fix(core): prevent path traversal in custome command file injection

[ompatel-aiml]

Summary

Fixes a path traversal vulnerability in the custom command processor. It ensures that file injection via the @{...} syntax is strictly confined to the defined workspace boundaries, preventing unauthorized access to other local files.

Details

• Validation Logic: Updated readPathFromWorkspace in packages/core to validate every resolved path (absolute or relative) against workspace.isPathWithinWorkspace() before attempting any file system operations.
• Defense in Depth: Integrated re-validation for every individual file discovered during recursive directory expansion. This ensures that symlinks or traversal sequences discovered during a recursive crawl are also blocked if they point outside the workspace.
• Path Resolution: The fix utilizes realpath resolution to ensure that attackers cannot bypass boundaries using nested symlink chains.

Related Issues

N/A

How to Validate

1. Reproduction Test: Run the new regression test suite which specifically attempts to traverse out of a temporary workspace:
   npm test -w @google/gemini-cli-core -- src/utils/pathReader.test.ts
2. Manual Verification:
   • Create a file at /tmp/secret.txt.
   • In a separate workspace directory, create a custom command that tries to read it: @{../../../../tmp/secret.txt}.
   • Run the command; it should now return a "Path not found in workspace" error instead of the file content.

Pre-Merge Checklist

• Updated relevant documentation and README (if needed)
• Added/updated tests (if needed)
• Noted breaking changes (if any)
• Validated on required platforms/methods:
  • MacOS
    • npm run
    • npx
    • Docker
    • Podman
    • Seatbelt
  • Windows
    • npm run
    • npx
    • Docker
  • Linux
    • npm run
    • npx
    • Docker

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a security vulnerability related to path traversal in the custom command processor. By enforcing workspace boundary checks during path resolution and file discovery, the changes prevent unauthorized access to local files outside the intended workspace, significantly hardening the file injection mechanism.

Highlights

• Path Traversal Mitigation: Implemented strict validation using workspace.isPathWithinWorkspace() to ensure all resolved file paths remain within defined workspace boundaries.
• Defense in Depth: Added recursive re-validation for files discovered during directory expansion to prevent access via symlinks or traversal sequences.
• Regression Testing: Added a new test case in pathReader.test.ts to verify that relative path traversal attempts are correctly blocked.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

Size Change: +375 B (0%)

Total Size: 33.8 MB

Filename	Size	Change
./bundle/chunk-6X2YHQ47.js	0 B	-49.2 kB (removed)	🏆
./bundle/chunk-B5NOV2LR.js	0 B	-16.5 MB (removed)	🏆
./bundle/chunk-HPLASX37.js	0 B	-19.5 kB (removed)	🏆
./bundle/chunk-J7GG7VRZ.js	0 B	-2.78 MB (removed)	🏆
./bundle/chunk-J7QY2W3F.js	0 B	-12.5 kB (removed)	🏆
./bundle/chunk-RNE7OO7E.js	0 B	-659 kB (removed)	🏆
./bundle/chunk-SJATWTYV.js	0 B	-3.77 kB (removed)	🏆
./bundle/chunk-YTFCZZ43.js	0 B	-3.43 kB (removed)	🏆
./bundle/core-J7DPX7VY.js	0 B	-49.2 kB (removed)	🏆
./bundle/devtoolsService-3GBNNQ5S.js	0 B	-28 kB (removed)	🏆
./bundle/gemini-RTAGXC3T.js	0 B	-585 kB (removed)	🏆
./bundle/interactiveCli-XH5SR2OR.js	0 B	-1.3 MB (removed)	🏆
./bundle/liteRtServerManager-VBY4XRRI.js	0 B	-2.08 kB (removed)	🏆
./bundle/oauth2-provider-ZD3NUCYT.js	0 B	-9.12 kB (removed)	🏆
./bundle/chunk-5UGX6CML.js	12.5 kB	+12.5 kB (new file)	🆕
./bundle/chunk-A3ND2I2S.js	16.5 MB	+16.5 MB (new file)	🆕
./bundle/chunk-DSZFZ5B3.js	3.77 kB	+3.77 kB (new file)	🆕
./bundle/chunk-H4UTJFPG.js	49.2 kB	+49.2 kB (new file)	🆕
./bundle/chunk-IBCH4QDG.js	3.43 kB	+3.43 kB (new file)	🆕
./bundle/chunk-RAJF7WCZ.js	19.5 kB	+19.5 kB (new file)	🆕
./bundle/chunk-VIPNOBDQ.js	659 kB	+659 kB (new file)	🆕
./bundle/chunk-YNOVYLTY.js	2.78 MB	+2.78 MB (new file)	🆕
./bundle/core-JKYGZQCP.js	49.2 kB	+49.2 kB (new file)	🆕
./bundle/devtoolsService-ISOAB244.js	28 kB	+28 kB (new file)	🆕
./bundle/gemini-3T3VV7T3.js	585 kB	+585 kB (new file)	🆕
./bundle/interactiveCli-CFOWYMKY.js	1.3 MB	+1.3 MB (new file)	🆕
./bundle/liteRtServerManager-2CIGXM3V.js	2.08 kB	+2.08 kB (new file)	🆕
./bundle/oauth2-provider-T4O2MEZW.js	9.12 kB	+9.12 kB (new file)	🆕

ℹ️ View Unchanged

Filename	Size	Change
./bundle/bundled/third_party/index.js	8 MB	0 B
./bundle/chunk-34MYV7JD.js	2.45 kB	0 B
./bundle/chunk-5AUYMPVF.js	858 B	0 B
./bundle/chunk-5PS3AYFU.js	1.18 kB	0 B
./bundle/chunk-664ZODQF.js	124 kB	0 B
./bundle/chunk-CTHYVDCX.js	39.8 kB	0 B
./bundle/chunk-DAHVX5MI.js	206 kB	0 B
./bundle/chunk-IUUIT4SU.js	56.5 kB	0 B
./bundle/cleanup-SGQML4IY.js	0 B	-902 B (removed)	🏆
./bundle/devtools-36NN55EP.js	696 kB	0 B
./bundle/dist-JYLQM7LS.js	373 B	0 B
./bundle/events-XB7DADIJ.js	418 B	0 B
./bundle/examples/hooks/scripts/on-start.js	188 B	0 B
./bundle/examples/mcp-server/example.js	1.43 kB	0 B
./bundle/gemini.js	5.07 kB	0 B
./bundle/getMachineId-bsd-TXG52NKR.js	1.55 kB	0 B
./bundle/getMachineId-darwin-7OE4DDZ6.js	1.55 kB	0 B
./bundle/getMachineId-linux-SHIFKOOX.js	1.34 kB	0 B
./bundle/getMachineId-unsupported-5U5DOEYY.js	1.06 kB	0 B
./bundle/getMachineId-win-6KLLGOI4.js	1.72 kB	0 B
./bundle/multipart-parser-KPBZEGQU.js	11.7 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/client/main.js	222 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/_client-assets.js	229 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/index.js	13.4 kB	0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/types.js	132 B	0 B
./bundle/sandbox-macos-permissive-open.sb	890 B	0 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB	0 B
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB	0 B
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB	0 B
./bundle/sandbox-macos-strict-open.sb	4.82 kB	0 B
./bundle/sandbox-macos-strict-proxied.sb	5.02 kB	0 B
./bundle/src-QVCVGIUX.js	47 kB	0 B
./bundle/start-TXOVET7R.js	0 B	-622 B (removed)	🏆
./bundle/tree-sitter-7U6MW5PS.js	274 kB	0 B
./bundle/tree-sitter-bash-34ZGLXVX.js	1.84 MB	0 B
./bundle/cleanup-XCF5ZPUQ.js	902 B	+902 B (new file)	🆕
./bundle/start-BDCF47ZZ.js	622 B	+622 B (new file)	🆕

_{compressed-size-action}

[gemini-code-assist]

Code Review

This pull request enhances security in readPathFromWorkspace by implementing checks to prevent path traversal outside the workspace, supported by a new test case for relative paths. While the security improvements are valuable, the reviewer pointed out a significant performance risk in the "defense in depth" check within the file processing loop. Specifically, calling isPathWithinWorkspace for every file entry triggers repeated I/O-bound realpath resolutions, which could degrade performance in large directories; optimizing this by checking for symbolic links or using more efficient validation is recommended.

[gemini-code-assist]

While this check is important for security (defense in depth), calling isPathWithinWorkspace for every file in a directory expansion can lead to significant performance degradation. isPathWithinWorkspace performs a realpath resolution which involves I/O. For directories with a large number of files, this will result in thousands of synchronous-like I/O operations. Consider optimizing this by checking if the file is a symbolic link first, or by using a more efficient path validation that doesn't require full resolution for every entry if the parent directory has already been validated and the entry is not a symlink.