fix(core): Use atomic writes for session files to prevent data loss on crash#14933
fix(core): Use atomic writes for session files to prevent data loss on crash#14933jflam wants to merge 2 commits intogoogle-gemini:mainfrom
Conversation
Summary of ChangesHello @jflam, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request addresses a critical vulnerability where session files could become corrupted or truncated if the application crashed during a write operation. By integrating the Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
There was a problem hiding this comment.
Code Review
This pull request aims to prevent critical data loss in ChatRecordingService.writeConversation() by replacing fs.writeFileSync() with write-file-atomic for atomic session file writes. However, a high-severity Path Traversal vulnerability was identified: user-provided file paths are not validated, allowing an attacker to write to arbitrary locations on the filesystem. The new atomic write operation acts as a sink for this existing vulnerability.
| // Use atomic write (temp file + rename) to prevent partial reads | ||
| // by external tools polling this file during active sessions | ||
| writeFileAtomic.sync(this.conversationFile, newContent); |
There was a problem hiding this comment.
The initialize method on line 131 accepts a resumedSessionData object and directly uses resumedSessionData.filePath to set the this.conversationFile property on line 135. This property is later used in file writing operations, including the newly added writeFileAtomic.sync on line 424. There is no validation to ensure that resumedSessionData.filePath points to a file within the intended session storage directory. An attacker who can control the resumedSessionData object passed to the initialize method could provide a malicious path (e.g., ../../../../etc/passwd) to overwrite arbitrary files on the system with the permissions of the running process. This could lead to data corruption, denial of service, or potentially remote code execution if a critical application or system file is overwritten.
Remediation:
Before using resumedSessionData.filePath, validate that it is a legitimate path within the expected chat session directory. Use path.resolve to get the absolute path and then check if it is a subpath of the intended storage directory. You can use a helper function like isSubpath (which already exists in packages/core/src/utils/paths.ts) for this check.
Example:
'''typescript
import { isSubpath } from '../utils/paths.js';
// ... inside initialize method
if (resumedSessionData) {
const chatsDir = path.join(
this.config.storage.getProjectTempDir(),
'chats',
);
const resolvedPath = path.resolve(resumedSessionData.filePath);
if (!isSubpath(chatsDir, resolvedPath)) {
throw new Error('Attempted path traversal in session file path.');
}
this.conversationFile = resolvedPath;
// ...
}
'''
There was a problem hiding this comment.
This looks like a pre-existing issue unrelated to this change.
|
Hi @jflam, thank you so much for your contribution to Gemini CLI! We really appreciate the time and effort you've put into this. We're making some updates to our contribution process to improve how we track and review changes. Please take a moment to review our recent discussion post: Improving Our Contribution Process & Introducing New Guidelines. Key Update: Starting January 26, 2026, the Gemini CLI project will require all pull requests to be associated with an existing issue. Any pull requests not linked to an issue by that date will be automatically closed. Thank you for your understanding and for being a part of our community! |
|
Hi there! Thank you for your contribution to Gemini CLI. To improve our contribution process and better track changes, we now require all pull requests to be associated with an existing issue, as announced in our recent discussion and as detailed in our CONTRIBUTING.md. This pull request is being closed because it is not currently linked to an issue. You can easily reopen this PR once you have linked it to an issue. How to link an issue: Thank you for your understanding and for being a part of our community! |
Problem
ChatRecordingService.writeConversation()currently usesfs.writeFileSync()directly:This is vulnerable to data loss if the process crashes or is killed mid-write - the session file could be left truncated or corrupted, losing the user's chat history.
Solution
Replace
fs.writeFileSync()withwrite-file-atomic, which:fsync()to ensure data is flushed to diskThis guarantees that session files are always in a valid state - readers see either the previous complete version or the new complete version, never a partial write.
Changes
write-file-atomicdependency topackages/core/package.json@types/write-file-atomicto devDependencies for TypeScript supportChatRecordingService.writeConversation()to usewriteFileAtomic.sync()Trade-offs
The performance overhead is minimal for session files (~10-50KB written once per message).
write-file-atomicis widely used (40M+ weekly npm downloads) and is the standard solution for safe file writes in Node.js.Testing