fix: temp fix for subagent invocation until subagent delegation is merged to stable #15007
Conversation
Summary of ChangesHello @abhipatel12, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request introduces a temporary fix by adjusting a policy configuration to explicitly allow Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
|
Size Change: -2 B (0%) Total Size: 21.6 MB ℹ️ View Unchanged
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates a policy rule in read-only.toml to allow SubagentInvocation as a temporary fix for running the codebase_investigator subagent. This change, however, introduces two significant security concerns. First, the codebase_investigator agent is susceptible to a high-severity prompt injection vulnerability, which could allow an attacker to exfiltrate sensitive data by overriding its intended function. Second, the updated policy rule is overly broad, granting automatic execution permission to any tool named SubagentInvocation, not just the read-only codebase_investigator, thereby risking misuse by more powerful subagents. It is recommended to address the prompt injection by sanitizing the agent's input and to refine the policy rule, potentially using an argsPattern, to restrict permissions specifically to the codebase_investigator.
|
|
||
| [[rule]] | ||
| toolName = "codebase_investigator" | ||
| toolName = "SubagentInvocation" |
There was a problem hiding this comment.
This change broadens the policy from allowing a specific, read-only agent (codebase_investigator) to allowing any tool named SubagentInvocation. This means any current or future subagent invoked through this mechanism will be automatically allowed, regardless of its capabilities (e.g., file writing, shell execution). This poses a potential security risk by granting overly broad permissions.
While the PR title indicates this is a temporary fix, a safer approach would be to make this rule more specific. If the logic that creates the SubagentInvocation tool call can include the agent's name in the arguments (e.g., as agentName), you could use an argsPattern to restrict this permission. The rule would look something like this:
[[rule]]
toolName = "SubagentInvocation"
# This pattern matches if '"agentName":"codebase_investigator"' is in the arguments.
argsPattern = "agentName\\":\\"codebase_investigator"
decision = "allow"
priority = 50This would ensure only the intended read-only agent is allowed, mitigating the risk of unintentionally permitting more powerful subagents.
|
/patch preview |
|
✅ Patch workflow(s) dispatched successfully! 📋 Details:
🔗 Track Progress: |
|
🚀 Patch PR Created! 📋 Patch Details:
📝 Next Steps:
🔗 Track Progress: |
|
🚀 Patch Release Started! 📋 Release Details:
⏳ Status: The patch release is now running. You'll receive another update when it completes. 🔗 Track Progress: |
|
/patch stable |
|
✅ Patch workflow(s) dispatched successfully! 📋 Details:
🔗 Track Progress: |
…rged to stable (#15007) # Conflicts: # packages/core/src/policy/policies/read-only.toml
|
🚀 Patch PR Created! 📋 Patch Details:
📝 Next Steps:
🔗 Track Progress: |
|
✅ Patch Release Complete! 📦 Release Details:
🎉 Status: Your patch has been successfully released and published to npm! 📝 What's Available:
🔗 Links: |
|
🚀 Patch Release Started! 📋 Release Details:
⏳ Status: The patch release is now running. You'll receive another update when it completes. 🔗 Track Progress: |
|
✅ Patch Release Complete! 📦 Release Details:
🎉 Status: Your patch has been successfully released and published to npm! 📝 What's Available:
🔗 Links: |
… subagent delegation is merged to stable (google-gemini#15007)
2 participants
Fix forward for codebase investigator needing to be allowed via user confirmation.