feat(core): integrate SandboxManager to sandbox all process-spawning tools (#22231)

2026-04-12 22:31:12 -07:00 · 2026-03-13 14:11:51 -07:00
parent 24adacdbc2
commit fa024133e6
31 changed files with 558 additions and 94 deletions
--- a/packages/a2a-server/src/commands/memory.ts
+++ b/packages/a2a-server/src/commands/memory.ts
@@ -104,6 +104,7 @@ export class AddMemoryCommand implements Command {
      const signal = abortController.signal;
      await tool.buildAndExecute(result.toolArgs, signal, undefined, {
        sanitizationConfig: DEFAULT_SANITIZATION_CONFIG,
+        sandboxManager: context.config.sandboxManager,
      });
      await refreshMemory(context.config);
      return {
--- a/packages/a2a-server/src/utils/testing_utils.ts
+++ b/packages/a2a-server/src/utils/testing_utils.ts
@@ -21,6 +21,7 @@ import {
  tmpdir,
  type Config,
  type Storage,
+  NoopSandboxManager,
  type ToolRegistry,
 } from '@google/gemini-cli-core';
 import { createMockMessageBus } from '@google/gemini-cli-core/src/test-utils/mock-message-bus.js';
@@ -97,6 +98,14 @@ export function createMockConfig(
    }),
    getGitService: vi.fn(),
    validatePathAccess: vi.fn().mockReturnValue(undefined),
+    getShellExecutionConfig: vi.fn().mockReturnValue({
+      sandboxManager: new NoopSandboxManager(),
+      sanitizationConfig: {
+        allowedEnvironmentVariables: [],
+        blockedEnvironmentVariables: [],
+        enableEnvironmentVariableRedaction: false,
+      },
+    }),
    ...overrides,
  } as unknown as Config;