feat: global add command

[laggu]

No description provided.

[gemini-code-assist]

Summary of Changes

Hello @laggu, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a dedicated global add command, refactoring the previous add command to clarify its purpose of adding files to the global git-volume directory. This change improves the command-line interface by making the global nature of the operation explicit, enhancing user understanding and preventing potential confusion with other add operations.

Highlights

• Command Refactoring: The existing add command has been refactored and renamed to global add to explicitly indicate its global scope within the git-volume tool.
• Internal Function Renaming: The internal Add function in internal/gitvolume was renamed to GlobalAdd to align with the new command structure and clarify its global operation.
• New Unit Tests: Comprehensive unit tests for the new GlobalAdd functionality have been introduced to ensure its correctness and robustness.
• Integration Test Updates: Existing integration tests were updated to reflect the new global add command usage, ensuring end-to-end functionality.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• cmd/add.go -> cmd/global_add.go
  • Renamed the command file from add.go to global_add.go.
  • Updated command examples to use git volume global add.
  • Modified the command registration to attach addCmd to globalCmd instead of rootCmd.
  • Changed the internal function call from gv.Add to gv.GlobalAdd.
• internal/gitvolume/add.go
  • Updated comments for AddOptions to reflect GlobalAdd operation.
  • Renamed the Add method to GlobalAdd.
• internal/gitvolume/add_test.go
  • Added a new test file containing TestGlobalAdd with various test cases for single file, multiple files, force option, rename (--as), subdirectory (--path), and error handling.
• test/integration.sh
  • Updated the integration test script to use "$GV_BIN" global add global_source.txt instead of "$GV_BIN" add global_source.txt.
  • Adjusted log messages and success/failure messages to reflect the global add command.

Activity

• No human activity (comments, reviews, etc.) has been recorded on this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a new global add command, renaming the existing add command and updating its functionality to operate on a global git-volume directory. While the changes are well-implemented, a critical security vulnerability exists: the path validation in GlobalAdd is incomplete, failing to prevent symlink-based path traversal when the destination path is a symlink pointing outside the global directory. This could lead to unintended file overwrites in sensitive system locations, and strengthening the path verification logic to include the final destination component is recommended. Additionally, consider improving naming consistency and adherence to the Go style guide.

[laggu]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a new global add command by refactoring the existing add command into a subcommand of global, aiming to improve the CLI's structure and clarity. However, a critical security vulnerability exists in the new symlink validation logic designed to prevent path traversal. The current implementation is incomplete, only validating the parent directory and using a weak prefix check, which could still allow arbitrary file overwrites via pre-existing symlinks. Additionally, this new symlink validation logic is redundant with existing checks, and a minor improvement for robustness is noted in a newly added test file.

[laggu]

/gemini review

[gemini-code-assist]

Code Review

This pull request effectively refactors the add command into global add, improving the command structure. However, a security audit revealed that the path validation for the --as flag is insufficient, potentially allowing users to overwrite the global storage directory. Furthermore, the global storage directory is created with overly permissive permissions (0755), which could expose sensitive data on multi-user systems. It is crucial to strengthen path validation and restrict directory permissions to 0700. On the code quality front, while the implementation is generally good and the new GlobalAdd unit test file is a positive addition, there are some style guide violations in the error handling within the new test file that need to be addressed for improved robustness.

[gemini-code-assist]

The GlobalAdd function (formerly Add) has two security-related issues that should be addressed:

1. Insecure Path Validation: The function performs insufficient validation on the As and Path options. While it checks for the literal string .., it does not prevent the use of . as a path. An attacker could trick a user into running a command like git volume global add mydir --as . --force, which would result in the destination path being the global storage directory itself (~/.git-volume). Depending on the implementation of copyDir, this could lead to the unintended deletion or corruption of the entire global storage. It is recommended to use the validatePath function (defined in context.go) which correctly blocks . and .. components.

2. Insecure Directory Permissions: The function creates the global storage directory with 0755 permissions (line 42). Since this directory is intended to store sensitive information such as environment variables and secrets, it should be restricted to the owner only (0700) to prevent unauthorized access on multi-user systems.

[gemini-code-assist]

The error returned by os.ReadFile is being ignored. This can lead to panics or unexpected test failures if reading the file fails for reasons other than non-existence (e.g., permissions).

content, err := os.ReadFile(destPath)
require.NoError(t, err)
assert.Equal(t, "content1", string(content))

References

1. Rule feat: global list command #16 of the repository style guide requires all errors to be checked explicitly and not ignored using the blank identifier (_). ^(link)

[gemini-code-assist]

The error returned by os.ReadFile is being ignored. Please handle the error to make the test more robust and prevent potential panics.

content, err := os.ReadFile(destPath)
require.NoError(t, err)
assert.Equal(t, "content1", string(content))

References

1. Rule feat: global list command #16 of the repository style guide requires all errors to be checked explicitly and not ignored using the blank identifier (_). ^(link)

[gemini-code-assist]

The error returned by os.ReadFile is being ignored. Explicitly checking this error will prevent potential panics and make the test more reliable.

content, err := os.ReadFile(destPath)
require.NoError(t, err)
assert.Equal(t, "content2", string(content))

References

1. Rule feat: global list command #16 of the repository style guide requires all errors to be checked explicitly and not ignored using the blank identifier (_). ^(link)