feat: allow custom docker-compatible sandbox commands (nerdctl, etc.) #14499

Closed
AkihiroSuda wants to merge 1 commit into google-gemini:main from AkihiroSuda:allow-custom-docker-command

@AkihiroSuda
Contributor

Summary

Allows users to specify Docker-compatible CLIs

Details

The GEMINI_SANDBOX environment variable can now be set to an arbitrary Docker-compatible CLI,
e.g.,

Related Issues

Fixes #14484

How to Validate

brew install lima
limactl start --mount-writable --rosetta

Note

--rosetta is needed on ARM Mac, as there is still no native ARM support in
us-docker.pkg.dev/gemini-code-dev/gemini-cli/sandbox:X.Y.Z:

npm install
export GEMINI_SANDBOX_IMAGE=us-docker.pkg.dev/gemini-code-dev/gemini-cli/sandbox:0.19.0
export GEMINI_SANDBOX=nerdctl.lima
./bundle/gemini.js

Pre-Merge Checklist

  • Updated relevant documentation and README (if needed)
  • Added/updated tests (if needed)
  • (Not applicable) Noted breaking changes (if any)
  • Validated on required platforms/methods:
    • MacOS
      • npm run
      • npx
      • Docker
      • Podman
      • Seatbelt
      • nerdctl.lima (new)
    • Windows
      • npm run
      • npx
      • Docker
    • Linux
      • npm run
      • npx
      • Docker

@AkihiroSuda AkihiroSuda requested a review from a team as a code owner December 4, 2025 12:50
@gemini-code-assist
Contributor

Summary of Changes

Hello @AkihiroSuda, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a significant enhancement to the sandboxing feature by allowing users to define and utilize any Docker-compatible command-line interface for container operations. This change broadens the compatibility of the system with various container runtimes beyond the default Docker and Podman, offering greater flexibility and choice for developers. The update involves modifications to the configuration schema, validation logic, and user documentation to support this new capability.

Highlights

  • Custom Sandbox Commands: The system now supports specifying custom Docker-compatible command-line interfaces (CLIs) for sandboxing, such as nerdctl, nerdctl.lima, or finch, via the GEMINI_SANDBOX environment variable.
  • Configuration Flexibility: The SandboxConfig interface has been updated to allow any string as a valid sandbox command, removing the previous restriction to a predefined list of docker, podman, or sandbox-exec.
  • Simplified Validation Logic: The internal logic for determining the sandbox command has been streamlined, now primarily checking for the existence of the specified command on the system rather than validating against a hardcoded list.
  • Documentation Update: The docs/cli/sandbox.md file has been updated to reflect the new capability, guiding users on how to leverage custom Docker-compatible CLIs for sandboxing.

Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request enables the use of custom Docker-compatible CLIs for sandboxing by allowing the GEMINI_SANDBOX environment variable to be set to an arbitrary command. While this adds flexibility, I've identified a critical security vulnerability and a high-severity bug in the implementation.

The main issue is a command injection vulnerability created by removing the whitelist for sandbox commands. This allows arbitrary code execution if the GEMINI_SANDBOX environment variable is manipulated, for instance, through a malicious project's .env file. Additionally, the sandbox command from the environment variable is converted to lowercase, which will cause it to fail on case-sensitive systems if the command contains uppercase letters.

I've provided specific comments and suggestions in the code to address these issues.
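
The two points raised in the review above (which values GEMINI_SANDBOX may select, and the lowercasing of the command name), as an added example that is not part of the pull request or of gemini-cli. `resolveSandboxCommand` and its `origin` parameter are hypothetical; the built-in names are the ones the summary above lists as the previous allow-list, and restricting project `.env` values to those built-ins is one possible policy, not the project's.

```javascript
// Added example: hypothetical helper, not code from gemini-cli.
// Built-in names are the ones the PR summary lists as the previous allow-list.
const BUILTIN_COMMANDS = new Set(['docker', 'podman', 'sandbox-exec']);

// A bare executable name: no whitespace, path separators or shell metacharacters.
const BARE_COMMAND = /^[A-Za-z0-9][A-Za-z0-9._-]*$/;

/**
 * Decide which sandbox command a GEMINI_SANDBOX value may select.
 * @param {string} value  raw value of GEMINI_SANDBOX
 * @param {'process'|'project-dotenv'} origin  where the value was read from
 *        (assumed to be tracked by the caller; hypothetical parameter)
 */
function resolveSandboxCommand(value, origin) {
  const raw = String(value ?? '').trim();
  if (raw === '') return { ok: false, reason: 'empty' };

  // Match built-ins case-insensitively, but never rewrite a custom name:
  // lowercasing "MyRuntime" would look up a different file on a
  // case-sensitive filesystem.
  const lowered = raw.toLowerCase();
  if (BUILTIN_COMMANDS.has(lowered)) {
    return { ok: true, command: lowered, custom: false };
  }

  if (!BARE_COMMAND.test(raw)) {
    return { ok: false, reason: 'not-a-bare-command-name' };
  }

  // A value read from a project-controlled .env file is limited to built-ins;
  // only the user's own process environment may name a custom CLI.
  if (origin !== 'process') {
    return { ok: false, reason: 'custom-command-from-untrusted-origin' };
  }
  return { ok: true, command: raw, custom: true };
}

// Constructed sample inputs (not taken from the PR).
const samples = [
  ['nerdctl.lima', 'process'], ['Docker', 'process'], ['MyRuntime', 'process'],
  ['nerdctl', 'project-dotenv'], ['nerdctl; echo x', 'process'], ['./run.sh', 'process'],
];
for (const [value, origin] of samples) {
  console.log(JSON.stringify(value), origin, resolveSandboxCommand(value, origin));
}
```

The returned name is meant to be passed as the executable to an argv-style `child_process.spawn` or `execFile` call without a shell, so it is never re-parsed as a command line.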

@AkihiroSuda
Contributor Author

AkihiroSuda commented Dec 4, 2025

> The main issue is a command injection vulnerability created by removing the whitelist for sandbox commands. This allows arbitrary code execution if the GEMINI_SANDBOX environment variable is manipulated, for instance, through a malicious project's .env file.

Disagree.
If an attacker could manipulate the env vars, they could already just inject malicious $PATH, $LD_PRELOAD_LIBRARY, etc. So it is not a new attack vector.

Allows users to specify Docker-compatible CLIs (like nerdctl, finch)
via the GEMINI_SANDBOX environment variable (e.g. GEMINI_SANDBOX=nerdctl).

Fixes issue 14484

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

@AkihiroSuda AkihiroSuda force-pushed the allow-custom-docker-command branch from 4f57288 to efe023a December 4, 2025 13:10
@gemini-cli gemini-cli bot added the priority/p2 and area/platform labels Jan 7, 2026
@sehoon38 sehoon38 requested a review from a team as a code owner January 21, 2026 04:12
@gemini-cli
Contributor

gemini-cli bot commented Jan 24, 2026

Hi there! Thank you for your contribution to Gemini CLI. We really appreciate the time and effort you've put into this pull request.

To keep our backlog manageable and ensure we're focusing on current priorities, we are closing pull requests that haven't seen maintainer activity for 30 days. Currently, the team is prioritizing work associated with 🔒 maintainer only or help wanted issues.

If you believe this change is still critical, please feel free to comment with updated details. Otherwise, we encourage contributors to focus on open issues labeled as help wanted. Thank you for your understanding!

@gemini-cli gemini-cli bot closed this Jan 24, 2026
@AkihiroSuda
Contributor Author

> haven't seen maintainer activity for 30 days

Just 4 days ago @sehoon38 requested a review though?

@AkihiroSuda
Contributor Author

> Another thought is that the built-in sandboxing feature was already meant to be extensible to any command that supports a docker/podman-compatible command line interface for building (<sandbox> build ...) and running (<sandbox> run ...) sandboxes. For example we thought https://github.com/apple/container should be relatively easy to support this way. Could this work for Lima VM or some of the other ideas you had above? Easiest way to explore this would probably be to use a pre-built sandbox and just try to get gemini to "hop into" it, which basically means it invokes <sandbox> run ... to run itself inside sandbox and then exits. From there it should not be too hard to get the building to work also.
>
> Originally posted by @olcan in #3216


@olcan Could you take a look at this PR? Any chance to get this PR reopened?

@AkihiroSuda
Contributor Author

@sehoon38 @olcan Any chance to reopen this PR? 🙏


Labels

area/platform Issues related to Build infra, Release mgmt, Testing, Eval infra, Capacity, Quota mgmt priority/p2 Important but can be addressed in a future release.

Development

Successfully merging this pull request may close these issues.

GEMINI_SANDBOX=docker: allow specifying Docker-compatible CLI (nerdctl, nerdctl.lima, finch)
