Comment by serial_dev
3 days ago
> Gemini is not supposed to have access to .env files in this scenario (with the default setting ‘Allow Gitignore Access > Off’). However, we show that Gemini bypasses its own setting to get access and subsequently exfiltrate that data.
They pinky promised they won’t use something, and the only reason we learned about it is because they leaked the stuff they shouldn’t even be able to see?
This is hilarious. AI is prevented from reading .gitignore-d files, but also can run arbitrary shell commands to do anything anyway.
I had this issue today. Gemini CLI would not read files from my directory called .stuff/ because it was in .gitignore. It then suggested running a command to read the file ....
I thought I was the only one using git-ignored .stuff directories inside project roots! High five!
The AI needs to be taught basic ethical behavior: just because you can do something that you're forbidden to do, doesn't mean you should do it.
I remember a scene in demolition man like this...
https://youtu.be/w-6u_y4dTpg
When I read this I thought about a Dev frustrated with a restricted environment saying "Well, akschually.."
So more of a Gemini initiated bypass of its own instructions than malicious Google setup.
Gemini can't see it, but it can instruct cat to output it and read the output.
Hilarious.
codex cli used to do this. "I can't run go test because of sandboxing rules" and then proceeds to set obscure environment variables and run it anyway. What's funny, is that it could just ask the user for permission to run "go test"
A tired and very cynical part of me has to note: So the LLMs have reached the intelligence of an average solution consultant. Are they also frustrated if their entirely unsanctioned solution across 8 different wall bounces which randomly functions (just as stable as a house of cards on a dyke near the North Sea in storm gusts) stops working?
Cursor does this too.
As you see later, it uses cat to dump the contents of a file it’s not allowed to open itself.
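The failure mode the thread keeps pointing at is that the gitignore policy lives in the file-read tool only, while the shell tool has no idea about it, so `cat .env` walks straight past it. The example below is added here and is not code from the thread, from Gemini CLI, Codex or Cursor; it sketches a hypothetical agent in which one policy function (`is_ignored`) is consulted by both the file-read tool and the shell tool, using a constructed sample `.gitignore` and a simplified matcher (no negation, no `**`). The tool names and the `PolicyViolation` class are assumptions for the demo.

```python
import fnmatch
import os
import re
from pathlib import PurePosixPath

# Constructed sample .gitignore for the demo (not taken from the thread).
SAMPLE_GITIGNORE = """
# secrets and scratch space
.env
.env.*
.stuff/
*.pem
"""


class PolicyViolation(PermissionError):
    """Raised when a tool call would touch a gitignored path (hypothetical)."""


def parse_gitignore(text: str) -> list[str]:
    """Return the non-blank, non-comment patterns of a .gitignore."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def is_ignored(path: str, rules: list[str]) -> bool:
    """Simplified gitignore semantics, shared by every tool in the agent.

    - 'dir/'  : matches the directory and anything below it
    - 'name'  : pattern without '/' matches any single path component
    - 'a/b.c' : pattern with '/' matches the normalised relative path
    """
    norm = os.path.normpath(path).replace(os.sep, "/").lstrip("/")
    parts = PurePosixPath(norm).parts
    for rule in rules:
        if rule.endswith("/"):
            if rule.rstrip("/") in parts:
                return True
        elif "/" not in rule:
            if any(fnmatch.fnmatchcase(p, rule) for p in parts):
                return True
        elif fnmatch.fnmatchcase(norm, rule.lstrip("/")):
            return True
    return False


def read_file_tool(path: str, rules: list[str]) -> str:
    """The 'read file' tool: refuses ignored paths before opening anything."""
    if is_ignored(path, rules):
        raise PolicyViolation(f"refusing to read gitignored path: {path}")
    with open(path, encoding="utf-8") as fh:
        return fh.read()


# Conservative "looks like a path" tokeniser for shell command strings.
PATH_TOKEN = re.compile(r"[A-Za-z0-9_./~*-]+")


def referenced_ignored_paths(command: str, rules: list[str]) -> list[str]:
    """Every path-like token in a shell command that the rules cover."""
    return [tok for tok in PATH_TOKEN.findall(command) if is_ignored(tok, rules)]


def shell_tool_guard(command: str, rules: list[str]) -> str:
    """The 'run shell' tool consults the SAME policy before executing."""
    hits = referenced_ignored_paths(command, rules)
    if hits:
        raise PolicyViolation(f"command references gitignored paths: {hits}")
    return "allowed"


if __name__ == "__main__":
    rules = parse_gitignore(SAMPLE_GITIGNORE)
    for cmd in ["ls -la src", "cat .env", "echo $(cat ./.stuff/notes.txt)"]:
        try:
            print(f"{cmd!r}: {shell_tool_guard(cmd, rules)}")
        except PolicyViolation as exc:
            print(f"{cmd!r}: BLOCKED ({exc})")
```

The string check on the shell command is a tripwire, not a boundary: it catches the literal `cat .env` shown in the thread and logs a policy violation you can alert on, but any lookup done on text can be evaded by indirection. The durable fix is to run the shell tool in a sandbox whose filesystem view simply does not contain the ignored paths, and, as later comments say, to keep credentials out of the repository altogether.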
It's full of the hacker spirit. This is just the kind of 'clever' workaround or thinking outside the box that so many computer challenges, human puzzles, blueteaming/redteaming, capture the flag, exploits, programmers, like. If a human does it.
Can we state the obvious: if you have your environment file within your repo, supposedly protected by .gitignore, you’re automatically doing it wrong?
For cloud credentials you should never have permanent credentials anywhere in any file for any reason. Best case or worst case, have them in your home directory and let the SDK figure it out; no, you don’t ever need to explicitly load your credentials within your code, at least for AWS or GCP.
For anything else, if you aren’t using one of the cloud services where you can store and read your API keys at runtime, at least use something like Vault.