hermes-agent/gateway/platforms
syahidfrd 0198713c33 fix(security): reuse auth chain when tagging unverified senders in Slack threads
Mitigates indirect prompt injection (CWE-863) in Slack thread context.
When the bot is mentioned mid-thread for the first time, _fetch_thread_context
pulls the full thread via conversations.replies and prepends every reply to
the LLM prompt. Replies from senders not on the allowlist were rendered
identically to authorised senders, letting a third party in a shared channel
inject instructions the model might act on when answering the next authorised
message.

- BasePlatformAdapter.set_authorization_check / _is_sender_authorized, registered
  by GatewayRunner._make_adapter_auth_check() with a closure over the existing
  _is_user_authorized chain (platform/global/group allowlists, allow-all flags,
  pairing store all stay the single source of truth — no env-var re-parsing).
- Tags non-bot thread messages whose sender fails the auth check with an
  [unverified] prefix; strengthens the header with soft guidance only when at
  least one unverified message is present, so setups without an allowlist see
  no behaviour change.
- Wired into all three adapter-init sites in run.py (start, reconnect watcher,
  restart) so the reconnect path is covered too.

Softened wording: adapted from the original [untrusted] tag to [unverified]
and non-accusatory header framing — the label reflects allowlist status, not
a judgment about the person. Adapter relocated to plugins/platforms/slack/
since the PR was authored.

Salvaged from #17059.
2026-06-30 18:05:43 -07:00
..
qqbot fix(qqbot): stop 100% CPU spin when WebSocket is closed but not None (#31193, #31771) (#40574) 2026-06-06 18:44:44 -07:00
__init__.py perf(gateway): defer QQAdapter and YuanbaoAdapter imports via PEP 562 (#22790) 2026-05-09 13:17:48 -07:00
_http_client_limits.py fix(gateway): tighten httpx keepalive and close whatsapp typing-response leak (#18451) 2026-05-02 02:23:37 -07:00
ADDING_A_PLATFORM.md feat(whatsapp): add WhatsApp Business Cloud API adapter 2026-05-23 01:07:01 -04:00
api_server.py fix(security): wire session-id sanitizer into artifact paths + API boundary 2026-06-29 04:25:45 -07:00
base.py fix(security): reuse auth chain when tagging unverified senders in Slack threads 2026-06-30 18:05:43 -07:00
bluebubbles.py fix(telegram): preserve Bot API update queue on watcher reconnect 2026-06-25 21:29:57 -07:00
helpers.py refactor: extract shared GFM table→bullet helpers into helpers.py 2026-06-27 03:57:24 +05:30
msgraph_webhook.py fix(telegram): preserve Bot API update queue on watcher reconnect 2026-06-25 21:29:57 -07:00
signal.py fix(telegram): preserve Bot API update queue on watcher reconnect 2026-06-25 21:29:57 -07:00
signal_format.py fix(signal): share markdown formatting across send paths 2026-06-20 13:47:14 +05:30
signal_rate_limit.py feat(gateway/signal): add support for multiple images sending 2026-04-30 04:28:08 -07:00
webhook.py fix(gateway): sanitize agent error messages, validate webhook gh args 2026-06-28 18:53:26 -07:00
weixin.py fix(telegram): preserve Bot API update queue on watcher reconnect 2026-06-25 21:29:57 -07:00
whatsapp_cloud.py fix(whatsapp_cloud): resolve reply-to text so the agent sees reply context (#52957) 2026-06-26 01:05:05 -07:00
whatsapp_common.py fix(whatsapp): resolve phone↔LID aliases in adapter DM/group allowlist (#53588) 2026-06-27 04:17:12 -07:00
yuanbao.py fix(telegram): preserve Bot API update queue on watcher reconnect 2026-06-25 21:29:57 -07:00
yuanbao_media.py fix(security): SSRF guard yuanbao media download_url (#54470) 2026-06-28 15:29:59 -07:00
yuanbao_proto.py feat(Yuanbao): support wechat forward msg (#43508) 2026-06-12 02:06:47 -07:00
yuanbao_sticker.py yuanbao platform (#16298) 2026-04-26 18:50:49 -07:00