From 91512b821074cd481864565322b1fec74f30434c Mon Sep 17 00:00:00 2001 From: sprmn24 Date: Mon, 27 Apr 2026 00:47:43 +0300 Subject: [PATCH] fix(whatsapp_identity): guard against path traversal and silent mapping errors expand_whatsapp_aliases() interpolated untrusted identifiers directly into filenames (lid-mapping-{current}.json) without validation. An identifier containing ../ or / could escape the session directory. Also replaced bare except Exception: continue with targeted (OSError, json.JSONDecodeError) and a debug log so mapping corruption is diagnosable instead of silently skipped. Fixes: - Reject identifiers with unsafe characters via re.match guard - Replace broad exception swallow with specific catch + debug log --- gateway/whatsapp_identity.py | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/gateway/whatsapp_identity.py b/gateway/whatsapp_identity.py index b0792daf7..0b065ae69 100644 --- a/gateway/whatsapp_identity.py +++ b/gateway/whatsapp_identity.py @@ -31,8 +31,12 @@ Hermes' own session keys. from __future__ import annotations import json +import logging +import re from typing import Set +logger = logging.getLogger(__name__) + from hermes_constants import get_hermes_home @@ -81,6 +85,8 @@ def expand_whatsapp_aliases(identifier: str) -> Set[str]: current = queue.pop(0) if not current or current in resolved: continue + if not re.match(r'^[\w@.+-]+$', current): + continue resolved.add(current) for suffix in ("", "_reverse"): @@ -91,7 +97,8 @@ def expand_whatsapp_aliases(identifier: str) -> Set[str]: mapped = normalize_whatsapp_identifier( json.loads(mapping_path.read_text(encoding="utf-8")) ) - except Exception: + except (OSError, json.JSONDecodeError) as exc: + logger.debug("whatsapp_identity: failed to read %s: %s", mapping_path, exc) continue if mapped and mapped not in resolved: queue.append(mapped)