Fix unintended credential exposure to MCP Servers (#17311)

Co-authored-by: Tommaso Sciortino <sciortino@gmail.com>
2026-04-21 02:24:09 -07:00 · 2026-01-28 13:56:15 -05:00
parent 3787c71d15
commit 47f4a3e50e
6 changed files with 131 additions and 9 deletions
@@ -33,7 +33,11 @@ import {
  type Tool as McpTool,
 } from '@modelcontextprotocol/sdk/types.js';
 import { parse } from 'shell-quote';
-import type { Config, MCPServerConfig } from '../config/config.js';
+import type {
+  Config,
+  GeminiCLIExtension,
+  MCPServerConfig,
+} from '../config/config.js';
 import { AuthProviderType } from '../config/config.js';
 import { GoogleCredentialProvider } from '../mcp/google-auth-provider.js';
 import { ServiceAccountImpersonationProvider } from '../mcp/sa-impersonation-provider.js';
@@ -1870,10 +1874,23 @@ export async function createTransport(
    const transport = new StdioClientTransport({
      command: mcpServerConfig.command,
      args: mcpServerConfig.args || [],
-      env: {
-        ...sanitizeEnvironment(process.env, sanitizationConfig),
-        ...(mcpServerConfig.env || {}),
-      } as Record<string, string>,
+      env: sanitizeEnvironment(
+        {
+          ...process.env,
+          ...getExtensionEnvironment(mcpServerConfig.extension),
+          ...(mcpServerConfig.env || {}),
+        },
+        {
+          ...sanitizationConfig,
+          allowedEnvironmentVariables: [
+            ...(sanitizationConfig.allowedEnvironmentVariables ?? []),
+            ...(mcpServerConfig.extension?.resolvedSettings?.map(
+              (s) => s.envVar,
+            ) ?? []),
+          ],
+          enableEnvironmentVariableRedaction: true,
+        },
+      ) as Record<string, string>,
      cwd: mcpServerConfig.cwd,
      stderr: 'pipe',
    });
@@ -1924,3 +1941,15 @@ export function isEnabled(
    )
  );
 }
+
+function getExtensionEnvironment(
+  extension?: GeminiCLIExtension,
+): Record<string, string> {
+  const env: Record<string, string> = {};
+  if (extension?.resolvedSettings) {
+    for (const setting of extension.resolvedSettings) {
+      env[setting.envVar] = setting.value;
+    }
+  }
+  return env;
+}