
fix(core): correct bash @P prompt transformation detection#13544

Merged
scidomino merged 2 commits into google-gemini:main from pyrytakala:fix/bash-prompt-transform-detection
Nov 21, 2025

Conversation

@pyrytakala
Contributor

@pyrytakala pyrytakala commented Nov 20, 2025

Summary

Fixes a security bug in hasPromptCommandTransform function that prevented detection of dangerous bash @P prompt transformation operators. The function was incorrectly checking operatorNode?.type === '@' instead of operatorNode?.text === '@', causing it to never match since tree-sitter node types are grammar rule names (e.g., "operator"), not literal characters.

Details

The bug allowed commands like echo ${var@P} to bypass security validation. The bash @P operator can execute arbitrary code through prompt expansion, making this a security vulnerability.

Related Issues

How to Validate

  1. Run the existing tests:

    cd packages/core
    npm test -- src/utils/shell-utils.test.ts -t "prompt transformation"

    Expected: All 4 prompt transformation tests pass

  2. Test manually - the command echo ${foo@P} should now be blocked (returns allowed: false). Script below.

#!/bin/bash
# test-prompt-fix.sh

cd /path/to/gemini-cli

echo "Building project..."
npm run build > /dev/null 2>&1

echo ""
echo "Testing @P detection fix..."
echo ""

node -e "
const { isCommandAllowed, initializeShellParsers } = require('./packages/core/dist/src/utils/shell-utils.js');
const config = {
  getCoreTools: () => [],
  getExcludeTools: () => new Set([]),
  getAllowedTools: () => []
};

(async () => {
  await initializeShellParsers();
  
  const testCases = [
    { cmd: 'echo \${foo@P}', shouldBlock: true, name: 'Simple @P' },
    { cmd: 'echo \"\${var@P}\"', shouldBlock: true, name: 'Quoted @P' },
    { cmd: 'echo hello', shouldBlock: false, name: 'Normal command' },
    { cmd: 'echo \${foo}', shouldBlock: false, name: 'Normal expansion' },
  ];
  
  let passed = 0;
  let failed = 0;
  
  for (const test of testCases) {
    const result = isCommandAllowed(test.cmd, config);
    const correct = (test.shouldBlock && !result.allowed) || (!test.shouldBlock && result.allowed);
    
    if (correct) {
      console.log('✅', test.name, '-', test.cmd);
      passed++;
    } else {
      console.log('❌', test.name, '-', test.cmd);
      console.log('   Expected:', test.shouldBlock ? 'BLOCKED' : 'ALLOWED');
      console.log('   Got:', result.allowed ? 'ALLOWED' : 'BLOCKED');
      failed++;
    }
  }
  
  console.log('');
  console.log('Results:', passed, 'passed,', failed, 'failed');
  process.exit(failed > 0 ? 1 : 0);
})();
"

Pre-Merge Checklist

  • Updated relevant documentation and README (if needed) - N/A, no user-facing changes
  • Added/updated tests (if needed) - Existing tests now pass correctly
  • Noted breaking changes (if any) - None
  • Validated on required platforms/methods:
    • MacOS
    • Windows
    • Linux - Tests pass on Linux
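
The block below is an added illustration of the bug the PR describes; it is not gemini-cli code and not the real tree-sitter-bash grammar. It models the two node fields the check reads (`type`, the grammar rule name, and `text`, the source characters) with a hypothetical `parseExpansions` stand-in for tree-sitter, then runs the buggy check (`type === '@'`) and the fixed check (`text === '@'`) side by side over the same commands. The node shape, the helper names and the sample commands are assumptions made for this example.

```typescript
// Added example, not gemini-cli code: a minimal model of the tree-sitter node
// shape behind the @P detection bug, with the buggy and fixed check side by side.

// Subset of the fields a tree-sitter node exposes (assumed for this example).
// `type` is the grammar rule name; `text` is the source text the node covers.
interface SyntaxNode {
  type: string;
  text: string;
  children: SyntaxNode[];
}

// Hypothetical stand-in for tree-sitter-bash: find each ${name} / ${name@X}
// expansion in a command and label its parts the way the grammar labels them
// (rule names, not literal characters). Everything else is ignored.
function parseExpansions(command: string): SyntaxNode[] {
  const nodes: SyntaxNode[] = [];
  const re = /\$\{([A-Za-z_][A-Za-z0-9_]*)(?:(@)([A-Za-z]))?\}/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(command)) !== null) {
    const children: SyntaxNode[] = [
      { type: "variable_name", text: m[1], children: [] },
    ];
    if (m[2] !== undefined) {
      children.push({ type: "operator", text: m[2], children: [] }); // "@"
      children.push({ type: "word", text: m[3], children: [] });     // "P", "Q", ...
    }
    nodes.push({ type: "expansion", text: m[0], children });
  }
  return nodes;
}

// Shared shape of the check: locate the operator node, confirm it is "@" using
// the supplied predicate, then confirm the following node is the letter "P".
function checkExpansion(
  node: SyntaxNode,
  operatorIsAt: (n: SyntaxNode) => boolean,
): boolean {
  const idx = node.children.findIndex((c) => c.type === "operator");
  if (idx === -1) return false;
  if (!operatorIsAt(node.children[idx])) return false;
  const transform = node.children[idx + 1];
  return transform !== undefined && transform.text === "P";
}

// Before the fix: compares the rule name ("operator") to the character "@",
// which can never be equal, so every ${var@P} passes as harmless.
function hasPromptCommandTransformBuggy(command: string): boolean {
  return parseExpansions(command).some((n) =>
    checkExpansion(n, (op) => op.type === "@"),
  );
}

// After the fix: compares the node's source text, which really is "@".
function hasPromptCommandTransformFixed(command: string): boolean {
  return parseExpansions(command).some((n) =>
    checkExpansion(n, (op) => op.text === "@"),
  );
}

// Why the check exists: bash expands ${var@P} as a prompt string, and prompt
// strings undergo command substitution when promptvars is on (the default), so
// a value such as '$(id)' runs `id`. Sample commands below are constructed.
const sampleCommands = [
  "echo ${foo@P}",
  'echo "${var@P}"',
  "echo ${foo@Q}",
  "echo ${foo}",
  "echo hello",
];
for (const cmd of sampleCommands) {
  console.log(
    cmd,
    "| buggy:", hasPromptCommandTransformBuggy(cmd),
    "| fixed:", hasPromptCommandTransformFixed(cmd),
  );
}
```

Running it prints `buggy: false` for every line, including the two `@P` cases, while the fixed check flags exactly those two and leaves `${foo@Q}` and plain `${foo}` alone; that is the whole difference the one-word change in the PR makes.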

@pyrytakala pyrytakala requested a review from a team as a code owner November 20, 2025 23:49
@google-cla

google-cla Bot commented Nov 20, 2025

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@gemini-code-assist
Contributor

Summary of Changes

Hello @pyrytakala, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request resolves a critical security vulnerability by fixing a subtle bug in the hasPromptCommandTransform function. The original implementation failed to correctly identify the bash @P prompt transformation operator, which could be exploited to execute arbitrary code. The fix ensures that this dangerous operator is now properly detected, significantly enhancing the security validation of shell commands.

Highlights

  • Security Fix: Addresses a security vulnerability related to bash @P prompt transformations that could allow arbitrary code execution.
  • Bug Correction: Corrected a logic error in the hasPromptCommandTransform function where it incorrectly checked operatorNode?.type === '@' instead of operatorNode?.text === '@' to detect the @ operator.
  • Vulnerability Impact: The previous bug allowed commands like echo ${var@P} to bypass security validation, as the @P operator can execute arbitrary code through prompt expansion.


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request addresses a critical security vulnerability in the bash prompt transformation detection logic. The fix correctly changes the check from operatorNode?.type to operatorNode?.text to properly identify the @P operator. This change is accurate and effectively mitigates the described command injection vulnerability. The pull request is well-documented, and the change is simple and correct.

Fix hasPromptCommandTransform to check operatorNode.text instead of
operatorNode.type when detecting the @ operator in bash parameter
expansions. The type property contains the grammar rule name (e.g.,
'operator'), not the literal character '@', so the check was never
matching.

This bug allowed dangerous bash prompt transformation commands like
`echo ${var@P}` to bypass security validation, potentially enabling
command injection attacks.

Fixes the security vulnerability where @P prompt transformations were
not being detected and blocked as intended.

@pyrytakala pyrytakala force-pushed the fix/bash-prompt-transform-detection branch from 234de70 to c480713 Compare November 20, 2025 23:59
@scidomino scidomino enabled auto-merge November 21, 2025 00:27
@scidomino scidomino added this pull request to the merge queue Nov 21, 2025
Merged via the queue into google-gemini:main with commit 613b8a4 Nov 21, 2025
27 checks passed
thacio added a commit to thacio/auditaria that referenced this pull request Nov 23, 2025
werdnum pushed a commit to werdnum/gemini-cli that referenced this pull request Nov 24, 2025
danpalmer pushed a commit to danpalmer/gemini-cli that referenced this pull request Nov 29, 2025