fix(cli): allow restricted .env loading in untrusted sandboxed folders #17806
Bypass folder trust check in `loadEnvironment` if sandboxing is enabled, either via settings or CLI flags (-s, --sandbox). This prevents authentication crashes in untrusted folders while maintaining security through a whitelist of essential auth-related variables:
- GEMINI_API_KEY
- GOOGLE_API_KEY
- GOOGLE_CLOUD_PROJECT
- GOOGLE_CLOUD_LOCATION

All other environment variables from untrusted folders remain blocked. Verified with new regression tests in settings.test.ts.
Summary of Changes
Hello @galz10, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request addresses a critical issue where the CLI would fail to load essential authentication keys from
Highlights
Size Change: +839 B (0%)
Total Size: 23.7 MB
Code Review
This pull request aims to resolve a critical usability issue by allowing the CLI to load whitelisted authentication-related environment variables from .env files in untrusted directories when sandboxing is active. However, the current implementation introduces significant security flaws, including a bypass of the workspace trust check due to naive argument sniffing and a potential command injection vulnerability from unsanitized environment variables loaded from untrusted sources. These vulnerabilities could enable an attacker to execute arbitrary commands if a user runs the CLI in a malicious directory. Specifically, the high-severity issue with sandbox flag detection from process.argv before full argument parsing needs to be addressed to prevent a bypass of the folder trust security feature.
Enhance security when loading essential authentication variables from untrusted workspaces by:
- Adding `sanitizeEnvVar` to strip potential shell injection characters from environment variables.
- Applying sanitization in `loadEnvironment` and `setUpCloudShellEnvironment` when a workspace is untrusted but sandboxed.
- Refining sandbox flag detection to ignore `-s` or `--sandbox` if they appear as positional arguments after `--`.
- Adding comprehensive regression tests for environment sanitization, sandbox detection, and Cloud Shell security.

Also includes minor documentation formatting and linting fixes.
- Remove redundant nullish coalescing operators in loadEnvironment.
- Add documentation for early process.argv sniffing limitations.
- Replace brittle 'as Settings' casts with createMockSettings helper across multiple test files.
- Consolidate and export createMockSettings from test utilities for consistent mock generation.
- Fix unused imports and type errors in test files.
- Resolve circular dependencies in test utilities.
- Fix flakiness in FolderTrustDialog tests and increase integration test timeouts.
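
A minimal sketch of the three controls the commit messages above describe: the auth-variable whitelist, value sanitization, and ignoring `-s`/`--sandbox` after `--`. It is an added illustration, not code from the PR; the function names, the character allow-list and the sample `.env` are assumptions.

```typescript
// Added illustration, not the project's code. The four names are those the PR lists.
const AUTH_ENV_VAR_WHITELIST: string[] = [
  'GEMINI_API_KEY', 'GOOGLE_API_KEY',
  'GOOGLE_CLOUD_PROJECT', 'GOOGLE_CLOUD_LOCATION',
];

// True only if -s/--sandbox appears before a "--" terminator; anything after
// "--" is a positional argument (for example prompt text) and must not count.
function sandboxRequested(argv: string[]): boolean {
  for (let i = 0; i < argv.length; i++) {
    if (argv[i] === '--') return false;
    if (argv[i] === '-s' || argv[i] === '--sandbox') return true;
  }
  return false;
}

// Assumed policy: keep only characters plausible in an API key, project id or
// region name, so shell metacharacters ($ ` ; | & ( ) etc.) never survive.
function sanitizeValue(value: string): string {
  return value.replace(/[^A-Za-z0-9_.\-]/g, '');
}

// Minimal KEY=VALUE parser for the constructed sample (no quoting or multiline).
function parseDotenv(text: string): Record<string, string> {
  const out: Record<string, string> = {};
  text.split('\n').forEach((line) => {
    const eq = line.indexOf('=');
    if (eq > 0 && line.trim().charAt(0) !== '#') {
      out[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
    }
  });
  return out;
}

// Untrusted folder: nothing loads without a sandbox; with one, only
// whitelisted names load, and their values are sanitized first.
function loadUntrustedEnv(dotenvText: string, argv: string[]): Record<string, string> {
  const loaded: Record<string, string> = {};
  if (!sandboxRequested(argv)) return loaded;
  const parsed = parseDotenv(dotenvText);
  AUTH_ENV_VAR_WHITELIST.forEach((name) => {
    const v = parsed[name];
    if (typeof v === 'string') loaded[name] = sanitizeValue(v);
  });
  return loaded;
}

// Constructed sample .env as it might appear in an untrusted folder.
const SAMPLE_ENV = 'GEMINI_API_KEY=abc123\nMALICIOUS_VAR=oops\nGOOGLE_CLOUD_PROJECT=proj$(id)';
```

Passing the argument vector in as a parameter, rather than reading `process.argv` inside the loader, keeps the trust decision testable with the exact edge cases the review raised.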

Summary
Fixes a "chicken and egg" paradox where the CLI crashes due to missing authentication keys in untrusted folders, even when the user is explicitly requesting a secure sandbox environment.
Details
- `loadEnvironment` would return early for untrusted folders before the sandbox was even entered, preventing `.env` files from loading the `GEMINI_API_KEY`.
- `loadEnvironment` in `packages/cli/src/config/settings.ts` to recognize when sandboxing is active (by checking both `settings` and raw `process.argv` flags).
- `AUTH_ENV_VAR_WHITELIST` to ensure that only specifically required authentication keys are loaded in this mode. All other potentially malicious variables in the untrusted `.env` are still filtered out.

Related Issues
Fixes the reported crash:
`Error authenticating: Error: When using Gemini API, you must specify the GEMINI_API_KEY environment variable.` when running with `-s` in an untrusted folder.

How to Validate
- `.env` file with `GEMINI_API_KEY=your_key` and `MALICIOUS_VAR=oops`.
- `npm start -- -s "echo \$GEMINI_API_KEY && echo \$MALICIOUS_VAR"`.
- `GEMINI_API_KEY` is printed, `MALICIOUS_VAR` is empty/undefined, and the app starts successfully.
- `npm test -w @google/gemini-cli -- src/config/settings.test.ts`.

Pre-Merge Checklist