fix(tool): evaluate grep permissions on requested path #1227
Code Review
This pull request updates the grep tool to use the requested alias path rather than the resolved path when checking external_directory permissions, and adds a corresponding test case. The reviewer suggests simplifying this implementation by replacing the permissionPath string option with a boolean flag checkRequestedPath. This change would allow reusing the already computed and normalized path, eliminating duplicated path resolution logic, and avoiding unnecessary path normalization when classifying permission rule patterns.
Addressed the Gemini implementation-shape suggestion in f89677f:
Summary
Fix grep external-directory permission evaluation so an allowed requested alias or symlink path is honored while grep still searches the resolved real path.
Why
A grep path can be a user-approved alias that resolves outside the project. Before this change, grep resolved the path before asking for external_directory, so permission rules written for the requested alias could still prompt or deny based on the real path.
Related Issue
Ports the behavior from upstream anomalyco/opencode#26958. There is no local PawWork issue for this narrow upstream-value PR.
Human Review Status
Pending
Review Focus
Please check the permission boundary: only grep opts into requested-path permission patterns, while the default shared helper behavior for shell/read/write remains realpath-based.
Risk Notes
Permissions/path behavior changed for grep. No visible UI changed, so the UI check is not applicable. No docs, release notes, dependencies, credentials, deletion behavior, generated content, or local file changes are included. I considered macOS and Windows path impact; the regression test covers POSIX symlink behavior and the implementation uses the existing Windows path normalizer for the new optional permission path.
How To Verify
Screenshots or Recordings
Not applicable; no visible UI changed.
Checklist
bug, enhancement, task, documentation. Type labels are author-added; the labeler bot does NOT assign them. Add the label in the GitHub UI, then tick this.
app, ui, platform, harness, ci. The labeler bot assigns these on PR open based on changed paths. Confirm the bot's choice (or override if wrong), then tick this.
P0, P1, P2, P3. The priority-triage bot suggests one on PR open. Confirm or override, then tick this.
Pending, Approved by @<reviewer>, or Not required: <reason> (default is Pending; "not required" is restricted to bot-authored low-risk PRs).
dev, and my PR title and commit messages use Conventional Commits in English.
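
The behaviour described under Why and Review Focus above, modelled as an added TypeScript example; it is not code from this PR, PawWork or opencode. Apart from the page's `checkRequestedPath` and `external_directory`, every name, the alias map, the rule list and the wildcard matching are assumptions made for the sketch.

```typescript
// Added illustration, not PawWork or opencode code. The rule shape, "*"
// wildcard and last-match-wins evaluation are assumptions of this sketch.
type Action = "allow" | "ask" | "deny"
interface Rule { pattern: string; action: Action }
interface Decision { permissionPath: string; searchPath: string; action: Action }

// Constructed stand-in for the filesystem: alias (symlink) -> real directory.
const LINKS: { [alias: string]: string } = {
  "/home/dev/aliases/docs": "/opt/shared/docs",
}

// Minimal realpath model: rewrite an aliased prefix to its target.
function resolveReal(p: string): string {
  for (const alias in LINKS) {
    if (p === alias || p.indexOf(alias + "/") === 0) {
      return LINKS[alias] + p.slice(alias.length)
    }
  }
  return p
}

// Anchored wildcard match; every regex metacharacter except "*" is escaped.
function matches(pattern: string, value: string): boolean {
  const source = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*")
  return new RegExp("^" + source + "$").test(value)
}

// Unmatched paths fall back to "ask" (assumed default).
function evaluate(rules: Rule[], value: string): Action {
  let result: Action = "ask"
  for (let i = 0; i < rules.length; i++) {
    if (matches(rules[i].pattern, value)) result = rules[i].action
  }
  return result
}

// checkRequestedPath=false models the realpath-based default kept for
// shell/read/write; true models grep after this PR. The search target is
// the resolved path in both modes.
function grepDecision(requested: string, rules: Rule[], checkRequestedPath: boolean): Decision {
  const searchPath = resolveReal(requested)
  const permissionPath = checkRequestedPath ? requested : searchPath
  return { permissionPath, searchPath, action: evaluate(rules, permissionPath) }
}

// Constructed external_directory rule written against the alias.
const RULES: Rule[] = [{ pattern: "/home/dev/aliases/docs*", action: "allow" }]
```

With the realpath-based check the alias rule never matches and the call falls back to a prompt; with the requested-path check it is allowed, while the searched directory is the same in both modes.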