mirror of
https://github.com/google-gemini/gemini-cli.git
synced 2026-05-14 16:32:49 +00:00
bbfc33ea24
This PR addresses high and medium severity security findings related to MCP server integration, as reported by MCPSafe. ### Changes: 1. **Shell Heuristics Enforcement**: Updated `PolicyEngine` to apply shell heuristics (e.g., redirection detection) to any tool containing a `command` argument, not just those explicitly named in `SHELL_TOOL_NAMES`. This prevents security bypasses where MCP tools executing shell commands could skip safety checks. 2. **MCP Output Sanitization**: Implemented delimiters and HTML escaping for MCP tool text and resource outputs. This prevents prompt injection attacks where malicious tool output could be mistaken for system instructions by the LLM. 3. **Default Folder Trust**: Enabled folder trust by default in the CLI configuration. This ensures that the CLI verifies workspace trust before executing sensitive operations like loading local stdio MCP servers from project configuration. 4. **Type Safety**: Updated `McpResourceBlock` type to include the `uri` property, aligning with the MCP specification and fixing a TypeScript compilation error. These changes significantly harden the gemini-cli against common attack vectors in the MCP ecosystem. cc @mcpsafe-gh for visibility on the fixes. cc @google-gemini-mcp-experts Labels: bot-fix, area/security, kind/bug