Fix: Disallow overriding IDE stdio via workspace .env (RCE) (#25022)

Co-authored-by: Tommaso Sciortino <sciortino@gmail.com>
2026-04-22 02:54:31 -07:00 · 2026-04-22 01:31:10 +08:00
parent a38e2f0048
commit 2c14954010
1 changed files with 6 additions and 1 deletions
@@ -78,7 +78,12 @@ export function getMergeStrategyForPath(

 export const USER_SETTINGS_PATH = Storage.getGlobalSettingsPath();
 export const USER_SETTINGS_DIR = path.dirname(USER_SETTINGS_PATH);
-export const DEFAULT_EXCLUDED_ENV_VARS = ['DEBUG', 'DEBUG_MODE'];
+export const DEFAULT_EXCLUDED_ENV_VARS = [
+  'DEBUG',
+  'DEBUG_MODE',
+  'GEMINI_CLI_IDE_SERVER_STDIO_COMMAND',
+  'GEMINI_CLI_IDE_SERVER_STDIO_ARGS',
+];

 const AUTH_ENV_VAR_WHITELIST = [
  'GEMINI_API_KEY',