mirror of
https://github.com/nesquena/hermes-webui.git
synced 2026-07-11 10:10:36 +00:00
63bb2f9884
Pre-release dual-gate (Codex + Opus) on #3219 surfaced that /api/media serves files under the allowlisted Hermes home, including settings.json / state.db / auth.json / config.yaml. #3219 makes this materially worse: pre-#3219 a bare file:// URL in agent output rendered as inert text, but #3219 turns it into an auto-loading <img src=/api/media?path=...> that fetches on render. Rather than weaken #3219, harden the boundary at the route: hard-deny known secret/config filenames and the WebUI state subdirs (sessions/memories/profiles + STATE_DIR) before the allow/serve decision, covering every entry path (bare file://, markdown anchors, MEDIA: tokens, session-token grants). Adds a live-server regression test. Closes #3234. Co-authored-by: AJV20 <24819659+AJV20@users.noreply.github.com>