fix(security): enforce strict policy directory permissions (#17353)

Co-authored-by: Yuna Seol <yunaseol@google.com>

packages/core/src/config/storage.test.ts

@@ -4,7 +4,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-import { describe, it, expect, vi } from 'vitest';
+import { describe, it, expect, vi, afterEach } from 'vitest';
 import * as os from 'node:os';
 import * as path from 'node:path';
 
@@ -85,3 +85,55 @@ describe('Storage – additional helpers', () => {
     expect(storage.getProjectTempPlansDir()).toBe(expected);
   });
 });
+
+describe('Storage - System Paths', () => {
+  const originalEnv = process.env['GEMINI_CLI_SYSTEM_SETTINGS_PATH'];
+
+  afterEach(() => {
+    if (originalEnv !== undefined) {
+      process.env['GEMINI_CLI_SYSTEM_SETTINGS_PATH'] = originalEnv;
+    } else {
+      delete process.env['GEMINI_CLI_SYSTEM_SETTINGS_PATH'];
+    }
+  });
+
+  it('getSystemSettingsPath returns correct path based on platform (default)', () => {
+    delete process.env['GEMINI_CLI_SYSTEM_SETTINGS_PATH'];
+
+    const platform = os.platform();
+    const result = Storage.getSystemSettingsPath();
+
+    if (platform === 'darwin') {
+      expect(result).toBe(
+        '/Library/Application Support/GeminiCli/settings.json',
+      );
+    } else if (platform === 'win32') {
+      expect(result).toBe('C:\\ProgramData\\gemini-cli\\settings.json');
+    } else {
+      expect(result).toBe('/etc/gemini-cli/settings.json');
+    }
+  });
+
+  it('getSystemSettingsPath follows GEMINI_CLI_SYSTEM_SETTINGS_PATH if set', () => {
+    const customPath = '/custom/path/settings.json';
+    process.env['GEMINI_CLI_SYSTEM_SETTINGS_PATH'] = customPath;
+    expect(Storage.getSystemSettingsPath()).toBe(customPath);
+  });
+
+  it('getSystemPoliciesDir returns correct path based on platform and ignores env var', () => {
+    process.env['GEMINI_CLI_SYSTEM_SETTINGS_PATH'] =
+      '/custom/path/settings.json';
+    const platform = os.platform();
+    const result = Storage.getSystemPoliciesDir();
+
+    expect(result).not.toContain('/custom/path');
+
+    if (platform === 'darwin') {
+      expect(result).toBe('/Library/Application Support/GeminiCli/policies');
+    } else if (platform === 'win32') {
+      expect(result).toBe('C:\\ProgramData\\gemini-cli\\policies');
+    } else {
+      expect(result).toBe('/etc/gemini-cli/policies');
+    }
+  });
+});

packages/core/src/config/storage.ts

@@ -74,21 +74,25 @@ export class Storage {
     );
   }
 
+  private static getSystemConfigDir(): string {
+    if (os.platform() === 'darwin') {
+      return '/Library/Application Support/GeminiCli';
+    } else if (os.platform() === 'win32') {
+      return 'C:\\ProgramData\\gemini-cli';
+    } else {
+      return '/etc/gemini-cli';
+    }
+  }
+
   static getSystemSettingsPath(): string {
     if (process.env['GEMINI_CLI_SYSTEM_SETTINGS_PATH']) {
       return process.env['GEMINI_CLI_SYSTEM_SETTINGS_PATH'];
     }
-    if (os.platform() === 'darwin') {
-      return '/Library/Application Support/GeminiCli/settings.json';
-    } else if (os.platform() === 'win32') {
-      return 'C:\\ProgramData\\gemini-cli\\settings.json';
-    } else {
-      return '/etc/gemini-cli/settings.json';
-    }
+    return path.join(Storage.getSystemConfigDir(), 'settings.json');
   }
 
   static getSystemPoliciesDir(): string {
-    return path.join(path.dirname(Storage.getSystemSettingsPath()), 'policies');
+    return path.join(Storage.getSystemConfigDir(), 'policies');
   }
 
   static getGlobalTempDir(): string {