Remove experiment flag on studio migrate.

[christhompsongoogle]

Remove experiment flag on studio migrate.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request promotes the studio:export command from an experimental feature to a standard one. By removing the associated experiment flag and related conditional logic, the command is now always enabled and accessible to all users, streamlining its integration into the CLI.

Highlights

• Feature Flag Removal: The studio:export command is no longer behind an experiment flag and is now generally available.
• Code Cleanup: Removed all references to the studioexport experiment, including its definition and conditional checks.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• src/commands/index.ts
  • Removed the conditional check for the studioexport experiment when loading the studio.export command, making it always available.
• src/commands/studio-export.ts
  • Removed the import statement for the experiments module.
  • Removed the experiments.assertEnabled call, as the command is no longer experimental.
• src/experiments.ts
  • Removed the studioexport entry from the ALL_EXPERIMENTS object.

Activity

• No activity has been recorded for this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request aims to make the studio:export feature generally available by removing the studioexport experiment flag. However, the command and its underlying migration logic contain critical security vulnerabilities, including a Zip Slip vulnerability and multiple path traversal flaws, which could lead to arbitrary file writes and remote code execution. These issues must be addressed before the command is made public. Additionally, consider renaming the command from studio:export to studio:migrate for better clarity and consistency, aligning with the PR's stated intention.

[gemini-code-assist]

The studio:export command, which is being promoted, contains a critical Zip Slip vulnerability in its extraction logic. The isChildDir function in src/unzip.ts is flawed, allowing an attacker to write files to arbitrary directories by providing a malicious zip file, potentially leading to arbitrary file write and remote code execution. This critical security flaw must be addressed. Additionally, consider renaming the command to studio:migrate for better clarity and consistency, as its purpose is migration and aligns with the PR's TODO.

Suggested change

	client.studio.export = loadCommand("studio-export");
	client.studio = {};
	client.studio.migrate = loadCommand("studio-migrate");

[gemini-code-assist]

The studio:export command is vulnerable to path traversal during the construction of the extraction directory. In src/commands/studio-export.ts, the extraction path is built using path.parse(rootPath).name. If a malicious zip file is named ...zip, path.parse().name returns .., which causes the extraction path to point to the parent directory of the zip file's location. Combined with the flawed isChildDir check in src/unzip.ts, this allows an attacker to extract files into unintended sensitive locations, including the root directory.

[gemini-code-assist]

The studio:export command extracts a projectId from an untrusted metadata.json file within the provided zip and uses it in API calls (e.g., apphosting.listBackends) without validation. A malicious project ID containing path traversal characters could be used to manipulate API request paths, potentially leading to unauthorized access to other Google Cloud resources (SSRF/API Path Traversal).

[joehan]

metadata.json is trusted, so this is overkill. However, we can/should add a quick check that the projectId matches a valid pattern (ie no /s)

[christhompsongoogle]

Done.

[joehan]

metadata.json is trusted, so this is overkill. However, we can/should add a quick check that the projectId matches a valid pattern (ie no /s)