fix: change gcloud orb region and zone cmds

[Jordan Ho (jordanjho)]

Summary

The gcloud orb's zone command had a typo with setting the zone so I fixed it. I also needed a region parameter to change the region in algorithms repo ci/cd so I don't change the region in code but can still test without 429 errors (more computing resources for region compared to global).

Custom Checklist Items

Standard Checklist

• My comments/docstrings/type hints are clear

• I've written new tests or this change does not need them

• I've tested this manually

• The architecture diagrams have been updated, if need be

• Any external changes/dependencies are linked and described

• I've included any special rollback strategies above

• Any relevant metrics/monitors/SLOs have been added or modified

• I've notified all relevant stakeholders of the change

• I've updated .github/CODEOWNERS, if relevant

[gemini-code-assist]

Summary of Changes

Hello Jordan Ho (@jordanjho), I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the gcloud orb by introducing a new "region" parameter, enabling users to explicitly define the Google Cloud compute region. This addition addresses the need for greater control over resource allocation in CI/CD pipelines, particularly to mitigate issues like 429 errors by leveraging regional resources. Additionally, it rectifies a previously identified typo in the "zone" command, ensuring accurate configuration of compute zones.

Highlights

• Gcloud Orb Parameter Expansion: Introduced a new "region" parameter to the gcloud orb to allow specifying the Google Cloud compute region, enhancing flexibility for CI/CD environments.
• Gcloud Zone Command Fix: Corrected a typo in the gcloud orb's zone command, changing "gcloud config set zone" to "gcloud config set compute/zone" for proper configuration.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• gcloud/orb.yaml
  • Added a new "region" parameter definition.
  • Implemented logic to set the "compute/region" based on the new "region" parameter.
  • Fixed the "gcloud config set zone" command to correctly use "gcloud config set compute/zone".

Activity

• No human activity has been recorded on this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	Gemini (@gemini-code-assist)	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on Gemini (@gemini-code-assist) comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request addresses a bug in the auth command by correcting the zone setting and introduces a new region parameter to enhance the orb's flexibility. However, a critical security concern has been identified: the region and zone parameters are directly used in shell commands without proper escaping, creating a command injection vulnerability. This could allow an attacker to execute arbitrary commands in the CI/CD environment. To fully leverage the new region parameter, high-level jobs such as deploy-cloud-function and deploy-gke should be updated to expose and pass this parameter to the auth command. Additionally, for Cloud Functions users, it's recommended to set functions/region alongside compute/region for better compatibility. It is strongly advised to refactor the parameter usage to pass them via environment variables to mitigate the command injection risk.

[gemini-code-assist]

This line is vulnerable to command injection. The region parameter is directly used in the gcloud command without proper escaping, allowing an attacker to execute arbitrary shell commands by manipulating the parameter value. This could lead to unauthorized access or data exfiltration. While addressing this critical security issue, also consider that Cloud Functions typically respects the functions/region property. It's recommended to set both compute/region and functions/region to ensure consistent regional application across services, using environment variables for safe parameter passing for both.

            - run:
                name: set compute/region
                command: gcloud --quiet config set compute/region "$REGION"
                environment:
                  REGION: <<parameters.region>>

References

1. Parameters passed to shell commands should always be handled via environment variables to prevent command injection vulnerabilities, as direct substitution can lead to arbitrary code execution.

[gemini-code-assist]

The auth command in the CircleCI orb uses string parameters region and zone directly in shell commands without proper escaping or sanitization. Specifically, the parameters are substituted into the command string within double quotes. If an attacker can control the value of these parameters (e.g., via a branch name or other untrusted input), they can break out of the double quotes and execute arbitrary shell commands.

Impact: An attacker could execute arbitrary commands in the CI/CD environment, potentially leading to the theft of sensitive credentials (like the GCP service key), modification of build artifacts, or unauthorized deployments.

Remediation: Use environment variables to pass parameter values to shell commands. This prevents the shell from interpreting the parameter value as part of the command structure.

            - run:
                name: set compute/zone
                command: gcloud --quiet config set compute/zone "$ZONE"
                environment:
                  ZONE: <<parameters.zone>>

[gemini-code-assist]

The addition of the region parameter is a great improvement. However, please note that the existing jobs in this orb (such as deploy-cloud-function and deploy-gke) do not currently expose a region parameter or pass it to this auth command. Furthermore, even the existing zone parameter is not passed to auth in those jobs. To make these features fully functional for users of those jobs, they should be updated to accept and pass these parameters to the auth command.