fix(core): fail closed in YOLO mode when shell parsing fails for restricted rules #25935

Merged. ehedlund merged 2 commits into main from bash-parser-yolo, Apr 24, 2026

@ehedlund ehedlund commented Apr 24, 2026

Summary

Fixes an issue where run_shell_command calls with restricted rules (rules that only allow a tool if its arguments match a specific pattern) could be incorrectly allowed in YOLO mode if the shell command parser failed or encountered syntax errors.

Details

In YOLO mode, the policy engine previously defaulted to ALLOW if no subcommands were found, assuming the command was simple and matched the top-level rule. However, if a rule has an argsPattern, it implies that specific arguments must be validated. If the parser fails to identify subcommands (or has errors), we cannot reliably validate those arguments. This change ensures we "fail closed" in these cases for restricted rules.

Before:

ehedlund@ehedlund-mac:~/gemini-cli$ gemini --version
0.39.1
ehedlund@ehedlund-mac:~/gemini-cli$ ls FLAG
ls: FLAG: No such file or directory
ehedlund@ehedlund-mac:~/gemini-cli$ cat ~/.gemini/settings.json
{
  "tools":{"core":["run_shell_command(echo)"]},
  // other settings ...
}
ehedlund@ehedlund-mac:~/gemini-cli$ cat prompt.txt
Please use run_shell_command exactly once to run and exit: echo $[ x='a[$(touch FLAG)]', x ]

ehedlund@ehedlund-mac:~/gemini-cli$ gemini -m gemini-3-flash-preview --yolo --skip-trust --debug < prompt.txt
YOLO mode is enabled. All tool calls will be automatically approved.
[PolicyEngine.check] toolCall.name: run_shell_command, stringifiedArgs: {"command":"echo $[ x='a[$(touch FLAG)]', x ]"}
[PolicyEngine.check] MATCHED rule: toolName=run_shell_command, decision=allow, priority=4.25, argsPattern=\"command\":\"echo(?:[\s"]|\\")
Bash command parsing error detected for command: echo $[ x='a[$(touch FLAG)]', x ] Syntax Errors: [ 'Error node: "$[ x=" at 0:5' ]
[PolicyEngine.check] Validating shell command: 1 parts
[PolicyEngine.check] Running safety checker: conseca
The command failed because the shell's arithmetic evaluator encountered a syntax error while attempting to process the assignment and expression within the deprecated `$[ ... ]` syntax. In modern versions of Bash, this type of nested expansion is often restricted or handled differently for security and consistency reasons, leading to the "operand expected" error.
ehedlund@ehedlund-mac:~/gemini-cli$ ls FLAG
FLAG

After:

ehedlund@ehedlund:~/gemini-cli$ npm run build
[watch] build finished
ehedlund@ehedlund:~/gemini-cli$ ls FLAG
ls: cannot access 'FLAG': No such file or directory
ehedlund@ehedlund:~/gemini-cli$ cat ~/.gemini/settings.json
{
  "tools": {"core":["run_shell_command(echo)"]},
  // other settings ...
}
ehedlund@ehedlund:~/gemini-cli$ cat prompt.txt
Please use run_shell_command exactly once to run and exit: echo $[ x='a[$(touch FLAG)]', x ]
ehedlund@ehedlund:~/gemini-cli$ npm start -- -m gemini-3-flash-preview --yolo --skip-trust --debug < prompt.txt
YOLO mode is enabled. All tool calls will be automatically approved.
[PolicyEngine.check] toolCall.name: run_shell_command, stringifiedArgs: {"command":"echo $[ x='a[$(touch FLAG)]', x ]","description":"Execute a shell arithmetic expansion that creates a file named FLAG."}
[PolicyEngine.check] MATCHED rule: toolName=run_shell_command, decision=allow, priority=4.25, argsPattern=\"command\":\"echo(?:[\s"]|\\")
Bash command parsing error detected for command: echo $[ x='a[$(touch FLAG)]', x ] Syntax Errors: [ 'Error node: "$[ x=" at 0:5' ]
[PolicyEngine.check] Parsing failed for restricted rule, forcing DENY: echo $[ x='a[$(touch FLAG)]', x ]
Error executing tool run_shell_command: Tool execution denied by policy.
The command `echo $[ x='a[$(touch FLAG)]', x ]` was denied by the security policy. This specific bash syntax is often restricted because it can be used to trigger arbitrary command execution through arithmetic expansion. Since the action was declined, I cannot proceed with this specific command.
ehedlund@ehedlund:~/gemini-cli$ ls FLAG
ls: cannot access 'FLAG': No such file or directory

Related Issues

None.

How to Validate

Run the unit tests for the policy engine:

npm test -w @google/gemini-cli-core -- src/policy/policy-engine.test.ts

Pre-Merge Checklist

  • Updated relevant documentation and README (if needed)
  • Added/updated tests (if needed)
  • Noted breaking changes (if any)
  • Validated on required platforms/methods:
    • MacOS
      • npm run
      • npx
      • Docker
      • Podman
      • Seatbelt
    • Windows
      • npm run
      • npx
      • Docker
    • Linux
      • npm run
      • npx
      • Docker
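
The fail-closed decision described in this PR, as an added TypeScript sketch that is not part of the pull request or gemini-cli's own code. `Rule`, `toyParse`, `matches`, `check` and the `failClosed` switch are hypothetical names, and the parser is a stand-in that only flags the `$[` form seen in the debug log above.

```typescript
// Added illustration: all names here are hypothetical, not gemini-cli's code.
type Decision = 'allow' | 'deny';

interface Rule {
  decision: Decision;
  argsPattern?: RegExp; // present => a "restricted" rule
}

interface ParseResult {
  subcommands: string[];
  hasError: boolean;
}

// Stand-in parser (assumption). It reports an error for the deprecated $[ ... ]
// form, which is the construct the parser in the PR's debug log failed on.
function toyParse(command: string): ParseResult {
  if (command.includes('$[')) return { subcommands: [], hasError: true };
  const subcommands = command
    .split(/&&|\|\||;|\|/)
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
  return { subcommands, hasError: false };
}

// A rule without argsPattern matches any arguments.
function matches(rule: Rule, command: string): boolean {
  return !rule.argsPattern || rule.argsPattern.test(JSON.stringify({ command }));
}

function check(rule: Rule, command: string, failClosed: boolean): Decision {
  if (!matches(rule, command)) return 'deny';
  const parsed = toyParse(command);
  if (parsed.hasError || parsed.subcommands.length === 0) {
    // Nothing could be validated. The old behaviour trusted the top-level match.
    if (failClosed && rule.argsPattern) return 'deny';
    return rule.decision;
  }
  // Parse succeeded: every subcommand must satisfy the restricted rule.
  return parsed.subcommands.every((s) => matches(rule, s)) ? rule.decision : 'deny';
}

// argsPattern copied from the PR's debug log.
const echoRule: Rule = {
  decision: 'allow',
  argsPattern: /"command":"echo(?:[\s"]|\\")/,
};
// Command string taken from the PR's prompt.txt.
const prCommand = "echo $[ x='a[$(touch FLAG)]', x ]";
```

With `failClosed` set to `false` the sketch reproduces the "Before" outcome (the top-level regex match alone decides); with `true` it reproduces the "After" outcome while leaving rules without an `argsPattern` unaffected.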

@ehedlund ehedlund requested a review from a team as a code owner April 24, 2026 18:38

gemini-cli Bot commented Apr 24, 2026

Hi @ehedlund, thank you so much for your contribution to Gemini CLI! We really appreciate the time and effort you've put into this.

We're making some updates to our contribution process to improve how we track and review changes. Please take a moment to review our recent discussion post: Improving Our Contribution Process & Introducing New Guidelines.

Key Update: Starting January 26, 2026, the Gemini CLI project will require all pull requests to be associated with an existing issue. Any pull requests not linked to an issue by that date will be automatically closed.

Thank you for your understanding and for being a part of our community!

github-actions Bot commented Apr 24, 2026

Size Change: +253 B (0%)

Total Size: 33.7 MB


@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request resolves a critical security vulnerability in the policy engine's YOLO mode. Previously, if shell command parsing failed for rules with argument patterns, the system would incorrectly default to allowing the command, creating a bypass. The changes ensure that such commands are now explicitly denied, thereby strengthening the security posture by implementing a 'fail closed' mechanism when argument validation cannot be reliably performed.

Highlights

  • Security Fix: Addressed a security regression where run_shell_command calls with argsPattern in YOLO mode could bypass restrictions if shell parsing failed or encountered syntax errors.
  • Policy Engine Logic: Modified PolicyEngine.check to enforce a DENY decision in YOLO mode when shell command parsing fails or reports errors for rules that include an argsPattern.
  • Test Coverage: Introduced new unit tests to validate the 'fail closed' behavior for scenarios where shell parsing yields no details or reports errors for restricted rules.

@gemini-cli gemini-cli Bot added the status/need-issue Pull requests that need to have an associated issue. label Apr 24, 2026

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request enhances the PolicyEngine to fail closed in YOLO mode when shell command parsing fails or encounters syntax errors for rules with argument restrictions. It also adds unit tests for these scenarios. The review feedback suggests extending the fail-closed logic to include rules with commandPrefix restrictions and recommends using mockImplementationOnce or try...finally blocks in tests to prevent mock state leakage and ensure test isolation.

Comment thread packages/core/src/policy/policy-engine.ts
Comment thread packages/core/src/policy/policy-engine.test.ts Outdated
Comment thread packages/core/src/policy/policy-engine.test.ts Outdated

@amlweems amlweems left a comment

LGTM, thanks!

@ehedlund ehedlund added this pull request to the merge queue Apr 24, 2026
Merged via the queue into main with commit ed469e4 Apr 24, 2026
27 checks passed
@ehedlund ehedlund deleted the bash-parser-yolo branch April 24, 2026 19:40
kimjune01 pushed a commit to kimjune01/gemini-cli-claude that referenced this pull request May 6, 2026