fix(core): trust explicitly allowed variables over name patterns
This removes the `NEVER_ALLOWED_NAME_PATTERNS` filter from `getSecureSanitizationConfig`. Previously, if a user explicitly added a variable like `GH_TOKEN` to their `allowedEnvironmentVariables` in `settings.json`, it would be silently dropped during configuration parsing because it matched the `NEVER_ALLOWED_NAME_PATTERNS` regex. This change ensures that explicit user allowlists take precedence over heuristic name-based pattern matching, while still maintaining the strict blocklist for known highly-sensitive system variables (`NEVER_ALLOWED_ENVIRONMENT_VARIABLES`).
@@ -370,15 +370,16 @@ describe('getSecureSanitizationConfig', () => {
|
||||
);
|
||||
});
|
||||
|
||||
it('should filter out variables from allowed list that match NEVER_ALLOWED_NAME_PATTERNS', () => {
|
||||
it('should not filter out variables from allowed list that match NEVER_ALLOWED_NAME_PATTERNS', () => {
|
||||
const requestedConfig = {
|
||||
allowedEnvironmentVariables: ['SAFE_VAR', 'MY_SECRET_TOKEN'],
|
||||
allowedEnvironmentVariables: ['SAFE_VAR', 'MY_SECRET_TOKEN', 'GH_TOKEN'],
|
||||
};
|
||||
|
||||
const config = getSecureSanitizationConfig(requestedConfig);
|
||||
|
||||
expect(config.allowedEnvironmentVariables).toContain('SAFE_VAR');
|
||||
expect(config.allowedEnvironmentVariables).not.toContain('MY_SECRET_TOKEN');
|
||||
expect(config.allowedEnvironmentVariables).toContain('MY_SECRET_TOKEN');
|
||||
expect(config.allowedEnvironmentVariables).toContain('GH_TOKEN');
|
||||
});
|
||||
|
||||
it('should deduplicate variables in allowed and blocked lists', () => {
|
||||
|
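Review bot: The renamed test now only shows that pattern-matched names survive the allowlist; nothing in this hunk pins the boundary the commit message still promises, namely that an explicitly allowlisted name which is in NEVER_ALLOWED_ENVIRONMENT_VARIABLES is dropped anyway. Since the pattern loop is gone from getSecureSanitizationConfig, that exact-name set is the only remaining guard on user-supplied allowlists, so it deserves its own assertion here, for example `allowedEnvironmentVariables: ['SAFE_VAR', 'GH_TOKEN', <NAME_FROM_NEVER_ALLOWED_SET>]` followed by `expect(config.allowedEnvironmentVariables).not.toContain(<NAME_FROM_NEVER_ALLOWED_SET>);` (placeholder: pick an entry the constant actually contains). If such a case already exists elsewhere in this describe block, a one-line comment pointing to it would do. The enclosing describe block starts and ends outside the hunk.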
||||
@@ -214,12 +214,6 @@ export function getSecureSanitizationConfig(
|
||||
if (NEVER_ALLOWED_ENVIRONMENT_VARIABLES.has(upperKey)) {
|
||||
return false;
|
||||
}
|
||||
// Never allow variables that match sensitive name patterns
|
||||
for (const pattern of NEVER_ALLOWED_NAME_PATTERNS) {
|
||||
if (pattern.test(upperKey)) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
return true;
|
||||
});
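Review bot: With the pattern loop removed, the filter callback returns true for every allowlisted name that is not an exact member of NEVER_ALLOWED_ENVIRONMENT_VARIABLES, and nothing in the remaining code says that this is deliberate; a reader will either assume pattern protection still exists further down or re-add the loop. A comment above the `if (NEVER_ALLOWED_ENVIRONMENT_VARIABLES.has(upperKey))` check would capture the decision, e.g. `// Explicit user allowlist entries are trusted over NEVER_ALLOWED_NAME_PATTERNS; only the exact-name blocklist applies here.` If NEVER_ALLOWED_NAME_PATTERNS is no longer referenced anywhere in this function, it is presumably worth confirming that the import or constant is still used elsewhere rather than left dangling. The function getSecureSanitizationConfig begins before this hunk and, judging by the `@@` header, continues after it.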
|
||||
|
||||
|
||||