hermes-agent-features/tests/tools
fr33d3m0n 976d8e27ad fix(approval): catch sudo with stdin/askpass/shell privilege flags
Adds the only #17873 category not covered by the in-flight PRs #17962
(briandevans, reverse shell + download-execute) and #7993 (SHL0MS,
credential reads + curl/wget exfiltration): sudo invocations that an
LLM-driven agent can drive without TTY interaction.

The agent has no TTY, so the sudo forms that succeed without human
involvement are those reading the password from stdin (`-S` / `--stdin`)
or via an askpass helper (`-A` / `--askpass`). The shell-launch (`-s`)
and list-privileges (`-a`) flags are also gated since they are
privilege-relevant invocations the agent can chain after acquiring the
password (e.g. read SUDO_PASSWORD from .env -> sudo -S -s -> root shell).
Plain `sudo cmd` (no flag) is TTY-bound and excluded.

Two patterns:

  1. Direct flag: `\bsudo\b[^;|&\n]*?\s+(?:-s\b|--stdin\b|-a\b|--askpass\b)`
     The lazy `[^;|&\n]*?` consumes flag-arguments without spanning
     command separators, so `sudo -u root -S whoami` matches (a textbook
     offensive form that a strict `(?:\s+-[^\s]+)*` "leading flags only"
     pattern would have missed because `root` is a flag-value not a flag).

  2. Combined short flags: `\bsudo\b[^;|&\n]*?\s+-[a-z]*[sa][a-z]*\b`
     Catches packed forms like `sudo -nS id` where multiple flags share
     a single `-X` token.

`_normalize_command_for_detection` lowercases input before pattern
matching (tools/approval.py:340), so case variants of S/s and A/a
collapse — both letter-pairs are gated since each is a privilege-
relevant invocation.

Tests: 21 new cases in TestDetectSudoStdin (12 positive covering all
flag-order permutations including herestring source and printf-piped
forms; 9 negative including TTY-bound `sudo whoami`, interactive
`sudo -i`, env-var reference `$SUDO_USER`, doc lookup `man sudo`,
package install, and the `pseudosudo` word-boundary edge case).

Empirical coverage: 11/11 attacks matched, 0/10 false positives.

Refs: #17873 category 4. Adjacent: #17962 (reverse shell + download-
execute), #7993 (credential reads + curl/wget exfiltration).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 06:56:30 -07:00
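The two patterns quoted in the commit message, run over constructed sample commands. This is an added example, not code from the project or its test suite: `normalize` is a hypothetical lowercase-only stand-in for `_normalize_command_for_detection`, and `sudo_flag_hits` is an illustrative name. The last sample goes slightly beyond the message and shows the packed-flag pattern also flagging a wrapped command's own `-la` option.

```python
import re

# Patterns copied from the commit message; both expect lowercased input.
DIRECT_FLAG = re.compile(r"\bsudo\b[^;|&\n]*?\s+(?:-s\b|--stdin\b|-a\b|--askpass\b)")
PACKED_FLAGS = re.compile(r"\bsudo\b[^;|&\n]*?\s+-[a-z]*[sa][a-z]*\b")


def normalize(command: str) -> str:
    """Hypothetical stand-in for _normalize_command_for_detection: lowercase only."""
    return command.lower()


def sudo_flag_hits(command: str) -> list[str]:
    """Return the names of the patterns that match the normalized command."""
    text = normalize(command)
    hits = []
    if DIRECT_FLAG.search(text):
        hits.append("direct")
    if PACKED_FLAGS.search(text):
        hits.append("packed")
    return hits


# Constructed sample commands (assumptions for illustration only).
SAMPLES = [
    "sudo -u root -S whoami",  # flag value `root` sits between sudo and -S
    "sudo -nS id",             # packed short flags in one token
    "sudo --askpass true",     # long form, direct pattern only
    "sudo whoami",             # TTY-bound, no flag
    "sudo -i",                 # interactive, no s/a letter
    "man sudo",                # documentation lookup
    "echo $SUDO_USER",         # `_` after sudo defeats the trailing \b
    "pseudosudo -S id",        # no word boundary before sudo
    "sudo whoami; ls -s",      # -s belongs to a command after the separator
    "sudo ls -la /root",       # wrapped command's own flag contains `a`
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(f"{cmd!r:28} -> {sudo_flag_hits(cmd) or 'no match'}")
```
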
__init__.py
test_accretion_caps.py
test_ansi_strip.py
test_approval_heartbeat.py
test_approval_plugin_hooks.py
test_approval.py fix(approval): catch sudo with stdin/askpass/shell privilege flags 2026-05-11 06:56:30 -07:00
test_base_environment.py
test_browser_camofox_persistence.py
test_browser_camofox_state.py
test_browser_camofox.py
test_browser_cdp_override.py
test_browser_cdp_tool.py
test_browser_chromium_check.py
test_browser_cleanup.py
test_browser_cloud_fallback.py
test_browser_cloud_provider_cache.py
test_browser_console.py
test_browser_content_none_guard.py
test_browser_eval_supervisor_path.py
test_browser_hardening.py
test_browser_homebrew_paths.py
test_browser_hybrid_routing.py
test_browser_lightpanda.py
test_browser_orphan_reaper.py
test_browser_secret_exfil.py
test_browser_ssrf_local.py
test_browser_supervisor_healthcheck.py
test_browser_supervisor.py
test_budget_config.py
test_checkpoint_manager.py
test_clarify_tool.py
test_clipboard.py
test_code_execution_modes.py
test_code_execution_windows_env.py
test_code_execution.py
test_command_guards.py
test_computer_use.py
test_config_null_guard.py
test_credential_files.py
test_credential_pool_env_fallback.py
test_cron_approval_mode.py
test_cron_prompt_injection.py
test_cronjob_tools.py
test_daytona_environment.py
test_debug_helpers.py
test_delegate_composite_toolsets.py
test_delegate_subagent_timeout_diagnostic.py
test_delegate_toolset_scope.py
test_delegate.py
test_discord_tool.py
test_docker_environment.py
test_docker_find.py
test_dockerfile_node_modules_perms.py
test_dockerfile_pid1_reaping.py
test_env_passthrough.py
test_feishu_tools.py
test_file_operations_edge_cases.py
test_file_operations.py
test_file_ops_cwd_tracking.py
test_file_read_guards.py
test_file_staleness.py
test_file_state_registry.py
test_file_sync_back.py
test_file_sync_perf.py
test_file_sync.py
test_file_tools_container_config.py
test_file_tools_live.py
test_file_tools.py
test_file_write_safety.py
test_force_dangerous_override.py
test_fuzzy_match.py
test_hardline_blocklist.py fix(terminal): block sudo -S password guessing when SUDO_PASSWORD is not set 2026-05-11 06:56:30 -07:00
test_heartbeat_stale_thresholds.py
test_hidden_dir_filter.py
test_homeassistant_tool.py
test_image_generation_env.py
test_image_generation_plugin_dispatch.py
test_image_generation.py
test_init_session_cwd_respect.py
test_interrupt.py
test_kanban_tools.py fix(tools): clarify kanban_complete phantom-card retry guidance 2026-05-10 16:14:43 -07:00
test_llm_content_none_guard.py
test_local_background_child_hang.py
test_local_env_blocklist.py
test_local_env_cwd_recovery.py
test_local_interrupt_cleanup.py
test_local_shell_init.py
test_local_tempdir.py
test_managed_browserbase_and_modal.py
test_managed_media_gateways.py
test_managed_modal_environment.py
test_managed_server_tool_support.py
test_managed_tool_gateway.py
test_mcp_cancelled_error_propagation.py
test_mcp_circuit_breaker.py
test_mcp_dynamic_discovery.py
test_mcp_empty_error_message.py
test_mcp_image_content.py
test_mcp_oauth_bidirectional.py
test_mcp_oauth_cold_load_expiry.py
test_mcp_oauth_integration.py
test_mcp_oauth_manager.py
test_mcp_oauth_metadata.py
test_mcp_oauth.py
test_mcp_probe.py
test_mcp_reconnect_signal.py
test_mcp_sse_transport.py
test_mcp_stability.py
test_mcp_structured_content.py
test_mcp_tool_401_handling.py
test_mcp_tool_issue_948.py
test_mcp_tool_session_expired.py
test_mcp_tool.py
test_mcp_utility_capability_gating.py
test_memory_tool_import_fallback.py
test_memory_tool_schema.py
test_memory_tool.py
test_microsoft_graph_auth.py
test_microsoft_graph_client.py
test_mixture_of_agents_tool.py
test_modal_bulk_upload.py
test_modal_sandbox_fixes.py
test_modal_snapshot_isolation.py
test_notify_on_complete.py
test_osv_check.py
test_parse_env_var.py
test_patch_parser.py
test_process_registry.py
test_read_loop_detection.py
test_registry.py
test_resolve_path.py
test_rl_training_tool.py
test_schema_sanitizer.py
test_search_hidden_dirs.py
test_send_message_missing_platforms.py
test_send_message_tool.py chore: remove unused sentinel in test_send_message_tool 2026-05-11 06:44:58 -07:00
test_session_search.py
test_shared_container_task_id.py
test_signal_media.py
test_singularity_preflight.py
test_skill_env_passthrough.py
test_skill_improvements.py
test_skill_manager_tool.py
test_skill_provenance.py
test_skill_size_limits.py
test_skill_usage.py
test_skill_view_path_check.py
test_skill_view_traversal.py
test_skills_guard.py
test_skills_hub_clawhub.py
test_skills_hub.py
test_skills_sync.py
test_skills_tool.py
test_slash_confirm.py
test_spotify_client.py
test_ssh_bulk_upload.py
test_ssh_environment.py
test_symlink_prefix_confusion.py
test_sync_back_backends.py
test_terminal_compound_background.py
test_terminal_config_env_sync.py
test_terminal_exit_semantics.py
test_terminal_foreground_timeout_cap.py
test_terminal_none_command_guard.py
test_terminal_output_transform_hook.py
test_terminal_requirements.py
test_terminal_task_cwd.py
test_terminal_timeout_output.py
test_terminal_tool_pty_fallback.py
test_terminal_tool_requirements.py
test_terminal_tool.py
test_threaded_process_handle.py
test_tirith_security.py
test_todo_tool.py
test_tool_backend_helpers.py
test_tool_call_parsers.py
test_tool_output_limits.py
test_tool_result_storage.py
test_transcription_dotenv_fallback.py
test_transcription_tools.py
test_transcription.py
test_tts_command_providers.py
test_tts_dotenv_fallback.py
test_tts_gemini.py
test_tts_kittentts.py
test_tts_max_text_length.py
test_tts_mistral.py
test_tts_piper.py
test_tts_speed.py
test_url_safety.py
test_vercel_sandbox_environment.py
test_video_analyze.py
test_vision_native_fast_path.py
test_vision_tools.py
test_voice_cli_integration.py
test_voice_mode.py
test_watch_patterns.py
test_web_providers_brave_free.py
test_web_providers_ddgs.py
test_web_providers_searxng.py
test_web_providers.py
test_web_tools_config.py
test_web_tools_tavily.py
test_website_policy.py
test_windows_compat.py
test_windows_native_support.py
test_write_deny.py
test_yolo_mode.py
test_zombie_process_cleanup.py