feat(core): add resolveWorkspaceRelativePath and getExtensionSetting utilities #25383

Closed
mahimashanware wants to merge 3 commits into google-gemini:main from mahimashanware:feature/plan-mode-custom-dirs-phase-2

@mahimashanware mahimashanware commented Apr 14, 2026

Summary

Phase 2 of the dynamic extension plan directory resolution implementation. This PR introduces essential utility functions for secure path resolution and extension-specific configuration retrieval.

Details

  • Path Security: Adds resolveWorkspaceRelativePath to packages/core/src/config/storage.ts. This utility ensures that relative paths provided by extensions are strictly resolved within the workspace root, preventing path traversal vulnerabilities.
  • Config Retrieval: Adds getExtensionSetting to packages/core/src/config/config.ts. This allows the agent to fetch configuration values (like plan.directory) contributed by extensions while falling back to user globals or system defaults if the extension is not active or hasn't provided a value.

Related Issues

Depends on Phase 1 (PR #25382).

How to Validate

Run unit tests for storage and config utilities:

npm test -w @google/gemini-cli-core -- src/config/storage.test.ts src/config/config.test.ts

Pre-Merge Checklist

  • Updated relevant documentation and README (if needed)
  • Added/updated tests (if needed)
  • Noted breaking changes (if any)
  • Validated on required platforms/methods:
    • Linux
      • npm run

Related to #24572.

@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist[1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements the second phase of the dynamic extension directory resolution plan. It focuses on hardening the core infrastructure by providing robust utilities for secure file system path resolution and centralized configuration access for extensions. These changes ensure that extension operations remain isolated within the designated workspace boundaries while improving the developer experience for configuration management.

Highlights

  • Secure Path Resolution: Introduced resolveWorkspaceRelativePath to ensure all extension-provided paths are strictly contained within the workspace root, mitigating potential path traversal vulnerabilities.
  • Configuration Retrieval: Added getExtensionSetting to allow for safe and flexible retrieval of extension-specific configuration values.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page; here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

| Feature | Command | Description |
| --- | --- | --- |
| Code Review | /gemini review | Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary | Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in pull request comments and review comments. |
| Help | /gemini help | Displays a list of available commands. |

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@mahimashanware mahimashanware marked this pull request as draft April 14, 2026 14:26

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request introduces a new getExtensionSetting method to the Config class for retrieving extension-specific settings and adds a resolveWorkspaceRelativePath utility to the Storage class. The latter provides secure path resolution relative to the project root, including support for tilde expansion and validation against path traversal. Existing logic for getPlansDir was refactored to use this new utility, and corresponding unit tests were added or updated. I have no feedback to provide.

@mahimashanware mahimashanware force-pushed the feature/plan-mode-custom-dirs-phase-1 branch 4 times, most recently from 75c1a40 to 6a313b6 Compare April 14, 2026 21:05
@mahimashanware mahimashanware force-pushed the feature/plan-mode-custom-dirs-phase-2 branch from b143c40 to c64d139 Compare April 14, 2026 21:14
@mahimashanware mahimashanware marked this pull request as ready for review April 14, 2026 21:41

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request introduces a new getExtensionSetting method to the Config class for retrieving extension-specific settings and a resolveWorkspaceRelativePath utility in the Storage class to securely handle path resolution with tilde expansion and traversal protection. Feedback suggests refining getExtensionSetting to improve type safety by removing the generic cast, adding a check for extension activation, and returning a raw string. Additionally, for resolveWorkspaceRelativePath, it is recommended to remove the try-catch fallback to normalizePath to ensure that all paths are strictly validated using resolveToRealPath, thereby preventing potential symlink-based path traversal vulnerabilities.

Comment thread packages/core/src/config/config.ts Outdated
Comment thread packages/core/src/config/storage.ts Outdated
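
The symlink concern raised in the review above, as an added TypeScript example that is not the PR's code: a purely lexical containment check accepts a path that passes through a symlink inside the workspace, while a real-path check rejects it and still accepts directories that do not exist yet. `isInside`, `realPathAllowMissing`, `resolveInWorkspace` and `demo` are hypothetical names, and the fixture assumes a host where symlinks can be created.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Hypothetical helpers for illustration; not taken from the PR.
function isInside(root: string, target: string): boolean {
  const rel = path.relative(root, target);
  return rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// Real path of the deepest existing ancestor, with the not-yet-created tail
// re-appended. A dangling symlink "exists" for lstat, so realpathSync throws.
function realPathAllowMissing(p: string): string {
  const tail: string[] = [];
  let current = p;
  while (!fs.lstatSync(current, { throwIfNoEntry: false }) && path.dirname(current) !== current) {
    tail.unshift(path.basename(current));
    current = path.dirname(current);
  }
  return path.join(fs.realpathSync(current), ...tail);
}

// followSymlinks=false: lexical check only (".." collapsed, file system ignored).
// followSymlinks=true: compare real paths; errors propagate, no lexical fallback.
function resolveInWorkspace(root: string, candidate: string, followSymlinks: boolean): string {
  const base = followSymlinks ? fs.realpathSync(root) : path.resolve(root);
  const joined = path.resolve(base, candidate);
  const target = followSymlinks ? realPathAllowMissing(joined) : joined;
  if (!isInside(base, target)) throw new Error(`outside workspace: ${candidate}`);
  return target;
}

// Constructed fixture: <tmp>/ws/plans is a symlink to <tmp>/outside.
function demo(): Record<"lexical" | "real" | "missing", string> {
  const tmp = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), "ws-demo-")));
  const ws = path.join(tmp, "ws");
  for (const d of ["ws", "outside"]) fs.mkdirSync(path.join(tmp, d));
  fs.symlinkSync(path.join(tmp, "outside"), path.join(ws, "plans"), "dir");
  const verdict = (fn: () => string): string => { try { fn(); return "allowed"; } catch { return "rejected"; } };
  const out = {
    lexical: verdict(() => resolveInWorkspace(ws, "plans/a.md", false)),
    real: verdict(() => resolveInWorkspace(ws, "plans/a.md", true)),
    missing: verdict(() => resolveInWorkspace(ws, "new-dir/a.md", true)),
  };
  fs.rmSync(tmp, { recursive: true, force: true });
  return out;
}

console.log(demo());
```

The check is still subject to a race if the directory tree changes between validation and use, so the validated real path is the one to open.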
@mahimashanware mahimashanware force-pushed the feature/plan-mode-custom-dirs-phase-1 branch from 6a313b6 to 092e7b8 Compare April 15, 2026 02:51
@mahimashanware mahimashanware force-pushed the feature/plan-mode-custom-dirs-phase-2 branch from c64d139 to 627d2a5 Compare April 15, 2026 03:30
@mahimashanware mahimashanware marked this pull request as draft April 15, 2026 03:31
@mahimashanware mahimashanware force-pushed the feature/plan-mode-custom-dirs-phase-1 branch from 092e7b8 to b288542 Compare April 15, 2026 04:01
@mahimashanware mahimashanware force-pushed the feature/plan-mode-custom-dirs-phase-2 branch from 627d2a5 to fe5fade Compare April 15, 2026 04:06
@mahimashanware

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request introduces a new getExtensionSetting method to the Config class for retrieving extension-specific settings and adds a secure resolveWorkspaceRelativePath utility to the Storage class. The latter includes tilde expansion and strict path validation to prevent workspace escape vulnerabilities. Corresponding unit tests have been added to verify these new functionalities and ensure robust error handling for invalid paths. I have no feedback to provide.

@gemini-cli gemini-cli Bot added the area/extensions Issues related to Gemini CLI extensions capability label Apr 15, 2026
@mahimashanware mahimashanware marked this pull request as ready for review April 15, 2026 14:16

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request introduces getExtensionSetting to the Config class and a secure resolveWorkspaceRelativePath method to the Storage class, which includes tilde expansion and path traversal protection. Corresponding unit tests were added and existing tests updated. Feedback suggests refactoring getExtensionSetting to use a unique extension ID instead of a name to ensure more reliable lookups.

Comment thread packages/core/src/config/config.ts Outdated
@mahimashanware mahimashanware force-pushed the feature/plan-mode-custom-dirs-phase-2 branch from a8418aa to e32ef3c Compare April 15, 2026 19:23
@mahimashanware mahimashanware force-pushed the feature/plan-mode-custom-dirs-phase-1 branch from 23977a3 to 023fe08 Compare April 17, 2026 15:42
@mahimashanware mahimashanware force-pushed the feature/plan-mode-custom-dirs-phase-2 branch from e32ef3c to eee6466 Compare April 17, 2026 17:41
@mahimashanware mahimashanware changed the base branch from feature/plan-mode-custom-dirs-phase-1 to main April 17, 2026 17:43

gemini-cli Bot commented Apr 29, 2026

Hi there! Thank you for your interest in contributing to Gemini CLI.

To ensure we maintain high code quality and focus on our prioritized roadmap, we have updated our contribution policy (see Discussion #17383).

We only guarantee review and consideration of pull requests for issues that are explicitly labeled as 'help wanted'. All other community pull requests are subject to closure after 14 days if they do not align with our current focus areas. For this reason, we strongly recommend that contributors only submit pull requests against issues explicitly labeled as 'help-wanted'.

This pull request is being closed as it has been open for 14 days without a 'help wanted' designation. We encourage you to find and contribute to existing 'help wanted' issues in our backlog! Thank you for your understanding and for being part of our community!

@gemini-cli gemini-cli Bot closed this Apr 29, 2026