fix(patch): cherry-pick 765fb67 to release/v0.36.0-preview.5-pr-24055 to patch version v0.36.0-preview.5 and create version 0.36.0-preview.6 (#24061)

Co-authored-by: Gal Zahavi <38544478+galz10@users.noreply.github.com>
This commit is contained in:
gemini-cli-robot
2026-03-27 18:27:29 -07:00
committed by GitHub
parent c1af5ab99d
commit 975b7dc163
6 changed files with 42 additions and 29 deletions
@@ -153,7 +153,10 @@ describe('MacOsSandboxManager', () => {
SAFE_VAR: '1',
GITHUB_TOKEN: 'sensitive',
},
policy: mockPolicy,
policy: {
...mockPolicy,
sanitizationConfig: { enableEnvironmentVariableRedaction: true },
},
});
expect(result.env['SAFE_VAR']).toBe('1');
@@ -375,9 +375,9 @@ describe('sanitizeEnvironment', () => {
});
describe('getSecureSanitizationConfig', () => {
it('should enable environment variable redaction by default', () => {
it('should default enableEnvironmentVariableRedaction to false', () => {
const config = getSecureSanitizationConfig();
expect(config.enableEnvironmentVariableRedaction).toBe(true);
expect(config.enableEnvironmentVariableRedaction).toBe(false);
});
it('should merge allowed and blocked variables from base and requested configs', () => {
@@ -440,13 +440,13 @@ describe('getSecureSanitizationConfig', () => {
expect(config.blockedEnvironmentVariables).toEqual(['BLOCKED_VAR']);
});
it('should force enableEnvironmentVariableRedaction to true even if requested false', () => {
it('should respect requested enableEnvironmentVariableRedaction value', () => {
const requestedConfig = {
enableEnvironmentVariableRedaction: false,
};
const config = getSecureSanitizationConfig(requestedConfig);
expect(config.enableEnvironmentVariableRedaction).toBe(true);
expect(config.enableEnvironmentVariableRedaction).toBe(false);
});
});
@@ -230,6 +230,9 @@ export function getSecureSanitizationConfig(
allowedEnvironmentVariables: [...new Set(allowed)],
blockedEnvironmentVariables: [...new Set(blocked)],
// Redaction must be enabled for secure configurations
enableEnvironmentVariableRedaction: true,
enableEnvironmentVariableRedaction:
requestedConfig.enableEnvironmentVariableRedaction ??
baseConfig?.enableEnvironmentVariableRedaction ??
false,
};
}
@@ -58,6 +58,11 @@ describe('NoopSandboxManager', () => {
MY_SECRET: 'super-secret',
SAFE_VAR: 'is-safe',
},
policy: {
sanitizationConfig: {
enableEnvironmentVariableRedaction: true,
},
},
};
const result = await sandboxManager.prepareCommand(req);
@@ -68,7 +73,7 @@ describe('NoopSandboxManager', () => {
expect(result.env['MY_SECRET']).toBeUndefined();
});
it('should NOT allow disabling environment variable redaction if requested in config (vulnerability fix)', async () => {
it('should allow disabling environment variable redaction if requested in config', async () => {
const req = {
command: 'echo',
args: ['hello'],
@@ -85,8 +90,8 @@ describe('NoopSandboxManager', () => {
const result = await sandboxManager.prepareCommand(req);
// API_KEY should be redacted because SandboxManager forces redaction and API_KEY matches NEVER_ALLOWED_NAME_PATTERNS
expect(result.env['API_KEY']).toBeUndefined();
// API_KEY should be preserved because redaction was explicitly disabled
expect(result.env['API_KEY']).toBe('sensitive-key');
});
it('should respect allowedEnvironmentVariables in config but filter sensitive ones', async () => {
@@ -101,6 +106,7 @@ describe('NoopSandboxManager', () => {
policy: {
sanitizationConfig: {
allowedEnvironmentVariables: ['MY_SAFE_VAR', 'MY_TOKEN'],
enableEnvironmentVariableRedaction: true,
},
},
};
@@ -124,6 +130,7 @@ describe('NoopSandboxManager', () => {
policy: {
sanitizationConfig: {
blockedEnvironmentVariables: ['BLOCKED_VAR'],
enableEnvironmentVariableRedaction: true,
},
},
};