Commit Graph

2544 Commits

Author SHA1 Message Date
gemini-cli[bot] bbfc33ea24 fix(security): address MCP security findings (MCPSafe Grade F)
This PR addresses high and medium severity security findings related to MCP server integration, as reported by MCPSafe.

### Changes:

1. **Shell Heuristics Enforcement**: Updated `PolicyEngine` to apply shell heuristics (e.g., redirection detection) to any tool containing a `command` argument, not just those explicitly named in `SHELL_TOOL_NAMES`. This prevents security bypasses where MCP tools executing shell commands could skip safety checks.
2. **MCP Output Sanitization**: Implemented delimiters and HTML escaping for MCP tool text and resource outputs. This prevents prompt injection attacks where malicious tool output could be mistaken for system instructions by the LLM.
3. **Default Folder Trust**: Enabled folder trust by default in the CLI configuration. This ensures that the CLI verifies workspace trust before executing sensitive operations like loading local stdio MCP servers from project configuration.
4. **Type Safety**: Updated `McpResourceBlock` type to include the `uri` property, aligning with the MCP specification and fixing a TypeScript compilation error.

These changes significantly harden the gemini-cli against common attack vectors in the MCP ecosystem.

cc @mcpsafe-gh for visibility on the fixes.
cc @google-gemini-mcp-experts

Labels: bot-fix, area/security, kind/bug
2026-05-12 21:49:54 +00:00
Adam Weidman c987b99394 refactor(core): introduce SubagentState enum for progress (#26934) 2026-05-12 18:58:25 +00:00
kevinjwang1 27a39b04b0 Enable NumericalRouter when using dynamic model configs (#26929) 2026-05-12 18:06:21 +00:00
Sandy Tao ebe15553a9 Exclude extension context from skill extraction agent (#26879) 2026-05-12 10:45:19 -07:00
Yulong Wu bc730b2c0f fix (telemetry): inject quota_project_id to prevent fallback to default oauth client (#26698)
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: Tommaso Sciortino <sciortino@gmail.com>
2026-05-12 17:02:15 +00:00
joshualitt 07792f98cd feat(context): Introduce adaptive token calculator to more accurately calculate content sizes. (#26888) 2026-05-12 15:51:20 +00:00
Coco Sheng 7a9ed4c20a fix: respect explicit model selection after Flash quota exhaustion (#26759) (#26872) 2026-05-12 14:26:50 +00:00
Eswar809 9f759f97a2 fix(core): ignore .pak and .rpa game archive formats by default (#26884)
Co-authored-by: Tommaso Sciortino <sciortino@gmail.com>
2026-05-11 21:58:08 +00:00
Daniel Weis e1b3ce5b36 revert 6b9b778d82 (#26893) 2026-05-11 21:07:54 +00:00
Suhaan Raqeeb Khavas 8e58df72c6 fix: prevent EISDIR crash when customIgnoreFilePaths contains directories (#19868) (#19898)
Co-authored-by: Tommaso Sciortino <sciortino@gmail.com>
2026-05-11 20:46:08 +00:00
Coco Sheng 1340c96071 fix(core): handle malformed projects.json in ProjectRegistry (#26885) 2026-05-11 20:19:01 +00:00
Daniel Weis f8198a25d8 fix(routing): Refactor tool turn handling for the conversation history in NumericalClassifierStrategy to prevent 400 Bad Request (#26761) 2026-05-11 20:09:38 +00:00
Aryan Singh ecfaac2dc7 fix(cli): prevent duplicate SessionStart systemMessage render (#25827)
Co-authored-by: Jacob Richman <jacob314@gmail.com>
2026-05-11 16:44:04 +00:00
joshualitt 8a3fde4c33 fix(context): Change snapshotter model config. (#26745) 2026-05-11 15:06:55 +00:00
joshualitt 1a894c18ea feat(context): Improvements to the snapshotter. (#26655) 2026-05-08 23:54:44 +00:00
Adam Weidman 54f1e8c6d7 feat(core): add RemoteSubagentProtocol behind AgentProtocol (#25303) 2026-05-08 22:48:17 +00:00
krishdef7 f51391a0f2 fix(mcp): treat GET 404 as 405 in StreamableHTTPClientTransport (#24847)
Co-authored-by: Coco Sheng <cocosheng@google.com>
Co-authored-by: Spencer <spencertang@google.com>
Co-authored-by: Tommaso Sciortino <sciortino@gmail.com>
2026-05-08 22:16:08 +00:00
Sri Pasumarthi 1238dcfe91 feat(acp/core): prefix tool call IDs with tool names to support tool rendering in ACP compliant IDEs. (#26676) 2026-05-08 21:21:54 +00:00
Coco Sheng 90e7155971 ci: implement codebase-aware effort level triage (#26666) 2026-05-08 20:48:54 +00:00
Adam Weidman 014bfeb89b feat(core): add LocalSubagentProtocol behind AgentProtocol (#25302) 2026-05-08 19:28:16 +00:00
Aishanee Shah 5890f50496 fix(core): resolve parallel tool call streaming ID collision (#26646) 2026-05-08 19:14:23 +00:00
Daniel Weis 6b9b778d82 fix: resolve "function response turn must come immediately after function call" error (#26691)
Co-authored-by: Tommaso Sciortino <sciortino@gmail.com>
2026-05-08 19:01:24 +00:00
Aishanee Shah f86e0ee418 fix(core): throw explicit error on dropped tool responses (#26668) 2026-05-08 18:36:39 +00:00
joshualitt 01635ddb83 fix(context): implement loose boundary policy for gc backstop. (#26594) 2026-05-08 17:36:57 +00:00
Adam Weidman 12c8469b34 refactor(core): agent session protocol changes (#26661) 2026-05-08 17:12:54 +00:00
AK ebeea7570d fix(core): cache model routing decision in LocalAgentExecutor (#26548) 2026-05-08 00:18:22 +00:00
Sandy Tao 16e345831b fix(cli): hide /memory add subcommand when memoryV2 is enabled (#26605) 2026-05-07 20:48:12 +00:00
Daniel Weis ac31e80984 fix(routing): fix resolveClassifierModel argument mismatch in ApprovalModeStrategy (#26658)
Co-authored-by: Tommaso Sciortino <sciortino@gmail.com>
2026-05-07 19:34:14 +00:00
Coco Sheng 49456e4e15 fix(core): preserve system PATH in Git environment to fix ENOENT (#25034) (#26587) 2026-05-07 18:24:49 +00:00
Tommaso Sciortino a809bc7c51 don't wrap args unnecessarily (#26599) 2026-05-06 23:20:47 +00:00
Michael Bleigh 90304b279c refactor(cli): migrate core tools to native ToolDisplay property and fix UI rendering (#25186) 2026-05-06 21:23:26 +00:00
Rhys Sullivan bb4224fdff fix(core): prevent silent hang during OAuth auth on headless Linux (#26571)
Co-authored-by: Jack Wotherspoon <jackwoth@google.com>
2026-05-06 19:47:30 +00:00
Sandy Tao 7fb5146c6b Tighten private Auto Memory patch allowlist (#26535) 2026-05-06 17:32:15 +00:00
joshualitt 897a4d7f83 fix(core): Fix hysteresis in async context management pipelines. (#26452) 2026-05-06 16:37:08 +00:00
cynthialong0-0 80e091a8e1 fix(core): handle invalid custom plans directory gracefully (#26560) 2026-05-06 13:37:59 +00:00
joshualitt 80d2690540 fix(core): Fix chat corruption bug in context manager. (#26534) 2026-05-05 22:50:01 +00:00
Gal Zahavi 3627f4777f fix(core): allow redirection in YOLO and AUTO_EDIT modes without sandboxing (#26542) 2026-05-05 21:26:16 +00:00
Himanshu Kumar d8f2a89865 fix(core): remove unsafe type assertion suppressions in error utils (#19881)
Co-authored-by: David Pierce <davidapierce@google.com>
2026-05-05 19:52:29 +00:00
Abhijit Balaji f29eb9a569 fix(core): reject numeric project IDs in GOOGLE_CLOUD_PROJECT (#24695) (#26532) 2026-05-05 19:50:36 +00:00
Aishanee Shah 0218817fe3 feat(core): steer model to use edit tool for surgical edits, fix a typo (#26480) 2026-05-05 19:35:04 +00:00
joshualitt 0803007c8f fix(core): Minor fixes for generalist profile. (#26357) 2026-05-05 19:32:13 +00:00
Coco Sheng f5c0977e96 fix(core): retry on ERR_STREAM_PREMATURE_CLOSE errors (#26519) 2026-05-05 19:19:50 +00:00
Adib234 6a3175e973 fix(core): properly format markdown in AskUser tool by unescaping newlines (#26349)
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
2026-05-04 20:59:11 +00:00
Aishanee Shah 4d1ca92a19 fix(core): filter unsupported multimodal types from tool responses (#26352) 2026-05-04 20:31:20 +00:00
Coco Sheng 0d6bd29752 feat(cli): improve /agents refresh logging (#26442) 2026-05-04 19:40:48 +00:00
Adib234 75a8de83fc test(cleanup): fix temporary directory leaks in test suites (#26217) 2026-05-04 19:08:02 +00:00
Sandy Tao a7beb890d0 feat(memory): add Auto Memory inbox flow with canonical-patch contract (#26338) 2026-05-04 19:07:13 +00:00
Aryan Kumar d313cd7dde fix(core): use close event instead of exit in child_process fallback (#25695)
Co-authored-by: Tommaso Sciortino <sciortino@gmail.com>
2026-05-04 18:12:21 +00:00
Sandy Tao 165efa8a38 fix(hooks): preserve non-text parts in fromHookLLMRequest (#26275) 2026-05-04 17:45:52 +00:00
Coco Sheng 790f2cf815 feat: add minimal V8 heap snapshot utility for memory diagnostics (#26440) 2026-05-04 17:42:42 +00:00