fix(gmail): include draft id in update_draft tool schema

[tsubasakong]

Summary

• add a dedicated UpdateDraftSchema for the Gmail update_draft tool
• require id in that schema so agents can pass the draft identifier when updating
• wire UpdateDraftTool to use UpdateDraftSchema instead of CreateDraftSchema

Why

The current update_draft schema does not expose draft id input, so agent calls can fail with "Draft ID is required" even when issue context includes it.

Fixes #5916

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the Gmail update_draft tool by introducing a dedicated schema that explicitly requires a draft ID. Previously, agents encountered errors because the necessary draft identifier could not be provided, hindering the ability to update existing drafts. This update ensures proper schema validation and enables seamless draft updates, improving the robustness of Gmail integrations.

Highlights

• New Schema Definition: A new UpdateDraftSchema was introduced, extending the existing CreateDraftSchema to include a mandatory id field for specifying the draft to be updated.
• Tool Schema Update: The update_draft tool was updated to utilize the newly defined UpdateDraftSchema, ensuring that the draft identifier is always required when updating a draft.
• Bug Fix: This change resolves an issue where agents could not pass the draft ID, leading to 'Draft ID is required' errors during update operations.

Changelog

• packages/components/nodes/tools/Gmail/core.ts
  • Defined a new UpdateDraftSchema that extends CreateDraftSchema and adds a required id field for the draft.
  • Updated the update_draft tool's schema from CreateDraftSchema to the new UpdateDraftSchema.

Activity

• No specific activity or review comments have been recorded for this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request correctly addresses an issue where the update_draft tool in Gmail was missing the draft id in its schema. While the UpdateDraftSchema now includes the required id field, this field lacks validation, which could lead to a path traversal vulnerability by allowing an attacker to manipulate the API endpoint. It is recommended to add regex validation to the id field in the schema to mitigate this risk.

[gemini-code-assist]

The id field in UpdateDraftSchema is defined as a plain string without any validation or sanitization. This value is used in UpdateDraftTool._call to construct the Gmail API request URL via string concatenation: https://gmail.googleapis.com/gmail/v1/users/me/drafts/${draftId}.

An attacker (e.g., via prompt injection) could provide a malicious id containing path traversal characters like ../ to manipulate the API endpoint. For example, an id of ../../labels/LABEL_ID would cause the tool to send a PUT request to the labels endpoint instead of the drafts endpoint. While the impact is limited to the authenticated user's scope (/me/), it allows for unauthorized actions on other Gmail resources not intended for this tool.

To remediate this, add validation to the id field using a regular expression to ensure it only contains valid Gmail resource ID characters and prevent path traversal.

Suggested change

	id: z.string().describe('ID of the draft to update')
	id: z.string().regex(/^[a-zA-Z0-9_-]+$/).describe('ID of the draft to update')

[HenryHengZJ]

thanks!

[HenryHengZJ]

are you able to test if this is now working correctly?