Warn user when we overwrite a command due to conflict with extensions

[chrstnb]

Summary

PR Description: Extension Command Precedence Hijacking Mitigations

Description

This PR implements several security and usability mitigations to prevent "alphabetical precedence hijacking" of extension commands, as described in issue #1207.

Malicious extensions could previously capture unprefixed command names (e.g., /gcloud:deploy) simply by choosing a name that sorts alphabetically before legitimate extensions. These changes make command provenance explicit and warn users before potentially hijacked names are installed.

Key Changes

1, Notification on Extension Command Prefixing

• Modified CommandService.ts to dispatch an 'info' feedback event when an extension command is automatically renamed (prefixed) due to a naming conflict.
• Example: Extension command '/deploy' from 'firebase' was renamed to '/firebase.deploy' due to a conflict with an existing command.

3. Extension Installation Conflict Check

• Added checkCommandConflicts to ExtensionManager.ts.
• When installing or updating an extension, the CLI now scans the extension's commands/ directory and compares proposed command names against all currently registered commands.
• If conflicts are detected, a warning is displayed listing the affected commands and their new renamed paths. The user must explicitly consent to continue the installation.

Verification Results

Automated Tests

• Added a new test case to packages/cli/src/services/CommandService.test.ts to verify that conflict notifications are emitted.
• Verified all CommandService tests pass.
• Verified manual conflict check logic with a temporary test suite (later removed) covering:
  • New extension conflict detection.
  • User consent/denial handling.
  • Skipping conflict checks for an extension's own existing commands during updates.

Test Command

npm test -w packages/cli -- src/services/CommandService.test.ts

Fixes #1207

Details

Related Issues

How to Validate

Pre-Merge Checklist

• Updated relevant documentation and README (if needed)
• Added/updated tests (if needed)
• Noted breaking changes (if any)
• Validated on required platforms/methods:
  • MacOS
    • npm run
    • npx
    • Docker
    • Podman
    • Seatbelt
  • Windows
    • npm run
    • npx
    • Docker
  • Linux
    • npm run
    • npx
    • Docker

[gemini-code-assist]

Summary of Changes

Hello @chrstnb, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security and usability of extension command management by addressing potential "alphabetical precedence hijacking" issues. It introduces proactive conflict detection during extension installation, warning users about command name clashes and requiring their consent before proceeding. Additionally, it provides clear notifications when extension commands are automatically prefixed to resolve conflicts, ensuring transparency and preventing unexpected behavior.

Highlights

• Extension Command Prefixing Notification: The system now emits an 'info' feedback event when an extension command is automatically renamed (prefixed) due to a naming conflict, making users aware of the change and ensuring transparency.
• Extension Installation Conflict Check: A new mechanism has been introduced to scan for command name conflicts when installing or updating extensions. If conflicts are found, a warning is displayed to the user, listing affected commands and their renamed paths, requiring explicit consent to proceed with the installation.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

Size Change: +2.97 kB (+0.01%)

Total Size: 23.2 MB

Filename	Size	Change
./bundle/gemini.js	23.1 MB	+2.97 kB (+0.01%)

ℹ️ View Unchanged

Filename	Size
./bundle/sandbox-macos-permissive-closed.sb	1.03 kB
./bundle/sandbox-macos-permissive-open.sb	890 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB
./bundle/sandbox-macos-restrictive-closed.sb	3.29 kB
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB

_{compressed-size-action}

[gemini-code-assist]

Code Review

This pull request aims to mitigate extension command hijacking by checking for conflicts during installation and notifying users of renames. However, the new conflict detection logic in ExtensionManager is vulnerable to terminal injection because command names derived from extension filenames are used unsanitized in a security-sensitive consent prompt, which could allow manipulation of warning messages. Furthermore, the conflict detection logic has a high-severity issue that could lead to false positives by not fully validating .toml files against the schema.

[gemini-code-assist]

The checkCommandConflicts method is vulnerable to terminal injection as command names (baseCommandName) derived from filenames are not sanitized for ANSI escape sequences, potentially allowing malicious extensions to manipulate the terminal output during the consent warning. Sanitize these command names using escapeAnsiCtrlCodes. Furthermore, the current conflict detection logic can lead to false positives because it checks for .toml files without validating them against the TomlCommandDefSchema. Ensure accuracy by parsing and validating each .toml file against the schema before considering it a conflict.

[gemini-cli]

Hi there! Thank you for your contribution to Gemini CLI. We really appreciate the time and effort you've put into this pull request.

To keep our backlog manageable and ensure we're focusing on current priorities, we are closing pull requests that haven't seen maintainer activity for 30 days. Currently, the team is prioritizing work associated with 🔒 maintainer only or help wanted issues.

If you believe this change is still critical, please feel free to comment with updated details. Otherwise, we encourage contributors to focus on open issues labeled as help wanted. Thank you for your understanding!