dialog_tool.py feat: auto-launch Chromium-family browser for CDP 2026-05-19 22:34:05 -07:00
browser_supervisor.py fix(browser): close remaining CDP-URL leak paths in supervisor (review) 2026-07-01 13:43:58 +05:30
browser_tool.py test(browser): cover guard-inactive + camofox short-circuit paths; fix blank lines 2026-07-01 13:56:49 +05:30
budget_config.py fix(agent): scale tool-output budget to the model context window (#23767) 2026-06-21 17:46:38 +05:30
checkpoint_manager.py refactor(windows): unify windowless spawn form across the touched sites 2026-06-28 17:44:47 -05:00
clarify_gateway.py fix: accept typed clarify choice replies 2026-06-28 04:13:19 -07:00
clarify_tool.py fix(clarify): docstring — put options in choices[] only, never enumerate in question text 2026-06-19 07:34:02 -07:00
close_terminal_tool.py feat(desktop): live agent terminals + agent-driven tab close 2026-06-28 21:15:14 -05:00
code_execution_tool.py fix(security): harden heredoc approval, NFKC homograph fold, env-var filter 2026-06-30 02:59:46 -07:00
computer_use_tool.py feat(computer_use): cross-platform cua-driver (macOS/Windows/Linux) 2026-06-22 06:42:30 -07:00
credential_files.py fix(delegation): budget subagent summaries against parent context headroom 2026-06-30 03:07:40 -07:00
cronjob_tools.py fix(security): align cron invisible-unicode set with install-time scanner 2026-06-26 01:11:11 -07:00
debug_helpers.py feat(moa): expose MoA presets as selectable virtual models (#46081) 2026-06-25 13:52:06 -07:00
delegate_tool.py fix(delegation): route native-SDK providers through runtime resolver; fail on '(empty)' sentinel 2026-07-01 00:45:31 -07:00
discord_tool.py feat: add Discord message deletion action 2026-05-07 05:11:09 -07:00
env_passthrough.py fix(env-passthrough): fail closed when provider blocklist import fails 2026-06-28 02:05:43 -07:00
env_probe.py fix: prevent TUI gateway stdin EOF crash across all TUI-context subprocess calls 2026-06-08 22:46:57 -07:00
fal_common.py refactor(image_gen): port FAL backend to plugins/image_gen/fal 2026-05-22 04:10:45 -07:00
feishu_doc_tool.py perf(cli): cut ~19s from 'hermes' cold start (skills cache + lazy Feishu + no Nous HTTP) (#22138) 2026-05-08 16:39:32 -07:00
feishu_drive_tool.py perf(cli): cut ~19s from 'hermes' cold start (skills cache + lazy Feishu + no Nous HTTP) (#22138) 2026-05-08 16:39:32 -07:00
file_operations.py fix: warn on line-oriented newline search patterns 2026-06-20 23:23:47 -07:00
file_state.py
file_tools.py fix(file): block credential paths from search results 2026-07-01 01:02:35 -07:00
fuzzy_match.py fix(fuzzy-match): preserve boundary space after whitespace-normalized match 2026-06-26 01:55:27 +05:30
homeassistant_tool.py
image_generation_tool.py krea 2026-06-25 12:38:33 -07:00
interrupt.py
kanban_tools.py fix(kanban): restrict goal_mode kanban_block to genuine external blockers 2026-06-30 14:29:42 -07:00
lazy_deps.py fix(memory): lazy-install supermemory + mem0 SDKs like honcho/hindsight 2026-06-29 00:25:36 -07:00
managed_tool_gateway.py fix(managed-gateway): keep tool availability scans off the Nous token-refresh path 2026-05-30 07:58:08 -07:00
mcp_oauth.py fix(mcp): suppress interactive OAuth stdin prompts during background discovery (#35927) 2026-06-27 04:59:23 +05:30
mcp_oauth_manager.py fix(mcp-oauth): anchor 401 handler task to prevent GC mid-flight 2026-06-30 16:56:15 -07:00
mcp_tool.py fix(mcp): preserve 'definitions' as a property name in tool schemas 2026-07-01 01:02:23 -07:00
memory_tool.py fix(memory): degrade gracefully after repeated at-capacity consolidation failures (#42405) 2026-06-30 20:01:16 +05:30
microsoft_graph_auth.py feat(msgraph): add auth and client foundation 2026-05-08 09:27:26 -07:00
microsoft_graph_client.py fix(msgraph): stream download_to_file body instead of buffering 2026-05-08 09:27:26 -07:00
neutts_synth.py
openrouter_client.py
osv_check.py fix(osv_check): honor npx --package/-p install target when parsing package arg (#40567) 2026-06-06 18:30:39 -07:00
patch_parser.py fix(lint): skip per-file shell linter when LSP will handle the file (#29054) 2026-05-20 01:46:40 -05:00
path_security.py
process_registry.py fix(desktop): tree-kill Windows terminal descendants 2026-06-30 04:23:27 -05:00
project_tools.py feat(tools): add project workspace tools 2026-06-25 16:40:27 -05:00
read_extract.py feat(read): extract notebook and office documents (#37082) 2026-06-13 14:42:51 -07:00
read_terminal_tool.py feat(desktop): resizable VS Code-themed terminal pane + palette polish (#42521) 2026-06-09 23:15:20 -05:00
registry.py refactor(registry): drop dead toolset-check helpers after per-tool availability 2026-06-30 17:47:37 +05:30
schema_sanitizer.py fix(tools): strip default from $ref nodes in tool schemas 2026-06-12 00:30:51 -05:00
send_message_tool.py fix(matrix): route text-only send_message through adapter for E2EE support 2026-07-01 00:12:11 -07:00
session_search_tool.py fix(session_search): demote cron below interactive sessions in discover ranking (#53597) 2026-06-27 04:41:22 -07:00
skill_manager_tool.py fix(skills): require review forks to read before writing skills 2026-06-30 15:49:36 -07:00
skill_provenance.py fix(curator): only mark agent-created for background-review sediment (#19621) 2026-05-04 02:42:16 -07:00
skill_usage.py fix(curator): protect external skills from background curation 2026-06-25 22:03:02 -07:00
skills_ast_audit.py refactor(skills): slim AST diagnostic to single entry point 2026-05-23 17:47:26 -07:00
skills_guard.py fix(skills-guard): stop flagging benign skill content + honor skill ignore files (#36231) 2026-06-01 01:58:48 -07:00
skills_hub.py fix(skills): publish fetchable metadata for official skills 2026-07-01 00:40:56 -07:00
skills_sync.py fix(skills): skip shadowing when external_dirs provides the skill 2026-06-27 21:07:53 -07:00
skills_tool.py fix(skills): require review forks to read before writing skills 2026-06-30 15:49:36 -07:00
slash_confirm.py fix(async): close unscheduled coroutines in all threadsafe bridges (#26584) 2026-05-15 14:00:01 -07:00
terminal_tool.py fix(terminal): require approval for host-bound Docker commands (#54483) 2026-06-29 11:35:41 +10:00
thread_context.py fix(code-exec): propagate agent-turn context into tool worker threads 2026-05-29 03:44:49 -07:00
threat_patterns.py fix: bound threat-pattern/FTS5 regex input and cover V4A Move-File edits 2026-07-01 01:05:28 -07:00
tirith_security.py fix(security): add circuit breaker for tirith crashes to prevent agent hangs (#41400) 2026-06-26 15:26:08 +05:30
todo_tool.py fix(agent): restrict todo hydration to paired assistant todo calls 2026-07-01 01:02:17 -07:00
tool_backend_helpers.py feat(tools): surface the free tool pool in entitlement + setup (#36153) 2026-06-01 06:32:48 +05:30
tool_output_limits.py fix: tool_output_limits re-reads config on every call (no caching) 2026-05-31 00:50:19 -07:00
tool_result_storage.py fix: keep persisted tool results inside their storage directory 2026-06-30 16:39:41 -07:00
tool_search.py fix(tool-search): scope bridge catalog + dispatch to the session's toolsets 2026-05-29 02:04:12 -07:00
transcription_tools.py fix(windows): hide remaining backend console-flash legs missed on main 2026-06-28 10:19:21 -05:00
tts_tool.py fix(windows): hide remaining backend console-flash legs missed on main 2026-06-28 10:19:21 -05:00
url_safety.py fix(security): close SSRF redirect-guard bypass across all httpx download hooks 2026-07-01 01:18:53 -07:00
video_generation_tool.py feat(xai): Imagine public-URL storage, chaining & video edit/extend 2026-06-29 21:11:58 -07:00
vision_tools.py fix(security): close SSRF redirect-guard bypass across all httpx download hooks 2026-07-01 01:18:53 -07:00
voice_mode.py fix: prevent TUI gateway stdin EOF crash across all TUI-context subprocess calls 2026-06-08 22:46:57 -07:00
web_tools.py fix(web_extract): bound stored full-text size + give concrete read_file offset 2026-06-30 00:19:49 -07:00
website_policy.py chore(web): remove web_crawl tool + provider crawl plumbing (#33824) 2026-05-28 04:52:42 -07:00
write_approval.py fix(memory,skills): repair write-approval inline prompt, gateway staging, and gateway /skills review (#43452) 2026-06-10 02:57:15 -07:00
x_search_tool.py chore: prune unused imports and duplicate import redefinitions 2026-05-28 22:26:25 -07:00
xai_http.py feat(xai): Imagine public-URL storage, chaining & video edit/extend 2026-06-29 21:11:58 -07:00
xai_video_tools.py feat(xai): Imagine public-URL storage, chaining & video edit/extend 2026-06-29 21:11:58 -07:00
yuanbao_tools.py Fix unsafe gateway media path delivery 2026-05-23 01:40:35 -07:00