security: implement deceptive URL detection and disclosure in tool confirmations #19288

Merged
ehedlund merged 6 commits into google-gemini:main from ehedlund:url-security-clean
Feb 20, 2026

@ehedlund ehedlund commented Feb 17, 2026

Summary

This PR implements security protections against deceptive URLs (e.g., homograph attacks) in tool confirmations.

Details

  • Detection Utility: Added urlSecurityUtils.ts providing isDeceptiveUrl, getDeceptiveUrlDetails, and toUnicodeUrl using robust WHATWG URL parsing.
  • Deceptive URL Warning: Integrated a persistent, high-visibility warning block in ToolConfirmationMessage.tsx that reveals the Punycode (actual) identity of suspicious URLs.

Related Issues

https://github.com/google-gemini/maintainers-gemini-cli/issues/1206

How to Validate

  1. Unit Tests: npm test -w @google/gemini-cli -- src/ui/utils/urlSecurityUtils.test.ts
  2. Integration Tests: npm test -w @google/gemini-cli -- src/ui/components/messages/ToolConfirmationMessage.test.tsx
  3. Manual Verification:
    • Trigger a tool confirmation containing a deceptive URL (e.g., using a Cyrillic 'e').
    • Verify the prominent warning block appears with "Original" and "Actual Host (Punycode)" fields.

@gemini-code-assist

Summary of Changes

Hello @ehedlund, I'm Gemini Code Assist[1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces robust security measures to detect and warn users about deceptive URLs, specifically targeting homograph attacks, within tool confirmation messages. It enhances user safety by clearly disclosing the actual Punycode identity of suspicious URLs and ensuring warnings are prominently displayed.

Highlights

  • Deceptive URL Detection: Implemented urlSecurityUtils.ts with functions like isDeceptiveUrl and getDeceptiveUrlDetails to identify URLs that might be part of homograph attacks.
  • Prominent Security Warnings: Integrated a highly visible warning block into ToolConfirmationMessage.tsx that reveals both the original (Unicode) and actual (Punycode) forms of deceptive URLs.
  • Unicode URL Display: Updated the display of URLs in confirmation messages to show their Unicode representation for better user context, while the warning mechanism handles security disclosure.
  • Dynamic Layout Adjustment: Added calculateWrappedHeight to ensure that security warnings are always fully visible and correctly sized within the terminal's confirmation dialog.
  • Standardized Terminology: Standardized on "Deceptive URL" terminology and removed emojis to improve terminal rendering consistency and clarity.

Changelog

  • packages/cli/src/ui/components/messages/ToolConfirmationMessage.test.tsx
    • Added new test cases to verify the display of warning messages for deceptive URLs in both 'info' and 'exec' type confirmations, including aggregation of multiple deceptive URLs.
  • packages/cli/src/ui/components/messages/ToolConfirmationMessage.tsx
    • Imported new URL security utilities and getPlainTextLength.
    • Introduced calculateWrappedHeight for dynamic layout of wrapped text.
    • Added logic to detect and display deceptive URL warnings based on confirmationDetails.
    • Updated the availableBodyContentHeight calculation to account for the new warning message height.
    • Modified the return type of the main useMemo hook to include securityWarnings.
    • Updated URL rendering in 'info' type confirmations to use toUnicodeUrl for Unicode-first display.
    • Rendered securityWarnings conditionally within the component's main Box.
  • packages/cli/src/ui/utils/urlSecurityUtils.test.ts
    • Added comprehensive unit tests for toUnicodeUrl, isDeceptiveUrl, and getDeceptiveUrlDetails to ensure correct functionality of URL security checks.
  • packages/cli/src/ui/utils/urlSecurityUtils.ts
    • Created a new utility file containing functions and an interface for URL security.
    • Defined DeceptiveUrlDetails interface to structure warning information.
    • Implemented containsDeceptiveMarkers to check hostnames for non-ASCII or Punycode indicators.
    • Developed toUnicodeUrl to convert Punycode URLs to their Unicode representation, manually reconstructing the URL.
    • Created getDeceptiveUrlDetails to extract detailed information for potentially deceptive URLs.
    • Implemented isDeceptiveUrl to provide a boolean check for deceptive URL characteristics.

Activity

  • No human activity (comments, reviews, etc.) has occurred on this pull request yet.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-cli gemini-cli bot added the status/need-issue label (Pull requests that need to have an associated issue.) Feb 17, 2026

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

The pull request introduces important security features for detecting deceptive URLs (homograph attacks). However, two high-severity vulnerabilities were identified: a UI spoofing/markdown injection vulnerability in the URL reconstruction logic that could allow an attacker to manipulate the security warning message, and a case-sensitive regex bypass that allows deceptive URLs to go undetected if they use uppercase protocol schemes (e.g., HTTPS://). Both issues should be addressed to ensure the effectiveness of the homograph protection.
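
The hostname check and the scheme-case bypass named in the review above, as an added TypeScript example that is not the project's urlSecurityUtils.ts. All names (`findDeceptiveUrls`, `Finding`, `URL_SOURCE`) and the sample string are assumptions made for illustration; the point is that extraction must be case-insensitive and that the Punycode check should run on the WHATWG parser's normalized hostname.

```typescript
// Added illustration; every name here is hypothetical, not the project's API.
interface Finding {
  original: string; // URL text exactly as it appeared in the confirmation
  punycodeHost: string; // ASCII host the request would actually reach
}

const URL_SOURCE = "https?://[^\\s\"'<>]+";

// The WHATWG parser lowercases the scheme and host and converts non-ASCII
// labels to their "xn--" (Punycode) form, so the check runs on its output.
function parseUrl(raw: string): URL | null {
  try {
    return new URL(raw);
  } catch {
    return null; // text that does not parse is not treated as a URL here
  }
}

function hasPunycodeLabel(hostname: string): boolean {
  return hostname.split(".").some((label) => /^xn--/.test(label));
}

// ignoreCase=false reproduces the case-sensitive extraction that the review
// flags: "HTTPS://..." is never extracted, so it is never checked.
function findDeceptiveUrls(text: string, ignoreCase: boolean = true): Finding[] {
  const re = new RegExp(URL_SOURCE, ignoreCase ? "gi" : "g");
  const findings: Finding[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(text)) !== null) {
    const parsed = parseUrl(m[0]);
    if (parsed !== null && hasPunycodeLabel(parsed.hostname)) {
      findings.push({ original: m[0], punycodeHost: parsed.hostname });
    }
  }
  return findings;
}

// Constructed sample: the second host starts with Cyrillic U+0435, not Latin "e".
const SAMPLE = "curl https://example.com/a HTTPS://\u0435xample.com/b";
console.log(findDeceptiveUrls(SAMPLE)); // hardened extraction
console.log(findDeceptiveUrls(SAMPLE, false)); // case-sensitive extraction
```

The `original` and `punycodeHost` fields correspond to the "Original" and "Actual Host (Punycode)" values the PR description says the warning block shows.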

gemini-cli bot commented Feb 18, 2026

Hi there! Thank you for your contribution to Gemini CLI.

To improve our contribution process and better track changes, we now require all pull requests to be associated with an existing issue, as announced in our recent discussion and as detailed in our CONTRIBUTING.md.

This pull request is being closed because it is not currently linked to an issue. Once you have updated the description of this PR to link an issue (e.g., by adding Fixes #123 or Related to #123), it will be automatically reopened.

How to link an issue:
Add a keyword followed by the issue number (e.g., Fixes #123) in the description of your pull request. For more details on supported keywords and how linking works, please refer to the GitHub Documentation on linking pull requests to issues.

Thank you for your understanding and for being a part of our community!

@gemini-cli gemini-cli bot closed this Feb 18, 2026
@ehedlund ehedlund reopened this Feb 18, 2026
@ehedlund ehedlund changed the title from "security: implement deceptive URL detection and Punycode disclosure" to "security: implement deceptive URL detection" Feb 18, 2026
@ehedlund ehedlund changed the title from "security: implement deceptive URL detection" to "security: implement deceptive URL detection in tool confirmations" Feb 18, 2026
@ehedlund ehedlund force-pushed the url-security-clean branch 4 times, most recently from 44c6f0b to a5de391 February 18, 2026 16:49
@ehedlund ehedlund changed the title from "security: implement deceptive URL detection in tool confirmations" to "security: implement deceptive URL detection and disclosure" Feb 18, 2026
@ehedlund ehedlund changed the title from "security: implement deceptive URL detection and disclosure" to "security: implement deceptive URL detection and disclosure in tool confirmations" Feb 18, 2026
…tacharacters from the regex for URL extraction.
@galz10 galz10 self-requested a review February 20, 2026 19:05
@ehedlund ehedlund added this pull request to the merge queue Feb 20, 2026
Merged via the queue into google-gemini:main with commit a01d7e9 Feb 20, 2026
27 checks passed
@ehedlund ehedlund deleted the url-security-clean branch February 20, 2026 20:31