fix(skills): prevent path traversal in LocalSkillSource via normalize + boundary check

[herdiyana256]

Summary

LoadSkillResourceTool validates resourcePath with a string prefix check
(startsWith("references/"), startsWith("assets/"), startsWith("scripts/")),
but this check is trivially bypassed:
"references/../../../../etc/passwd".startsWith("references/") == true // bypassed!

LocalSkillSource.findResourcePath() then resolves the raw path against
skillsBasePath without calling Path.normalize() or asserting a boundary,
so the OS resolves .. components at Files.exists() time — resulting in
arbitrary file reads outside skillsBasePath.

The same issue exists in listResources() for the resourceDirectory parameter.

Fix

In LocalSkillSource.findResourcePath() and listResources():

1. Call .normalize() on the resolved path
2. Assert file.startsWith(base) — reject if the resolved path escapes the skill directory

The correct enforcement point is the filesystem layer after resolution,
not a string prefix check on raw user input.

Files Changed

• core/src/main/java/com/google/adk/skills/LocalSkillSource.java
  • findResourcePath(): normalize + boundary check
  • listResources(): normalize + boundary check on resourceDirectory

Testing

# Path traversal is now blocked:
# "references/../../../../etc/passwd" → SkillSourceException: Path traversal detected

javac PathTraversalPoC.java && java PathTraversalPoC
# [ESCAPE] Escapes skillsBasePath: true  ← without fix
# After fix: Single.error(SkillSourceException) returned before Files.exists()

References
: CWE-22: Improper Limitation of a Pathname to a Restricted Directory
: Related VRP: Issue 528977579