
feat(core): enhance shell command validation and add core tools allowlist #25720

Merged
ehedlund merged 22 commits into main from galzahavi/fix/coretools
Apr 23, 2026

Conversation

@galz10 galz10 commented Apr 20, 2026

Summary

This PR enhances the policy engine's shell command validation by implementing recursive checking for sub-commands, substitutions, and subshells. It also introduces a tools.core setting to allow users to explicitly allowlist specific core tools with high precision.

Details

  • Recursive Validation: The PolicyEngine now utilizes parseCommandDetails from shell-utils to identify all nested parts of a shell command (substitutions, subshells, piped commands). Each part is checked against the policy rules.
  • Core Tools Allowlist: Added settings.tools.core support. This allows defining an explicit list of allowed core tool invocations (e.g., run_shell_command(ls)).
  • Shell Wrapper Handling: Added stripShellWrapper to handle commands executed via bash -c and similar wrappers recursively.
  • Improved Heuristics: Refactored the check logic to be more robust against complex chained commands and redirections.

Related Issues

N/A

How to Validate

Run the new regression test suites:

  1. npm test packages/core/src/policy/core-tools-mapping.test.ts
  2. npm test packages/core/src/policy/shell-safety-regression.test.ts
  3. npm test packages/core/src/policy/shell-substitution.test.ts

Pre-Merge Checklist

  • Updated relevant documentation and README (if needed)
  • Added/updated tests (if needed)
  • Noted breaking changes (if any)
  • Validated on MacOS

…list

- Implements recursive validation for shell command substitutions ($(...), `...`) and subshells.
- Adds support for settings.tools.core to allow explicit, strict allowlisting of core tools.
- Refactors PolicyEngine.check to handle shell wrappers (e.g., bash -c) and complex chained commands.
- Introduces comprehensive regression tests for shell safety, pipes, and redirection.
- Updates shell-utils to better identify and extract shell structure details using Tree-sitter.
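The recursive decomposition and tools.core check this PR describes, as an added example that is not the project's code and does not use its Tree-sitter-based parseCommandDetails: a hand-written scanner splits a command on top-level operators, pulls out the bodies of `$(...)`, backtick and `( ... )` constructs, re-parses the script argument of a `bash -c` wrapper, and then requires every command found to match an allowlist entry. The wrapper list, the argv-prefix reading of the text inside `run_shell_command(...)`, the treatment of the wrapper itself as transparent, and all function names are assumptions of this example, not the project's semantics.

```typescript
// Added example, not code from the gemini-cli project: a sketch of the recursive shell
// validation the PR describes. The project decomposes commands with Tree-sitter
// (parseCommandDetails in shell-utils); this hand-written scanner is an assumption that
// covers only the constructs the PR names: | || && ; lists, $(...) and `...` substitutions,
// ( ... ) subshells, quoting, >& redirections and bash -c wrappers.

const SHELL_WRAPPERS = ['bash', 'sh', 'zsh', 'dash']; // assumed; the PR says "bash -c and similar"

/** Split on top-level | || && ; & operators, honouring quotes, nesting and >& redirections. */
function splitTopLevel(cmd: string): string[] {
  const parts: string[] = [];
  let cur = '', depth = 0, quote: string | null = null;
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd.charAt(i), next = cmd.charAt(i + 1);
    if (quote !== null) {                    // inside '...', "..." or `...`: never an operator
      cur += c;
      if (c === '\\' && quote === '"') cur += cmd.charAt(++i);
      else if (c === quote) quote = null;
    } else if (c === '\\') { cur += c + cmd.charAt(++i); }
    else if (c === "'" || c === '"' || c === '`') { quote = c; cur += c; }
    else if (c === '(' || c === ')') { depth += c === '(' ? 1 : -1; cur += c; }
    else if (depth === 0 && (c === '|' || c === ';' ||
             (c === '&' && !/[<>]/.test(cmd.charAt(i - 1)) && next !== '>'))) { // 2>&1, &> are redirections
      if (next === c) i++;                   // second character of || or &&
      parts.push(cur); cur = '';
    } else { cur += c; }
  }
  parts.push(cur);
  return parts.map((p) => p.trim()).filter((p) => p.length > 0);
}

/** Bodies of $(...), `...` and ( ... ); single quotes hide everything, double quotes only a bare ( . */
function extractNested(cmd: string): string[] {
  const nested: string[] = [];
  let inSingle = false, inDouble = false;
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd.charAt(i);
    if (c === '\\' && !inSingle) i++;        // skip the escaped character
    else if (c === "'" && !inDouble) inSingle = !inSingle;
    else if (inSingle) continue;
    else if (c === '"') inDouble = !inDouble;
    else if (c === '`') {
      const end = cmd.indexOf('`', i + 1); if (end < 0) break;
      nested.push(cmd.slice(i + 1, end)); i = end;
    } else if ((c === '$' && cmd.charAt(i + 1) === '(') || (c === '(' && !inDouble)) {
      const start = c === '$' ? i + 2 : i + 1;
      let depth = 1, j = start;
      for (; j < cmd.length && depth > 0; j++) depth += cmd.charAt(j) === '(' ? 1 : cmd.charAt(j) === ')' ? -1 : 0;
      nested.push(cmd.slice(start, j - 1)); i = j - 1;   // j is one past the closing ')'
    }
  }
  return nested;
}

/** Split one simple command into argv, dropping the quotes around each word. */
function tokenize(cmd: string): string[] {
  const argv: string[] = [], word = /'([^']*)'|"((?:[^"\\]|\\.)*)"|(\S+)/g;
  for (let m = word.exec(cmd); m !== null; m = word.exec(cmd)) argv.push(m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3]);
  return argv;
}

/** If argv is `bash -c <script>` (or a similar wrapper), return the script for re-parsing. */
function stripShellWrapper(argv: string[]): string | null {
  const name = (argv[0] || '').split('/').pop() || '';
  return SHELL_WRAPPERS.indexOf(name) >= 0 && argv[1] === '-c' && argv.length >= 3 ? argv[2] : null;
}

/** Recursively collect every simple command (as argv) that running cmd could execute. */
function collectCommands(cmd: string, depth = 0): string[][] {
  if (depth > 16) throw new Error('command nesting too deep');
  const found: string[][] = [];
  for (const part of splitTopLevel(cmd)) {
    for (const inner of extractNested(part)) found.push(...collectCommands(inner, depth + 1));
    if (part.charAt(0) === '(') continue;    // a bare subshell runs nothing else at this level
    const argv = tokenize(part), script = argv.length > 0 ? stripShellWrapper(argv) : null;
    // Assumption: the wrapper itself is transparent; only its inner script is policed.
    if (script !== null) found.push(...collectCommands(script, depth + 1));
    else if (argv.length > 0) found.push(argv);
  }
  return found;
}

/** Check every collected command against entries such as "run_shell_command(ls)". Assumption:
 *  the parenthesised text is an argv prefix, and a bare "run_shell_command" permits any command. */
function checkShellCommand(cmd: string, coreTools: string[]): { decision: 'ALLOW' | 'DENY'; blocked: string[] } {
  const prefixes: (string[] | null)[] = [];
  for (const entry of coreTools) {
    const m = /^run_shell_command(?:\((.*)\))?$/.exec(entry.trim());
    if (m) prefixes.push(m[1] === undefined ? null : tokenize(m[1]));
  }
  const blocked: string[] = [];
  for (const argv of collectCommands(cmd)) {
    const covered = prefixes.some((p) => p === null || (p.length <= argv.length && p.every((w, i) => w === argv[i])));
    if (!covered && blocked.indexOf(argv.join(' ')) < 0) blocked.push(argv.join(' '));
  }
  return { decision: blocked.length === 0 ? 'ALLOW' : 'DENY', blocked };
}
```

With an allowlist of only `run_shell_command(echo)`, `checkShellCommand("bash -c 'echo $(whoami)'", ...)` returns DENY with `whoami` in `blocked`: the single quotes keep the substitution out of the outer parse, and only the second parse of the wrapper's script exposes it. `git status; git push` against `run_shell_command(git status)` is denied on `git push`, which is the argv-prefix reading of a parenthesised entry.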
@galz10 galz10 requested review from a team as code owners April 20, 2026 23:48
github-actions Bot commented Apr 20, 2026

Size Change: +2.53 kB (+0.01%)

Total Size: 33.7 MB

Filename Size Change
./bundle/chunk-47IBHWBB.js 0 B -14.6 MB (removed) 🏆
./bundle/chunk-AVLKHPC5.js 0 B -669 kB (removed) 🏆
./bundle/chunk-GEHXKXQJ.js 0 B -3.43 kB (removed) 🏆
./bundle/chunk-UZ5TYF7Z.js 0 B -2.73 MB (removed) 🏆
./bundle/chunk-VSIOCFQH.js 0 B -3.8 kB (removed) 🏆
./bundle/chunk-ZZQWEWOR.js 0 B -49.2 kB (removed) 🏆
./bundle/core-DF3YXFQ2.js 0 B -47.4 kB (removed) 🏆
./bundle/devtoolsService-EZXYI5WH.js 0 B -27.8 kB (removed) 🏆
./bundle/gemini-XL3WLALG.js 0 B -578 kB (removed) 🏆
./bundle/interactiveCli-BNUZ2WFS.js 0 B -1.29 MB (removed) 🏆
./bundle/liteRtServerManager-YEOWMMKG.js 0 B -2.08 kB (removed) 🏆
./bundle/oauth2-provider-SXZTOYIT.js 0 B -9.16 kB (removed) 🏆
./bundle/chunk-44SZCZMU.js 3.43 kB +3.43 kB (new file) 🆕
./bundle/chunk-4QUNGO5R.js 3.8 kB +3.8 kB (new file) 🆕
./bundle/chunk-5A3CYYIV.js 49.2 kB +49.2 kB (new file) 🆕
./bundle/chunk-5IJP6J5Q.js 669 kB +669 kB (new file) 🆕
./bundle/chunk-6DA56GQW.js 14.6 MB +14.6 MB (new file) 🆕
./bundle/chunk-6I46UJMF.js 2.73 MB +2.73 MB (new file) 🆕
./bundle/core-5G6EFRH2.js 47.5 kB +47.5 kB (new file) 🆕
./bundle/devtoolsService-ACRICRWS.js 27.8 kB +27.8 kB (new file) 🆕
./bundle/gemini-QL4SO2IH.js 578 kB +578 kB (new file) 🆕
./bundle/interactiveCli-EKSFLAZB.js 1.29 MB +1.29 MB (new file) 🆕
./bundle/liteRtServerManager-DPJADFO6.js 2.08 kB +2.08 kB (new file) 🆕
./bundle/oauth2-provider-4OJV74JW.js 9.16 kB +9.16 kB (new file) 🆕

compressed-size-action

@gemini-code-assist
Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly strengthens the security posture of the shell command validation system. By enabling recursive parsing and validation of nested shell structures, the engine can now detect and restrict potentially dangerous commands that were previously bypassed. Additionally, the introduction of a dedicated core tools allowlist provides users with finer-grained control over essential tool execution, improving both security and usability.

Highlights

  • Recursive Shell Validation: Enhanced the PolicyEngine to recursively validate nested shell commands, including sub-commands, substitutions, and subshells, by utilizing the updated shell-utils parser.
  • Core Tools Allowlist: Introduced a new settings.tools.core configuration that allows users to explicitly define permitted core tool invocations with high precision.
  • Shell Wrapper Handling: Implemented recursive stripping of shell wrappers (e.g., bash -c) to ensure that commands executed within wrappers are correctly validated against policy rules.
  • Robust Heuristics: Refactored the policy check logic to be more resilient against complex chained commands and redirections, ensuring consistent security enforcement.

@gemini-cli gemini-cli Bot added the status/need-issue Pull requests that need to have an associated issue. label Apr 20, 2026
@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request introduces a core tools allowlist feature and significantly enhances shell command safety validation within the policy engine. Key changes include refactoring the policy configuration to support a new tools.core setting, implementing recursive validation for shell wrappers and command substitutions, and adding comprehensive regression tests for various shell constructs like pipes and redirections. Feedback was provided regarding the default decision for the core tools allowlist; currently, it defaults to DENY, but per project guidelines, it should default to ALLOW until a formal approval mechanism is integrated to avoid being overly restrictive.

Comment on lines +513 to +518
rules.push({
toolName: '*',
decision: PolicyDecision.DENY,
priority: CORE_TOOLS_FLAG_PRIORITY - 0.01,
source: 'Settings (Core Tools Allowlist Enforcement)',
});

high

The implementation currently defaults to a DENY decision when tools.core is configured. Based on the repository rules, the default policy decision for tool calls should be ALLOW until an approval mechanism is in place, as a DENY default is considered too restrictive. Please update the decision to ALLOW and ensure the priority is correctly set to avoid unintentionally overriding other policies.

Suggested change
rules.push({
toolName: '*',
decision: PolicyDecision.DENY,
priority: CORE_TOOLS_FLAG_PRIORITY - 0.01,
source: 'Settings (Core Tools Allowlist Enforcement)',
});
rules.push({
toolName: '*',
decision: PolicyDecision.ALLOW,
priority: USER_POLICY_TIER + 0.05,
source: 'Settings (Core Tools Allowlist Enforcement)',
});
References
  1. The default policy decision for tool calls should be ALLOW until a mechanism for wiring up approvals is integrated, as a DENY default would be too restrictive without an approval flow.


This comment seems to be ignoring the secure by default methodology being implemented when core tools are restricted. I don't think that this is a valid concern from the bot's part, but if you think this is correct, feel free to address the above comment.

@DavidAPierce DavidAPierce left a comment


LGTM. I also ran it through my CLI review process locally, and it had some nice things to say, so here they are:

Summary
The changes successfully address complex shell nesting scenarios, including command substitutions and shell wrappers (e.g., bash -c). The implementation leverages the Tree-sitter parser for precise command decomposition and applies a recursive checking strategy that is both secure and efficient.

Findings

Improvements & Robustness

  • Recursive Validation Depth: I verified that the recursive logic correctly handles nested wrappers and substitutions (e.g., bash -c "echo $(ls)"). Even when outer parsers cannot see inside single-quoted strings, the stripShellWrapper logic triggers a secondary parse on the inner command, ensuring no hidden commands bypass the policy engine.
  • Tree-sitter Integration: Transitioning to parseCommandDetails (using Tree-sitter) provides much higher fidelity than simple regex or string splitting, correctly identifying subshells and substitutions as distinct components.
  • Core Tools Allowlist: The new settings.tools.core configuration provides a powerful way for users to enforce a "Least Privilege" model for shell access.

Discussion Points

  • Global Impact of tools.core: When settings.tools.core is defined, the engine adds a global DENY rule (toolName: '*') at priority CORE_TOOLS_FLAG_PRIORITY - 0.01.
    • Observation: This priority (e.g., 4.24) is higher than the default priorities for MCP servers (4.1 and 4.2). Consequently, enabling a core tools allowlist will effectively block all MCP tools unless they are also explicitly allowlisted.
    • Recommendation: This "Strict Mode" behavior is highly secure but should be explicitly documented to ensure users understand that tools.core is a global allowlist enforcement mechanism, not just a restriction on core tools.

Nitpicks

  • REDIRECTION_NAMES naming: Adding command substitution and subshell to REDIRECTION_NAMES in shell-utils.ts is effective for the current logic (which skips these nodes in certain loops), but the name REDIRECTION_NAMES is now slightly technically inaccurate as it includes non-redirection shell constructs. A rename to something like SKIPPABLE_STRUCTURAL_NODES might be clearer in the future, but this is a minor point.

Conclusion

Status: Approved

The implementation is technically sound, well-tested, and provides a significant security improvement. The recursive stripping and parsing strategy is particularly impressive for its thoroughness.
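The precedence effect raised under "Global Impact of tools.core" above, together with the DENY-versus-ALLOW enforcement rule debated in the review bot's comment, as an added example that is not gemini-cli code: a minimal priority-resolved rule table in which the highest-priority matching rule decides. The tier constants, the rule shapes, the two MCP default rules, the tool names and the ASK_USER fallback are assumptions chosen to match the numbers quoted in the review (MCP defaults at 4.1 and 4.2, enforcement at CORE_TOOLS_FLAG_PRIORITY - 0.01 = 4.24); the project's real constants and rule set may differ.

```typescript
// Added example, not gemini-cli code: a minimal priority-resolved policy table that
// reproduces the precedence effect discussed in the review and contrasts the PR's DENY
// enforcement rule with the ALLOW variant the review bot suggested. All tier values,
// rule shapes and tool names are assumptions matching the numbers quoted in the review.

type PolicyDecision = 'ALLOW' | 'DENY' | 'ASK_USER';

interface PolicyRule {
  toolName: string;          // exact tool name, or '*' for every tool
  decision: PolicyDecision;
  priority: number;          // higher wins; the first declared rule wins a tie
  source: string;
}

const USER_POLICY_TIER = 4.0;             // assumed
const CORE_TOOLS_FLAG_PRIORITY = 4.25;    // assumed, so that "- 0.01" yields the 4.24 quoted in the review
const MCP_SERVER_DEFAULT_PRIORITY = 4.1;  // quoted in the review
const MCP_TOOL_DEFAULT_PRIORITY = 4.2;    // quoted in the review

/** Highest-priority matching rule decides; with no match, fall back to ASK_USER (assumed default). */
function evaluate(rules: PolicyRule[], toolName: string): { decision: PolicyDecision; source: string } {
  let best: PolicyRule | null = null;
  for (const rule of rules) {
    if (rule.toolName !== '*' && rule.toolName !== toolName) continue;
    if (best === null || rule.priority > best.priority) best = rule;
  }
  return best === null ? { decision: 'ASK_USER', source: 'default' } : { decision: best.decision, source: best.source };
}

/** Rules a settings.tools.core list contributes (assumed shape). The wildcard rule is the
 *  PR's secure-by-default DENY, or the ALLOW the review bot proposed instead. */
function coreToolRules(coreTools: string[], enforcement: 'DENY' | 'ALLOW'): PolicyRule[] {
  const rules = coreTools.map((entry): PolicyRule => ({
    toolName: entry.replace(/\(.*\)$/, ''),   // "run_shell_command(ls)" names the tool run_shell_command
    decision: 'ALLOW',
    priority: CORE_TOOLS_FLAG_PRIORITY,
    source: 'Settings (Core Tools Allowlist)',
  }));
  if (enforcement === 'DENY') {
    rules.push({ toolName: '*', decision: 'DENY', priority: CORE_TOOLS_FLAG_PRIORITY - 0.01,
                 source: 'Settings (Core Tools Allowlist Enforcement)' });
  } else {
    rules.push({ toolName: '*', decision: 'ALLOW', priority: USER_POLICY_TIER + 0.05,
                 source: 'Settings (Core Tools Allowlist Enforcement)' });
  }
  return rules;
}

/** A workspace with one MCP server whose default rules sit at the quoted tiers (assumed),
 *  plus, optionally, a tools.core allowlist. */
function buildRules(coreTools: string[] | null, enforcement: 'DENY' | 'ALLOW'): PolicyRule[] {
  const rules: PolicyRule[] = [
    { toolName: 'mcp__docs__search', decision: 'ALLOW', priority: MCP_TOOL_DEFAULT_PRIORITY, source: 'MCP tool default (trusted server "docs")' },
    { toolName: 'mcp__docs__fetch', decision: 'ASK_USER', priority: MCP_SERVER_DEFAULT_PRIORITY, source: 'MCP server default ("docs")' },
  ];
  if (coreTools !== null) rules.push(...coreToolRules(coreTools, enforcement));
  return rules;
}

/** Which of the given tools a rule set denies outright: the "strict mode" surface the review
 *  recommends documenting. */
function deniedTools(rules: PolicyRule[], toolNames: string[]): string[] {
  return toolNames.filter((name) => evaluate(rules, name).decision === 'DENY');
}
```

With `tools.core = ['read_file', 'run_shell_command(ls)']` and the DENY rule, `deniedTools` reports `write_file` and both MCP tools, because 4.24 outranks 4.2 and 4.1; adding `mcp__docs__search` to the list lets its 4.25 entry win again. With the bot's ALLOW wildcard at 4.05 nothing is denied and an unlisted `write_file` is allowed by the enforcement rule itself, which is why the reply above reads that suggestion as dropping the secure-by-default behaviour.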

@Abhijit-2592 Abhijit-2592 left a comment


LGTM

@DavidAPierce DavidAPierce requested a review from a team as a code owner April 23, 2026 18:06
@DavidAPierce DavidAPierce enabled auto-merge April 23, 2026 18:23
@DavidAPierce DavidAPierce requested a review from a team as a code owner April 23, 2026 18:56
@github-actions

github-actions Bot commented Apr 23, 2026

57 tests passed successfully on gemini-3-flash-preview.

🧠 Model Steering Guidance

This PR modifies files that affect the model's behavior (prompts, tools, or instructions).

  • 🚀 Maintainer Reminder: Please ensure that these changes do not regress results on benchmark evals before merging.

This is an automated guidance message triggered by steering logic signatures.

@DavidAPierce DavidAPierce added this pull request to the merge queue Apr 23, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Apr 23, 2026
@ehedlund ehedlund added this pull request to the merge queue Apr 23, 2026
Merged via the queue into main with commit 27927c5 Apr 23, 2026
28 of 29 checks passed
@ehedlund ehedlund deleted the galzahavi/fix/coretools branch April 23, 2026 20:40
spencer426 pushed a commit that referenced this pull request Apr 23, 2026
…list (#25720)

Co-authored-by: David Pierce <davidapierce@google.com>
Co-authored-by: Keith Schaab <keithsc@google.com>
Co-authored-by: Keith Schaab <keith.schaab@gmail.com>
Co-authored-by: Emily Hedlund <ehedlund@google.com>
seheepeak pushed a commit to seheepeak/gemini-cli that referenced this pull request Apr 24, 2026
…list (google-gemini#25720)

Co-authored-by: David Pierce <davidapierce@google.com>
Co-authored-by: Keith Schaab <keithsc@google.com>
Co-authored-by: Keith Schaab <keith.schaab@gmail.com>
Co-authored-by: Emily Hedlund <ehedlund@google.com>
chenwangnec pushed a commit to chenwangnec/gemini-cli that referenced this pull request Apr 25, 2026
…list (google-gemini#25720)

Co-authored-by: David Pierce <davidapierce@google.com>
Co-authored-by: Keith Schaab <keithsc@google.com>
Co-authored-by: Keith Schaab <keith.schaab@gmail.com>
Co-authored-by: Emily Hedlund <ehedlund@google.com>
seheepeak pushed a commit to seheepeak/gemini-cli that referenced this pull request Apr 30, 2026
…list (google-gemini#25720)

Co-authored-by: David Pierce <davidapierce@google.com>
Co-authored-by: Keith Schaab <keithsc@google.com>
Co-authored-by: Keith Schaab <keith.schaab@gmail.com>
Co-authored-by: Emily Hedlund <ehedlund@google.com>
ik-gemini-bot added a commit to spigell/gemini-cli that referenced this pull request May 3, 2026
* refactor(plan): simplify policy priorities and consolidate read-only rules (google-gemini#24849)

* feat(test-utils): add memory usage integration test harness (google-gemini#24876)

* feat(memory): add /memory inbox command for reviewing extracted skills (google-gemini#24544)

* chore(release): bump version to 0.39.0-nightly.20260408.e77b22e63 (google-gemini#24939)

* fix(core): ensure robust sandbox cleanup in all process execution paths (google-gemini#24763)

Co-authored-by: Spencer <spencertang@google.com>

* chore: update ink version to 6.6.8 (google-gemini#24934)

* Changelog for v0.38.0-preview.0 (google-gemini#24938)

Co-authored-by: gemini-cli-robot <224641728+gemini-cli-robot@users.noreply.github.com>
Co-authored-by: g-samroberts <samroberts@google.com>

* chore: ignore conductor directory (google-gemini#22128)

Co-authored-by: Coco Sheng <cocosheng@google.com>

* Changelog for v0.37.0 (google-gemini#24940)

Co-authored-by: gemini-cli-robot <224641728+gemini-cli-robot@users.noreply.github.com>
Co-authored-by: Sam Roberts <158088236+g-samroberts@users.noreply.github.com>

* feat(plan): require user confirmation for activate_skill in Plan Mode (google-gemini#24946)

* feat(test-utils): add CPU performance integration test harness (google-gemini#24951)

* fix(core): resolve windows symlink bypass and stabilize sandbox integration tests (google-gemini#24834)

* test(sdk): add unit tests for GeminiCliSession (google-gemini#21897)

* fix(cli): restore file path display in edit and write tool confirmations (google-gemini#24974)

* fix(cli-ui): enable Ctrl+Backspace for word deletion in Windows Terminal (google-gemini#21447)

* fix(core): dynamic session ID injection to resolve resume bugs (google-gemini#24972)

* Update ink version to 6.6.9 (google-gemini#24980)

* feat(core): refine shell tool description display logic (google-gemini#24903)

* Generalize evals infra to support more types of evals, organization and queuing of named suites (google-gemini#24941)

* fix(cli): optimize startup with lightweight parent process (google-gemini#24667)

* refactor(sandbox): use centralized sandbox paths in macOS Seatbelt implementation (google-gemini#24984)

* feat(cli): refine tool output formatting for compact mode (google-gemini#24677)

* fix(sdk): skip broken sendStream tests to unblock nightly (google-gemini#25000)

* refactor(core): use centralized path resolution for Linux sandbox (google-gemini#24985)

* Support ctrl+shift+g (google-gemini#25035)

* feat(core): refactor subagent tool to unified invoke_subagent tool (google-gemini#24489)

* fix(core): add explicit git identity env vars to prevent sandbox checkpointing error (google-gemini#19775)

Co-authored-by: David Pierce <davidapierce@google.com>

* fix: respect hideContextPercentage when FooterConfigDialog is closed without changes (google-gemini#24773)

Co-authored-by: Coco Sheng <cocosheng@google.com>

* fix(cli): suppress unhandled AbortError logs during request cancellation (google-gemini#22621)

* Automated documentation audit (google-gemini#24567)

* feat(cli): implement useAgentStream hook (google-gemini#24292)

Co-authored-by: Adam Weidman <adamfweidman@gmail.com>
Co-authored-by: Adam Weidman <adamfweidman@google.com>

* refactor(core): remove legacy subagent wrapping tools (google-gemini#25053)

* refactor(plan) Clean default plan toml (google-gemini#25037)

* fix(core): honor retryDelay in RetryInfo for 503 errors (google-gemini#25057)

* fix(core): remediate subagent memory leaks using AbortSignal in MessageBus (google-gemini#25048)

* feat(cli): wire up useAgentStream in AppContainer (google-gemini#24297)

Co-authored-by: Adam Weidman <adamfweidman@gmail.com>
Co-authored-by: Adam Weidman <adamfweidman@google.com>

* feat(core): migrate chat recording to JSONL streaming (google-gemini#23749)

* fix(core): clear 5-minute timeouts in oauth flow to prevent memory leaks (google-gemini#24968)

* fix(sandbox): centralize async git worktree resolution and enforce read-only security (google-gemini#25040)

* feat(test): add high-volume shell test and refine perf harness (google-gemini#24983)

* fix(core): silently handle EPERM when listing dir structure (google-gemini#25066)

* Changelog for v0.37.1 (google-gemini#25055)

Co-authored-by: gemini-cli-robot <224641728+gemini-cli-robot@users.noreply.github.com>

* fix: decode Uint8Array and multi-byte UTF-8 in API error messages (google-gemini#23341)

Co-authored-by: Coco Sheng <cocosheng@google.com>

* Automated documentation audit results (google-gemini#22755)

* debugging(ui): add optional debugRainbow setting (google-gemini#25088)

* fix: resolve lifecycle memory leaks by cleaning up listeners and root closures (google-gemini#25049)

* docs(cli): updates f12 description to be more precise (google-gemini#15816)

* fix(cli): mark /settings as unsafe to run concurrently (google-gemini#25061)

* fix(core): remove buffer slice to prevent OOM on large output streams (google-gemini#25094)

* feat(core): persist subagent agentId in tool call records (google-gemini#25092)

* chore(core): increase codebase investigator turn limits to 50 (google-gemini#25125)

* refactor(core): consolidate execute() arguments into ExecuteOptions (google-gemini#25101)

* feat(core): add Strategic Re-evaluation guidance to system prompt (google-gemini#25062)

* fix(core): preserve shell execution config fields on update (google-gemini#25113)

* docs: add vi shortcuts and clarify MCP sandbox setup (google-gemini#21679)

Co-authored-by: Jenna Inouye <jinouye@google.com>

* fix(cli): pass session id to interactive shell executions (google-gemini#25114)

* fix(cli): resolve text sanitization data loss due to C1 control characters (google-gemini#22624)

* feat(core): add large memory regression test (google-gemini#25059)

* fix(core): resolve PTY exhaustion and orphan MCP subprocess leaks (google-gemini#25079)

* chore: switch from keytar to @github/keytar (google-gemini#25143)

* chore(deps): update vulnerable dependencies via npm audit fix (google-gemini#25140)

* perf(sandbox): optimize Windows sandbox initialization via native ACL application (google-gemini#25077)

* fix: improve audio MIME normalization and validation in file reads (google-gemini#21636)

Co-authored-by: Coco Sheng <cocosheng@google.com>

* docs: Update docs-audit to include changes in PR body (google-gemini#25153)

* docs: correct documentation for enforced authentication type (google-gemini#25142)

* fix(cli): exclude update_topic from confirmation queue count (google-gemini#24945)

* Memory fix for trace's streamWrapper. (google-gemini#25089)

* fix(core): fix quota footer for non-auto models and improve display (google-gemini#25121)

* docs(contributing): clarify self-assignment policy for issues (google-gemini#23087)

* feat(core): add skill patching support with /memory inbox integration (google-gemini#25148)

* Stop suppressing thoughts and text in model response (google-gemini#25073)

* fix(release): prefix git hash in nightly versions to prevent semver normalization (google-gemini#25304)

* feat(cli): extract QuotaContext and resolve infinite render loop (google-gemini#24959)

* refactor(core): extract and centralize sandbox path utilities (google-gemini#25305)

Co-authored-by: David Pierce <davidapierce@google.com>

* feat(ui): added enhancements to scroll momentum (google-gemini#24447)

* fix(core): replace custom binary detection with isbinaryfile to correctly handle UTF-8 (U+FFFD) (google-gemini#25297)

* feat(agent): implement tool-controlled display protocol (Steps 2-3) (google-gemini#25134)

* Stop showing scrollbar unless we are in terminalBuffer mode (google-gemini#25320)

* fix(core): expose GEMINI_PLANS_DIR to hook environment (google-gemini#25296)

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* feat: support auth block in MCP servers config in agents (google-gemini#24770)

* feat(core): implement silent fallback for Plan Mode model routing (google-gemini#25317)

* fix: correct redirect count increment in fetchJson (google-gemini#24896)

Co-authored-by: Tommaso Sciortino <sciortino@gmail.com>

* fix(core): prevent secondary crash in ModelRouterService finally block (google-gemini#25333)

* feat(core): introduce decoupled ContextManager and Sidecar architecture (google-gemini#24752)

* docs(core): update generalist agent documentation (google-gemini#25325)

* chore(mcp): check MCP error code over brittle string match (google-gemini#25381)

* test(core): improve sandbox integration test coverage and fix OS-specific failures (google-gemini#25307)

Co-authored-by: David Pierce <davidapierce@google.com>

* feat(plan): update plan mode prompt to allow showing plan content (google-gemini#25058)

* fix(core): use debug level for keychain fallback logging (google-gemini#25398)

* feat(test): add a performance test in asian language (google-gemini#25392)

* feat(cli): enable mouse clicking for cursor positioning in AskUser multi-line answers (google-gemini#24630)

* fix(core): detect kmscon terminal as supporting true color (google-gemini#25282)

Co-authored-by: Adib234 <30782825+Adib234@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* ci: add agent session drift check workflow (google-gemini#25389)

* use macos-latest-large runner where applicable. (google-gemini#25413)

* Changelog for v0.37.2 (google-gemini#25336)

Co-authored-by: gemini-cli-robot <224641728+gemini-cli-robot@users.noreply.github.com>

* chore(release): bump version to 0.40.0-nightly.20260414.g5b1f7375a (google-gemini#25420)

* Fix(core): retry additional OpenSSL 3.x SSL errors during streaming (google-gemini#16075) (google-gemini#25187)

* fix(core): prevent YOLO mode from being downgraded (google-gemini#25341)

* feat: bundle ripgrep binaries into SEA for offline support (google-gemini#25342)

* Changelog for v0.39.0-preview.0 (google-gemini#25417)

Co-authored-by: gemini-cli-robot <224641728+gemini-cli-robot@users.noreply.github.com>
Co-authored-by: Sam Roberts <158088236+g-samroberts@users.noreply.github.com>

* feat(test): add large conversation scenario for performance test (google-gemini#25331)

* improve(core): require recurrence evidence before extracting skills (google-gemini#25147)

* test(evals): add subagent delegation evaluation tests (google-gemini#24619)

* feat: add github colorblind themes (google-gemini#15504)

Co-authored-by: Coco Sheng <cocosheng@google.com>

* fix(core): honor GOOGLE_GEMINI_BASE_URL and GOOGLE_VERTEX_BASE_URL (google-gemini#25357)

* fix(cli): clean up slash command IDE listeners (google-gemini#24397)

Co-authored-by: Tommaso Sciortino <sciortino@gmail.com>

* Changelog for v0.38.0 (google-gemini#25470)

Co-authored-by: gemini-cli-robot <224641728+gemini-cli-robot@users.noreply.github.com>

* fix(evals): update eval tests for invoke_agent telemetry and project-scoped memory (google-gemini#25502)

* Changelog for v0.38.1 (google-gemini#25476)

Co-authored-by: gemini-cli-robot <224641728+gemini-cli-robot@users.noreply.github.com>
Co-authored-by: Sam Roberts <158088236+g-samroberts@users.noreply.github.com>

* feat(core): integrate skill-creator into skill extraction agent (google-gemini#25421)

* feat(cli): provide default post-submit prompt for skill command (google-gemini#25327)

* feat(core): add tools to list and read MCP resources (google-gemini#25395)

* fix(evals): add typecheck coverage for evals, integration-tests, and memory-tests (google-gemini#25480)

* Use OSC 777 for terminal notifications (google-gemini#25300)

* fix(extensions): fix bundling for examples (google-gemini#25542)

* fix(cli): reset plan session state on /clear (google-gemini#25515)

* feat(core): add .mdx support to get-internal-docs tool (google-gemini#25090)

* docs(policy): mention that workspace policies are broken (google-gemini#24367)

Co-authored-by: Nicolas Ouellet-Payeur <nicolaso@chromium.org>

* fix(core): allow explicit write permissions to override governance file protections in sandboxes (google-gemini#25338)

* feat(sandbox): resolve custom seatbelt profiles from $HOME/.gemini first (google-gemini#25427)

Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>

* Reduce blank lines. (google-gemini#25563)

* fix(ui): revert preview theme on dialog unmount (google-gemini#22542)

Co-authored-by: Jack Wotherspoon <jackwoth@google.com>

* fix(core): fix ShellExecutionConfig spread and add ProjectRegistry save backoff (google-gemini#25382)

* feat(core): Disable topic updates for subagents (google-gemini#25567)

* feat(core): enable topic update narration by default and promote to general (google-gemini#25586)

Co-authored-by: JAYADITYA <96861162+JayadityaGit@users.noreply.github.com>
Co-authored-by: Jack Wotherspoon <jackwoth@google.com>

* docs: migrate installation and authentication to mdx with tabbed layouts (google-gemini#25155)

* feat(config): split memoryManager flag into autoMemory (google-gemini#25601)

* fix(core): allow Cloud Shell users to use PRO_MODEL_NO_ACCESS experiment (google-gemini#25702)

* fix(cli): round slow render latency to avoid opentelemetry float warning (google-gemini#25709)

* docs(tracker): introduce experimental task tracker feature (google-gemini#24556)

* docs(cli): fix inconsistent system.md casing in system prompt docs (google-gemini#25414)

Co-authored-by: cynthialong0-0 <82900738+cynthialong0-0@users.noreply.github.com>

* feat(cli): add streamlined `gemini gemma` local model setup (google-gemini#25498)

Co-authored-by: Abhijit Balaji <abhijitbalaji@google.com>
Co-authored-by: Samee Zahid <sameez@google.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Changelog for v0.38.2 (google-gemini#25593)

Co-authored-by: gemini-cli-robot <224641728+gemini-cli-robot@users.noreply.github.com>

* Fix: Disallow overriding IDE stdio via workspace .env (RCE) (google-gemini#25022)

Co-authored-by: Tommaso Sciortino <sciortino@gmail.com>

* feat(test): refactor the memory usage test to use metrics from CLI process instead of test runner (google-gemini#25708)

* feat(vertex): add settings for Vertex AI request routing (google-gemini#25513)

* Fix/allow for session persistence (google-gemini#25176)

* fix(core): resolve nested plan directory duplication and relative path policies (google-gemini#25138)

* feat: detect new files in @ recommendations with watcher based updates (google-gemini#25256)

* Allow dots on GEMINI_API_KEY (google-gemini#25497)

* feat(telemetry): add flag for enabling traces specifically (google-gemini#25343)

* fix(cli): use newline in shell command wrapping to avoid breaking heredocs (google-gemini#25537)

* fix(cli): ensure theme dialog labels are rendered for all themes (google-gemini#24599)

Co-authored-by: cynthialong0-0 <82900738+cynthialong0-0@users.noreply.github.com>

* fix(core): disable detached mode in Bun to prevent immediate SIGHUP of child processes (google-gemini#22620)

* feat: add /new as alias for /clear and refine command description (google-gemini#17865)

* fix(cli): start auto memory in ACP sessions (google-gemini#25626)

* fix(core): remove duplicate initialize call on agents refreshed (google-gemini#25670)

* test(e2e): default integration tests to Flash Preview (google-gemini#25753)

* refactor(memory): replace MemoryManagerAgent with prompt-driven memory editing across four tiers (google-gemini#25716)

* fix(cli): fix "/clear (new)" command (google-gemini#25801)

* fix(core): use dynamic CLI version for IDE client instead of hardcoded '1.0.0' (google-gemini#24414)

Co-authored-by: cynthialong0-0 <82900738+cynthialong0-0@users.noreply.github.com>

* fix(core): handle line endings in ignore file parsing (google-gemini#23895)

Co-authored-by: cynthialong0-0 <82900738+cynthialong0-0@users.noreply.github.com>

* Fix/command injection shell (google-gemini#24170)

Co-authored-by: David Pierce <davidapierce@google.com>

* fix(ui): removed background color for input (google-gemini#25339)

* fix(devtools): reduce memory usage and defer connection (google-gemini#24496)

* fix(core): support jsonl session logs in memory and summary services (google-gemini#25816)

* fix(release): exclude ripgrep binaries from npm tarballs (google-gemini#25841)

* chore(release): v0.40.0-preview.2

* feat(cli): secure .env loading and enforce workspace trust in headless mode (google-gemini#25814)

Co-authored-by: galz10 <galzahavi@google.com>
Co-authored-by: davidapierce <davidapierce@google.com>

* feat(core): enhance shell command validation and add core tools allowlist (google-gemini#25720)

Co-authored-by: David Pierce <davidapierce@google.com>
Co-authored-by: Keith Schaab <keithsc@google.com>
Co-authored-by: Keith Schaab <keith.schaab@gmail.com>
Co-authored-by: Emily Hedlund <ehedlund@google.com>

* update FatalUntrustedWorkspaceError message to include doc link (google-gemini#25874)

* chore(release): v0.40.0-preview.3

* fix(patch): cherry-pick 048bf6e to release/v0.40.0-preview.3-pr-25941 to patch version v0.40.0-preview.3 and create version 0.40.0-preview.4 (google-gemini#25942)

Co-authored-by: Tommaso Sciortino <sciortino@gmail.com>

* chore(release): v0.40.0-preview.4

* fix(patch): cherry-pick 54b7586 to release/v0.40.0-preview.4-pr-26066 [CONFLICTS] (google-gemini#26124)

Co-authored-by: David Pierce <davidapierce@google.com>

* chore(release): v0.40.0-preview.5

* chore(release): v0.40.0

* Remove temporary commit message file from tracking

This cleans the repository after the upstream merge and ignores the helper file so future local commits do not pollute branch diffs.

* Add optional image build trigger to fork resync skill

Document the final workflow trigger step for cases where a new container image is required, including the exact workflow name and inputs, and warn against passing the branch name as the version.

* Clarify fork bump behavior in resync skill

Document that the fork should be bumped from upstream without applying fork patches back onto the upstream release branch, keeping fork-specific changes isolated to the fork resync workflow.

---------

Co-authored-by: ruomeng <ruomeng@google.com>
Co-authored-by: Sri Pasumarthi <111310667+sripasg@users.noreply.github.com>
Co-authored-by: Sandy Tao <sandytao520@icloud.com>
Co-authored-by: gemini-cli-robot <gemini-cli-robot@google.com>
Co-authored-by: Emily Hedlund <ehedlund@google.com>
Co-authored-by: Spencer <spencertang@google.com>
Co-authored-by: Jacob Richman <jacob314@gmail.com>
Co-authored-by: gemini-cli-robot <224641728+gemini-cli-robot@users.noreply.github.com>
Co-authored-by: g-samroberts <samroberts@google.com>
Co-authored-by: JAYADITYA <96861162+JayadityaGit@users.noreply.github.com>
Co-authored-by: Coco Sheng <cocosheng@google.com>
Co-authored-by: Sam Roberts <158088236+g-samroberts@users.noreply.github.com>
Co-authored-by: Adamya Singh <adamyasingh54@gmail.com>
Co-authored-by: Jarrod Whelan <150866123+jwhelangoog@users.noreply.github.com>
Co-authored-by: dogukanozen <dogukannozen@hotmail.com>
Co-authored-by: Tommaso Sciortino <sciortino@gmail.com>
Co-authored-by: Christian Gunderman <gundermanc@google.com>
Co-authored-by: Sehoon Shon <sshon@google.com>
Co-authored-by: Abhi <43648792+abhipatel12@users.noreply.github.com>
Co-authored-by: MD. MOHIBUR RAHMAN <35300157+mrpmohiburrahman@users.noreply.github.com>
Co-authored-by: David Pierce <davidapierce@google.com>
Co-authored-by: chernistry <73943355+chernistry@users.noreply.github.com>
Co-authored-by: euxaristia <25621994+euxaristia@users.noreply.github.com>
Co-authored-by: Michael Bleigh <mbleigh@mbleigh.com>
Co-authored-by: Adam Weidman <adamfweidman@gmail.com>
Co-authored-by: Adam Weidman <adamfweidman@google.com>
Co-authored-by: Yuna Seol <yunaseol@gmail.com>
Co-authored-by: June <kimjune01@gmail.com>
Co-authored-by: Aishanee Shah <aishaneeshah@google.com>
Co-authored-by: Jason Matthew Suhari <jasonmatthewsuhari@gmail.com>
Co-authored-by: Christopher Thomas <cobekgn@gmail.com>
Co-authored-by: Jenna Inouye <jinouye@google.com>
Co-authored-by: cynthialong0-0 <82900738+cynthialong0-0@users.noreply.github.com>
Co-authored-by: M Junaid Shaukat <154750865+junaiddshaukat@users.noreply.github.com>
Co-authored-by: Abhijit Balaji <abhijitbalaji@google.com>
Co-authored-by: Mark Griffith <anthraxmilkshake@hotmail.com>
Co-authored-by: Jack Wotherspoon <jackwoth@google.com>
Co-authored-by: Jesse Rosenstock <jesse.rosenstock@gmail.com>
Co-authored-by: Adib234 <30782825+Adib234@users.noreply.github.com>
Co-authored-by: Dev Randalpura <devrandalpura@google.com>
Co-authored-by: Anjaligarhwal <anjaligarhwal1610@gmail.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: Tanmay Vartak <9002434+TanmayVartak@users.noreply.github.com>
Co-authored-by: Jerop Kipruto <jerop@google.com>
Co-authored-by: Kevin Zhao <kevin8093@126.com>
Co-authored-by: joshualitt <joshualitt@google.com>
Co-authored-by: Clay <claygeo6@gmail.com>
Co-authored-by: Adam Weidman <65992621+adamfweidman@users.noreply.github.com>
Co-authored-by: Rob Clevenger <rcleveng@users.noreply.github.com>
Co-authored-by: Gal Zahavi <38544478+galz10@users.noreply.github.com>
Co-authored-by: anj-s <32556631+anj-s@users.noreply.github.com>
Co-authored-by: Z1xus <40185941+Z1xus@users.noreply.github.com>
Co-authored-by: jackyliuxx <jackyliuxx@gmail.com>
Co-authored-by: Nicolas Ouellet-Payeur <nicolaso@google.com>
Co-authored-by: Nicolas Ouellet-Payeur <nicolaso@chromium.org>
Co-authored-by: Matt Van Horn <mvanhorn@users.noreply.github.com>
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Co-authored-by: Mahima Shanware <mahima.shanware@gmail.com>
Co-authored-by: Timo <36011879+Bodlux@users.noreply.github.com>
Co-authored-by: Samee Zahid <sameescouser24@gmail.com>
Co-authored-by: Samee Zahid <sameez@google.com>
Co-authored-by: Mundur <150439604+M0nd0R@users.noreply.github.com>
Co-authored-by: Gordon Hui <125633533+gordonhwc@users.noreply.github.com>
Co-authored-by: Muhammad Ahsan Farooq <ahsanfarooq210@gmail.com>
Co-authored-by: PRAS Samin <103464543+prassamin@users.noreply.github.com>
Co-authored-by: Danyel Cabello <danyel.nerv@gmail.com>
Co-authored-by: Vedant Mahajan <vedant.04.mahajan@gmail.com>
Co-authored-by: mini2s <143020328+mini2s@users.noreply.github.com>
Co-authored-by: Kishan Patel <132991737+thekishandev@users.noreply.github.com>
Co-authored-by: xoma-zver <maxidiplomat@gmail.com>
Co-authored-by: Horizon_Architect_07 <famousrajbhatt@gmail.com>
Co-authored-by: galz10 <galzahavi@google.com>
Co-authored-by: Keith Schaab <keithsc@google.com>
Co-authored-by: Keith Schaab <keith.schaab@gmail.com>
Co-authored-by: codex-bot <spigelly+gh-bot@gmail.com>
Labels

status/need-issue Pull requests that need to have an associated issue.

10 participants