Named sessions

[andrewwhitecdw]

new feature to name sessions

[gemini-code-assist]

Summary of Changes

Hello @andrewwhitecdw, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances session management capabilities by introducing the ability to name sessions and providing a dedicated tool to list and filter them. These changes aim to improve user experience by making sessions easier to identify and organize, especially when dealing with multiple concurrent or historical sessions.

Highlights

• Named Sessions Feature: Introduced a new name parameter for the session tool, allowing users to assign custom names to new or forked sessions. This enhances session identification in the session list.
• Session Listing Tool: Added a new session_list tool that provides a formatted table of all OpenCode sessions. It supports optional filtering by limit, from_date, and to_date.
• Improved Session Management Examples: Updated existing examples for session usage to demonstrate how to leverage the new name parameter for clearer session identification, particularly in 'new' and 'fork' modes.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• index.ts
  • Added documentation for the new name parameter in the session tool.
  • Updated session examples to include the name parameter for 'new' and 'fork' modes.
  • Modified the session tool's schema to accept an optional name string argument.
  • Implemented logic to use the provided name for session titles when creating new sessions.
  • Updated the return messages for new and forked sessions to include the custom name if specified.
  • Added functionality to update the title of forked sessions with the provided name.
  • Introduced a new session_list tool with arguments for filtering and a formatted output table.

Activity

• No human activity has been recorded on this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a valuable feature for naming sessions, enhancing usability, and adds the session_list tool. However, critical security concerns exist due to Markdown Injection and Prompt Injection vulnerabilities. User-supplied session names and agent names are not properly sanitized when embedded into markdown tables and tool response messages, potentially allowing attackers to spoof tool outputs or manipulate the agent's behavior. Beyond security, there are opportunities to improve session forking efficiency, and the session_list tool has discrepancies between its documentation and implementation, along with a bug in its date filtering logic.

[andrewwhitecdw]

/gemini review

[gemini-code-assist]

Code Review

This pull request adds a useful feature for naming sessions and a new tool for listing them. However, the implementation is vulnerable to markdown injection. The session_list tool constructs a markdown table, but the sanitizeForMarkdown function does not escape all special characters, potentially allowing an attacker to inject malicious links or formatting. This could lead to XSS or phishing attacks if the output is rendered in a web-based UI. Additionally, there are minor issues such as code duplication, a performance improvement opportunity, and a bug in the date filtering logic. Addressing these points will improve the code's maintainability, correctness, and security.

[gemini-code-assist]

When a session lacks a time.created property, you're defaulting its creation timestamp to 0. This can lead to incorrect filtering, as these sessions will be treated as if they were created at the Unix epoch (1970-01-01). It would be more robust to exclude sessions that don't have a creation date when filtering by date.

              sessions = sessions.filter((s) => {
                if (!s.time?.created) {
                  return false;
                }
                const created = new Date(s.time.created).getTime();
                return created >= fromDate;
              })

[gemini-code-assist]

Similar to the from_date filter, you're defaulting to a timestamp of 0 for sessions without a creation date. This can cause incorrect filtering. These sessions should be excluded from the results when a date filter is applied.

              sessions = sessions.filter((s) => {
                if (!s.time?.created) {
                  return false;
                }
                const created = new Date(s.time.created).getTime();
                return created <= toTimestamp;
              })

[gemini-code-assist]

The sanitizeForMarkdown function is vulnerable to markdown injection. It currently only escapes the pipe character (|) and newlines, but fails to escape other critical markdown special characters such as brackets ([ and ]) or parentheses (( and )). Since session titles are user-controlled, an attacker could inject malicious markdown, potentially leading to XSS or phishing attacks if rendered in a web-based UI. Additionally, for better performance, this function should be defined once outside the map loop, rather than being redefined on every iteration.

Suggested change

	const sanitizeForMarkdown = (str: string) =>
	str.replace(/\|/g, "\\|").replace(/\n/g, " ")
	const sanitizeForMarkdown = (str: string) =>
	str.replace(/[\\`*_{}\[\]()#+-.!|]/g, "\\$&").replace(/\n/g, " ")

[gemini-code-assist]

This sanitizeFork function is identical to sanitizeForPrompt defined earlier in the case "new" block (line 423). To improve maintainability and reduce redundancy, you could define this function once in a higher scope (e.g., before the switch statement) and reuse it in both places.