fix(core): centralize path validation to prevent crashes from malformed prompts

[cocosheng-g]

Objective

Consolidate path validation and resolution into a centralized, safe bottleneck to prevent system crashes (like ENAMETOOLONG) and improve the intelligence of @-command file attachments.

The Problem

When the Gemini model outputs logs or stack traces, the CLI's parser sometimes misinterprets these large text blocks as file paths (e.g., @FAIL tests/auth.test.ts ... [5000+ characters]).

1. Stability: Handing these massive strings to the OS filesystem APIs causes unhandled errors that crash the CLI.
2. UX Friction: Valuable files mentioned inside those logs are missed because the CLI tries to resolve the entire log fragment as one path.
3. Redundancy: Path resolution logic was duplicated across acpSession.ts and atCommandProcessor.ts, leading to inconsistent behavior and redundant disk hits.

The Solution

1. Centralized Validation & Resolution Bottleneck

• Created PathValidator in @google/gemini-cli-core to identify "malformed" paths (e.g., strings with newlines, control characters, or known log markers like AssertionError:).
• Hardened Config.validatePathAccess to use this validator. All core tools (Grep, ReadFile, LS, etc.) are now automatically protected from malformed model output.
• Moved the core @-command resolution logic into a shared resolveAtCommandPath utility in @google/gemini-cli-core. This centralizes filesystem operations and ensures consistent validation across different UI hooks.

2. Smart Path Recovery (Signal from Noise)

• Implemented a "Best-Effort Path Extractor" in the resolution utility.
• If a fragment looks like a log but contains a real file path (e.g., (src/utils/math.ts:123)), the CLI will now automatically "dig out" and attach that file. This is a huge win for debugging test failures.

3. Optimized & Robust Resolution

• Refactored resolution to return a structured result (resolved, unauthorized, invalid, not_found), eliminating redundant fs.stat and path.resolve calls.
• Hardened filesystem error handling using isNodeError to specifically identify ENOENT vs other critical access errors.
• Fixed multi-workspace resolution bugs by consistently passing absolutePath to internal tools.

4. Modern Path Support & Security

• Refined heuristics to support Next.js dynamic routes ([id]), Windows file copies ((Copy)), and user home directories with apostrophes.
• Hardened extraction against path traversal (..) and null byte injection by relying on the central bottleneck rather than naive string stripping.

Verification Results

Automated Tests (109 Passed)

• Core Unit: Exhaustive coverage for PathValidator and resolveAtCommandPath (Unicode, ellipses, nested wrappers, error handling, etc.).
• Core Integration: Verified Config.validatePathAccess protection across tool suites (merged into config.test.ts).
• CLI Unit: Verified optimized resolution and recovery logic integration in atCommandProcessor.

Manual Verification (13/13 Passed)

Verified real-world scenarios mimicking Vitest, Jest, and raw shell output, ensuring:

• Malformed junk is safely skipped.
• Buried paths are correctly recovered and attached.
• Modern routing and special characters remain fully accessible.

Related Issues

Fixes #25972

How to Validate

1. Path Validator & Utility: npm test -w @google/gemini-cli-core -- src/utils/path-validator.test.ts src/utils/atCommandUtils.test.ts
2. Config Integration: npm test -w @google/gemini-cli-core -- src/config/config.test.ts
3. CLI Processor: npm test -w @google/gemini-cli -- src/ui/hooks/atCommandProcessor.test.ts
4. Manual Check: Pipe a large log file into the CLI and verify it handles @FAIL markers gracefully without crashing.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses potential system crashes caused by the CLI attempting to process misinterpreted prompt fragments as file paths. By implementing a centralized validation layer, the system can now gracefully reject invalid or malformed path strings before they trigger filesystem errors, significantly improving the stability of core tools and CLI command processing.

Highlights

• New PathValidator Utility: Introduced a robust PathValidator utility to perform pre-flight checks on file paths, identifying and rejecting malformed strings, log fragments, and excessively long paths before they reach system-level calls.
• Tool Integration: Integrated the PathValidator into core tools including GrepTool, RipGrepTool, ReadFileTool, WriteFileTool, and LSTool to ensure safe path handling during tool execution.
• CLI Command Resolution: Added path validation to CLI at-command resolution logic in acpSession.ts and atCommandProcessor.ts to prevent crashes when processing user prompts.
• Comprehensive Testing: Added exhaustive unit tests for the PathValidator to cover various edge cases, including log markers, stack trace fragments, and invalid character sequences.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

🛑 Action Required: Evaluation Approval

Steering changes have been detected in this PR. To prevent regressions, a maintainer must approve the evaluation run before this PR can be merged.

Maintainers:

1. Go to the Workflow Run Summary.
2. Click the yellow 'Review deployments' button.
3. Select the 'eval-gate' environment and click 'Approve'.

Once approved, the evaluation results will be posted here automatically.

[gemini-code-assist]

Code Review

This pull request introduces a validatePath utility to sanitize file paths and prevent system-level errors or security vulnerabilities arising from untrusted model output. The validation logic is integrated across several core tools and CLI components. Reviewers suggested extending this validation to resolved paths within tool parameter validation methods for better consistency and security. Furthermore, a potential issue was identified where the new validator might incorrectly reject valid glob patterns used in the ReadManyFilesTool.

[github-actions]

Size Change: +6.34 kB (+0.02%)

Total Size: 33.9 MB

Filename	Size	Change
./bundle/chunk-4U3GCXIT.js	0 B	-2.79 MB (removed)	🏆
./bundle/chunk-BTRSUU6Q.js	0 B	-16.4 MB (removed)	🏆
./bundle/chunk-CRNNK5NM.js	0 B	-659 kB (removed)	🏆
./bundle/chunk-NDTA5LQ7.js	0 B	-19.5 kB (removed)	🏆
./bundle/chunk-T57SOHIP.js	0 B	-12.5 kB (removed)	🏆
./bundle/chunk-Y7AAP7UI.js	0 B	-49.2 kB (removed)	🏆
./bundle/chunk-YDW5ZD2C.js	0 B	-3.77 kB (removed)	🏆
./bundle/chunk-YGFPWRHM.js	0 B	-3.43 kB (removed)	🏆
./bundle/core-U5XK7UVN.js	0 B	-49.4 kB (removed)	🏆
./bundle/devtoolsService-RWVEHQNW.js	0 B	-28 kB (removed)	🏆
./bundle/gemini-WEUBQWVF.js	0 B	-588 kB (removed)	🏆
./bundle/interactiveCli-3SWH2PJ4.js	0 B	-1.3 MB (removed)	🏆
./bundle/liteRtServerManager-KLMDG4B7.js	0 B	-2.08 kB (removed)	🏆
./bundle/oauth2-provider-PFRMS5GB.js	0 B	-9.12 kB (removed)	🏆
./bundle/chunk-2HK6NX3B.js	12.5 kB	+12.5 kB (new file)	🆕
./bundle/chunk-2K7YZZS7.js	2.79 MB	+2.79 MB (new file)	🆕
./bundle/chunk-3Z4QJPIZ.js	3.43 kB	+3.43 kB (new file)	🆕
./bundle/chunk-CCOIOWF2.js	3.77 kB	+3.77 kB (new file)	🆕
./bundle/chunk-FE5KY7YW.js	19.5 kB	+19.5 kB (new file)	🆕
./bundle/chunk-PVTYDTGS.js	49.2 kB	+49.2 kB (new file)	🆕
./bundle/chunk-TQAEPCTJ.js	659 kB	+659 kB (new file)	🆕
./bundle/chunk-UBXVIIWK.js	16.4 MB	+16.4 MB (new file)	🆕
./bundle/core-ZVXKFC6G.js	49.5 kB	+49.5 kB (new file)	🆕
./bundle/devtoolsService-LDJYY5KI.js	28 kB	+28 kB (new file)	🆕
./bundle/gemini-7M4KK4TI.js	589 kB	+589 kB (new file)	🆕
./bundle/interactiveCli-ARFZNUQZ.js	1.3 MB	+1.3 MB (new file)	🆕
./bundle/liteRtServerManager-JXBISAX5.js	2.08 kB	+2.08 kB (new file)	🆕
./bundle/oauth2-provider-JQ5O3674.js	9.12 kB	+9.12 kB (new file)	🆕

ℹ️ View Unchanged

Filename	Size	Change
./bundle/bundled/third_party/index.js	8 MB	0 B
./bundle/chunk-34MYV7JD.js	2.45 kB	0 B
./bundle/chunk-5AUYMPVF.js	858 B	0 B
./bundle/chunk-5PS3AYFU.js	1.18 kB	0 B
./bundle/chunk-6HI7VNOG.js	124 kB	0 B
./bundle/chunk-DAHVX5MI.js	206 kB	0 B
./bundle/chunk-IUUIT4SU.js	56.5 kB	0 B
./bundle/chunk-TUDYL3X4.js	40.3 kB	0 B
./bundle/cleanup-5VU5MIWF.js	0 B	-902 B (removed)	🏆
./bundle/devtools-V7NE4CQA.js	696 kB	0 B
./bundle/events-XB7DADIJ.js	418 B	0 B
./bundle/examples/hooks/scripts/on-start.js	188 B	0 B
./bundle/examples/mcp-server/example.js	1.43 kB	0 B
./bundle/gemini.js	5.07 kB	0 B
./bundle/getMachineId-bsd-TXG52NKR.js	1.55 kB	0 B
./bundle/getMachineId-darwin-7OE4DDZ6.js	1.55 kB	0 B
./bundle/getMachineId-linux-SHIFKOOX.js	1.34 kB	0 B
./bundle/getMachineId-unsupported-5U5DOEYY.js	1.06 kB	0 B
./bundle/getMachineId-win-6KLLGOI4.js	1.72 kB	0 B
./bundle/https-proxy-agent-AVGR4LHR.js	490 B	0 B
./bundle/multipart-parser-KPBZEGQU.js	11.7 kB	0 B
./bundle/sandbox-macos-permissive-open.sb	890 B	0 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB	0 B
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB	0 B
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB	0 B
./bundle/sandbox-macos-strict-open.sb	4.82 kB	0 B
./bundle/sandbox-macos-strict-proxied.sb	5.02 kB	0 B
./bundle/src-LG4OHBW7.js	233 kB	0 B
./bundle/src-QVCVGIUX.js	47 kB	0 B
./bundle/start-WMF7DK6Y.js	0 B	-622 B (removed)	🏆
./bundle/tree-sitter-7U6MW5PS.js	274 kB	0 B
./bundle/tree-sitter-bash-34ZGLXVX.js	1.84 MB	0 B
./bundle/worker/worker-entry.js	361 kB	0 B
./bundle/cleanup-5POL55XJ.js	902 B	+902 B (new file)	🆕
./bundle/start-QNDRRTUP.js	622 B	+622 B (new file)	🆕

_{compressed-size-action}

[cocosheng-g]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a centralized path validation and resolution system for @-commands to prevent system-level crashes and handle misinterpreted log fragments. Key additions include a PathValidator utility in the core package and a resolveAtCommandPath helper in the CLI. Feedback from the reviewer highlights opportunities to reduce redundant operations in acpSession.ts and atCommandProcessor.ts where path resolution and validation are re-executed after the initial utility call fails. Improving the return type of the resolution helper and simplifying the fallback logic for glob searches would enhance code efficiency and clarity.

[cocosheng-g]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a centralized path validation and resolution system for @-commands to prevent system-level issues caused by malformed paths or misinterpreted log fragments. Key changes include the addition of a PathValidator utility in packages/core and a resolveAtCommandPath utility in packages/cli, along with corresponding refactors in the session and UI layers. Review feedback identifies critical issues with the new validation heuristics, noting that the checks for log markers, brackets, and apostrophes are overly broad and will cause false positives for valid project files like Next.js dynamic routes. Additionally, the subpath detection logic in the resolution utility needs to be more robust to correctly identify directory boundaries.

[cocosheng-g]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a robust path validation utility to prevent system-level errors caused by untrusted model output. It adds a new path-validator module in packages/core to check for invalid characters, log fragments, and excessive path lengths. The Config class and resolveAtCommandPath utility have been updated to integrate this validation, ensuring that all paths are sanitized before use. Additionally, the PR includes comprehensive unit tests for the new validator and updates existing test mocks to support the new path resolution logic.

[cocosheng-g]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a centralized path validation and resolution mechanism for @-commands. It adds a new validatePath utility in packages/core to detect invalid characters, log fragments, and excessive lengths. A new resolveAtCommandPath utility in packages/cli consolidates path resolution logic across the RPC dispatcher and UI hooks, ensuring consistent workspace boundary checks and improved error handling. The changes also include comprehensive unit and integration tests for these new utilities. I have no feedback to provide as there were no review comments.

[cocosheng-g]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a centralized path validation and resolution framework to prevent system-level crashes and improve security. It adds a PathValidator in packages/core to detect excessively long paths, log fragments, and invalid characters, and refactors @-command resolution in packages/cli to use a new resolveAtCommandPath utility. This utility improves consistency across multi-workspace directories and permission prompts. Feedback suggests ensuring that the absolutePath is stored when files are found via glob search to avoid incorrect resolution in multi-workspace setups.

[cocosheng-g]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a centralized path validation and resolution mechanism for @-commands to prevent system-level crashes caused by malformed paths or misinterpreted log fragments. A new validatePath utility in packages/core enforces limits on path length and checks for invalid characters and common log markers. The resolveAtCommandPath utility in packages/cli refactors path resolution logic to support multiple workspace directories and consistent authorization checks across acpSession and atCommandProcessor. Comprehensive unit and integration tests have been added to verify these improvements. I have no feedback to provide.

[cocosheng-g]

/gemini review

[gemini-code-assist]

Code Review

This pull request implements a centralized path validation and resolution framework to handle @-commands more safely, specifically targeting crashes caused by misinterpreting log fragments as file paths. It introduces a validatePath utility in packages/core for pre-flight checks on path length and content, and a resolveAtCommandPath utility in packages/cli that includes logic to extract paths from noisy strings. The Session and atCommandProcessor classes have been updated to use these new utilities. Feedback was provided to improve the robustness of the path extraction logic in atCommandUtils.ts, specifically regarding the handling of nested wrapper characters and the sanitization of extracted paths against traversal and null byte injection.

_{Note: Security Review did not run due to the size of the PR.}

[cocosheng-g]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a centralized path validation and resolution system for @-commands. It adds a PathValidator utility to check for invalid characters, log markers, and excessive lengths, alongside a resolveAtCommandPath utility that handles resolution across multiple workspace directories and performs best-effort extraction for paths found in log fragments. Existing resolution logic in acpSession.ts and atCommandProcessor.ts has been refactored to utilize these new utilities. Feedback was provided regarding the manual sanitization of path traversal and null bytes in atCommandUtils.ts, suggesting a shift toward relying on centralized validation logic to prevent potential bypasses and avoid corrupting legitimate filenames.

[cocosheng-g]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a centralized path validation and resolution system for @-commands to prevent crashes and improve robustness when handling untrusted model output. It adds a PathValidator in the core package to detect invalid characters, excessive lengths, and misinterpreted log fragments, while a new atCommandUtils utility in the CLI package handles path extraction from noisy strings and resolution across multiple workspace directories. Existing components like Session and atCommandProcessor have been refactored to utilize these utilities. Feedback was provided to enhance the path extraction logic by updating a regex to strip multiple trailing punctuation characters, such as ellipses, which improves the recovery rate of paths from log fragments.

_{Note: Security Review did not run due to the size of the PR.}

[cocosheng-g]

/gemini review

[devr0306]

From /review-frontend

Code Review

This pull request effectively addresses the system-crashing issues caused by malformed @-command inputs by introducing a centralized, robust validation layer (PathValidator) and a smart path extraction utility. The test coverage is excellent, and the improvements to path resolution logic will significantly enhance the developer experience when dealing with log fragments.

However, there are a couple of architectural and error-handling improvements that need to be addressed to align with the project's strict development rules:

1. Architectural Package Boundaries (Action Required)

The newly introduced utility, packages/cli/src/utils/atCommandUtils.ts, contains filesystem operations (e.g., fs.stat).
According to the Architectural Audit guidelines:

"Non-UI logic (e.g., model orchestration, tool implementation, git/filesystem operations) MUST reside in packages/core. packages/cli should ONLY contain UI/Ink components, command-line argument parsing, and user interaction logic."

Because atCommandUtils.ts relies only on Node built-ins and core definitions (like Config and validatePath), please move this file to packages/core/src/utils/ and export it from packages/core/src/index.ts.

2. Filesystem Error Handling

In the previous implementation of atCommandProcessor.ts, errors from fs.stat were inspected using isNodeError to check specifically for ENOENT, and unexpected errors were logged as warnings.

The new resolveAtCommandPath utility catches all errors silently:

    try {
      const stats = await fs.stat(pathName);
      // ...
    } catch {
      return { status: 'not_found' };
    }

To align with the Core Guidelines:

"Handle filesystem errors gracefully using isNodeError from packages/core/src/utils/errors.ts."

Please restore the explicit error checking. If the error is an ENOENT, returning not_found is correct. For other unexpected errors (like EACCES), it should log a warning or a debug message to prevent debugging nightmares when files exist but are inaccessible for reasons other than path authorization.

Overall, a solid and much-needed feature. Once these two points are addressed, it should be ready to go!