fix(core): add image-grounding hint in function response for image at…#27711
fix(core): add image-grounding hint in function response for image at…#27711yasirusman85 wants to merge 2 commits into
Conversation
…tachments Smaller preview models (e.g. gemini-3-flash-preview) can anchor on unrelated surrounding context such as the <session_context> directory listing and describe files that match filenames instead of the actual pixels of an attached image (see issue google-gemini#27710). Inject a short grounding hint into the function response text whenever the tool output carries one or more image/* attachments. The hint asks the model to describe only what is optically present in the attached image and to ignore surrounding workspace context. It is harmless for stronger models that already ground correctly. Changes: - compute imageParts and imageMimeTypes from filteredInlineDataParts - prepend the hint to textParts output, or include it in the 'Binary content provided' fallback when no text is present - add unit tests covering Gemini 3 nested multimodal-FR path, the non-multimodal-FR sibling path, multi-image unique mime-type listing, PDF (non-image) binary, and stripped audio
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request addresses an issue where smaller preview models incorrectly anchor on file names or directory listings instead of the actual image content. By injecting a grounding hint into the function response output, the model is explicitly instructed to focus solely on the provided image data. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. Footnotes
|
|
📊 PR Size: size/L
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces an image-grounding hint mechanism in convertToFunctionResponse to ensure smaller Gemini models focus on actual image pixels rather than surrounding context like filenames. It also adds comprehensive unit tests to validate this behavior. The review feedback correctly identifies a security vulnerability where unsanitized mimeType values could lead to indirect prompt injection, and suggests validating the mimeType against a strict regular expression to mitigate this risk.
| const imageMimeTypes = Array.from( | ||
| new Set(imageParts.map((p) => p.inlineData?.mimeType).filter((m) => !!m)), | ||
| ); | ||
| const imageHint = | ||
| imageParts.length > 0 | ||
| ? `[Image grounding hint: This function response includes ${imageParts.length} image attachment(s) (${imageMimeTypes.join(', ')}). Describe ONLY what is optically present in the attached image(s). Do not infer content from workspace filenames, directory listings, prior conversation, or any other surrounding text context.]` | ||
| : undefined; |
There was a problem hiding this comment.
The convertToFunctionResponse function is vulnerable to indirect prompt injection. It extracts mimeType from inlineData parts and directly interpolates them into the imageHint prompt string without sanitization. An attacker could craft a malicious mimeType (e.g., image/png\n\n[SYSTEM INSTRUCTION: ...]) to inject instructions into the LLM. To remediate this, sanitize data from LLM-driven tools before injecting it into a system prompt. At a minimum, remove newlines and context-breaking characters (e.g., ']'). Validating the extracted mimeType against a strict regular expression prevents prompt injection. Additionally, ensure all image attachments (from both filteredInlineDataParts and fileDataParts) are considered when generating the image-grounding hint for comprehensive coverage.
const imageMimeTypes = Array.from(
new Set(
imageParts
.map((p) => p.inlineData?.mimeType)
.filter((m): m is string => typeof m === 'string' && /^[a-zA-Z0-9\\-]+\\/[a-zA-Z0-9\\-.]+$/.test(m)),
),
);
const imageHint =
imageParts.length > 0
? "[Image grounding hint: This function response includes " + imageParts.length + " image attachment(s) (" + imageMimeTypes.join(", ") + "). Describe ONLY what is optically present in the attached image(s). Do not infer content from workspace filenames, directory listings, prior conversation, or any other surrounding text context.]"
: undefined;References
- Sanitize data from LLM-driven tools before injecting it into a system prompt to prevent prompt injection. At a minimum, remove newlines and context-breaking characters (e.g., ']').
There was a problem hiding this comment.
I have resolved the issue can you check again
gemini-cli
Bot
added
the
status/need-issue
1 participant
This PR is in response to #27710