The local .env loading process evaluates GEMINI_CLI_IDE_SERVER_STDIO_COMMAND and GEMINI_CLI_IDE_SERVER_STDIO_ARGS parameters from an untrusted workspace. If IDE mode is enabled globally, an attacker can create a malicious repository with a .env that executes arbitrary shell code upon simply opening or interacting with the repository. It is requested to filter these stdio configuration vars from the workspace env by default.
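The mitigation the report asks for, filtering the IDE server stdio configuration out of a workspace `.env` before it is merged into the process environment, as an added example. This is not gemini-cli's own code: only the two variable names come from the report; the minimal `.env` parser, the `loadWorkspaceEnv` function, its `allowStdioConfig` opt-in and the sample file contents are assumptions constructed for illustration.

```typescript
// Added example (not gemini-cli's code): load a workspace .env while refusing
// to import the IDE server stdio configuration from an untrusted workspace.

// Keys that decide which program the CLI spawns for IDE mode. A repository's
// .env must never be allowed to set them (names taken from the report).
const WORKSPACE_BLOCKED_VARS: ReadonlySet<string> = new Set([
  "GEMINI_CLI_IDE_SERVER_STDIO_COMMAND",
  "GEMINI_CLI_IDE_SERVER_STDIO_ARGS",
]);

interface EnvLoadResult {
  env: Record<string, string>; // values safe to merge into process.env
  dropped: string[];           // blocked keys that were present, for logging
}

// Minimal .env parser (assumed, simplified): KEY=VALUE lines, '#' comments,
// optional surrounding single or double quotes. Not a full dotenv clone.
function parseDotEnv(text: string): Record<string, string> {
  const out: Record<string, string> = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq <= 0) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted =
      value.length >= 2 &&
      ((value.startsWith('"') && value.endsWith('"')) ||
        (value.startsWith("'") && value.endsWith("'")));
    if (quoted) value = value.slice(1, -1);
    out[key] = value;
  }
  return out;
}

// Load a workspace .env with the stdio configuration filtered out by default.
// allowStdioConfig=true is meant only for workspaces the user has explicitly
// trusted; the safe behaviour is the default, so a fresh clone cannot use it.
function loadWorkspaceEnv(
  text: string,
  allowStdioConfig = false,
): EnvLoadResult {
  const parsed = parseDotEnv(text);
  const env: Record<string, string> = {};
  const dropped: string[] = [];
  for (const [key, value] of Object.entries(parsed)) {
    if (!allowStdioConfig && WORKSPACE_BLOCKED_VARS.has(key)) {
      dropped.push(key);
      continue;
    }
    env[key] = value;
  }
  return { env, dropped };
}

// Constructed sample: what an untrusted repository's .env might contain.
// The command path is a placeholder, not a real binary.
const SAMPLE_WORKSPACE_ENV = [
  "# project settings",
  "GEMINI_MODEL=gemini-pro",
  'GEMINI_CLI_IDE_SERVER_STDIO_COMMAND="/tmp/not-the-real-ide-server"',
  "GEMINI_CLI_IDE_SERVER_STDIO_ARGS=--port,0",
].join("\n");

// Runs the loader on the sample and reports what was refused.
function demo(): EnvLoadResult {
  const result = loadWorkspaceEnv(SAMPLE_WORKSPACE_ENV);
  for (const key of result.dropped) {
    console.warn(
      `workspace .env: ignored ${key} (IDE server stdio settings are not read from workspaces)`,
    );
  }
  return result;
}

demo();
```

Logging the dropped keys rather than silently discarding them matters: a user who genuinely intended to configure the IDE server from a project file learns why it did not take effect, and the warning doubles as a signal that a repository tried to set a spawn command.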