fix: prevent crash when message contains image from clipboard on Windows

[enjoykumawat]

Summary

Fixes #24817 — On Windows, pasting a clipboard image into the CLI causes a RangeError: path should be a path.relative()'d string crash.

Root cause: Clipboard images are saved to a temp directory outside the project (e.g., C:/Users/.../.gemini/tmp/editor/images/clipboard-xxx.png). When resolveFilePaths() in atCommandProcessor.ts passes this absolute path to FileDiscoveryService.shouldIgnoreFile(), the ignore library's checkPath() throws a RangeError because it only accepts relative paths within the project root.

Fix: Convert absolute @path references to relative paths (relative to the workspace root) before calling the ignore check. If the resulting relative path starts with .. (meaning it's outside the project), skip the ignore check entirely — files outside the project can't be gitignored/geminiignored anyway.

Changes

• packages/cli/src/ui/hooks/atCommandProcessor.ts: Convert absolute paths to relative before ignore checks, skip check for out-of-project paths
• packages/cli/src/ui/hooks/atCommandProcessor.test.ts: Add test for absolute clipboard image paths outside the project

Test plan

• All 60 atCommandProcessor.test.ts tests pass (59 existing + 1 new)
• New test verifies: absolute temp path for clipboard image does not throw RangeError
• Existing git-ignore and gemini-ignore tests still pass (no regression)
• ESLint + Prettier pass via pre-commit hooks

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a runtime crash occurring on Windows when users paste images from the clipboard into the CLI. The issue was caused by the ignore library failing to process absolute paths pointing to temporary directories outside the project root. The changes ensure that such paths are correctly handled by converting them to relative paths or bypassing the ignore check entirely for out-of-project files.

Highlights

• Crash Prevention: Updated the path resolution logic to prevent a RangeError when processing absolute paths for clipboard images on Windows.
• Path Handling: Implemented conversion of absolute paths to relative paths before performing ignore checks, and added logic to skip checks for files located outside the project workspace.
• Test Coverage: Added a new test case to verify that absolute paths outside the project directory no longer trigger a crash.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request prevents crashes when handling absolute paths outside the project directory, such as temporary clipboard images, by converting them to relative paths before performing ignore checks. A review comment identified that the current logic is insufficient for Windows environments where paths across different drives can cause path.relative to return absolute paths. It is recommended to use a more robust resolution method to ensure consistent behavior and mitigate path traversal risks.

[gemini-code-assist]

The current logic for determining if a path is outside the project is incomplete for Windows environments where path.relative can return an absolute path for different drives. To ensure consistent and robust path resolution and to prevent path traversal vulnerabilities, use a single function like resolveToRealPath for all path validations as per repository standards. This ensures that path traversal checks are handled uniformly and correctly across different operating systems.

    let ignoreCheckPath = pathName;
    if (path.isAbsolute(pathName)) {
      const targetDir = resolveToRealPath(config.getTargetDir());
      const resolvedPath = resolveToRealPath(pathName);
      ignoreCheckPath = path.relative(targetDir, resolvedPath);
    }
    const isOutsideProject = ignoreCheckPath.startsWith('..') || path.isAbsolute(ignoreCheckPath);

References

1. Ensure consistent path resolution by using a single, robust function (e.g., resolveToRealPath) for all related path validations, including internal validations in components like WorkspaceContext.
2. Sanitize user-provided file paths used in file system operations to prevent path traversal vulnerabilities.

[enjoykumawat]

Good catch — addressed in commit 684bae1:

1. Cross-drive check: Added || path.isAbsolute(ignoreCheckPath) to isOutsideProject — on Windows, path.relative() between different drives (e.g., C: vs D:) returns an absolute path instead of a ..-prefixed one.

2. Consistent resolution: Now using resolveToRealPath() for both targetDir and pathName before computing the relative path, ensuring symlinks and junction points are resolved uniformly.

3. New test: Added a cross-drive path test that verifies the ignore check does not throw for paths on a different drive.

[enjoykumawat]

Thanks for the review! Addressed the cross-drive path concern in commit ade20ae.

The issue was that path.relative() between different Windows drives (e.g., C: and D:) returns the source path unchanged as an absolute path. The previous fix correctly guarded the ignore check with path.isAbsolute(), but the same pattern affected two more code paths:

1. File-stat path (relativePath ~line 292): when an absolute path on a different drive is resolved, path.relative(dir, absolutePath) still returns absolute. Now falls back to absolutePath.
2. Glob fallback path (pathSpec ~line 342): same issue for glob-found matches. Now falls back to firstMatchAbsolute.

Both cases now use path.isAbsolute() to detect the cross-drive scenario and fall back to the absolute path, which downstream tools handle correctly.

[gemini-cli]

Hi there! Thank you for your interest in contributing to Gemini CLI.

To ensure we maintain high code quality and focus on our prioritized roadmap, we have updated our contribution policy (see Discussion #17383).

We only guarantee review and consideration of pull requests for issues that are explicitly labeled as 'help wanted'. All other community pull requests are subject to closure after 14 days if they do not align with our current focus areas. For this reason, we strongly recommend that contributors only submit pull requests against issues explicitly labeled as 'help-wanted'.

This pull request is being closed as it has been open for 14 days without a 'help wanted' designation. We encourage you to find and contribute to existing 'help wanted' issues in our backlog! Thank you for your understanding and for being part of our community!