clone/gemini-cli
1
0
Fork 0
mirror of https://github.com/google-gemini/gemini-cli.git synced 2026-05-28 15:10:04 +00:00
Code Issues Packages Projects Releases Wiki Activity
6,134 Commits 1,077 Branches 521 Tags
bbfc33ea24cf2ecb9f45a9ff92fa158070f855c0
Commit Graph

2544 Commits

Author SHA1 Message Date
gemini-cli[bot]
bbfc33ea24 fix(security): address MCP security findings (MCPSafe Grade F) 
This PR addresses high and medium severity security findings related to MCP server integration, as reported by MCPSafe.

### Changes:

1. **Shell Heuristics Enforcement**: Updated `PolicyEngine` to apply shell heuristics (e.g., redirection detection) to any tool containing a `command` argument, not just those explicitly named in `SHELL_TOOL_NAMES`. This prevents security bypasses where MCP tools executing shell commands could skip safety checks.
2. **MCP Output Sanitization**: Implemented delimiters and HTML escaping for MCP tool text and resource outputs. This prevents prompt injection attacks where malicious tool output could be mistaken for system instructions by the LLM.
3. **Default Folder Trust**: Enabled folder trust by default in the CLI configuration. This ensures that the CLI verifies workspace trust before executing sensitive operations like loading local stdio MCP servers from project configuration.
4. **Type Safety**: Updated `McpResourceBlock` type to include the `uri` property, aligning with the MCP specification and fixing a TypeScript compilation error.

These changes significantly harden the gemini-cli against common attack vectors in the MCP ecosystem.

cc @mcpsafe-gh for visibility on the fixes.
cc @google-gemini-mcp-experts

Labels: bot-fix, area/security, kind/bug
 2026-05-12 21:49:54 +00:00
Adam Weidman
c987b99394 refactor(core): introduce SubagentState enum for progress (#26934) 2026-05-12 18:58:25 +00:00
kevinjwang1
27a39b04b0 Enable NumericalRouter when using dynamic model configs (#26929) 2026-05-12 18:06:21 +00:00
Sandy Tao
ebe15553a9 Exclude extension context from skill extraction agent (#26879) 2026-05-12 10:45:19 -07:00
Yulong Wu
bc730b2c0f fix (telemetry): inject quota_project_id to prevent fallback to default oauth client (#26698) 
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: Tommaso Sciortino <sciortino@gmail.com>
 2026-05-12 17:02:15 +00:00
joshualitt
07792f98cd feat(context): Introduce adaptive token calculator to more accurately calculate content sizes. (#26888) 2026-05-12 15:51:20 +00:00
Coco Sheng
7a9ed4c20a fix: respect explicit model selection after Flash quota exhaustion (#26759) (#26872) 2026-05-12 14:26:50 +00:00
Eswar809
9f759f97a2 fix(core): ignore .pak and .rpa game archive formats by default (#26884) 
Co-authored-by: Tommaso Sciortino <sciortino@gmail.com>
 2026-05-11 21:58:08 +00:00
Daniel Weis
e1b3ce5b36 revert 6b9b778d82 (#26893) 2026-05-11 21:07:54 +00:00
Suhaan Raqeeb Khavas
8e58df72c6 fix: prevent EISDIR crash when customIgnoreFilePaths contains directories (#19868) (#19898) 
Co-authored-by: Tommaso Sciortino <sciortino@gmail.com>
 2026-05-11 20:46:08 +00:00
Coco Sheng
1340c96071 fix(core): handle malformed projects.json in ProjectRegistry (#26885) 2026-05-11 20:19:01 +00:00
Daniel Weis
f8198a25d8 fix(routing): Refactor tool turn handling for the conversation history in NumericalClassifierStrategy to prevent 400 Bad Request (#26761) 2026-05-11 20:09:38 +00:00
Aryan Singh
ecfaac2dc7 fix(cli): prevent duplicate SessionStart systemMessage render (#25827) 
Co-authored-by: Jacob Richman <jacob314@gmail.com>
 2026-05-11 16:44:04 +00:00
joshualitt
8a3fde4c33 fix(context): Change snapshotter model config. (#26745) 2026-05-11 15:06:55 +00:00
joshualitt
1a894c18ea feat(context): Improvements to the snapshotter. (#26655) 2026-05-08 23:54:44 +00:00
Adam Weidman
54f1e8c6d7 feat(core): add RemoteSubagentProtocol behind AgentProtocol (#25303) 2026-05-08 22:48:17 +00:00
krishdef7
f51391a0f2 fix(mcp): treat GET 404 as 405 in StreamableHTTPClientTransport (#24847) 
Co-authored-by: Coco Sheng <cocosheng@google.com>
Co-authored-by: Spencer <spencertang@google.com>
Co-authored-by: Tommaso Sciortino <sciortino@gmail.com>
 2026-05-08 22:16:08 +00:00
Sri Pasumarthi
1238dcfe91 feat(acp/core): prefix tool call IDs with tool names to support tool rendering in ACP compliant IDEs. (#26676) 2026-05-08 21:21:54 +00:00
Coco Sheng
90e7155971 ci: implement codebase-aware effort level triage (#26666) 2026-05-08 20:48:54 +00:00
Adam Weidman
014bfeb89b feat(core): add LocalSubagentProtocol behind AgentProtocol (#25302) 2026-05-08 19:28:16 +00:00
Aishanee Shah
5890f50496 fix(core): resolve parallel tool call streaming ID collision (#26646) 2026-05-08 19:14:23 +00:00
Daniel Weis
6b9b778d82 fix: resolve "function response turn must come immediately after function call" error (#26691) 
Co-authored-by: Tommaso Sciortino <sciortino@gmail.com>
 2026-05-08 19:01:24 +00:00
Aishanee Shah
f86e0ee418 fix(core): throw explicit error on dropped tool responses (#26668) 2026-05-08 18:36:39 +00:00
joshualitt
01635ddb83 fix(context): implement loose boundary policy for gc backstop. (#26594) 2026-05-08 17:36:57 +00:00
Adam Weidman
12c8469b34 refactor(core): agent session protocol changes (#26661) 2026-05-08 17:12:54 +00:00
AK
ebeea7570d fix(core): cache model routing decision in LocalAgentExecutor (#26548) 2026-05-08 00:18:22 +00:00
Sandy Tao
16e345831b fix(cli): hide /memory add subcommand when memoryV2 is enabled (#26605) 2026-05-07 20:48:12 +00:00
Daniel Weis
ac31e80984 fix(routing): fix resolveClassifierModel argument mismatch in ApprovalModeStrategy (#26658) 
Co-authored-by: Tommaso Sciortino <sciortino@gmail.com>
 2026-05-07 19:34:14 +00:00
Coco Sheng
49456e4e15 fix(core): preserve system PATH in Git environment to fix ENOENT (#25034) (#26587) 2026-05-07 18:24:49 +00:00
Tommaso Sciortino
a809bc7c51 don't wrap args unnecessarily (#26599) 2026-05-06 23:20:47 +00:00
Michael Bleigh
90304b279c refactor(cli): migrate core tools to native ToolDisplay property and fix UI rendering (#25186) 2026-05-06 21:23:26 +00:00
Rhys Sullivan
bb4224fdff fix(core): prevent silent hang during OAuth auth on headless Linux (#26571) 
Co-authored-by: Jack Wotherspoon <jackwoth@google.com>
 2026-05-06 19:47:30 +00:00
Sandy Tao
7fb5146c6b Tighten private Auto Memory patch allowlist (#26535) 2026-05-06 17:32:15 +00:00
joshualitt
897a4d7f83 fix(core): Fix hysteresis in async context management pipelines. (#26452) 2026-05-06 16:37:08 +00:00
cynthialong0-0
80e091a8e1 fix(core): handle invalid custom plans directory gracefully (#26560) 2026-05-06 13:37:59 +00:00
joshualitt
80d2690540 fix(core): Fix chat corruption bug in context manager. (#26534) 2026-05-05 22:50:01 +00:00
Gal Zahavi
3627f4777f fix(core): allow redirection in YOLO and AUTO_EDIT modes without sandboxing (#26542) 2026-05-05 21:26:16 +00:00
Himanshu Kumar
d8f2a89865 fix(core): remove unsafe type assertion suppressions in error utils (#19881) 
Co-authored-by: David Pierce <davidapierce@google.com>
 2026-05-05 19:52:29 +00:00
Abhijit Balaji
f29eb9a569 fix(core): reject numeric project IDs in GOOGLE_CLOUD_PROJECT (#24695) (#26532) 2026-05-05 19:50:36 +00:00
Aishanee Shah
0218817fe3 feat(core): steer model to use edit tool for surgical edits, fix a typo (#26480) 2026-05-05 19:35:04 +00:00
joshualitt
0803007c8f fix(core): Minor fixes for generalist profile. (#26357) 2026-05-05 19:32:13 +00:00
Coco Sheng
f5c0977e96 fix(core): retry on ERR_STREAM_PREMATURE_CLOSE errors (#26519) 2026-05-05 19:19:50 +00:00
Adib234
6a3175e973 fix(core): properly format markdown in AskUser tool by unescaping newlines (#26349) 
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
 2026-05-04 20:59:11 +00:00
Aishanee Shah
4d1ca92a19 fix(core): filter unsupported multimodal types from tool responses (#26352) 2026-05-04 20:31:20 +00:00
Coco Sheng
0d6bd29752 feat(cli): improve /agents refresh logging (#26442) 2026-05-04 19:40:48 +00:00
Adib234
75a8de83fc test(cleanup): fix temporary directory leaks in test suites (#26217) 2026-05-04 19:08:02 +00:00
Sandy Tao
a7beb890d0 feat(memory): add Auto Memory inbox flow with canonical-patch contract (#26338) 2026-05-04 19:07:13 +00:00
Aryan Kumar
d313cd7dde fix(core): use close event instead of exit in child_process fallback (#25695) 
Co-authored-by: Tommaso Sciortino <sciortino@gmail.com>
 2026-05-04 18:12:21 +00:00
Sandy Tao
165efa8a38 fix(hooks): preserve non-text parts in fromHookLLMRequest (#26275) 2026-05-04 17:45:52 +00:00
Coco Sheng
790f2cf815 feat: add minimal V8 heap snapshot utility for memory diagnostics (#26440) 2026-05-04 17:42:42 +00:00