fix(patch): cherry-pick 7ec477d to release/v0.33.0-preview.3-pr-21305 to patch version v0.33.0-preview.3 and create version 0.33.0-preview.4

[gemini-cli-robot]

This PR automatically cherry-picks commit 7ec477d to patch version v0.33.0-preview.3 in the preview release to create version 0.33.0-preview.4.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request integrates support for a new AI API Gateway authentication type, enabling more flexible and customizable connections to AI services. It extends the existing authentication mechanisms to include gateway-specific configurations, ensuring that users can route their requests through a designated gateway with custom headers and a base URL. This enhancement provides greater control and adaptability for diverse deployment scenarios.

Highlights

• New Authentication Method: Introduced a new AuthType.GATEWAY authentication method, allowing users to configure a custom AI API Gateway with a base URL and custom headers.
• Gateway Configuration: The GeminiAgent now supports configuring gateway-specific details like baseUrl and customHeaders during authentication, with schema validation for the gateway payload.
• API Updates: The refreshAuth method in the Config service and the createContentGeneratorConfig function were updated to accommodate the new baseUrl and customHeaders parameters for gateway authentication.
• Testing: Added new unit tests to verify the correct behavior of the GATEWAY authentication method, including successful authentication and error handling for malformed gateway payloads.

Changelog

• packages/cli/src/acp/acpClient.test.ts
  • Updated the expected number of authentication methods to include the new gateway type.
  • Added a test to verify the metadata for the new gateway authentication method.
  • Modified existing refreshAuth calls to align with the updated method signature.
  • Introduced new tests for successful gateway authentication and error handling for malformed gateway payloads.
• packages/cli/src/acp/acpClient.ts
  • Added baseUrl and customHeaders properties to the GeminiAgent class.
  • Included AuthType.GATEWAY in the list of supported authentication methods with its descriptive metadata.
  • Enhanced the authenticate method to parse and validate gateway-specific _meta data, storing baseUrl and customHeaders.
  • Updated calls to config.refreshAuth to pass the newly extracted baseUrl and customHeaders.
• packages/core/src/config/config.test.ts
  • Adjusted a test case for refreshAuth to match the updated method signature, passing additional undefined arguments.
• packages/core/src/config/config.ts
  • Modified the refreshAuth method signature to accept optional baseUrl and customHeaders parameters.
  • Updated the internal call to createContentGeneratorConfig to forward the new baseUrl and customHeaders.
• packages/core/src/core/contentGenerator.ts
  • Added GATEWAY as a new AuthType enum member.
  • Extended the ContentGeneratorConfig type and createContentGeneratorConfig function signature to include baseUrl and customHeaders.
  • Incorporated baseUrl and customHeaders into the contentGeneratorConfig object.
  • Updated the createContentGenerator function to conditionally apply customHeaders and baseUrl to HTTP options when using AuthType.GATEWAY.

Activity

• This pull request was automatically cherry-picked from commit 7ec477d to patch version v0.33.0-preview.3, creating version 0.33.0-preview.4.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

Size Change: +1.58 kB (+0.01%)

Total Size: 25.9 MB

Filename	Size	Change
./bundle/gemini.js	25.4 MB	+1.58 kB (+0.01%)

ℹ️ View Unchanged

Filename	Size
./bundle/node_modules/@google/gemini-cli-devtools/dist/client/main.js	221 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/_client-assets.js	227 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/index.js	11.5 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/types.js	132 B
./bundle/sandbox-macos-permissive-open.sb	890 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB
./bundle/sandbox-macos-strict-open.sb	4.82 kB
./bundle/sandbox-macos-strict-proxied.sb	5.02 kB

_{compressed-size-action}

[gemini-code-assist]

Code Review

This pull request introduces a new 'gateway' authentication method, allowing users to connect to a custom AI API gateway by providing a baseUrl and custom headers. While the implementation across the cli and core packages, including zod schema validation and unit tests, is generally robust, a critical security flaw has been identified. In acpClient.ts, internal state is updated with untrusted values before authentication is verified. This could allow a malicious client to redirect AI requests to an attacker-controlled server, even if a standard authentication method is selected. This vulnerability must be addressed.

[gemini-code-assist]

The authenticate method updates the agent's internal state (this.apiKey, this.baseUrl, and this.customHeaders) before successfully completing the authentication process via this.config.refreshAuth. If refreshAuth fails (e.g., due to an invalid API key or an unreachable gateway), the agent is left with these untrusted configuration values in its memory.

These values are subsequently used in newSession and other methods. This creates a vulnerability where a malicious client can send a failed authenticate request to "poison" the agent's configuration. For example, an attacker could set a malicious baseUrl in a failed authentication attempt. If the user later starts a new session using a standard authentication method (like USE_GEMINI), the agent will use the malicious baseUrl from the previous failed attempt, effectively redirecting the user's AI requests and potentially leaking their real API key and chat history to the attacker's gateway.

To remediate this, update the internal state only after this.config.refreshAuth has successfully completed.

References

1. Security-sensitive settings should not use a merge strategy that allows less-trusted configuration scopes (like a workspace) to completely override more-trusted scopes (like global user settings). This comment highlights a similar issue where untrusted input from a failed authentication attempt can 'poison' security-sensitive internal state, effectively overriding it.