fix(security): validate --upload and --output file paths

[AshwinRenjith]

Harden file path handling for untrusted CLI inputs by adding safe upload/output validators and enforcing them centrally in execute_method.

Covers traversal, absolute paths, control characters, and symlink escapes before any file I/O. Adds regression tests and required changeset.

Description

This PR fixes a filesystem trust-boundary gap where untrusted CLI path inputs (--upload, --output) could be consumed directly for file I/O.

Changes:

• Added validate_safe_upload_file_path and validate_safe_output_file_path in src/validate.rs.
• Enforced both validators centrally in src/executor.rs::execute_method, so all command paths (including helpers) are covered.
• Added regression tests for traversal, absolute paths, control characters, and symlink-escape cases.
• Added required changeset: .changeset/hardening-upload-output-paths.md.

Dry Run Output (--output safe path):

{
  "body": null,
  "dry_run": true,
  "is_multipart_upload": false,
  "method": "GET",
  "query_params": {},
  "url": "https://www.googleapis.com/drive/v3/files"
}

Dry Run Output (--upload safe path):

{
  "body": null,
  "dry_run": true,
  "is_multipart_upload": true,
  "method": "POST",
  "query_params": {},
  "url": "https://www.googleapis.com/upload/drive/v3/files"
}

Checklist:

• My code follows the AGENTS.md guidelines (no generated google-* crates).
• I have run cargo fmt --all to format the code perfectly.
• I have run cargo clippy -- -D warnings and resolved all warnings.
• I have added tests that prove my fix is effective or that my feature works.
• I have provided a Changeset file (e.g. via pnpx changeset) to document my changes.

[changeset-bot]

🦋 Changeset detected

Latest commit: 9eaf1b0

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@googleworkspace/cli	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly improves the security posture of the application by implementing robust validation for user-provided file paths. It addresses a potential trust-boundary gap by ensuring that paths specified via --upload and --output CLI arguments are safe and do not lead to unintended file system access or manipulation. The changes centralize path validation and include comprehensive tests to prevent common file system attacks.

Highlights

• Enhanced File Path Validation: Introduced new validation functions (validate_safe_upload_file_path and validate_safe_output_file_path) to rigorously check --upload and --output CLI file paths for security vulnerabilities.
• Centralized Enforcement: Integrated the new path validators into the execute_method function in src/executor.rs, ensuring all command paths are securely handled before any file I/O operations.
• Robust Security Checks: The validation logic now explicitly rejects absolute paths, prevents directory traversal, and guards against symlink escapes, along with checking for control characters.
• Comprehensive Regression Tests: Added new #[tokio::test] cases to verify that unsafe upload and output paths are correctly rejected, covering various attack vectors.
• Changelog Entry: A new changeset file (.changeset/hardening-upload-output-paths.md) was added to document the security hardening for file path handling.

Changelog

• .changeset/hardening-upload-output-paths.md
  • Harden --upload and --output path handling by validating file paths against traversal, absolute paths, control characters, and symlink escape before any file I/O.

Activity

• No human activity has been recorded on this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Generative AI Prohibited Use Policy, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces important security validations for file paths provided via --upload and --output. However, the validation logic for output files is vulnerable to a bypass using broken symbolic links, which could allow an attacker to write files outside the current directory. Additionally, a critical Time-of-check to Time-of-use (TOCTOU) race condition vulnerability exists in the new validation logic, potentially allowing unintended file access. The new validation functions also perform blocking I/O within an async context, which may impact performance and stability.

[github-actions]

/gemini review

[github-actions]

/gemini review

[github-actions]

/gemini review

[github-actions]

/gemini review

[googleworkspace-bot]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces important security hardening for file path handling, which is a great improvement. The use of spawn_blocking for file I/O and the TOCTOU-aware validation on Unix platforms using openat and O_NOFOLLOW are excellent.

However, I've found critical security vulnerabilities in the non-Unix implementations of read_safe_upload_file and open_safe_output_file. They are susceptible to Time-of-check to time-of-use (TOCTOU) race conditions, which could lead to arbitrary file reads and writes, undermining the goal of this PR. Please see my detailed comments in src/validate.rs.

[gemini-code-assist]

The non-unix implementation of read_safe_upload_file is vulnerable to a Time-of-check to time-of-use (TOCTOU) race condition. validate_safe_upload_file_path is called first, but std::fs::read(&canonical) is used afterwards, which follows symlinks. An attacker could replace a component of the validated path with a symlink to a sensitive file (e.g., ../../.ssh/id_rsa) between the validation check and the file read operation. This would bypass the path safety checks and could lead to arbitrary file reads. This is a critical security flaw.

To mitigate this on Windows, you would need to use the CreateFileW function from the Windows API with the FILE_FLAG_OPEN_REPARSE_POINT flag to open the symlink itself, and then verify its target. This is more complex than the std::fs API allows but is necessary for a secure implementation.

[gemini-code-assist]

The non-unix implementation of open_safe_output_file is vulnerable to a Time-of-check to time-of-use (TOCTOU) race condition. After validate_safe_output_file_path checks the path, opts.open(&canonical) is called, which follows symlinks. An attacker could replace a path component with a symlink to a sensitive file (e.g., /etc/passwd) between validation and opening, causing your application to overwrite it.

The post-open check canonical.canonicalize() is also racy as it operates on the path, not the opened file handle, and the file is already open for writing at this point.

This is a critical security vulnerability that could lead to arbitrary file writes.

To mitigate this on Windows, you would need to use the CreateFileW function with appropriate flags (CREATE_NEW for new files, and FILE_FLAG_OPEN_REPARSE_POINT to handle existing symlinks safely).