fix(patch): cherry-pick 58df1c6 to release/v0.31.0-preview.0-pr-20374 to patch version v0.31.0-preview.0 and create version 0.31.0-preview.1#20568
Conversation
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request, an automated cherry-pick, enhances the Model Context Protocol (MCP) client's environment variable handling. It introduces the capability to incorporate and resolve environment variables specified within extensions' settings, ensuring that these variables are correctly passed to and utilized by MCP servers. This change improves the flexibility and integration of extensions with the core system. Highlights
Changelog
Activity
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request adds functionality to make extension settings available as environment variables for MCP server processes, including for variable expansion in server configurations. The changes are generally well-implemented and include corresponding tests. However, a critical security vulnerability was identified where extension-provided environment variables could bypass the sanitization mechanism, potentially leaking sensitive information, which violates the rule regarding sanitizing environments for variable expansion in stdio-based MCP server configurations. A specific comment and code suggestion have been provided to address this issue.
| const finalEnv: Record<string, string> = { | ||
| [GEMINI_CLI_IDENTIFICATION_ENV_VAR]: | ||
| GEMINI_CLI_IDENTIFICATION_ENV_VAR_VALUE, | ||
| ...extensionEnv, | ||
| }; |
There was a problem hiding this comment.
This initialization of finalEnv introduces a security vulnerability. By spreading extensionEnv before applying the sanitized environment, any environment variables from the extension that are supposed to be redacted by sanitizeEnvironment will persist in finalEnv. This bypasses the environment sanitization for extension-provided variables.
The sanitizedEnv already contains the correctly filtered and sanitized variables from both process.env and extensionEnv. Therefore, finalEnv should be initialized without spreading extensionEnv first.
const finalEnv: Record<string, string> = {
[GEMINI_CLI_IDENTIFICATION_ENV_VAR]:
GEMINI_CLI_IDENTIFICATION_ENV_VAR_VALUE,
};References
- Sanitize the environment used for variable expansion in stdio-based MCP server configurations to prevent extensions from bypassing environment variable redaction.
|
Size Change: +966 B (0%) Total Size: 25.7 MB ℹ️ View Unchanged
|
gemini-cli
Bot
added
the
status/need-issue
chrstnb
deleted the
hotfix/v0.31.0-preview.0/0.31.0-preview.1/preview/cherry-pick-58df1c6/pr-20374
branch
3 participants
This PR automatically cherry-picks commit 58df1c6 to patch version v0.31.0-preview.0 in the preview release to create version 0.31.0-preview.1.