fix(security): securely handle root CWD using isSubpath in isTrustedSystemPath

Coco Sheng
2026-05-12 13:25:04 -04:00
parent ca41e1bad6
commit 5bcc400020


@@ -520,9 +520,10 @@ export function isTrustedSystemPath(filePath: string): boolean {
const normPath = normalizePath(filePath);
// 1. Explicitly reject paths in current working directory to prevent RCE
// Exclude root directories to avoid inadvertently rejecting all system paths.
const normCwd = normalizePath(process.cwd());
const relative = path.relative(normCwd, normPath);
if (!relative.startsWith('..') && !path.isAbsolute(relative)) {
const isRoot = normCwd === '/' || /^[a-zA-Z]:[\\/]?$/.test(normCwd);
if (!isRoot && isSubpath(normCwd, normPath)) {
return false;
}
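Review bot: The `isRoot` exemption on the new `if (!isRoot && isSubpath(normCwd, normPath))` line makes the CWD rejection fail open whenever the process runs from `/` or a drive root, and the two-line comment above it does not say what still protects that case. Every path under that root then passes step 1, so the decision rests entirely on the later checks in `isTrustedSystemPath`, whose body continues outside this hunk. I would state that in the comment, e.g. `// If CWD is a filesystem/drive root this check is skipped; the checks below must still reject untrusted locations.`, and add a test that pins the result for a file placed directly in a root CWD. The `isRoot` test also appears to depend on the exact form `normalizePath` returns for a root (trailing separator, slash direction), which is not visible here and is worth confirming.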