Skip to content

fix(core): resolve symbolic link directory escape in memory import processor#28233

Merged
DavidAPierce merged 2 commits into
google-gemini:mainfrom
luisfelipe-alt:bugfix/WT-engineer_522410449
Jul 1, 2026
Merged

fix(core): resolve symbolic link directory escape in memory import processor#28233
DavidAPierce merged 2 commits into
google-gemini:mainfrom
luisfelipe-alt:bugfix/WT-engineer_522410449

Conversation

@luisfelipe-alt

Copy link
Copy Markdown
Contributor

Summary

This PR resolves a high-severity Symbolic Link Directory Escape vulnerability in the JIT Memory Import Processor of Gemini CLI.

By exploiting this flaw, an attacker could craft a malicious repository containing a directory symbolic link pointing outside the workspace (e.g., src/sym_home -> /home/username/) and reference a sensitive file through it in GEMINI.md (e.g., @./src/sym_home/.ssh/id_rsa). When opened, the CLI would silently read and exfiltrate the sensitive host file into the LLM's prompt memory context.

This fix ensures that all import paths and allowed directories are physically canonicalized on disk before boundary checks are performed, establishing a secure-by-default "Zero-Trust" workspace boundary.

Details

  • Physical Canonicalization: Replaced the purely string-based/lexical path.resolve with the project's pre-existing, robust resolveToRealPath utility (from packages/core/src/utils/paths.ts) inside validateImportPath.
  • Fail-Closed Design: Wrapped path resolution in a try-catch block to ensure that if resolution fails (e.g., due to malicious recursive symlink loops or invalid paths), the import is rejected (false).
  • Consistent Comparison: Canonicalized both the target import path and the allowed directories list to ensure a consistent physical-to-physical path comparison.
  • Comprehensive Test Coverage: Added a dedicated unit test to packages/core/src/utils/memoryImportProcessor.test.ts that creates a real temporary directory structure and directory symlink on disk to verify that out-of-bounds symlink escapes are successfully blocked.

Related Issues

How to Validate

  1. Run the specific unit tests:

    npx vitest run packages/core/src/utils/memoryImportProcessor.test.ts

    Expected Result: All 26 tests pass cleanly, including should reject paths that escape allowed directories via symbolic links.

  2. Run the linter:

    npm run lint

    Expected Result: Completes successfully with zero warnings or errors.

  3. Run type-checking:

    npm run typecheck -w @google/gemini-cli-core

    Expected Result: Completes successfully with zero errors.

Pre-Merge Checklist

  • Updated relevant documentation and README (if needed)
  • Added/updated tests (if needed)
  • Noted breaking changes (if any)
  • Validated on required platforms/methods:
    • MacOS
      • npm run
      • npx
      • Docker
      • Podman
      • Seatbelt
    • Windows
      • npm run
      • npx
      • Docker
    • Linux
      • npm run
      • npx
      • Docker

@luisfelipe-alt luisfelipe-alt requested a review from a team as a code owner July 1, 2026 17:57
@github-actions github-actions Bot added the size/m A medium sized PR label Jul 1, 2026
@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown

📊 PR Size: size/M

  • Lines changed: 70
  • Additions: +66
  • Deletions: -4
  • Files changed: 2

@luisfelipe-alt

Copy link
Copy Markdown
Contributor Author

/gemini review

@gemini-code-assist

Copy link
Copy Markdown
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request strengthens the security of the Gemini CLI's memory import processor by preventing directory traversal attacks via symbolic links. By shifting from string-based path validation to physical disk canonicalization, the system now correctly identifies and blocks attempts to access files outside of the intended workspace boundaries, regardless of how the file system structure is represented.

Highlights

  • Security Vulnerability Fix: Resolved a high-severity Symbolic Link Directory Escape vulnerability in the JIT Memory Import Processor that could allow unauthorized access to sensitive host files.
  • Physical Path Canonicalization: Replaced lexical path resolution with physical canonicalization using the resolveToRealPath utility to ensure accurate boundary checks against symbolic links.
  • Fail-Closed Security Design: Implemented robust error handling around path resolution to ensure that any failed or invalid path lookups are rejected by default.
  • Verification: Added a comprehensive unit test that simulates directory symlink escapes to verify the effectiveness of the new security boundary.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the validateImportPath function in memoryImportProcessor.ts to canonicalize paths using resolveToRealPath, preventing directory traversal escapes via symbolic links, and adds a corresponding test. The review feedback recommends optimizing performance by pre-resolving allowed directories outside the .some loop to avoid redundant synchronous disk I/O. Additionally, for the test suite, it suggests using fsSync.mkdtempSync() to securely generate temporary directories and handling potential permission errors on Windows when creating symbolic links.

Comment thread packages/core/src/utils/memoryImportProcessor.ts Outdated
Comment thread packages/core/src/utils/memoryImportProcessor.test.ts

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request enhances path validation in memoryImportProcessor.ts by canonicalizing paths using resolveToRealPath to prevent directory traversal via symbolic links, and adds a corresponding unit test. The review feedback correctly identifies potential test pollution if setup steps fail outside the try-finally block, as well as potential test failures on Windows due to symlink creation permissions, recommending wrapping the setup in the try block and gracefully skipping the test on Windows if permissions are missing.

Comment thread packages/core/src/utils/memoryImportProcessor.test.ts Outdated
@gemini-cli gemini-cli Bot added the status/need-issue Pull requests that need to have an associated issue. label Jul 1, 2026
@luisfelipe-alt luisfelipe-alt force-pushed the bugfix/WT-engineer_522410449 branch from c0f11c4 to e8e053d Compare July 1, 2026 18:49
@luisfelipe-alt

Copy link
Copy Markdown
Contributor Author

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request enhances path validation in memoryImportProcessor.ts by resolving both the target import path and the allowed directories to their real physical paths using resolveToRealPath. This prevents directory traversal vulnerabilities through symbolic links. Additionally, a unit test has been added to verify this behavior, with cross-platform handling for Windows symlink permissions. There are no review comments, so no feedback is provided.

@DavidAPierce DavidAPierce added this pull request to the merge queue Jul 1, 2026
Merged via the queue into google-gemini:main with commit ff00dac Jul 1, 2026
33 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size/m A medium sized PR status/need-issue Pull requests that need to have an associated issue.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants