
fix(security): enforce case-insensitive sensitive path blocklist and vscode hitl#27966

Merged
DavidAPierce merged 3 commits into
google-gemini:mainfrom
luisfelipe-alt:bugfix/WT-engineer_460843894
Jun 26, 2026

Conversation

@luisfelipe-alt

Contributor

Summary

This PR implements a 100% robust, production-grade security fix for the case-insensitivity bypass and prompt injection vulnerability in Gemini CLI. It enforces a strict, case-insensitive blocklist for sensitive directories/files (.git, .env, node_modules) and ensures that any modifications to .vscode/ configuration files always require explicit user confirmation (Human-in-the-Loop), even in automated modes like autoEdit or YOLO.

Details

  • Case-Insensitive Segment Blocklist in WorkspaceContext: Updated isPathWithinWorkspace in packages/core/src/utils/workspaceContext.ts to split resolved paths into segments and check them case-insensitively against ['.git', '.env', 'node_modules'].
  • Case-Insensitive Segment Blocklist in AllowedPathChecker: Updated AllowedPathChecker in packages/core/src/safety/built-in.ts to enforce the same case-insensitive segment blocklist check, returning SafetyCheckDecision.DENY if matched.
  • Mandatory HITL Confirmation for .vscode/ Configuration Files: Updated AllowedPathChecker to detect if a path is inside .vscode/ (case-insensitively) and return SafetyCheckDecision.ASK_USER, which downgrades the policy engine's decision to ASK_USER (requiring explicit user confirmation) even in automated modes like autoEdit or YOLO.
  • Comprehensive Regression Tests: Added unit tests to packages/core/src/utils/workspaceContext.test.ts and packages/core/src/safety/built-in.test.ts to verify the fix.

Related Issues

How to Validate

  1. Run the specific unit tests to verify that the security fixes and regression tests are working perfectly:
    npx vitest run packages/core/src/utils/workspaceContext.test.ts packages/core/src/safety/built-in.test.ts
  2. Verify that all 56 tests pass successfully.
  3. Run the TypeScript type checker to ensure everything compiles perfectly:
    npm run typecheck

Pre-Merge Checklist

  • Updated relevant documentation and README (if needed)
  • Added/updated tests (if needed)
  • Noted breaking changes (if any)
  • Validated on required platforms/methods:
    • Linux
      • npm run

@luisfelipe-alt luisfelipe-alt requested a review from a team as a code owner June 16, 2026 19:15
@github-actions github-actions Bot added the size/m A medium sized PR label Jun 16, 2026
@github-actions

github-actions Bot commented Jun 16, 2026


📊 PR Size: size/M

  • Lines changed: 228
  • Additions: +210
  • Deletions: -18
  • Files changed: 5

@gemini-code-assist

Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces critical security enhancements to the Gemini CLI by hardening path validation logic. By enforcing case-insensitive checks on sensitive directory segments and requiring explicit user approval for modifications to IDE configuration files, the changes mitigate potential vulnerabilities related to path traversal and unauthorized configuration tampering in automated execution environments.

Highlights

  • Case-Insensitive Security Blocklist: Implemented a robust, case-insensitive check for sensitive directories and files ('.git', '.env', 'node_modules') in both the workspace context and the path checker to prevent security bypasses.
  • Mandatory Human-in-the-Loop (HITL) for .vscode: Enforced a requirement for explicit user confirmation when modifying files within '.vscode/', ensuring that automated modes cannot silently alter configuration settings.
  • Regression Testing: Added comprehensive unit tests to verify the new security constraints and ensure that sensitive paths are correctly blocked regardless of casing.

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor


Code Review

This pull request implements case-insensitive blocklist checks for sensitive paths (like .git, .env, and node_modules) and requires user confirmation (ASK_USER) for .vscode configuration files. The review highlights critical security issues, including a sandbox bypass where .vscode paths outside the workspace incorrectly trigger ASK_USER instead of DENY, and a Windows trailing character bypass (e.g., .git or .vscode.). The feedback suggests validating workspace allowance before checking blocked segments, handling trailing spaces/dots, using a unified path resolution function (resolveToRealPath), and adding regression tests to verify these edge cases.

Comment thread packages/core/src/safety/built-in.ts
Comment thread packages/core/src/utils/workspaceContext.ts
Comment thread packages/core/src/safety/built-in.test.ts Outdated
@gemini-cli gemini-cli Bot added the status/need-issue Pull requests that need to have an associated issue. label Jun 16, 2026
@luisfelipe-alt luisfelipe-alt force-pushed the bugfix/WT-engineer_460843894 branch from 93adb5c to a00ecfd Compare June 16, 2026 19:39
@luisfelipe-alt

Contributor Author

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor


Code Review

This pull request introduces case-insensitive blocklist checks for sensitive paths (such as .git, .env, and node_modules) and requires explicit user confirmation for .vscode configuration files. It also adds comprehensive regression tests to verify these security controls. The review feedback highlights potential bypasses on Windows via NTFS Alternate Data Streams (e.g., .vscode::$DATA) and suggests stripping stream identifiers during segment cleaning, as well as using a unified path resolution function like resolveToRealPath to ensure consistent validation across components.

Comment thread packages/core/src/safety/built-in.ts Outdated
Comment thread packages/core/src/utils/workspaceContext.ts Outdated
@luisfelipe-alt luisfelipe-alt force-pushed the bugfix/WT-engineer_460843894 branch from e4b65ea to 617d084 Compare June 16, 2026 19:55
@luisfelipe-alt

Contributor Author

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor


Code Review

This pull request implements case-insensitive blocklist checks for sensitive paths (such as .git, .env, and node_modules) and requires explicit user confirmation (ASK_USER) for modifying .vscode configuration files within the workspace. The feedback suggests refactoring the path validation logic to use asynchronous file system operations instead of synchronous ones to avoid blocking the event loop, and ensuring consistent path resolution.

Comment thread packages/core/src/safety/built-in.ts
@luisfelipe-alt luisfelipe-alt force-pushed the bugfix/WT-engineer_460843894 branch from 4a50962 to e2f2eb2 Compare June 16, 2026 21:30
@luisfelipe-alt

Contributor Author

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor


Code Review

This pull request implements a case-insensitive blocklist for sensitive paths (such as ".git", ".env", and "node_modules") and adds special handling for ".vscode" configuration files to prevent security bypasses, including Windows trailing characters and NTFS Alternate Data Streams. It also refactors safelyResolvePath to use asynchronous file system operations and adds comprehensive regression tests. There are no review comments, and I have no feedback to provide.

Comment thread packages/core/src/utils/workspaceContext.ts Fixed
@gemini-cli

gemini-cli Bot commented Jun 24, 2026

Contributor

Hi there! Thank you for your interest in contributing to Gemini CLI.

To ensure we maintain high code quality and focus on our prioritized roadmap, we only guarantee review and consideration of pull requests for issues that are explicitly labeled as 'help wanted'.

This PR will be closed in 7 days if it remains without that designation. We encourage you to find and contribute to existing 'help wanted' issues in our backlog! Thank you for your understanding.

@rmedranollamas

Contributor

Closing this pull request as it does not have an associated tracked issue linked, and there has been no progress since the nudge.

@rmedranollamas

Contributor

Reopening this PR as it is from a TVC and should remain open.

@luisfelipe-alt luisfelipe-alt force-pushed the bugfix/WT-engineer_460843894 branch 2 times, most recently from 025c5cb to 5aab5e8 Compare June 24, 2026 21:30
@luisfelipe-alt

Contributor Author

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor


Code Review

This pull request introduces case-insensitive blocklist checks for sensitive paths (such as .git and .env) and adds special handling for .vscode configuration files within AllowedPathChecker and WorkspaceContext. It also transitions path resolution to be asynchronous and implements a helper to trim trailing spaces and dots to prevent NTFS ADS and Windows trailing character bypasses. The review feedback correctly identifies that node_modules is missing from these blocklists, which poses a security risk (such as Remote Code Execution via dependency modification), and suggests adding it to both the implementation and the regression tests.

Comment thread packages/core/src/safety/built-in.ts Outdated
Comment thread packages/core/src/utils/workspaceContext.ts
Comment thread packages/core/src/safety/built-in.test.ts Outdated
Comment thread packages/core/src/utils/workspaceContext.test.ts Outdated
@luisfelipe-alt luisfelipe-alt force-pushed the bugfix/WT-engineer_460843894 branch from 9546a3f to 60e3b90 Compare June 24, 2026 22:56
@luisfelipe-alt luisfelipe-alt requested a review from a team as a code owner June 24, 2026 22:56
@luisfelipe-alt

Contributor Author

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor


Code Review

This pull request introduces a case-insensitive blocklist and human-in-the-loop (HITL) checks for sensitive paths (such as .git, .env, node_modules, and .vscode) to prevent bypasses via Windows trailing characters or NTFS Alternate Data Streams. It updates AllowedPathChecker and WorkspaceContext to resolve paths asynchronously and safely check path segments. Feedback on these changes suggests optimizing performance in AllowedPathChecker by caching resolved allowed directories to avoid redundant asynchronous filesystem operations.

Comment thread packages/core/src/safety/built-in.ts
@luisfelipe-alt luisfelipe-alt force-pushed the bugfix/WT-engineer_460843894 branch from d19bbe5 to 0948ebe Compare June 24, 2026 23:32
@luisfelipe-alt

Contributor Author

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor


Code Review

This pull request introduces a case-insensitive blocklist for sensitive paths (such as .git, .env, and node_modules) and requires user confirmation (ASK_USER) for .vscode configuration files. It also migrates path resolution to use asynchronous filesystem APIs and adds a ReDoS-safe utility to trim trailing spaces and dots. The review feedback highlights a performance bottleneck where allowed directories are redundantly resolved inside a loop, and suggests resolving them once outside the loop and reusing the results.

Comment thread packages/core/src/safety/built-in.ts Outdated
Comment thread packages/core/src/safety/built-in.ts Outdated
@luisfelipe-alt luisfelipe-alt force-pushed the bugfix/WT-engineer_460843894 branch from aa0cd33 to 45ad8a5 Compare June 24, 2026 23:44
@luisfelipe-alt

Contributor Author

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor


Code Review

This pull request enhances path validation security by implementing case-insensitive blocklist checks for sensitive paths (such as .git, .env, and node_modules) and .vscode configurations in both AllowedPathChecker and WorkspaceContext. It mitigates Windows trailing character and NTFS Alternate Data Stream bypasses using a non-regex helper function to avoid ReDoS risks, and transitions path resolution to be asynchronous. The review feedback suggests optimizing the sequential directory resolution in AllowedPathChecker using Promise.all and utilizing a unified resolveToRealPath function to ensure consistent path resolution and prevent path traversal vulnerabilities.

Comment thread packages/core/src/safety/built-in.ts Outdated
Comment thread packages/core/src/safety/built-in.ts Outdated
@luisfelipe-alt luisfelipe-alt force-pushed the bugfix/WT-engineer_460843894 branch from 674c94f to 933b18f Compare June 25, 2026 03:12
@luisfelipe-alt

Contributor Author

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor


Code Review

This pull request implements case-insensitive blocklist checks for sensitive paths (such as .git, .env, and node_modules) and .vscode configuration files in both AllowedPathChecker and WorkspaceContext, utilizing a custom non-regex utility to mitigate ReDoS risks. Feedback on the changes suggests reverting the safelyResolvePath helper method and its callers back to synchronous operations, as wrapping synchronous path and filesystem functions in an async context introduces unnecessary Promise allocation and microtask overhead on a hot execution path.

Comment thread packages/core/src/safety/built-in.ts Outdated
Comment thread packages/core/src/safety/built-in.ts Outdated
Comment thread packages/core/src/safety/built-in.ts Outdated
@luisfelipe-alt luisfelipe-alt force-pushed the bugfix/WT-engineer_460843894 branch from 413bc94 to 946f01b Compare June 25, 2026 03:43
@luisfelipe-alt

Contributor Author

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor


Code Review

This pull request introduces case-insensitive blocklist checks for sensitive paths (such as .git, .env, and node_modules) and special handling for .vscode configuration files to prevent security bypasses, including Windows trailing characters and NTFS Alternate Data Stream bypasses. It implements a non-regex helper trimTrailingSpacesAndDots to mitigate ReDoS risks and optimizes path resolution. Corresponding unit tests have been added to verify these security controls. There are no review comments to address, and the changes look solid.
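The segment check that the PR description and the review threads above describe (case-insensitive blocklist for .git/.env/node_modules, trailing-space-and-dot trimming, NTFS alternate data stream stripping, and ASK_USER for anything under .vscode), written out as an added TypeScript example that is not the Gemini CLI's own code. The function names, the Decision type and the workspace-boundary check are assumptions, and path.resolve stands in for the project's realpath-based resolution, so symlinks are not followed here.

```typescript
// Added example, not Gemini CLI code: segment-based sensitive-path decision.
import * as path from "node:path";

export type Decision = "ALLOW" | "ASK_USER" | "DENY";

// Segments an automated edit must never touch (compared case-insensitively).
const BLOCKED_SEGMENTS = new Set([".git", ".env", "node_modules"]);
// Segments that always require explicit human confirmation.
const ASK_SEGMENTS = new Set([".vscode"]);

// Non-regex trim of trailing spaces and dots. Windows drops them when opening
// a file, so ".git." or ".vscode " would reach the protected directory while
// a literal comparison misses it. A loop avoids any ReDoS-prone pattern.
export function trimTrailingSpacesAndDots(segment: string): string {
  let end = segment.length;
  while (end > 0 && (segment[end - 1] === " " || segment[end - 1] === ".")) {
    end--;
  }
  return segment.slice(0, end);
}

// Drop an NTFS alternate data stream suffix such as "::$DATA" or ":stream".
// Conservative on POSIX too: a colon never appears in a protected name.
export function stripNtfsStream(segment: string): string {
  const idx = segment.indexOf(":");
  return idx === -1 ? segment : segment.slice(0, idx);
}

// Canonical form for comparison: stream removed, trailing junk trimmed, lower-cased.
export function normalizeSegment(segment: string): string {
  return trimTrailingSpacesAndDots(stripNtfsStream(segment)).toLowerCase();
}

// Classify a path that is already known to be inside the workspace.
// DENY wins over ASK_USER, so ".vscode/../.git" style paths cannot downgrade.
export function classifyPath(workspaceRelativePath: string): Decision {
  const segments = workspaceRelativePath.split(/[\\/]+/).map(normalizeSegment);
  if (segments.some((s) => BLOCKED_SEGMENTS.has(s))) return "DENY";
  if (segments.some((s) => ASK_SEGMENTS.has(s))) return "ASK_USER";
  return "ALLOW";
}

// Workspace check first, segment check second: a .vscode path outside the
// workspace must stay DENY rather than become ASK_USER (assumed helper).
export function checkWriteTarget(workspaceRoot: string, target: string): Decision {
  const root = path.resolve(workspaceRoot);
  const resolved = path.resolve(root, target);
  const rel = path.relative(root, resolved);
  if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    return "DENY";
  }
  return classifyPath(rel);
}
```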

@DavidAPierce DavidAPierce left a comment

Contributor


LGTM.

@abhipatel12 abhipatel12 left a comment

Contributor


Approving for tools/ for prompt approvers

@DavidAPierce DavidAPierce added this pull request to the merge queue Jun 26, 2026
Merged via the queue into google-gemini:main with commit ae0a3aa Jun 26, 2026
33 checks passed

Labels

size/m A medium sized PR status/need-issue Pull requests that need to have an associated issue. status/pr-nudge-sent
