Secret upload apphosting

[christhompsongoogle]

Apphosting secret upload, this is a follow-on from #10010

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the migration workflow by automating the secure transfer of the GEMINI_API_KEY from local .env files to App Hosting secrets. This integration streamlines the setup for projects utilizing the Gemini API, ensuring that critical environment variables are correctly configured in the cloud environment without manual intervention, building on previous work for App Hosting secret management.

Highlights

• Automated Secret Upload: Introduced a new uploadSecrets function that automatically detects and uploads the GEMINI_API_KEY from a project's .env file to App Hosting secrets during the migration process.
• Non-Interactive Secret Prompt: Modified the apphostingSecretsSetAction to support non-interactive mode and set 'production' as the default environment for secret uploads, improving automation capabilities.
• Comprehensive Testing: Added extensive unit tests for the uploadSecrets function, covering scenarios such as the presence or absence of the .env file, and valid or blank GEMINI_API_KEY values.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• src/apphosting/secrets/index.ts
  • Updated secret type selection prompt to include non-interactive support and a default value.
• src/firebase_studio/migrate.spec.ts
  • Added unit tests for the new uploadSecrets function, verifying its behavior under various conditions.
• src/firebase_studio/migrate.ts
  • Implemented the uploadSecrets function to read GEMINI_API_KEY from .env and upload it to App Hosting secrets.
  • Integrated the uploadSecrets function into the main migrate process.

Activity

• This pull request is a follow-on from Initial refactor for moving secret logic to index.ts #10010, continuing work on App Hosting secret management.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request adds functionality to upload a "GEMINI_API_KEY" from a ".env" file as a secret for App Hosting during a migration process. However, a security audit identified two significant vulnerabilities. First, a high-severity information leak in the uploadSecrets function causes the entire ".env" file to be uploaded to Google Secret Manager instead of just the intended API key. Second, a medium-severity path traversal vulnerability was found in the downloadGitHubDir function, which could allow arbitrary file writes if the source GitHub repository is compromised. The uploadSecrets implementation also presents an opportunity to improve code structure by reducing nesting, adhering to the repository's style guide. Both security vulnerabilities and the structural issue should be addressed.

[gemini-code-assist]

The uploadSecrets function incorrectly passes the path to the entire .env file (envPath) as the dataFile argument to apphostingSecretsSetAction. This results in the entire content of the .env file, which may contain multiple environment variables and other sensitive information, being stored as the value for the GEMINI_API_KEY secret. This is a high-severity information leak, as the secret value should only be the API key. Furthermore, the current implementation checks for file existence and then reads it in a nested block, which increases nesting and can be simplified to adhere to the repository's style guide.

References

1. The repository's style guide recommends reducing nesting for improved code clarity and maintainability. ^(link)

[falahat]

LGTM, but feedback is the name uploadSecrets might be too general since it really just handles a specific secret (Gemini API keys) but overall approved