MediaMetz/gemini-cli
1
0
Fork 0
mirror of https://github.com/google-gemini/gemini-cli.git synced 2026-03-31 00:11:11 -07:00
Code Issues Packages Projects Releases Wiki Activity

fix(core): replace hardcoded non-interactive ASK_USER denial with explicit policy rules (#23668)

Browse Source
This commit is contained in:
ruomeng
2026-03-26 14:35:12 -04:00
committed by GitHub
parent aa4d9316a9
commit c888da5f73
13 changed files with 207 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
packages/core/src/policy/config.ts
View File

@@ -285,6 +285,7 @@ export async function createPolicyEngineConfig(
settings: PolicySettings,
approvalMode: ApprovalMode,
defaultPoliciesDir?: string,
interactive: boolean = true,
): Promise<PolicyEngineConfig> {
const systemPoliciesDir = path.resolve(Storage.getSystemPoliciesDir());
const userPoliciesDir = path.resolve(Storage.getUserPoliciesDir());
@@ -524,7 +525,10 @@ export async function createPolicyEngineConfig(
return {
rules,
checkers,
defaultDecision: PolicyDecision.ASK_USER,
defaultDecision: interactive
? PolicyDecision.ASK_USER
: PolicyDecision.DENY,
nonInteractive: !interactive,
approvalMode,
disableAlwaysAllow: settings.disableAlwaysAllow,
};

7
packages/core/src/policy/policies/discovered.toml
View File

@@ -6,3 +6,10 @@
toolName = "discovered_tool_*"
decision = "ask_user"
priority = 10
interactive = true
[[rule]]
toolName = "discovered_tool_*"
decision = "deny"
priority = 10
interactive = false

7
packages/core/src/policy/policies/non-interactive.toml Normal file
View File

@@ -0,0 +1,7 @@
# Policy for non-interactive mode.
# ASK_USER is strictly forbidden here.
[[rule]]
toolName = "ask_user"
decision = "deny"
priority = 999
interactive = false

18
packages/core/src/policy/policies/plan.toml
View File

@@ -86,6 +86,16 @@ toolAnnotations = { readOnlyHint = true }
decision = "ask_user"
priority = 70
modes = ["plan"]
interactive = true
[[rule]]
toolName = "*"
mcpName = "*"
toolAnnotations = { readOnlyHint = true }
decision = "deny"
priority = 70
modes = ["plan"]
interactive = false
[[rule]]
toolName = [
@@ -108,6 +118,14 @@ toolName = ["ask_user", "save_memory"]
decision = "ask_user"
priority = 70
modes = ["plan"]
interactive = true
[[rule]]
toolName = ["ask_user", "save_memory"]
decision = "deny"
priority = 70
modes = ["plan"]
interactive = false
# Allow write_file and replace for .md files in the plans directory (cross-platform)
# We split this into two rules to avoid ReDoS checker issues with nested optional segments.

21
packages/core/src/policy/policies/write.toml
View File

@@ -31,6 +31,7 @@
toolName = "replace"
decision = "ask_user"
priority = 10
interactive = true
[[rule]]
toolName = "replace"
@@ -47,21 +48,25 @@ required_context = ["environment"]
toolName = "save_memory"
decision = "ask_user"
priority = 10
interactive = true
[[rule]]
toolName = "run_shell_command"
decision = "ask_user"
priority = 10
interactive = true
[[rule]]
toolName = "write_file"
decision = "ask_user"
priority = 10
interactive = true
[[rule]]
toolName = "activate_skill"
decision = "ask_user"
priority = 10
interactive = true
[[rule]]
toolName = "write_file"
@@ -84,3 +89,19 @@ modes = ["autoEdit"]
toolName = "web_fetch"
decision = "ask_user"
priority = 10
interactive = true
# Headless Denial Rule (Priority 10)
# Ensures that tools that normally default to ASK_USER are denied in non-interactive mode.
[[rule]]
toolName = [
"replace",
"save_memory",
"run_shell_command",
"write_file",
"activate_skill",
"web_fetch"
]
decision = "deny"
priority = 10
interactive = false

2
packages/core/src/policy/policies/yolo.toml
View File

@@ -30,12 +30,12 @@
# Ask-user tool always requires user interaction, even in YOLO mode.
# This ensures the model can gather user preferences/decisions when needed.
# Note: In non-interactive mode, this decision is converted to DENY by the policy engine.
[[rule]]
toolName = "ask_user"
decision = "ask_user"
priority = 999
modes = ["yolo"]
interactive = true
# Plan mode transitions are blocked in YOLO mode to maintain state consistency
# and because planning currently requires human interaction (plan approval),

125
packages/core/src/policy/policy-engine.test.ts
View File

@@ -293,8 +293,22 @@ describe('PolicyEngine', () => {
const config: PolicyEngineConfig = {
nonInteractive: true,
rules: [
{ toolName: 'interactive-tool', decision: PolicyDecision.ASK_USER },
{
toolName: 'interactive-tool',
decision: PolicyDecision.ASK_USER,
interactive: true,
},
{
toolName: 'interactive-tool',
decision: PolicyDecision.DENY,
interactive: false,
},
{ toolName: 'allowed-tool', decision: PolicyDecision.ALLOW },
{
toolName: 'ask_user',
decision: PolicyDecision.DENY,
interactive: false,
},
],
};
@@ -1258,6 +1272,51 @@ describe('PolicyEngine', () => {
).toBe(PolicyDecision.ALLOW);
});
it('should NOT automatically DENY redirected shell commands in non-interactive mode if rules permit it', async () => {
const toolName = 'run_shell_command';
const command = 'ls > out.txt';
const rules: PolicyRule[] = [
{
toolName,
decision: PolicyDecision.ALLOW,
allowRedirection: true,
},
];
engine = new PolicyEngine({ rules, nonInteractive: true });
expect(
(await engine.check({ name: toolName, args: { command } }, undefined))
.decision,
).toBe(PolicyDecision.ALLOW);
});
it('should respect DENY rules for redirected shell commands in non-interactive mode', async () => {
const toolName = 'run_shell_command';
const command = 'ls > out.txt';
const rules: PolicyRule[] = [
{
toolName,
decision: PolicyDecision.ASK_USER,
interactive: true,
},
{
toolName,
decision: PolicyDecision.DENY,
interactive: false,
},
];
engine = new PolicyEngine({ rules, nonInteractive: true });
expect(
(await engine.check({ name: toolName, args: { command } }, undefined))
.decision,
).toBe(PolicyDecision.DENY);
});
it('should NOT downgrade ALLOW to ASK_USER for quoted redirection chars', async () => {
const rules: PolicyRule[] = [
{
@@ -1423,21 +1482,25 @@ describe('PolicyEngine', () => {
expect(result.decision).toBe(PolicyDecision.DENY);
});
it('should DENY redirected shell commands in non-interactive mode', async () => {
it('should respect explicit DENY rules for redirected shell commands in non-interactive mode', async () => {
const config: PolicyEngineConfig = {
nonInteractive: true,
rules: [
{
toolName: 'run_shell_command',
decision: PolicyDecision.ALLOW,
interactive: true,
},
{
toolName: 'run_shell_command',
decision: PolicyDecision.DENY,
interactive: false,
},
],
};
engine = new PolicyEngine(config);
// Redirected command should be DENIED in non-interactive mode
// (Normally ASK_USER, but ASK_USER -> DENY in non-interactive)
expect(
(
await engine.check(
@@ -2215,34 +2278,6 @@ describe('PolicyEngine', () => {
const result = await engine.check({ name: 'tool' }, undefined);
expect(result.decision).toBe(PolicyDecision.ASK_USER);
});
it('should DENY if checker returns ASK_USER in non-interactive mode', async () => {
const rules: PolicyRule[] = [
{ toolName: 'tool', decision: PolicyDecision.ALLOW },
];
const checkers: SafetyCheckerRule[] = [
{
toolName: '*',
checker: {
type: 'in-process',
name: InProcessCheckerType.ALLOWED_PATH,
},
},
];
engine = new PolicyEngine(
{ rules, checkers, nonInteractive: true },
mockCheckerRunner,
);
vi.mocked(mockCheckerRunner.runChecker).mockResolvedValue({
decision: SafetyCheckDecision.ASK_USER,
reason: 'Suspicious path',
});
const result = await engine.check({ name: 'tool' }, undefined);
expect(result.decision).toBe(PolicyDecision.DENY);
});
});
describe('getExcludedTools', () => {
@@ -2345,18 +2380,42 @@ describe('PolicyEngine', () => {
expected: [],
},
{
name: 'should NOT include ASK_USER tools even in non-interactive mode',
name: 'should include tools in exclusion list only if explicitly denied in non-interactive mode',
rules: [
{
toolName: 'tool1',
decision: PolicyDecision.ASK_USER,
modes: [ApprovalMode.DEFAULT],
interactive: true,
},
{
toolName: 'tool1',
decision: PolicyDecision.DENY,
modes: [ApprovalMode.DEFAULT],
interactive: false,
},
],
nonInteractive: true,
allToolNames: ['tool1'],
expected: ['tool1'],
},
{
name: 'should specifically exclude ask_user tool in non-interactive mode',
rules: [
{
toolName: 'ask_user',
decision: PolicyDecision.DENY,
interactive: false,
},
{
toolName: 'read_file',
decision: PolicyDecision.ALLOW,
},
],
nonInteractive: true,
allToolNames: ['ask_user', 'read_file'],
expected: ['ask_user'],
},
{
name: 'should ignore rules with argsPattern',
rules: [

34
packages/core/src/policy/policy-engine.ts
View File

@@ -244,8 +244,10 @@ export class PolicyEngine {
}
}
this.defaultDecision = config.defaultDecision ?? PolicyDecision.ASK_USER;
this.nonInteractive = config.nonInteractive ?? false;
this.defaultDecision =
config.defaultDecision ??
(this.nonInteractive ? PolicyDecision.DENY : PolicyDecision.ASK_USER);
this.disableAlwaysAllow = config.disableAlwaysAllow ?? false;
this.checkerRunner = checkerRunner;
this.approvalMode = config.approvalMode ?? ApprovalMode.DEFAULT;
@@ -340,7 +342,7 @@ export class PolicyEngine {
): Promise<CheckResult> {
if (!command) {
return {
decision: this.applyNonInteractiveMode(ruleDecision),
decision: ruleDecision,
rule,
};
}
@@ -363,13 +365,13 @@ export class PolicyEngine {
}
debugLogger.debug(
`[PolicyEngine.check] Command parsing failed for: ${command}. Falling back to ASK_USER.`,
`[PolicyEngine.check] Command parsing failed for: ${command}. Falling back to ${this.defaultDecision}.`,
);
// Parsing logic failed, we can't trust it. Force ASK_USER (or DENY).
// Parsing logic failed, we can't trust it. Use default decision ASK_USER (or DENY in non-interactive).
// We return the rule that matched so the evaluation loop terminates.
return {
decision: this.applyNonInteractiveMode(PolicyDecision.ASK_USER),
decision: this.defaultDecision,
rule,
};
}
@@ -466,7 +468,7 @@ export class PolicyEngine {
}
return {
decision: this.applyNonInteractiveMode(aggregateDecision),
decision: aggregateDecision,
// If we stayed at ALLOW, we return the original rule (if any).
// If we downgraded, we return the responsible rule (or undefined if implicit).
rule: aggregateDecision === ruleDecision ? rule : responsibleRule,
@@ -474,7 +476,7 @@ export class PolicyEngine {
}
return {
decision: this.applyNonInteractiveMode(ruleDecision),
decision: ruleDecision,
rule,
};
}
@@ -597,7 +599,7 @@ export class PolicyEngine {
break;
}
} else {
decision = this.applyNonInteractiveMode(rule.decision);
decision = rule.decision;
matchedRule = rule;
break;
}
@@ -641,7 +643,7 @@ export class PolicyEngine {
decision = shellResult.decision;
matchedRule = shellResult.rule;
} else {
decision = this.applyNonInteractiveMode(this.defaultDecision);
decision = this.defaultDecision;
}
}
@@ -697,7 +699,7 @@ export class PolicyEngine {
}
return {
decision: this.applyNonInteractiveMode(decision),
decision,
rule: matchedRule,
};
}
@@ -866,7 +868,7 @@ export class PolicyEngine {
continue;
} else {
// Unconditional rule for this tool
const decision = this.applyNonInteractiveMode(rule.decision);
const decision = rule.decision;
staticallyExcluded = decision === PolicyDecision.DENY;
matchFound = true;
break;
@@ -876,7 +878,7 @@ export class PolicyEngine {
if (!matchFound) {
// Fallback to default decision if no rule matches
const defaultDec = this.applyNonInteractiveMode(this.defaultDecision);
const defaultDec = this.defaultDecision;
if (defaultDec === PolicyDecision.DENY) {
staticallyExcluded = true;
}
@@ -889,12 +891,4 @@ export class PolicyEngine {
return excludedTools;
}
private applyNonInteractiveMode(decision: PolicyDecision): PolicyDecision {
// In non-interactive mode, ASK_USER becomes DENY
if (this.nonInteractive && decision === PolicyDecision.ASK_USER) {
return PolicyDecision.DENY;
}
return decision;
}
}