mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-04-28 06:51:16 +08:00
Relative script paths resolved against HERMES_HOME/scripts/ were not validated to stay within that directory. Paths like '../../etc/passwd' could escape and be executed as Python.

Fix: resolve the path and verify it stays within scripts_dir using Path.relative_to().

Also apply redact_sensitive_text() to script stdout before LLM injection — same pattern as execute_code sandbox output.

Cherry-picked from PR #5093 by memosr (fixes 1 and 3; absolute path restriction dropped as too restrictive for the feature's design intent).
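
The containment check described in the commit message above, as an added example that is not the project's own code. The function names, the exception class and the temporary directory layout are assumptions; only `Path.relative_to()`, the scripts directory and the `'../../etc/passwd'` input come from the message. A string-prefix comparison is included for contrast.

```python
from pathlib import Path
import tempfile


class ScriptPathError(ValueError):
    """A relative script path resolved outside the scripts directory."""


def resolve_script_path(scripts_dir: Path, requested: str) -> Path:
    """Hypothetical helper: resolve `requested`, keeping relative paths inside scripts_dir."""
    base = scripts_dir.resolve()
    candidate = Path(requested)
    if candidate.is_absolute():
        # Assumption: absolute paths pass through (the message says that restriction was dropped).
        return candidate.resolve()
    # resolve() collapses '..' and follows symlinks, so the check sees the real target.
    resolved = (base / candidate).resolve()
    try:
        resolved.relative_to(base)
    except ValueError:
        raise ScriptPathError(f"{requested!r} escapes {base}") from None
    return resolved


def prefix_check(scripts_dir: Path, requested: str) -> bool:
    """Weaker string comparison, for contrast: a sibling directory shares the prefix."""
    base = scripts_dir.resolve()
    return str((base / requested).resolve()).startswith(str(base))


def demo() -> dict:
    """Run both checks over constructed sample paths in a temporary tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp).resolve()
        scripts = home / "scripts"
        (scripts / "sub").mkdir(parents=True)
        (home / "scripts_old").mkdir()
        for req in ("sub/ok.py", "sub/../sub/ok.py", "../../etc/passwd", "../scripts_old/x.py"):
            try:
                resolve_script_path(scripts, req)
                results[req] = "allowed"
            except ScriptPathError:
                results[req] = "rejected"
        results["prefix_check"] = prefix_check(scripts, "../scripts_old/x.py")
    return results


if __name__ == "__main__":
    print(demo())
```

The sibling directory `scripts_old` is rejected by `relative_to()` but accepted by the prefix comparison, which is why the check compares path components rather than strings.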