Feature - file delete tool

[jutaz]

Adds a file delete tool with various configurable safeguards. This is likely better than trying to configure and safeguard rm tool which gets very complex very quickly.

TODO:

• Rebase this onto latest to use new tooltips.
• Double check the prompt.

[gemini-code-assist]

Summary of Changes

Hello @jutaz, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances agent capabilities by introducing a dedicated and highly configurable file_delete tool. This new tool prioritizes safety and control, allowing users to define precise rules for file and directory deletion, including pattern-based restrictions and size limits. The addition of a dry-run feature provides a crucial layer of protection, enabling users to verify deletion actions before execution. The changes also include necessary UI updates for configuration and a migration path to ensure seamless integration with existing agent profiles.

Highlights

• New File Deletion Tool: Introduced a new file_delete tool with configurable safeguards, offering a safer alternative to direct rm commands for agents. This tool allows for precise control over what files and directories can be deleted.
• Configurable Safeguards: The file_delete tool includes extensive settings such as allowed/denied glob patterns for files and directories, a maximum file size limit, and an option to control recursive directory deletion. These settings are managed via the agent's profile.
• Dry-Run Mode: A dry-run mode has been implemented for the file_delete tool, allowing users to preview what would be deleted without actually modifying the filesystem, enhancing safety and predictability.
• Enhanced User Interface for Settings: New UI components have been added to the agent settings page, enabling users to easily configure the various safeguards and options for the file_delete tool.
• Robust Testing: Comprehensive unit tests have been added for the file_delete tool, covering critical aspects like path traversal protection, parent directory validation, tilde expansion, dry-run functionality, directory deletion logic, file not found/permission errors, size limits, and pattern matching.
• Migration for Agent Profiles: A new migration script (v17-to-v18) has been added to ensure that existing agent profiles are correctly updated with default toolApprovals and toolSettings for the new file_delete tool, maintaining backward compatibility.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a new file_delete power tool, a significant and well-implemented feature. However, a critical security vulnerability has been identified: the primary path traversal protection, specifically within the fileDeleteTool, relies on a flawed validation function isValidProjectFile. This function can be bypassed using prefix-matching paths, potentially allowing an agent to delete or inspect files outside the designated task directory if they share a common path prefix. While the tool also includes configurable pattern-based restrictions, size limits, a dry-run mode, and an extensive test suite, addressing this vulnerability is paramount. Additionally, there is a suggestion for a minor refactoring to improve code maintainability.

[gemini-code-assist]

The fileDeleteTool relies on isValidProjectFile to prevent path traversal, but this check is insufficient. The isValidProjectFile function (defined in src/main/utils/file-system.ts) uses startsWith to verify if the resolved path is within the task directory. This can be bypassed if the target path shares a prefix with the task directory.

For example, if the task directory is /path/to/task, a target path of /path/to/task-secret would be incorrectly validated as safe because /path/to/task-secret starts with /path/to/task. This allows an attacker (or a compromised LLM) to delete files or directories outside the intended scope, or list their contents using the dryRun mode.

To fix this, update isValidProjectFile to use a more robust containment check, such as ensuring the base directory ends with a path separator before comparison, or using path.relative and checking for .. segments:

const relative = path.relative(taskDir, absolutePath);
const isInside = !relative.startsWith('..') && !path.isAbsolute(relative);

[gemini-code-assist]

The pattern checking logic for allowed and denied patterns is duplicated for both directories (here) and files (lines 1050-1061). This could be extracted into a reusable helper function to improve maintainability and reduce code duplication.

A helper function could look like this:

const checkPatterns = (
  relativePath: string,
  itemType: 'File' | 'Directory',
  allowedPatterns?: string[],
  deniedPatterns?: string[],
): string | null => {
  if (allowedPatterns && allowedPatterns.length > 0) {
    const matchesAllowed = allowedPatterns.some((pattern) => minimatch(relativePath, pattern, { dot: true }));
    if (!matchesAllowed) {
      return `Error: ${itemType} '${relativePath}' does not match any allowed ${itemType.toLowerCase()} patterns.`;
    }
  }

  if (deniedPatterns && deniedPatterns.length > 0) {
    const matchesDenied = deniedPatterns.some((pattern) => minimatch(relativePath, pattern, { dot: true }));
    if (matchesDenied) {
      return `Error: ${itemType} '${relativePath}' matches a protected ${itemType.toLowerCase()} pattern.`;
    }
  }

  return null;
};

You could then use it for both directories and files, simplifying the logic in the execute function.