fix(security): validate space name in chat +send

[anshul-garg27]

Summary

• Add validate_resource_name() to the --space argument in chat +send
• Prevents path traversal (../) and query injection (?, #) via the space parameter
• Consistent with validation already applied in gmail +watch, events +subscribe, and modelarmor helpers

Details

The --space value in chat +send was passed directly into params["parent"] without going through validate_resource_name(). While the executor's URL encoding layer mitigates most attacks, this is inconsistent with other helpers that validate resource names before URL construction.

Test plan

• Added test: space with ../ path traversal is rejected
• Added test: space with ?key=injected query injection is rejected
• Added test: valid space names still pass
• Existing chat tests updated for new Result return type

[changeset-bot]

🦋 Changeset detected

Latest commit: e37fa1d

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@googleworkspace/cli	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security of the chat +send command by introducing robust validation for the --space argument. It prevents potential path traversal and query injection attacks, ensuring that resource names are properly sanitized before use. This change standardizes the validation process across various helper functions, contributing to a more secure and consistent application.

Highlights

• Security Validation: Implemented validate_resource_name() for the --space argument in the chat +send command to prevent path traversal (../) and query injection (?, #) vulnerabilities.
• Consistency: Aligned the validation logic for the chat +send command with existing security practices already applied in other helpers like gmail +watch and events +subscribe.
• Error Handling: Modified the parse_send_args function to return a Result type, allowing for proper error propagation when validation fails.

Changelog

• .changeset/fix-chat-send-validate-space.md
  • Added a new changeset file documenting the security fix for chat +send.
• src/helpers/chat.rs
  • Modified the parse_send_args function to return a Result type, enabling error propagation for validation failures.
  • Integrated crate::validate::validate_resource_name() to validate the space argument.
  • Updated existing test cases and added new tests to specifically verify rejection of path traversal and query injection in the space argument.

Activity

• Added tests to confirm rejection of space names containing path traversal sequences.
• Added tests to confirm rejection of space names containing query injection characters.
• Added tests to ensure valid space names continue to pass validation.
• Updated existing chat tests to accommodate the new Result return type from parse_send_args.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Generative AI Prohibited Use Policy, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request adds important security validation to the chat +send command by checking the --space argument for path traversal and query injection attempts. The change is consistent with other helpers in the codebase and includes new tests to cover these security cases. My review focuses on improving the robustness of the argument parsing logic. I've suggested a change to avoid using unwrap() which could lead to a panic, even if it's unlikely to be triggered in practice.