fix(security): validate resource IDs in docs, sheets, calendar, and drive helpers by nuthalapativarun · Pull Request #677 · googleworkspace/cli

nuthalapativarun · 2026-04-06T04:09:38Z

Description

Adds validate_resource_name() calls before embedding user-supplied IDs in API request parameters for four helpers that were missing this check. This is required by the AGENTS.md security checklist:

Resource names (project IDs, space names, topic names) → Use validate_resource_name()

Affected helpers:

docs +write — --document ID embedded in batchUpdate params
sheets +append and +read — --spreadsheet ID embedded in values.append/values.get params
calendar +insert — --calendar ID embedded in events.insert params
drive +upload — --parent folder ID embedded in files.create metadata body

validate_resource_name() rejects path traversal segments (..), control characters, and URL-special characters (?, #, %) that could be injected by adversarial AI-agent inputs.

Dry Run Output:

// Not applicable — this is a security hardening fix with no API call changes.
// The validation happens before the request is built.

Checklist:

My code follows the AGENTS.md guidelines (no generated google-* crates).
I have run cargo fmt --all to format the code perfectly.
I have run cargo clippy -- -D warnings and resolved all warnings.
I have added tests that prove my fix is effective or that my feature works.
I have provided a Changeset file (e.g. via pnpx changeset) to document my changes.

changeset-bot · 2026-04-06T04:09:42Z

🦋 Changeset detected

Latest commit: 86b5efa

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@googleworkspace/cli	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

google-cla · 2026-04-06T04:09:43Z

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

gemini-code-assist · 2026-04-06T04:09:50Z

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces security enhancements to the CLI by enforcing strict validation on resource identifiers before they are used in API requests. By integrating the existing validate_resource_name utility into critical helper functions, the changes mitigate risks associated with adversarial inputs, such as path traversal and query injection, ensuring safer interactions with Google Workspace services.

Highlights

Security Hardening: Implemented mandatory validate_resource_name() checks for user-supplied resource IDs across Docs, Sheets, Calendar, and Drive helpers to prevent injection attacks.
Input Validation: The validation logic now explicitly rejects path traversal sequences, control characters, and URL-special characters in resource identifiers.
Test Coverage: Added comprehensive unit tests for each affected helper to verify that malicious inputs are correctly rejected.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	`/gemini review`	Performs a code review for the current pull request in its current state.
Pull Request Summary	`/gemini summary`	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	`/gemini help`	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Review the Generative AI Prohibited Use Policy, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

gemini-code-assist

Code Review

This pull request implements resource ID validation across several Google Workspace CLI helpers (Calendar, Docs, Drive, and Sheets) to mitigate path traversal and injection risks. The review feedback highlights the importance of using the validated (and potentially normalized) output from the validation function rather than the original input. Additionally, it is recommended to extend this validation to the range parameter in Sheets requests, as it is also utilized as a path segment in API calls.

crates/google-workspace-cli/src/helpers/drive.rs

crates/google-workspace-cli/src/helpers/sheets.rs

nuthalapativarun · 2026-04-06T04:17:31Z

bot: rescan

googleworkspace-bot · 2026-04-06T04:29:17Z

/gemini review

gemini-code-assist

Code Review

This pull request implements resource ID validation across the Calendar, Docs, Drive, and Sheets helpers using validate_resource_name() to mitigate path traversal and injection risks. Feedback indicates that applying this specific validation to calendar_id and Sheets range parameters is likely to cause regressions, as these fields frequently contain characters (like "@", ".", "!", and ":") that the validator may reject.

crates/google-workspace-cli/src/helpers/calendar.rs

crates/google-workspace-cli/src/helpers/sheets.rs

…rive helpers Adds validate_resource_name() calls before embedding user-supplied IDs in API request params. Rejects path traversal, control characters, and URL injection via ?, #, and % characters — consistent with AGENTS.md requirements for AI-agent-safe input handling. Affected helpers: - docs +write: --document - sheets +append and +read: --spreadsheet - calendar +insert: --calendar - drive +upload: --parent Includes rejection tests for traversal and query injection in each helper.

…ange - drive: use the &str returned by validate_resource_name(parent)? directly in json! rather than the original untrusted input - sheets: validate config.range in both build_append_request and build_read_request, since the range is used as a URL path segment in the Sheets API (spreadsheets/{id}/values/{range})

googleworkspace-bot · 2026-04-06T04:46:05Z

/gemini review

gemini-code-assist

Code Review

This pull request implements resource ID validation across the Calendar, Docs, Drive, and Sheets helpers to mitigate risks from path traversal and injection attacks. The changes introduce calls to validate_resource_name before resource IDs are used in API requests and include corresponding unit tests. Review feedback highlights an inconsistency in the Sheets helper where the return values of the validation function are ignored, potentially bypassing normalization or sanitization steps that are correctly handled in the other service helpers.

crates/google-workspace-cli/src/helpers/sheets.rs

…ressions; use validated spreadsheet_id - calendar_id can be an email address (user@example.com) so validate_resource_name would incorrectly reject valid inputs; revert to plain unwrap - range in Sheets A1 notation (e.g. Sheet1!A1) contains ! and : which are rejected by validate_resource_name; remove range validation from both build functions - capture and use the return value of validate_resource_name for spreadsheet_id so any normalization is applied to the actual request params

googleworkspace-bot · 2026-04-06T05:11:27Z

/gemini review

gemini-code-assist

Code Review

This pull request introduces resource ID validation across the Docs, Sheets, Drive, and Calendar helpers to mitigate path traversal and injection risks. While the implementation and tests are present for most modules, the Calendar helper includes a new test case but lacks the actual validation logic in the build_insert_request function, which will lead to test failure.

crates/google-workspace-cli/src/helpers/calendar.rs

…_request validate_resource_name only rejects control chars, path traversal, ?, #, and %. It does NOT reject @ or . so email-style calendar IDs (user@example.com) pass validation correctly. The earlier comment to remove it was based on a mistaken assumption about the validator's character set.

googleworkspace-bot · 2026-04-06T05:20:49Z

/gemini review

gemini-code-assist

Code Review

This pull request implements resource ID validation across the Calendar, Docs, Drive, and Sheets helpers to mitigate risks from adversarial AI-agent inputs, such as path traversal and URL injection. The validate_resource_name function is now applied to calendar_id, document_id, parent_id, and spreadsheet_id before they are used in API requests. Corresponding unit tests have been added to ensure that invalid characters and traversal segments are properly rejected. I have no feedback to provide as the implementation is consistent and includes appropriate test coverage.

googleworkspace-bot added the area: core Core CLI parsing, commands, error handling, utilities label Apr 6, 2026