fix(policy): require confirmation for shell parameter expansion

[huynhtrungcsc]

Summary

• downgrade allowlisted shell commands that contain shell parameter expansion to confirmation in interactive mode
• deny shell parameter expansion in YOLO/non-interactive mode
• add regression coverage for allowlisted echo commands, while preserving literal dollar strings

Tests

• npx prettier --write packages/core/src/policy/policy-engine.ts packages/core/src/policy/shell-safety.test.ts
• npx vitest run src/policy/shell-safety.test.ts src/policy/shell-substitution.test.ts --coverage.enabled=false
• npx vitest run src/policy/policy-engine.test.ts --coverage.enabled=false
• npm run build --workspace @google/gemini-cli-core
• npm run typecheck --workspace @google/gemini-cli-core

[github-actions]

📊 PR Size: size/M

• Lines changed: 166
• Additions: +166
• Deletions: -0
• Files changed: 2

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request strengthens the security of shell command execution by implementing stricter validation for shell parameter expansion. By detecting and restricting these patterns, the changes prevent potential unintended shell execution behaviors, ensuring that commands are either blocked or require explicit user confirmation based on the current execution mode.

Highlights

• Enhanced Shell Security: Introduced a new hasShellExpansion utility to detect shell parameter expansion, ensuring that commands containing these patterns are properly scrutinized.
• Policy Engine Updates: Updated PolicyEngine to downgrade allowlisted commands containing shell expansion to ASK_USER in interactive mode and explicitly deny them in non-interactive or YOLO modes.
• Regression Testing: Added comprehensive test cases to shell-safety.test.ts to verify the new security constraints while ensuring literal dollar signs remain permitted.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces shell parameter expansion detection in the PolicyEngine to prevent unauthorized variable expansions in allowed commands. It adds the hasShellExpansion helper and integrates it into the policy check flow, along with corresponding unit tests. The review feedback highlights a critical security vulnerability in hasShellExpansion where single quotes nested inside double quotes are incorrectly handled, allowing potential bypasses. It also notes that positional parameters are not detected and suggests robust code fixes and regression tests to address these gaps.

[huynhtrungcsc]

Addressed the review feedback in 2646455. The shell expansion detector now tracks double-quoted state separately, keeps single quotes inside double quotes expansion-capable, and detects positional/special parameters such as $1, $$, and $-. Added regression coverage for those cases.\n\nVerified locally with:\n\nbash\nnpx vitest run packages/core/src/policy/shell-safety.test.ts\n\n\nResult: 26 tests passed.