hermes-agent/plugins/platforms
syahidfrd 0198713c33 fix(security): reuse auth chain when tagging unverified senders in Slack threads
Mitigates indirect prompt injection (CWE-863) in Slack thread context.
When the bot is mentioned mid-thread for the first time, _fetch_thread_context
pulls the full thread via conversations.replies and prepends every reply to
the LLM prompt. Replies from senders not on the allowlist were rendered
identically to authorised senders, letting a third party in a shared channel
inject instructions the model might act on when answering the next authorised
message.

- BasePlatformAdapter.set_authorization_check / _is_sender_authorized, registered
  by GatewayRunner._make_adapter_auth_check() with a closure over the existing
  _is_user_authorized chain (platform/global/group allowlists, allow-all flags,
  pairing store all stay the single source of truth — no env-var re-parsing).
- Tags non-bot thread messages whose sender fails the auth check with an
  [unverified] prefix; strengthens the header with soft guidance only when at
  least one unverified message is present, so setups without an allowlist see
  no behaviour change.
- Wired into all three adapter-init sites in run.py (start, reconnect watcher,
  restart) so the reconnect path is covered too.

Softened wording: adapted from the original [untrusted] tag to [unverified]
and non-accusatory header framing — the label reflects allowlist status, not
a judgment about the person. Adapter relocated to plugins/platforms/slack/
since the PR was authored.

Salvaged from #17059.
2026-06-30 18:05:43 -07:00
dingtalk fix(telegram): preserve Bot API update queue on watcher reconnect 2026-06-25 21:29:57 -07:00
discord fix(discord): accept raw direct bot mentions and ignore bare mention-only pings 2026-06-30 16:38:31 -07:00
email fix(telegram): preserve Bot API update queue on watcher reconnect 2026-06-25 21:29:57 -07:00
feishu fix(anthropic+feishu): model-gate max_tokens fallback; wire Feishu channel_prompt 2026-06-30 17:20:41 -07:00
google_chat fix(telegram): preserve Bot API update queue on watcher reconnect 2026-06-25 21:29:57 -07:00
homeassistant fix(telegram): preserve Bot API update queue on watcher reconnect 2026-06-25 21:29:57 -07:00
irc fix(telegram): preserve Bot API update queue on watcher reconnect 2026-06-25 21:29:57 -07:00
line fix(telegram): preserve Bot API update queue on watcher reconnect 2026-06-25 21:29:57 -07:00
matrix fix(gateway): stop Matrix upload fallback from leaking host path 2026-06-30 03:24:36 -07:00
mattermost fix(matrix,mattermost): invite auth check + API path traversal guard 2026-06-28 20:47:33 -07:00
ntfy fix(telegram): preserve Bot API update queue on watcher reconnect 2026-06-25 21:29:57 -07:00
photon revert(windows): roll back terminal-popup PRs #53791 #53810 #53829 (#53853) 2026-06-27 15:59:00 -07:00
raft revert(windows): roll back terminal-popup PRs #53791 #53810 #53829 (#53853) 2026-06-27 15:59:00 -07:00
simplex fix(telegram): preserve Bot API update queue on watcher reconnect 2026-06-25 21:29:57 -07:00
slack fix(security): reuse auth chain when tagging unverified senders in Slack threads 2026-06-30 18:05:43 -07:00
sms fix(telegram): preserve Bot API update queue on watcher reconnect 2026-06-25 21:29:57 -07:00
teams fix(telegram): preserve Bot API update queue on watcher reconnect 2026-06-25 21:29:57 -07:00
telegram fix(telegram): cancel delayed deliveries on disconnect 2026-06-30 17:39:30 -07:00
wecom fix(security): cap WeCom callback body size before pre-auth XML parse (#54615) 2026-06-28 22:35:43 -07:00
whatsapp fix(profile): resolve WhatsApp media-path cache roots per-call 2026-06-30 15:30:06 -07:00