MediaMetz/gemini-cli
1
0
Fork 0
mirror of https://github.com/google-gemini/gemini-cli.git synced 2026-04-21 18:44:30 -07:00
Code Issues Packages Projects Releases Wiki Activity

fix(core): resolve Plan Mode deadlock during plan file creation due to sandbox restrictions (#24047)

Browse Source
This commit is contained in:
David Pierce
2026-03-31 22:06:50 +00:00
committed by GitHub
parent 9364dd8a49
commit 94f9480a3a
13 changed files with 555 additions and 97 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/core/src/sandbox/linux/LinuxSandboxManager.test.ts
+56
View File
@@ -8,6 +8,7 @@ import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
import { LinuxSandboxManager } from './LinuxSandboxManager.js';
import type { SandboxRequest } from '../../services/sandboxManager.js';
import fs from 'node:fs';
import path from 'node:path';
import * as shellUtils from '../../utils/shell-utils.js';
vi.mock('node:fs', async () => {
@@ -350,6 +351,61 @@ describe('LinuxSandboxManager', () => {
const binds = bwrapArgs.filter((a) => a === workspace);
expect(binds.length).toBe(2);
});
it('should bind the parent directory of a non-existent path', async () => {
vi.mocked(fs.existsSync).mockImplementation((p) => {
if (p === '/home/user/workspace/new-file.txt') return false;
return true;
});
const bwrapArgs = await getBwrapArgs({
command: '__write',
args: ['/home/user/workspace/new-file.txt'],
cwd: workspace,
env: {},
policy: {
allowedPaths: ['/home/user/workspace/new-file.txt'],
},
});
const parentDir = '/home/user/workspace';
const bindIndex = bwrapArgs.lastIndexOf(parentDir);
expect(bindIndex).not.toBe(-1);
expect(bwrapArgs[bindIndex - 2]).toBe('--bind-try');
});
});
describe('virtual commands', () => {
it('should translate __read to cat', async () => {
const testFile = path.join(workspace, 'file.txt');
const bwrapArgs = await getBwrapArgs({
command: '__read',
args: [testFile],
cwd: workspace,
env: {},
});
// args are: [...bwrapBaseArgs, '--', '/bin/cat', '.../file.txt']
expect(bwrapArgs[bwrapArgs.length - 2]).toBe('/bin/cat');
expect(bwrapArgs[bwrapArgs.length - 1]).toBe(testFile);
});
it('should translate __write to sh -c cat', async () => {
const testFile = path.join(workspace, 'file.txt');
const bwrapArgs = await getBwrapArgs({
command: '__write',
args: [testFile],
cwd: workspace,
env: {},
});
// args are: [...bwrapBaseArgs, '--', '/bin/sh', '-c', 'tee -- "$@" > /dev/null', '_', '.../file.txt']
expect(bwrapArgs[bwrapArgs.length - 5]).toBe('/bin/sh');
expect(bwrapArgs[bwrapArgs.length - 4]).toBe('-c');
expect(bwrapArgs[bwrapArgs.length - 3]).toBe('tee -- "$@" > /dev/null');
expect(bwrapArgs[bwrapArgs.length - 2]).toBe('_');
expect(bwrapArgs[bwrapArgs.length - 1]).toBe(testFile);
});
});
describe('forbiddenPaths', () => {
packages/core/src/sandbox/linux/LinuxSandboxManager.ts
+42 -3
View File
@@ -182,9 +182,23 @@ export class LinuxSandboxManager implements SandboxManager {
verifySandboxOverrides(allowOverrides, req.policy);
const commandName = await getCommandName(req);
let command = req.command;
let args = req.args;
// Translate virtual commands for sandboxed file system access
if (command === '__read') {
command = 'cat';
} else if (command === '__write') {
command = 'sh';
args = ['-c', 'cat > "$1"', '_', ...args];
}
const commandName = await getCommandName({ ...req, command, args });
const isApproved = allowOverrides
? await isStrictlyApproved(req, this.options.modeConfig?.approvedTools)
? await isStrictlyApproved(
{ ...req, command, args },
this.options.modeConfig?.approvedTools,
)
: false;
const workspaceWrite = !isReadonlyMode || isApproved;
const networkAccess =
@@ -280,11 +294,36 @@ export class LinuxSandboxManager implements SandboxManager {
bwrapArgs.push(bindFlag, mainGitDir, mainGitDir);
}
const includeDirs = sanitizePaths(this.options.includeDirectories) || [];
for (const includeDir of includeDirs) {
try {
const resolved = tryRealpath(includeDir);
bwrapArgs.push('--ro-bind-try', resolved, resolved);
} catch {
// Ignore
}
}
const allowedPaths = sanitizePaths(req.policy?.allowedPaths) || [];
const normalizedWorkspace = normalize(workspacePath).replace(/\/$/, '');
for (const allowedPath of allowedPaths) {
const resolved = tryRealpath(allowedPath);
if (!fs.existsSync(resolved)) continue;
if (!fs.existsSync(resolved)) {
// If the path doesn't exist, we still want to allow access to its parent
// if it's explicitly allowed, to enable creating it.
try {
const resolvedParent = tryRealpath(dirname(resolved));
bwrapArgs.push(
req.command === '__write' ? '--bind-try' : bindFlag,
resolvedParent,
resolvedParent,
);
} catch {
// Ignore
}
continue;
}
const normalizedAllowedPath = normalize(resolved).replace(/\/$/, '');
if (normalizedAllowedPath !== normalizedWorkspace) {
bwrapArgs.push('--bind-try', resolved, resolved);
packages/core/src/sandbox/macos/MacOsSandboxManager.test.ts
+56 -22
View File
@@ -17,24 +17,29 @@ describe('MacOsSandboxManager', () => {
const mockNetworkAccess = true;
let mockPolicy: ExecutionPolicy;
let manager: MacOsSandboxManager | undefined;
let manager: MacOsSandboxManager;
beforeEach(() => {
mockWorkspace = fs.mkdtempSync(
path.join(os.tmpdir(), 'gemini-cli-macos-test-'),
mockWorkspace = fs.realpathSync(
fs.mkdtempSync(path.join(os.tmpdir(), 'gemini-cli-macos-test-')),
);
mockAllowedPaths = [
path.join(os.tmpdir(), 'gemini-cli-macos-test-allowed'),
];
if (!fs.existsSync(mockAllowedPaths[0])) {
fs.mkdirSync(mockAllowedPaths[0]);
const allowedPathTemp = path.join(
os.tmpdir(),
'gemini-cli-macos-test-allowed-' + Math.random().toString(36).slice(2),
);
if (!fs.existsSync(allowedPathTemp)) {
fs.mkdirSync(allowedPathTemp);
}
mockAllowedPaths = [fs.realpathSync(allowedPathTemp)];
mockPolicy = {
allowedPaths: mockAllowedPaths,
networkAccess: mockNetworkAccess,
};
manager = new MacOsSandboxManager({ workspace: mockWorkspace });
// Mock the seatbelt args builder to isolate manager tests
vi.spyOn(seatbeltArgsBuilder, 'buildSeatbeltProfile').mockReturnValue(
'(mock profile)',
@@ -51,7 +56,6 @@ describe('MacOsSandboxManager', () => {
describe('prepareCommand', () => {
it('should correctly format the base command and args', async () => {
manager = new MacOsSandboxManager({ workspace: mockWorkspace });
const result = await manager.prepareCommand({
command: 'echo',
args: ['hello'],
@@ -64,8 +68,8 @@ describe('MacOsSandboxManager', () => {
workspace: mockWorkspace,
allowedPaths: mockAllowedPaths,
forbiddenPaths: undefined,
networkAccess: true,
workspaceWrite: true,
networkAccess: mockNetworkAccess,
workspaceWrite: false,
additionalPermissions: {
fileSystem: {
read: [],
@@ -92,7 +96,6 @@ describe('MacOsSandboxManager', () => {
});
it('should correctly pass through the cwd to the resulting command', async () => {
manager = new MacOsSandboxManager({ workspace: mockWorkspace });
const result = await manager.prepareCommand({
command: 'echo',
args: ['hello'],
@@ -105,7 +108,6 @@ describe('MacOsSandboxManager', () => {
});
it('should apply environment sanitization via the default mechanisms', async () => {
manager = new MacOsSandboxManager({ workspace: mockWorkspace });
const result = await manager.prepareCommand({
command: 'echo',
args: ['hello'],
@@ -125,7 +127,6 @@ describe('MacOsSandboxManager', () => {
});
it('should allow network when networkAccess is true', async () => {
manager = new MacOsSandboxManager({ workspace: mockWorkspace });
await manager.prepareCommand({
command: 'echo',
args: ['hello'],
@@ -139,9 +140,43 @@ describe('MacOsSandboxManager', () => {
);
});
describe('virtual commands', () => {
it('should translate __read to /bin/cat', async () => {
const testFile = path.join(mockWorkspace, 'file.txt');
const result = await manager.prepareCommand({
command: '__read',
args: [testFile],
cwd: mockWorkspace,
env: {},
policy: mockPolicy,
});
expect(result.args[result.args.length - 2]).toBe('/bin/cat');
expect(result.args[result.args.length - 1]).toBe(testFile);
});
it('should translate __write to /bin/sh -c tee ...', async () => {
const testFile = path.join(mockWorkspace, 'file.txt');
const result = await manager.prepareCommand({
command: '__write',
args: [testFile],
cwd: mockWorkspace,
env: {},
policy: mockPolicy,
});
expect(result.args[result.args.length - 5]).toBe('/bin/sh');
expect(result.args[result.args.length - 4]).toBe('-c');
expect(result.args[result.args.length - 3]).toBe(
'tee -- "$@" > /dev/null',
);
expect(result.args[result.args.length - 2]).toBe('_');
expect(result.args[result.args.length - 1]).toBe(testFile);
});
});
describe('governance files', () => {
it('should ensure governance files exist', async () => {
manager = new MacOsSandboxManager({ workspace: mockWorkspace });
await manager.prepareCommand({
command: 'echo',
args: [],
@@ -160,7 +195,6 @@ describe('MacOsSandboxManager', () => {
describe('allowedPaths', () => {
it('should parameterize allowed paths and normalize them', async () => {
manager = new MacOsSandboxManager({ workspace: mockWorkspace });
await manager.prepareCommand({
command: 'echo',
args: [],
@@ -182,11 +216,11 @@ describe('MacOsSandboxManager', () => {
describe('forbiddenPaths', () => {
it('should parameterize forbidden paths and explicitly deny them', async () => {
manager = new MacOsSandboxManager({
const customManager = new MacOsSandboxManager({
workspace: mockWorkspace,
forbiddenPaths: ['/tmp/forbidden1'],
});
await manager.prepareCommand({
await customManager.prepareCommand({
command: 'echo',
args: [],
cwd: mockWorkspace,
@@ -202,11 +236,11 @@ describe('MacOsSandboxManager', () => {
});
it('explicitly denies non-existent forbidden paths to prevent creation', async () => {
manager = new MacOsSandboxManager({
const customManager = new MacOsSandboxManager({
workspace: mockWorkspace,
forbiddenPaths: ['/tmp/does-not-exist'],
});
await manager.prepareCommand({
await customManager.prepareCommand({
command: 'echo',
args: [],
cwd: mockWorkspace,
@@ -222,11 +256,11 @@ describe('MacOsSandboxManager', () => {
});
it('should override allowed paths if a path is also in forbidden paths', async () => {
manager = new MacOsSandboxManager({
const customManager = new MacOsSandboxManager({
workspace: mockWorkspace,
forbiddenPaths: ['/tmp/conflict'],
});
await manager.prepareCommand({
await customManager.prepareCommand({
command: 'echo',
args: [],
cwd: mockWorkspace,
packages/core/src/sandbox/macos/MacOsSandboxManager.ts
+25 -10
View File
@@ -21,16 +21,16 @@ import {
getSecureSanitizationConfig,
} from '../../services/environmentSanitization.js';
import { buildSeatbeltProfile } from './seatbeltArgsBuilder.js';
import {
initializeShellParsers,
getCommandName,
} from '../../utils/shell-utils.js';
import { initializeShellParsers } from '../../utils/shell-utils.js';
import {
isKnownSafeCommand,
isDangerousCommand,
isStrictlyApproved,
} from '../utils/commandSafety.js';
import { verifySandboxOverrides } from '../utils/commandUtils.js';
import {
verifySandboxOverrides,
getCommandName as getFullCommandName,
isStrictlyApproved,
} from '../utils/commandUtils.js';
import { parsePosixSandboxDenials } from '../utils/sandboxDenialUtils.js';
import { handleReadWriteCommands } from '../utils/sandboxReadWriteUtils.js';
@@ -68,11 +68,23 @@ export class MacOsSandboxManager implements SandboxManager {
// Reject override attempts in plan mode
verifySandboxOverrides(allowOverrides, req.policy);
let command = req.command;
let args = req.args;
// Translate virtual commands for sandboxed file system access
if (command === '__read') {
command = '/bin/cat';
} else if (command === '__write') {
command = '/bin/sh';
args = ['-c', 'cat > "$1"', '_', ...args];
}
const currentReq = { ...req, command, args };
// If not in readonly mode OR it's a strictly approved pipeline, allow workspace writes
const isApproved = allowOverrides
? await isStrictlyApproved(
req.command,
req.args,
currentReq,
this.options.modeConfig?.approvedTools,
)
: false;
@@ -82,7 +94,7 @@ export class MacOsSandboxManager implements SandboxManager {
this.options.modeConfig?.network || req.policy?.networkAccess || false;
// Fetch persistent approvals for this command
const commandName = await getCommandName(req.command, req.args);
const commandName = await getFullCommandName(currentReq);
const persistentPermissions = allowOverrides
? this.options.policyManager?.getCommandPermissions(commandName)
: undefined;
@@ -115,7 +127,10 @@ export class MacOsSandboxManager implements SandboxManager {
const sandboxArgs = buildSeatbeltProfile({
workspace: this.options.workspace,
allowedPaths: [...(req.policy?.allowedPaths || [])],
allowedPaths: [
...(req.policy?.allowedPaths || []),
...(this.options.includeDirectories || []),
],
forbiddenPaths: this.options.forbiddenPaths,
networkAccess: mergedAdditional.network,
workspaceWrite,
packages/core/src/sandbox/windows/WindowsSandboxManager.test.ts
+67 -1
View File
@@ -125,7 +125,9 @@ describe('WindowsSandboxManager', () => {
});
it('should handle persistent permissions from policyManager', async () => {
const persistentPath = path.resolve('/persistent/path');
const persistentPath = path.join(testCwd, 'persistent_path');
fs.mkdirSync(persistentPath, { recursive: true });
const mockPolicyManager = {
getCommandPermissions: vi.fn().mockReturnValue({
fileSystem: { write: [persistentPath] },
@@ -466,4 +468,68 @@ describe('WindowsSandboxManager', () => {
fs.rmSync(conflictPath, { recursive: true, force: true });
}
});
it('should translate __write to PowerShell safely using environment variables', async () => {
const filePath = path.join(testCwd, 'test.txt');
fs.writeFileSync(filePath, '');
const req: SandboxRequest = {
command: '__write',
args: [filePath],
cwd: testCwd,
env: {},
};
const result = await manager.prepareCommand(req);
// [network, cwd, --forbidden-manifest, manifestPath, command, ...args]
expect(result.args[4]).toBe('PowerShell.exe');
expect(result.args[7]).toBe('-Command');
const psCommand = result.args[8];
expect(psCommand).toBe(
'& { $Input | Out-File -FilePath $env:GEMINI_TARGET_PATH -Encoding utf8 }',
);
expect(result.env['GEMINI_TARGET_PATH']).toBe(filePath);
});
it('should safely handle special characters in __write path using environment variables', async () => {
const maliciousPath = path.join(testCwd, 'foo"; echo bar; ".txt');
fs.writeFileSync(maliciousPath, '');
const req: SandboxRequest = {
command: '__write',
args: [maliciousPath],
cwd: testCwd,
env: {},
};
const result = await manager.prepareCommand(req);
expect(result.args[4]).toBe('PowerShell.exe');
const psCommand = result.args[8];
expect(psCommand).toBe(
'& { $Input | Out-File -FilePath $env:GEMINI_TARGET_PATH -Encoding utf8 }',
);
// The malicious path should be injected safely via environment variable, not interpolated in args
expect(result.env['GEMINI_TARGET_PATH']).toBe(maliciousPath);
});
it('should translate __read to PowerShell safely using environment variables', async () => {
const filePath = path.join(testCwd, 'test.txt');
fs.writeFileSync(filePath, 'hello');
const req: SandboxRequest = {
command: '__read',
args: [filePath],
cwd: testCwd,
env: {},
};
const result = await manager.prepareCommand(req);
expect(result.args[4]).toBe('PowerShell.exe');
expect(result.args[7]).toBe('-Command');
const psCommand = result.args[8];
expect(psCommand).toBe(
'& { Get-Content -LiteralPath $env:GEMINI_TARGET_PATH -Raw }',
);
expect(result.env['GEMINI_TARGET_PATH']).toBe(filePath);
});
});
packages/core/src/sandbox/windows/WindowsSandboxManager.ts
+68 -12
View File
@@ -212,8 +212,35 @@ export class WindowsSandboxManager implements SandboxManager {
// Reject override attempts in plan mode
verifySandboxOverrides(allowOverrides, req.policy);
let command = req.command;
let args = req.args;
let targetPathEnv: string | undefined;
// Translate virtual commands for sandboxed file system access
if (command === '__read') {
// Use PowerShell for safe argument passing via env var
targetPathEnv = args[0] || '';
command = 'PowerShell.exe';
args = [
'-NoProfile',
'-NonInteractive',
'-Command',
'& { Get-Content -LiteralPath $env:GEMINI_TARGET_PATH -Raw }',
];
} else if (command === '__write') {
// Use PowerShell for piping stdin to a file via env var
targetPathEnv = args[0] || '';
command = 'PowerShell.exe';
args = [
'-NoProfile',
'-NonInteractive',
'-Command',
'& { $Input | Out-File -FilePath $env:GEMINI_TARGET_PATH -Encoding utf8 }',
];
}
// Fetch persistent approvals for this command
const commandName = await getCommandName(req.command, req.args);
const commandName = await getCommandName(command, args);
const persistentPermissions = allowOverrides
? this.options.policyManager?.getCommandPermissions(commandName)
: undefined;
@@ -243,7 +270,7 @@ export class WindowsSandboxManager implements SandboxManager {
}
const defaultNetwork =
this.options.modeConfig?.network || req.policy?.networkAccess || false;
this.options.modeConfig?.network ?? req.policy?.networkAccess ?? false;
const networkAccess = defaultNetwork || mergedAdditional.network;
// 1. Handle filesystem permissions for Low Integrity
@@ -251,8 +278,8 @@ export class WindowsSandboxManager implements SandboxManager {
// If not in readonly mode OR it's a strictly approved pipeline, allow workspace writes
const isApproved = allowOverrides
? await isStrictlyApproved(
req.command,
req.args,
command,
args,
this.options.modeConfig?.approvedTools,
)
: false;
@@ -261,24 +288,48 @@ export class WindowsSandboxManager implements SandboxManager {
await this.grantLowIntegrityAccess(this.options.workspace);
}
// Grant "Low Mandatory Level" access to includeDirectories.
const includeDirs = sanitizePaths(this.options.includeDirectories) || [];
for (const includeDir of includeDirs) {
await this.grantLowIntegrityAccess(includeDir);
}
// Grant "Low Mandatory Level" read/write access to allowedPaths.
const allowedPaths = sanitizePaths(req.policy?.allowedPaths) || [];
for (const allowedPath of allowedPaths) {
await this.grantLowIntegrityAccess(allowedPath);
const resolved = await tryRealpath(allowedPath);
if (!fs.existsSync(resolved)) {
throw new Error(
`Sandbox request rejected: Allowed path does not exist: ${resolved}. ` +
'On Windows, granular sandbox access can only be granted to existing paths to avoid broad parent directory permissions.',
);
}
await this.grantLowIntegrityAccess(resolved);
}
// Grant "Low Mandatory Level" write access to additional permissions write paths.
const additionalWritePaths =
sanitizePaths(mergedAdditional.fileSystem?.write) || [];
for (const writePath of additionalWritePaths) {
await this.grantLowIntegrityAccess(writePath);
const resolved = await tryRealpath(writePath);
if (!fs.existsSync(resolved)) {
throw new Error(
`Sandbox request rejected: Additional write path does not exist: ${resolved}. ` +
'On Windows, granular sandbox access can only be granted to existing paths to avoid broad parent directory permissions.',
);
}
await this.grantLowIntegrityAccess(resolved);
}
// 2. Collect secret files and apply protective ACLs
// On Windows, we explicitly deny access to secret files for Low Integrity
// processes to ensure they cannot be read or written.
const secretsToBlock: string[] = [];
const searchDirs = new Set([this.options.workspace, ...allowedPaths]);
const searchDirs = new Set([
this.options.workspace,
...allowedPaths,
...includeDirs,
]);
for (const dir of searchDirs) {
try {
// We use maxDepth 3 to catch common nested secrets while keeping performance high.
@@ -352,19 +403,24 @@ export class WindowsSandboxManager implements SandboxManager {
// GeminiSandbox.exe <network:0|1> <cwd> --forbidden-manifest <path> <command> [args...]
const program = this.helperPath;
const args = [
const finalArgs = [
networkAccess ? '1' : '0',
req.cwd,
'--forbidden-manifest',
manifestPath,
req.command,
...req.args,
command,
...args,
];
const finalEnv = { ...sanitizedEnv };
if (targetPathEnv !== undefined) {
finalEnv['GEMINI_TARGET_PATH'] = targetPathEnv;
}
return {
program,
args,
env: sanitizedEnv,
args: finalArgs,
env: finalEnv,
cwd: req.cwd,
};
}