feat(sdk): implements SessionContext for SDK tool calls#18862
Hi there! Thank you for your contribution to Gemini CLI. To improve our contribution process and better track changes, we now require all pull requests to be associated with an existing issue, as announced in our recent discussion and as detailed in our CONTRIBUTING.md. This pull request is being closed because it is not currently linked to an issue. Once you have updated the description of this PR to link an issue (e.g., by adding How to link an issue: Thank you for your understanding and for being a part of our community!
Hi @mbleigh, thank you so much for your contribution to Gemini CLI! We really appreciate the time and effort you've put into this. We're making some updates to our contribution process to improve how we track and review changes. Please take a moment to review our recent discussion post: Improving Our Contribution Process & Introducing New Guidelines. Key Update: Starting January 26, 2026, the Gemini CLI project will require all pull requests to be associated with an existing issue. Any pull requests not linked to an issue by that date will be automatically closed. Thank you for your understanding and for being a part of our community!
Summary of Changes

Hello @mbleigh, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly enhances the Gemini CLI SDK by introducing a robust

Highlights
Changelog
Code Review
This pull request introduces SessionContext for SDK tool calls, providing tools with controlled access to session information, filesystem, and shell execution. While the implementation includes new modules (fs, shell, types), comprehensive tests, and an improved error handling mechanism with ModelVisibleError and sendErrorsToModel, a high-severity command injection vulnerability was identified in the SdkAgentShell.exec method. This method executes raw command strings, creating a significant risk if user-controllable input is used. Addressing this vulnerability is critical. Additionally, there is a high-severity suggestion to refine how tool errors are propagated to the model for correct response formatting.
…emove placeholder README
- adds tests to SDK tools
- adds ModelVisibleError for SDK error handling
- adds sdk test-data to .prettierignore

83a93f0 to 46b7f07

/gemini review
Code Review
The pull request introduces SessionContext for SDK tool calls, enhancing the SDK's functionality by providing tools with access to session-specific information like sessionId, cwd, transcript, and interfaces for filesystem (fs) and shell (shell) operations. This change, however, significantly increases the attack surface, introducing a critical command injection vulnerability from passing LLM-generated arguments directly to shell commands (as highlighted by the rule on sanitizing user-provided file paths for file system operations), and a high-severity prompt injection vulnerability due to passing raw user input to the LLM without proper sanitization (as per the rule on avoiding user input in llmContent). While the PR also includes error handling for tool execution and new test files, these security risks need immediate attention. Other comments address markdown syntax, TypeScript type usage, and copyright years.
packages/sdk/src/agent.ts
Outdated
| const invocation = | ||
| tool instanceof SdkTool | ||
| ? tool.createInvocationWithContext( | ||
| args as object, | ||
| this.config.getMessageBus(), | ||
| context, | ||
| ) | ||
| : tool.build(args as object); |
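Review bot: both branches cast with `args as object` and no validation of the model-supplied arguments is visible before `createInvocationWithContext(args as object, this.config.getMessageBus(), context)` hands them a context that carries shell and filesystem access; validate `args` against the tool's declared parameter schema first so an unexpected or malformed argument set fails closed instead of reaching the invocation, and consider threading an AbortSignal through here as well, since neither branch receives one.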
The GeminiCliAgent processes tool calls from the LLM by passing the model-generated arguments (toolCall.args) directly to tool implementations via the SessionContext. This context now includes powerful methods like context.shell.exec() and context.fs.writeFile(). If a developer creates a tool that passes arguments from the LLM to these methods, it creates a command injection vulnerability. An attacker can craft a prompt that causes the LLM to call such a tool with malicious arguments, leading to arbitrary command execution on the host system. The code on lines 148-155 in agent.ts directly facilitates this insecure data flow from the LLM to the tool invocation.
References
- Sanitize user-provided file paths used in file system operations to prevent path traversal vulnerabilities.
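The insecure data flow described in this comment, with a guard layer placed between model-produced tool arguments and a shell surface, as an added example that is not code from the PR or from the Gemini CLI project; the request shape, the command allowlist and the workspace-confinement rule are assumptions made for the example.

```typescript
import * as path from "node:path";

// Shape assumed for the request a SessionContext-style shell surface would receive;
// the PR's real SdkAgentShell.exec signature is not reproduced here.
export interface ShellRequest {
  argv: string[]; // run execFile-style as an argv array, never as one shell string
  cwd: string;
}

// Commands a tool is allowed to run; anything else fails closed (example policy).
const ALLOWED_COMMANDS = new Set(["ls", "cat", "git"]);

// The pattern the review flags: a model-supplied value spliced into one shell string.
export function unsafeCommandLine(args: { file: string }): string {
  return `cat ${args.file}`; // "notes.txt; echo injected" becomes two commands
}

// Resolve a model-supplied path and require it to stay inside the workspace.
// POSIX path semantics are used so the check is deterministic across hosts.
export function resolveInsideWorkspace(workspace: string, p: string): string {
  const root = path.posix.resolve(workspace);
  const full = path.posix.resolve(root, p);
  if (full !== root && !full.startsWith(root + "/")) {
    throw new Error(`path escapes workspace: ${p}`);
  }
  return full;
}

// Validate raw LLM tool arguments and turn them into an argv request.
export function buildShellRequest(workspace: string, raw: unknown): ShellRequest {
  if (typeof raw !== "object" || raw === null) {
    throw new Error("tool args must be an object");
  }
  const { command, args } = raw as { command?: unknown; args?: unknown };
  if (typeof command !== "string" || !ALLOWED_COMMANDS.has(command)) {
    throw new Error(`command not allowed: ${String(command)}`);
  }
  if (!Array.isArray(args) || !args.every((a) => typeof a === "string")) {
    throw new Error("args must be an array of strings");
  }
  const argv = [command];
  for (const a of args as string[]) {
    if (/[\0\r\n]/.test(a)) throw new Error("control characters in argument");
    // Flags pass through as-is; anything else is treated as a path and confined.
    argv.push(a.startsWith("-") ? a : resolveInsideWorkspace(workspace, a));
  }
  return { argv, cwd: path.posix.resolve(workspace) };
}
```

Because the result is an argv array, a value such as `notes.txt; echo injected` reaches the child process as a single literal filename rather than being parsed by a shell.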
| @@ -0,0 +1,279 @@ | |||
| # `Gemini CLI SDK` | |||
|
|
|||
| # `Examples` | |||
| import { GeminiCliAgent } from "@google/gemini-cli-sdk"; | ||
|
|
||
| const agent = new GeminiCliAgent({ | ||
| instructions: "This is a static string instruction"; // this is valid |
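Review bot: `instructions: "This is a static string instruction"; // this is valid` terminates an object property with a semicolon, which is a syntax error inside the `new GeminiCliAgent({ ... })` literal; it should be a comma. The headings `# \`Gemini CLI SDK\`` and `# \`Examples\`` also wrap their text in backticks, which renders them as code spans; plain heading text is the usual convention.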
| a: z.number().describe('first number to add'), | ||
| b: z.number().describe('second number to add'), | ||
| }), | ||
| }, (({a, b}) => ({result: a + b}),); |
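Review bot: `}, (({a, b}) => ({result: a + b}),);` wraps the callback in an extra pair of parentheses with a trailing comma, which is not valid TypeScript; the line should read `}, ({ a, b }) => ({ result: a + b }));`.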
| ## `Subagents` | ||
|
|
||
| ```ts | ||
| import { GeminiCliAgent, subagent } from "@google/gemini-cli"; |
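Review bot: this snippet imports from `@google/gemini-cli` while the earlier example imports `GeminiCliAgent` from `@google/gemini-cli-sdk`; the README should use one package name consistently, presumably the SDK package these docs describe.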
| @@ -0,0 +1,35 @@ | |||
| /** | |||
| * @license | |||
| * Copyright 2026 Google LLC | |||
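Review bot: only the license header is visible in this excerpt, and the review summary flags copyright years; confirm `Copyright 2026 Google LLC` matches the project's header convention for new files (the same header appears in each of the other new files in this PR).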
| @@ -0,0 +1,69 @@ | |||
| /** | |||
| * @license | |||
| * Copyright 2026 Google LLC | |||
| @@ -0,0 +1,147 @@ | |||
| /** | |||
| * @license | |||
| * Copyright 2026 Google LLC | |||
| @@ -0,0 +1,143 @@ | |||
| /** | |||
| * @license | |||
| * Copyright 2026 Google LLC | |||
| @@ -0,0 +1,41 @@ | |||
| /** | |||
| * @license | |||
| * Copyright 2026 Google LLC | |||
|
Should add an abort signal to the public method surfaces here.
Size Change: -2 B (0%) Total Size: 24.4 MB
Adds SessionContext and error handling.