Add ExtensionDetails dialog and support install #20845
Merged
13a7cbd
Add ExtensionDetails dialog
chrstnb 1f8d38e
Make extensions install work
chrstnb 99b85fa
merge
chrstnb db4594e
fix failures
chrstnb cecb1e6
Merge branch 'main' into cb/registryinstall
chrstnb f34821c
fix errors
chrstnb 76cd4be
address comments
chrstnb File filter
119 changes: 119 additions & 0 deletions
119
packages/cli/src/ui/components/views/ExtensionDetails.test.tsx
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,119 @@ | ||
| /** | ||
| * @license | ||
| * Copyright 2026 Google LLC | ||
| * SPDX-License-Identifier: Apache-2.0 | ||
| */ | ||
|
|
||
| import React from 'react'; | ||
| import { render } from '../../../test-utils/render.js'; | ||
| import { waitFor } from '../../../test-utils/async.js'; | ||
| import { describe, it, expect, vi, beforeEach } from 'vitest'; | ||
| import { ExtensionDetails } from './ExtensionDetails.js'; | ||
| import { KeypressProvider } from '../../contexts/KeypressContext.js'; | ||
| import { type RegistryExtension } from '../../../config/extensionRegistryClient.js'; | ||
|
|
||
| const mockExtension: RegistryExtension = { | ||
| id: 'ext1', | ||
| extensionName: 'Test Extension', | ||
| extensionDescription: 'A test extension description', | ||
| fullName: 'author/test-extension', | ||
| extensionVersion: '1.2.3', | ||
| rank: 1, | ||
| stars: 123, | ||
| url: 'https://github.com/author/test-extension', | ||
| repoDescription: 'Repo description', | ||
| avatarUrl: '', | ||
| lastUpdated: '2023-10-27', | ||
| hasMCP: true, | ||
| hasContext: true, | ||
| hasHooks: true, | ||
| hasSkills: true, | ||
| hasCustomCommands: true, | ||
| isGoogleOwned: true, | ||
| licenseKey: 'Apache-2.0', | ||
| }; | ||
|
|
||
| describe('ExtensionDetails', () => { | ||
| let mockOnBack: ReturnType<typeof vi.fn>; | ||
| let mockOnInstall: ReturnType<typeof vi.fn>; | ||
|
|
||
| beforeEach(() => { | ||
| mockOnBack = vi.fn(); | ||
| mockOnInstall = vi.fn(); | ||
| }); | ||
|
|
||
| const renderDetails = (isInstalled = false) => | ||
| render( | ||
| <KeypressProvider> | ||
| <ExtensionDetails | ||
| extension={mockExtension} | ||
| onBack={mockOnBack} | ||
| onInstall={mockOnInstall} | ||
| isInstalled={isInstalled} | ||
| /> | ||
| </KeypressProvider>, | ||
| ); | ||
|
|
||
| it('should render extension details correctly', async () => { | ||
| const { lastFrame } = renderDetails(); | ||
| await waitFor(() => { | ||
| expect(lastFrame()).toContain('Test Extension'); | ||
| expect(lastFrame()).toContain('v1.2.3'); | ||
| expect(lastFrame()).toContain('123'); | ||
| expect(lastFrame()).toContain('[G]'); | ||
| expect(lastFrame()).toContain('author/test-extension'); | ||
| expect(lastFrame()).toContain('A test extension description'); | ||
| expect(lastFrame()).toContain('MCP'); | ||
| expect(lastFrame()).toContain('Context file'); | ||
| expect(lastFrame()).toContain('Hooks'); | ||
| expect(lastFrame()).toContain('Skills'); | ||
| expect(lastFrame()).toContain('Commands'); | ||
| }); | ||
| }); | ||
|
|
||
| it('should show install prompt when not installed', async () => { | ||
| const { lastFrame } = renderDetails(false); | ||
| await waitFor(() => { | ||
| expect(lastFrame()).toContain('[Enter] Install'); | ||
| expect(lastFrame()).not.toContain('Already Installed'); | ||
| }); | ||
| }); | ||
|
|
||
| it('should show already installed message when installed', async () => { | ||
| const { lastFrame } = renderDetails(true); | ||
| await waitFor(() => { | ||
| expect(lastFrame()).toContain('Already Installed'); | ||
| expect(lastFrame()).not.toContain('[Enter] Install'); | ||
| }); | ||
| }); | ||
|
|
||
| it('should call onBack when Escape is pressed', async () => { | ||
| const { stdin } = renderDetails(); | ||
| await React.act(async () => { | ||
| stdin.write('\x1b'); // Escape | ||
| }); | ||
| await waitFor(() => { | ||
| expect(mockOnBack).toHaveBeenCalled(); | ||
| }); | ||
| }); | ||
|
|
||
| it('should call onInstall when Enter is pressed and not installed', async () => { | ||
| const { stdin } = renderDetails(false); | ||
| await React.act(async () => { | ||
| stdin.write('\r'); // Enter | ||
| }); | ||
| await waitFor(() => { | ||
| expect(mockOnInstall).toHaveBeenCalled(); | ||
| }); | ||
| }); | ||
|
|
||
| it('should NOT call onInstall when Enter is pressed and already installed', async () => { | ||
| const { stdin } = renderDetails(true); | ||
| await React.act(async () => { | ||
| stdin.write('\r'); // Enter | ||
| }); | ||
| // Wait a bit to ensure it's not called | ||
| await new Promise((resolve) => setTimeout(resolve, 100)); | ||
chrstnb marked this conversation as resolved.
|
||
| expect(mockOnInstall).not.toHaveBeenCalled(); | ||
| }); | ||
| }); | ||
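Review bot: The `should show install prompt when not installed` case asserts only the `[Enter] Install` hint, so the third-party warning box, which is what a user reads before consenting to an install, can be dropped or gated wrongly without any test failing. Add an assertion on a short fragment of the warning, e.g. `expect(lastFrame()).toContain('does not vet');` (assuming the render width keeps that fragment on one line), plus the matching `.not.toContain('does not vet')` in the installed case. The `mockExtension` fixture also carries only benign strings; a second fixture whose `extensionName` or `extensionDescription` contains a control character would pin down how registry-supplied text reaches the terminal.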
174 changes: 174 additions & 0 deletions
174
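--- a/packages/cli/src/ui/components/views/ExtensionDetails.tsx
+++ b/packages/cli/src/ui/components/views/ExtensionDetails.tsx
@@ -0,0 +1,174 @@
+/**
+* @license
+* Copyright 2026 Google LLC
+* SPDX-License-Identifier: Apache-2.0
+*/
+
+import type React from 'react';
+import { Box, Text } from 'ink';
+import type { RegistryExtension } from '../../../config/extensionRegistryClient.js';
+import { useKeypress } from '../../hooks/useKeypress.js';
+import { keyMatchers, Command } from '../../keyMatchers.js';
+import { theme } from '../../semantic-colors.js';
+
+export interface ExtensionDetailsProps {
+extension: RegistryExtension;
+onBack: () => void;
+onInstall: () => void;
+isInstalled: boolean;
+}
+
+export function ExtensionDetails({
+extension,
+onBack,
+onInstall,
+isInstalled,
+}: ExtensionDetailsProps): React.JSX.Element {
+useKeypress(
+(key) => {
+if (keyMatchers[Command.ESCAPE](key)) {
+onBack();
+return true;
+}
+if (keyMatchers[Command.RETURN](key) && !isInstalled) {
+onInstall();
+return true;
+}
+return false;
+},
+{ isActive: true, priority: true },
+);
+
+return (
+<Box
+flexDirection="column"
+paddingX={1}
+paddingY={0}
+height="100%"
+borderStyle="round"
+borderColor={theme.border.default}
+>
+{/* Header Row */}
+<Box flexDirection="row" justifyContent="space-between" marginBottom={1}>
+<Box>
+<Text color={theme.text.secondary}>
+{'>'} Extensions {'>'}{' '}
+</Text>
+<Text color={theme.text.primary} bold>
+{extension.extensionName}
+</Text>
+</Box>
+<Box flexDirection="row">
+<Text color={theme.text.secondary}>
+{extension.extensionVersion ? `v${extension.extensionVersion}` : ''}{' '}
+|{' '}
+</Text>
+<Text color={theme.status.warning}>⭐ </Text>
+<Text color={theme.text.secondary}>
+{String(extension.stars || 0)} |{' '}
+</Text>
+{extension.isGoogleOwned && (
+<Text color={theme.text.primary}>[G] </Text>
+)}
+<Text color={theme.text.primary}>{extension.fullName}</Text>
+</Box>
+</Box>
+
+{/* Description */}
+<Box marginBottom={1}>
+<Text color={theme.text.primary}>
+{extension.extensionDescription || extension.repoDescription}
+</Text>
+</Box>
+
+{/* Features List */}
+<Box flexDirection="row" marginBottom={1}>
+{extension.hasMCP && (
+<Box marginRight={1}>
+<Text color={theme.text.primary}>MCP </Text>
+<Text color={theme.text.secondary}>|</Text>
+</Box>
+)}
+{extension.hasContext && (
+<Box marginRight={1}>
+<Text color={theme.status.error}>Context file </Text>
+<Text color={theme.text.secondary}>|</Text>
+</Box>
+)}
+{extension.hasHooks && (
+<Box marginRight={1}>
+<Text color={theme.status.warning}>Hooks </Text>
+<Text color={theme.text.secondary}>|</Text>
+</Box>
+)}
+{extension.hasSkills && (
+<Box marginRight={1}>
+<Text color={theme.status.success}>Skills </Text>
+<Text color={theme.text.secondary}>|</Text>
+</Box>
+)}
+{extension.hasCustomCommands && (
+<Box marginRight={1}>
+<Text color={theme.text.primary}>Commands</Text>
+</Box>
+)}
+</Box>
+
+{/* Details about MCP / Context */}
+{extension.hasMCP && (
+<Box flexDirection="column" marginBottom={1}>
+<Text color={theme.text.primary}>
+This extension will run the following MCP servers:
+</Text>
+<Box marginLeft={2}>
+<Text color={theme.text.primary}>
+* {extension.extensionName} (local)
+</Text>
+</Box>
+</Box>
+)}
+
+{extension.hasContext && (
+<Box flexDirection="column" marginBottom={1}>
+<Text color={theme.text.primary}>
+This extension will append info to your gemini.md context using
+gemini.md
+</Text>
+</Box>
+)}
+
+{/* Spacer to push warning to bottom */}
+<Box flexGrow={1} />
+
+{/* Warning Box */}
+{!isInstalled && (
+<Box
+flexDirection="column"
+borderStyle="round"
+borderColor={theme.status.warning}
+paddingX={1}
+paddingY={0}
+>
+<Text color={theme.text.primary}>
+The extension you are about to install may have been created by a
+third-party developer and sourced{'\n'}
+from a public repository. Google does not vet, endorse, or guarantee
+the functionality or security{'\n'}
+of extensions. Please carefully inspect any extension and its source
+code before installing to{'\n'}
+understand the permissions it requires and the actions it may
+perform.
+</Text>
+<Box marginTop={1}>
+<Text color={theme.text.primary}>[{'Enter'}] Install</Text>
+</Box>
+</Box>
+)}
+{isInstalled && (
+<Box flexDirection="row" marginTop={1} justifyContent="center">
+<Text color={theme.status.success}>Already Installed</Text>
+</Box>
+)}
+</Box>
+);
+}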
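Review bot: This dialog is the consent screen for an install, yet neither the header row nor the warning box shows `extension.url`, so the user is asked to inspect the source without seeing which repository Enter will fetch; `fullName` and the `[G]` badge are registry-supplied labels, not the install source. Render the URL beside the warning, for example `<Text color={theme.text.secondary}>Source: {extension.url}</Text>`. The MCP line is also synthesized as `* {extension.extensionName} (local)` rather than read from the extension's own server configuration, so it may misstate what will run; derive it from real data or word it as not yet known. Separately, every registry string goes into `<Text>` unfiltered: unless the registry client or Ink already strips them, control and escape characters should be removed before rendering (Node's `util.stripVTControlCharacters` covers ANSI sequences) so a listing cannot redraw or obscure the warning.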
The `installAction` function, which is now called when an extension is selected in the gallery, contains flawed validation logic that could lead to command injection.

In `installAction` (lines 478-489), the code checks for disallowed characters (`[;&|'" ]`) only if the input is NOT a valid URL. However, a valid URL can still contain these characters (e.g., in the pathname) and remain a valid URL according to the `new URL()` constructor. For example, `https://example.com/repo.git;touch/tmp/pwned` is a valid URL but could lead to command execution if passed to a shell command in downstream functions like `cloneFromGit`.

While the registry is currently a trusted source, this flaw also affects the `/extensions install <source>` command which takes arbitrary user input. An attacker could trick a user into installing an extension from a malicious URL, leading to remote code execution.