gemini-cli[bot]
bbfc33ea24
fix(security): address MCP security findings (MCPSafe Grade F)
...
This PR addresses high and medium severity security findings related to MCP server integration, as reported by MCPSafe.
### Changes:
1. **Shell Heuristics Enforcement**: Updated `PolicyEngine` to apply shell heuristics (e.g., redirection detection) to any tool containing a `command` argument, not just those explicitly named in `SHELL_TOOL_NAMES`. This prevents security bypasses where MCP tools executing shell commands could skip safety checks.
2. **MCP Output Sanitization**: Implemented delimiters and HTML escaping for MCP tool text and resource outputs. This prevents prompt injection attacks where malicious tool output could be mistaken for system instructions by the LLM.
3. **Default Folder Trust**: Enabled folder trust by default in the CLI configuration. This ensures that the CLI verifies workspace trust before executing sensitive operations like loading local stdio MCP servers from project configuration.
4. **Type Safety**: Updated `McpResourceBlock` type to include the `uri` property, aligning with the MCP specification and fixing a TypeScript compilation error.
These changes significantly harden the gemini-cli against common attack vectors in the MCP ecosystem.
cc @mcpsafe-gh for visibility on the fixes.
cc @google-gemini-mcp-experts
Labels: bot-fix, area/security, kind/bug
2026-05-12 21:49:54 +00:00
Michael Bleigh
3b7c17a22c
refactor(core): consolidate execute() arguments into ExecuteOptions (#25101)
2026-04-10 17:11:17 +00:00
Sri Pasumarthi
84caf00cd4
fix: ACP: separate conversational text from execute tool command title (#23179)
2026-03-24 00:39:15 +00:00
Keith Schaab
b35c12d8d0
fix(core)!: Force policy config to specify toolName (#23330)
2026-03-23 22:35:08 +00:00
Abhi
1d2585dba6
fix(core): explicitly pass messageBus to policy engine for MCP tool saves (#22255)
2026-03-13 01:31:13 +00:00
Abhi
8432bcee75
fix(core): resolve MCP tool FQN validation, schema export, and wildcards in subagents (#22069)
2026-03-12 14:17:36 +00:00
Spencer
a220874281
feat(policy): support auto-add to policy by default and scoped persistence (#20361)
2026-03-10 17:01:41 +00:00
Christian Gunderman
dac3735626
Disallow underspecified types (#21485)
2026-03-07 21:05:38 +00:00
Abhi
931e668b47
refactor(core): standardize MCP tool naming to mcp_ FQN format (#21425)
2026-03-06 22:17:28 +00:00
nityam
28af4e127f
fix: merge duplicate imports in packages/core (3/4) (#20928)
2026-03-04 00:12:59 +00:00
Abhi
28e79831ac
fix(core): sanitize and length-check MCP tool qualified names (#20987)
2026-03-03 21:38:52 +00:00
Spencer
20d884da2f
fix(core): reduce intrusive MCP errors and deduplicate diagnostics (#20232)
2026-02-27 20:04:36 +00:00
Sandy Tao
3ff5cfaaf6
feat(telemetry): Add context breakdown to API response event (#19699)
2026-02-24 23:26:28 +00:00
Jerop Kipruto
15f6c8b8da
feat(policy): Propagate Tool Annotations for MCP Servers (#20083)
2026-02-24 14:20:11 +00:00
Yuki Okita
05bc0399f3
feat(cli): allow expanding full details of MCP tool on approval (#19916)
2026-02-24 01:45:05 +00:00
Abhi
acb7f577de
chore(lint): fix lint errors seen when running npm run lint (#19844)
2026-02-21 18:33:25 +00:00
joshualitt
6351352e54
feat(core): Implement parallel FC for read only tools. (#18791)
2026-02-20 00:38:22 +00:00
Abhijit Balaji
3408542a66
fix(core): prevent duplicate tool approval entries in auto-saved.toml (#19487)
...
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
2026-02-19 20:03:52 +00:00
Christian Gunderman
fd65416a2f
Disallow unsafe type assertions (#18688)
2026-02-10 00:10:15 +00:00
Adib234
fe975da91e
feat(plan): implement support for MCP servers in Plan mode (#18229)
2026-02-05 21:37:28 +00:00
Abhi
eccc200f4f
feat(core): enforce server prefixes for MCP tools in agent definitions (#17574)
2026-01-27 04:53:05 +00:00
Andrew Garrett
97aac696fb
Fix mcp tool lookup in tool registry (#17054)
...
Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
2026-01-21 04:18:33 +00:00
Vijay Vasudevan
eb3f3cfdb8
feat(hooks): add mcp_context to BeforeTool and AfterTool hook inputs (#15656)
...
Co-authored-by: Tommaso Sciortino <sciortino@gmail.com>
2026-01-08 18:35:33 +00:00
Abhi
12c7c9cc42
feat(core,cli): enforce mandatory MessageBus injection (Phase 3 Hard Migration) (#15776)
2026-01-04 22:11:43 +00:00
Abhi
90be9c3587
feat(core): Standardize Tool and Agent Invocation constructors (Phase 2) (#15775)
2026-01-04 20:51:23 +00:00
Allen Hutchison
5f298c17d7
feat: Persistent "Always Allow" policies with granular shell & MCP support (#14737)
...
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
2025-12-12 21:45:39 +00:00
Kevin Ramdass
2d3db97067
Fix: Correctly detect MCP tool errors (#14937)
2025-12-11 16:41:02 +00:00
Jacob MacDonald
c883403147
[feat] Extension Reloading - respect updates to exclude tools (#12728)
2025-11-07 20:18:35 +00:00
Allen Hutchison
f5bd474e51
fix(core): prevent server name spoofing in policy engine (#12511)
2025-11-05 18:10:23 +00:00
Shardul Natu
236334d015
feat(telemetry): Add extension name to ToolCallEvent telemetry (#12343)
...
Co-authored-by: Shnatu <snatu@google.com>
2025-10-31 13:50:22 +00:00
Allen Hutchison
064edc52f5
feat(policy): Introduce config-based policy engine with TOML configuration (#11992)
2025-10-28 16:20:57 +00:00
Allen Hutchison
b188a51c32
feat(core): Introduce message bus for tool execution confirmation (#11544)
...
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
2025-10-24 20:04:40 +00:00
christine betts
c6a59896f3
Add extensions logging (#11261)
2025-10-21 20:55:16 +00:00
fuyou
66c2184fe5
feat: Add AbortSignal support for retry logic and tool execution (#9196)
...
Co-authored-by: Sandy Tao <sandytao520@icloud.com>
2025-09-24 19:10:55 +00:00
Jacob MacDonald
d2ae869bb4
Simplify MCP server timeout configuration (#7661)
2025-09-03 17:34:32 +00:00
shrutip90
2a0e69d833
fix(trust): Update config.isTrustedFolder (#7373)
2025-08-29 02:41:33 +00:00
shrutip90
a0fbe000ee
Skip MCP server connections in untrusted folders (#7358)
2025-08-28 22:46:27 +00:00
Pascal Birchler
0f031a7f89
Explicit imports & exports with type modifier (#3774)
2025-08-25 22:04:53 +00:00
Lee James
240830afac
feat(mcp): log include MCP request with error (#6778)
2025-08-22 18:10:30 +00:00
joshualitt
ec41b8db8e
feat(core): Annotate remaining error paths in tools with type. (#6699)
2025-08-21 21:40:18 +00:00
Jacob MacDonald
1738d40745
return the JSON stringified parameters from getDescription for MCP tools and Discovered tools (#6655)
2025-08-20 20:10:02 +00:00
Richie Foreman
2998f27f70
chore(compiler): Enable strict property access TS compiler flag. (#6255)
...
Co-authored-by: Jacob Richman <jacob314@gmail.com>
2025-08-17 16:43:21 +00:00
Lee James
f47af1607a
bug(mcp): catch errors reported by GitHub MCP (#6194)
2025-08-14 22:30:05 +00:00
Richie Foreman
a90aeb3d8f
chore(build/compiler): Enable a bunch of strict TS compiler options. (#6138)
2025-08-13 20:17:38 +00:00
joshualitt
904f4623b6
feat(core): Continue declarative tool migration. (#6114)
2025-08-13 18:57:37 +00:00
Agus Zubiaga
d3fda9dafb
Zed integration schema upgrade (#5536)
...
Co-authored-by: Conrad Irwin <conrad.irwin@gmail.com>
Co-authored-by: Ben Brandt <benjamin@zed.dev>
2025-08-13 15:58:26 +00:00
Wanlin Du
d9fb08c9da
feat: migrate tools to use parametersJsonSchema. (#5330)
2025-08-11 23:12:41 +00:00
Luccas Paroni
2778c7d851
feat(core): Parse Multimodal MCP Tool responses (#5529)
...
Co-authored-by: Luccas Paroni <luccasparoni@google.com>
2025-08-05 19:19:47 +00:00
Didier Durand
0f6405e28d
fix typos in diverse files (#3550)
...
Co-authored-by: Pascal Birchler <pascal.birchler@gmail.com>
Co-authored-by: Pascal Birchler <pascalb@google.com>
Co-authored-by: N. Taylor Mullen <ntaylormullen@google.com>
2025-07-20 22:36:34 +00:00
Tommaso Sciortino
4dbd9f30b6
Revert background agent commits (#4479)
2025-07-19 00:28:40 +00:00