fix(core): resolve symlinks for non-existent paths during validation #21487

Merged: jerop merged 3 commits into main from adibakm/fix-symlink-path-validation on Mar 9, 2026

@Adib234 Adib234 commented Mar 6, 2026

Summary

Fixes a path validation bug where attempting to write a new file to a directory that is a symbolic link would fail with a "Path not in workspace" error. fs.realpathSync fails on non-existent paths, which caused it to fall back to an unresolved path that mismatched with the fully resolved project temporary directory during the isSubpath check.

Details

Updates resolveToRealPath in packages/core/src/utils/paths.ts to robustly resolve parent directories recursively if fs.realpathSync throws an ENOENT error. Updates Config.isPathAllowed to use this improved helper. Added unit tests to verify that symlinked parent paths are correctly resolved for non-existent children, and updated storage.test.ts to reflect the fixed resolveToRealPath behavior.

Related Issues

Fixes #21489

How to Validate

  1. Run the unit tests: npm test -w @google/gemini-cli-core
  2. Create a symlink to a directory.
  3. Use that symlink as your .gemini directory or temporary project path.
  4. Try to write a new file (e.g. creating a plan). It should now succeed.

Pre-Merge Checklist

  • Updated relevant documentation and README (if needed)
  • Added/updated tests (if needed)
  • Noted breaking changes (if any)
  • Validated on required platforms/methods:
    • MacOS
      • npm run
      • npx
      • Docker
      • Podman
      • Seatbelt
    • Windows
      • npm run
      • npx
      • Docker
    • Linux
      • npm run
      • npx
      • Docker
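
The fallback-versus-ancestor resolution described in the summary above, as an added Node.js sketch that is not the project's code; it goes one step beyond the reported case by also checking a symlink inside the allowed root that points outside it. The function names, the constructed directory layout and the dangling-symlink refusal are assumptions of this example, not taken from packages/core/src/utils/paths.ts.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Pattern described as the bug: on failure, fall back to the unresolved path.
function naiveRealPath(p) {
  try { return fs.realpathSync(p); } catch { return path.resolve(p); }
}

// Pattern described as the fix: on ENOENT, resolve the nearest existing
// ancestor and re-append the segments that do not exist yet.
function resolveViaExistingAncestor(p) {
  const abs = path.resolve(p);
  try {
    return fs.realpathSync(abs);
  } catch (err) {
    const parent = path.dirname(abs);
    if (err.code !== 'ENOENT' || parent === abs) throw err;
    // Added assumption: a dangling symlink also raises ENOENT; refuse it.
    if (fs.lstatSync(abs, { throwIfNoEntry: false })?.isSymbolicLink()) throw err;
    return path.join(resolveViaExistingAncestor(parent), path.basename(abs));
  }
}

// True when candidate is root itself or lies beneath it.
function isSubpath(root, candidate) {
  const rel = path.relative(root, candidate);
  return rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);
}

// Constructed layout: alias -> real (the allowed root), real/escape -> outside.
function demo() {
  const base = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), 'symlink-demo-')));
  const [real, outside] = ['real', 'outside'].map((d) => path.join(base, d));
  for (const d of [real, outside]) fs.mkdirSync(d);
  fs.symlinkSync(real, path.join(base, 'alias'));
  fs.symlinkSync(outside, path.join(real, 'escape'));
  const viaAlias = path.join(base, 'alias', 'plans', 'new.md'); // not created
  const viaEscape = path.join(real, 'escape', 'new.md'); // not created
  const check = (resolve, p) => isSubpath(real, resolve(p));
  const result = {
    naiveAlias: check(naiveRealPath, viaAlias), // false: valid write rejected
    fixedAlias: check(resolveViaExistingAncestor, viaAlias), // true
    naiveEscape: check(naiveRealPath, viaEscape), // true: check fails open
    fixedEscape: check(resolveViaExistingAncestor, viaEscape), // false
  };
  fs.rmSync(base, { recursive: true, force: true });
  return result;
}
```

The `naiveEscape` result shows why the unresolved fallback matters for more than usability: the same fallback that rejects a legitimate write through `alias` accepts a path whose real destination is outside the allowed root.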

@Adib234 Adib234 requested a review from a team as a code owner March 6, 2026 23:36
gemini-cli bot commented Mar 6, 2026

Hi @Adib234, thank you so much for your contribution to Gemini CLI! We really appreciate the time and effort you've put into this.

We're making some updates to our contribution process to improve how we track and review changes. Please take a moment to review our recent discussion post: Improving Our Contribution Process & Introducing New Guidelines.

Key Update: Starting January 26, 2026, the Gemini CLI project will require all pull requests to be associated with an existing issue. Any pull requests not linked to an issue by that date will be automatically closed.

Thank you for your understanding and for being a part of our community!

@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical path validation issue that previously prevented the creation of new files within directories that were symbolic links. The core of the fix involves significantly improving the resolveToRealPath utility function to correctly resolve paths even when parts of the path (specifically, the target file) do not yet exist. This is achieved by robustly handling ENOENT errors during fs.realpathSync calls and recursively resolving parent directories. This enhancement ensures that the system accurately identifies whether a given path falls within allowed workspace or temporary directories, thereby improving the reliability of file system operations.

Highlights

  • Path Validation Fix: Resolved a bug where attempting to write new files to directories that were symbolic links would incorrectly fail with a "Path not in workspace" error.
  • Robust Symlink Resolution: Enhanced the resolveToRealPath utility function to correctly handle non-existent paths by recursively resolving symlinked parent directories when fs.realpathSync throws an ENOENT error.
  • Improved isPathAllowed Logic: Updated Config.isPathAllowed to utilize the more robust resolveToRealPath function, ensuring accurate path checks for both workspace and temporary directories.
  • Expanded Test Coverage: Added new unit tests specifically for resolveToRealPath to verify its behavior with symlinked parent paths and non-existent children.
  • Test Case Updates: Modified existing error messages in storage.test.ts to reflect the improved and accurate path resolution logic provided by resolveToRealPath.

Changelog

  • packages/core/src/config/config.ts
    • Removed an unused import for the os module.
    • Imported the new resolveToRealPath utility function.
    • Refactored the isPathAllowed method to use the imported resolveToRealPath function for path resolution, replacing an inline realpath helper.
  • packages/core/src/config/storage.test.ts
    • Imported resolveToRealPath for use in test assertions.
    • Updated expected error messages in Storage tests to dynamically use resolveToRealPath for more accurate path comparisons.
  • packages/core/src/utils/paths.test.ts
    • Added a new test case to resolveToRealPath to verify its ability to recursively resolve symlinks for non-existent child paths.
  • packages/core/src/utils/paths.ts
    • Modified the resolveToRealPath function signature to use pathStr as the parameter name.
    • Extracted the core realpath logic into a new private helper function named robustRealpath.
    • Implemented recursive resolution within robustRealpath to handle ENOENT errors by resolving parent directories until a real path is found, then rejoining the remaining path segments.

Activity

  • Added and updated tests to cover the new path resolution logic.
  • Validated the changes on MacOS using npm run.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request effectively addresses a bug with path validation for non-existent files in symlinked directories by introducing a robust, recursive resolveToRealPath function. The changes are well-implemented and include corresponding test updates. However, the fix is not fully propagated throughout the codebase. A similar path validation issue remains in WorkspaceContext, which is called by the modified code and could lead to incorrect behavior in scenarios involving workspace directories, as highlighted by our internal rules on path validation and symbolic link resolution. I've added a comment with more details.

github-actions bot commented Mar 6, 2026

Size Change: -249 B (0%)

Total Size: 26 MB

ℹ️ View Unchanged
Filename Size Change
./bundle/gemini.js 25.5 MB -249 B (0%)
./bundle/node_modules/@google/gemini-cli-devtools/dist/client/main.js 221 kB 0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/_client-assets.js 227 kB 0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/index.js 11.5 kB 0 B
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/types.js 132 B 0 B
./bundle/sandbox-macos-permissive-open.sb 890 B 0 B
./bundle/sandbox-macos-permissive-proxied.sb 1.31 kB 0 B
./bundle/sandbox-macos-restrictive-open.sb 3.36 kB 0 B
./bundle/sandbox-macos-restrictive-proxied.sb 3.56 kB 0 B
./bundle/sandbox-macos-strict-open.sb 4.82 kB 0 B
./bundle/sandbox-macos-strict-proxied.sb 5.02 kB 0 B

compressed-size-action

@Adib234 Adib234 self-assigned this Mar 6, 2026
@gemini-cli gemini-cli bot added the area/core Issues related to User Interface, OS Support, Core Functionality label Mar 6, 2026
The path validation logic in Config.isPathAllowed failed when attempting
to write a new file to a directory that is a symbolic link. This happened
because fs.realpathSync fails on non-existent paths, falling back to an
unresolved path which then mismatches with the resolved project temporary
directory during the isSubpath check.

This commit updates resolveToRealPath to robustly resolve parent
directories even if the leaf file does not exist, and updates
isPathAllowed to use this improved helper.
@Adib234 Adib234 force-pushed the adibakm/fix-symlink-path-validation branch from 54afae1 to c478436 Compare March 7, 2026 02:29
@jerop jerop added the release/patch-to-preview PR needs to be patch to preview release label Mar 9, 2026
@gemini-cli gemini-cli bot added the 🔒 maintainer only ⛔ Do not contribute. Internal roadmap item. label Mar 9, 2026
@jerop jerop added this pull request to the merge queue Mar 9, 2026
@Adib234 Adib234 removed this pull request from the merge queue due to a manual request Mar 9, 2026

Adib234 commented Mar 9, 2026

Tested locally with symlinks but want to verify it works with gctx

@Adib234 Adib234 added this pull request to the merge queue Mar 9, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Mar 9, 2026
@jerop jerop added this pull request to the merge queue Mar 9, 2026
Merged via the queue into main with commit 7837194 Mar 9, 2026
27 checks passed
@jerop jerop deleted the adibakm/fix-symlink-path-validation branch March 9, 2026 16:19

jerop commented Mar 9, 2026

/patch preview

github-actions bot commented Mar 9, 2026

Patch workflow(s) dispatched successfully!

📋 Details:

  • Channels: preview
  • Commit: 7837194ab54fb66ee88153734c9be53b10085340
  • Workflows Created: 1

github-actions bot commented Mar 9, 2026

🚀 Patch PR Created!

📝 Next Steps:

  1. Review and approve the hotfix PR: #21720
  2. Once merged, the patch release will automatically trigger
  3. You'll receive updates here when the release completes

github-actions bot commented Mar 9, 2026

🚀 Patch Release Started!

📋 Release Details:

  • Environment: prod
  • Channel: preview → publishing to npm tag preview
  • Version: v0.33.0-preview.5
  • Hotfix PR: Merged ✅
  • Release Branch: release/v0.33.0-preview.5-pr-21487

⏳ Status: The patch release is now running. You'll receive another update when it completes.

github-actions bot commented Mar 9, 2026

Patch Release Failed!

📋 Details:

  • Version: 0.33.0-preview.6
  • Channel: preview
  • Error: The patch release workflow encountered an error

🔍 Next Steps:

  1. Check the workflow logs for detailed error information
  2. The maintainers have been notified via automatic issue creation
  3. You may need to retry the patch once the issue is resolved

jerop commented Mar 9, 2026

/patch preview

github-actions bot commented Mar 9, 2026

Patch workflow(s) dispatched successfully!

📋 Details:

  • Channels: preview
  • Commit: 7837194ab54fb66ee88153734c9be53b10085340
  • Workflows Created: 1

github-actions bot commented Mar 9, 2026

Patch creation failed!

There was an error creating the patch release.

🔍 Troubleshooting:

  • Check the workflow logs for detailed error information
  • Verify the commit SHA is valid and accessible
  • Ensure you have permissions to create branches and PRs

github-actions bot commented Mar 9, 2026

Patch Release Failed!

📋 Details:

  • Version: 0.33.0-preview.7
  • Channel: preview
  • Error: The patch release workflow encountered an error

🔍 Next Steps:

  1. Check the workflow logs for detailed error information
  2. The maintainers have been notified via automatic issue creation
  3. You may need to retry the patch once the issue is resolved

Development

Successfully merging this pull request may close these issues.

Writing a plan file fails when .gemini is a symlink