Hermes CLI Path Traversal Vulnerability: Malicious Archives Could Overwrite System Files
A critical path traversal vulnerability in the Hermes CLI tool has been patched, closing a security gap that could have allowed attackers to overwrite critical system files or inject malicious executables. The flaw, a classic 'zip slip' vulnerability, existed in the profile archive extraction functions used by the `hermes profile import` and `hermes claw migrate` commands. A maliciously crafted `.tar.gz` archive could exploit this to write files outside the intended destination directory, potentially targeting locations like `/etc/cron.d/` or the user's `~/.hermes/` configuration folder.
The attack vector was straightforward. If a user ran the import or migrate command on an archive supplied by an attacker, that archive could contain members with paths such as `../../etc/cron.d/evil` or `~/.hermes/config.yaml`. During extraction, these paths were resolved relative to the system root or the user's home directory rather than the intended temporary extraction directory. The result could be the overwriting of system configuration files, the injection of scheduled tasks, or the compromise of the Hermes application's own configuration.
The fix adds a new defense layer at extraction time. The existing path normalization function was kept, but the primary mitigation now explicitly validates each extracted file's final resolved path against the intended safe destination directory, and any member whose path would land outside that directory is rejected. This patch is a critical security update for any user or automated system that processes external Hermes profile archives, since the previous behavior posed a direct risk of system compromise through file injection.
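The extraction-time check described above, written out as an added example rather than code from the Hermes project: every tar member's fully resolved path is compared with the resolved destination before anything is written, and members using absolute or home-relative names are refused outright. The `profile/` layout, the member names and the in-memory `.tar.gz` are constructed for the demo.

```python
import io
import os
import tarfile
import tempfile

def check_member(member: tarfile.TarInfo, dest_dir: str):
    """Return why a member must be rejected, or None if it is safe to extract."""
    name = member.name
    # Absolute and home-relative names never belong in a profile archive.
    if os.path.isabs(name) or name.startswith("~"):
        return f"absolute or home-relative path: {name!r}"
    # Decisive check: the resolved final path (symlinks included) must stay under dest_dir.
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        return f"path escapes destination: {name!r}"
    return None

def safe_extract(archive: io.BytesIO, dest_dir: str) -> tuple:
    """Extract only members that pass check_member; returns (extracted, rejected)."""
    extracted, rejected = [], []
    with tarfile.open(fileobj=archive, mode="r:gz") as tar:
        for member in tar:
            reason = check_member(member, dest_dir)
            if reason:
                rejected.append(reason)
                continue
            tar.extract(member, path=dest_dir)
            extracted.append(member.name)
    return extracted, rejected

def build_archive(entries: dict) -> io.BytesIO:
    """Constructed sample data: an in-memory .tar.gz built from {member_name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

def demo() -> tuple:
    """Run safe_extract over a constructed archive mixing benign and traversal members."""
    archive = build_archive({"profile/config.yaml": b"name: demo\n",
                             "../../etc/cron.d/evil": b"(constructed)\n",
                             "~/.hermes/config.yaml": b"(constructed)\n"})
    return safe_extract(archive, tempfile.mkdtemp())
```

On Python 3.12 and later, passing `filter="data"` to `TarFile.extract`/`extractall` applies equivalent containment checks natively, including for symlink and hard-link members, which the check above does not cover.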