chore: import upstream snapshot with attribution
Deploy Site / deploy-vercel (push) Has been skipped
Deploy Site / deploy-docs (push) Has been skipped
Build Skills Index / build-index (push) Has been skipped
CI / Deny unrelated histories (push) Has been skipped
CI / Detect affected areas (push) Successful in 27m35s
CI / OSV scan (push) Failing after 4s
CI / Build&Test Docker image (push) Successful in 9s
CI / Supply-chain scan (push) Has been skipped
CI / Lint Docker scripts (push) Failing after 5m13s
CI / Check contributors (push) Failing after 12m8s
CI / Docs Site (push) Failing after 12m8s
CI / TypeScript (push) Failing after 12m8s
CI / Python lints (push) Failing after 12m9s
CI / Python tests (push) Failing after 12m9s
CI / Check uv.lock (push) Failing after 23m22s
CI / CI timing report (push) Has been cancelled
Build Skills Index / trigger-deploy (push) Has been cancelled
CI / All required checks pass (push) Has been cancelled
Deploy Site / deploy-vercel (push) Has been skipped
Deploy Site / deploy-docs (push) Has been skipped
Build Skills Index / build-index (push) Has been skipped
CI / Deny unrelated histories (push) Has been skipped
CI / Detect affected areas (push) Successful in 27m35s
CI / OSV scan (push) Failing after 4s
CI / Build&Test Docker image (push) Successful in 9s
CI / Supply-chain scan (push) Has been skipped
CI / Lint Docker scripts (push) Failing after 5m13s
CI / Check contributors (push) Failing after 12m8s
CI / Docs Site (push) Failing after 12m8s
CI / TypeScript (push) Failing after 12m8s
CI / Python lints (push) Failing after 12m9s
CI / Python tests (push) Failing after 12m9s
CI / Check uv.lock (push) Failing after 23m22s
CI / CI timing report (push) Has been cancelled
Build Skills Index / trigger-deploy (push) Has been cancelled
CI / All required checks pass (push) Has been cancelled
This commit is contained in:
@@ -0,0 +1,73 @@
|
||||
"""Regression test: the cua-driver CLI-fallback transport must sanitize the
|
||||
subprocess environment like every other cua-driver spawn site.
|
||||
|
||||
``_CuaDriverSession._call_tool_via_cli()`` (the EAGAIN/silent-empty MCP
|
||||
fallback) invoked ``subprocess.run`` with no ``env=`` at all, so the
|
||||
third-party ``cua-driver`` binary inherited the full, unsanitized parent
|
||||
environment — including provider API keys and other Hermes-managed
|
||||
secrets that ``_lifecycle_coro``'s primary MCP spawn already strips via
|
||||
``_sanitize_subprocess_env(cua_driver_child_env())``.
|
||||
"""
|
||||
|
||||
import json
|
||||
from unittest.mock import MagicMock
|
||||
|
||||
from tools.computer_use.cua_backend import _CuaDriverSession
|
||||
|
||||
|
||||
def _make_session() -> _CuaDriverSession:
|
||||
# _call_tool_via_cli() doesn't touch any instance state (bridge/session/
|
||||
# capabilities); bypass __init__ so the test doesn't need a real
|
||||
# _AsyncBridge.
|
||||
return object.__new__(_CuaDriverSession)
|
||||
|
||||
|
||||
def _fake_completed_process(stdout: str) -> MagicMock:
|
||||
proc = MagicMock()
|
||||
proc.stdout = stdout
|
||||
proc.stderr = ""
|
||||
proc.returncode = 0
|
||||
return proc
|
||||
|
||||
|
||||
def test_cli_fallback_strips_provider_secret_from_subprocess_env(monkeypatch):
|
||||
monkeypatch.setenv("ANTHROPIC_API_KEY", "sk-super-secret-should-not-leak")
|
||||
monkeypatch.setenv("PATH", "/usr/bin:/bin")
|
||||
|
||||
captured = {}
|
||||
|
||||
def fake_run(cmd, **kwargs):
|
||||
captured["env"] = kwargs.get("env")
|
||||
return _fake_completed_process(json.dumps({"tree_markdown": "root"}))
|
||||
|
||||
monkeypatch.setattr("subprocess.run", fake_run)
|
||||
|
||||
session = _make_session()
|
||||
result = session._call_tool_via_cli("list_windows", {}, timeout=5.0)
|
||||
|
||||
assert result["isError"] is False
|
||||
assert captured["env"] is not None, "subprocess.run must receive an explicit env="
|
||||
assert "ANTHROPIC_API_KEY" not in captured["env"]
|
||||
# Sanitization filters secrets, not everything — an ordinary var survives.
|
||||
assert captured["env"].get("PATH") == "/usr/bin:/bin"
|
||||
|
||||
|
||||
def test_cli_fallback_applies_telemetry_policy(monkeypatch):
|
||||
"""The env should also go through cua_driver_child_env(), like every
|
||||
other cua-driver spawn site, not just _sanitize_subprocess_env alone."""
|
||||
monkeypatch.delenv("HERMES_CUA_TELEMETRY", raising=False)
|
||||
captured = {}
|
||||
|
||||
def fake_run(cmd, **kwargs):
|
||||
captured["env"] = kwargs.get("env")
|
||||
return _fake_completed_process(json.dumps({"tree_markdown": "root"}))
|
||||
|
||||
monkeypatch.setattr("subprocess.run", fake_run)
|
||||
|
||||
session = _make_session()
|
||||
session._call_tool_via_cli("list_windows", {}, timeout=5.0)
|
||||
|
||||
# cua_driver_child_env() injects this when telemetry is disabled
|
||||
# (the default) — confirms the fallback goes through the same helper
|
||||
# the sanctioned spawn site uses, not an ad hoc env dict.
|
||||
assert captured["env"].get("CUA_DRIVER_RS_TELEMETRY_ENABLED") == "0"
|
||||
Reference in New Issue
Block a user