fix(agents): prevent path traversal in AgentTool config_path resolution

[adilburaksen]

Summary

resolve_agent_reference in config_agent_utils.py accepted absolute config_path values unconditionally and joined relative paths without any boundary validation. An attacker-controlled config_path field in an agent YAML could traverse outside the intended agent directory.

Vulnerable pattern (before):

if os.path.isabs(ref_config.config_path):
    return from_config(ref_config.config_path)   # absolute accepted
else:
    return from_config(os.path.join(agent_dir, ref_config.config_path))  # no ".." check

PoC config:

tools:
  - tool_class: AgentTool
    args:
      agent:
        config_path: "../../../../../../etc/passwd"

This causes open("/etc/passwd", "r") server-side. A FileNotFoundError vs ValidationError difference also leaks path existence.

Fix

• Reject absolute config_path values with ValueError
• Normalize the joined path and verify it stays within the parent agent directory before calling from_config

Related

Same vulnerability exists in adk-java (PR: google/adk-java#...) and adk-go (PR: google/adk-go#...) — fix pattern is identical.

Note: This is distinct from the resolve_code_reference RCE (different function, different field, file-read impact vs code execution).

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[adk-bot]

Response from ADK Triaging Agent

Hello @adilburaksen, thank you for creating this PR!

We really appreciate your contribution to fixing this path traversal vulnerability. However, it looks like this PR is currently not fully following our Contribution Guidelines.

Could you please address the following items:

1. Sign the Contributor License Agreement (CLA): It seems the CLA check has failed. Please visit https://cla.developers.google.com/ to sign the Google CLA.
2. Add Unit Tests: Since this is a bug fix, please add or update unit tests under tests/unittests/ (using pytest) to verify this new behavior and prevent future regressions.
3. Provide a Testing Plan: Please include a testing plan section in your PR description detailing how you verified these changes.
4. Provide Logs/E2E Verification: Please provide logs or command outputs demonstrating the fix working as expected (e.g. showing the ValueError raised during path traversal attempts).

Once these items are addressed, it will be much easier and faster for our reviewers to evaluate your PR. Thank you!

[adilburaksen]

I have read the CLA Documents and I hereby sign the CLA.

[rohityan]

Hi @adilburaksen , Thank you for your contribution! We appreciate you taking the time to submit this pull request. Can you please fix the failing unit tests before we can proceed with the review.

[adilburaksen]

Fixed the failing tests and pre-commit issues in the latest commit (8be0661):

• Test failure: test_resolve_agent_reference_uses_windows_dirname was failing because the traversal boundary check used os.sep (always / on Linux) instead of os.path.sep. The test patches os.path with ntpath, so os.path.sep correctly returns \\ for Windows path comparisons while os.sep remained /, causing the startswith check to fail on valid Windows-style paths.

• Pre-commit: fixed end-of-file newlines, trailing whitespace, and isort import ordering from upstream merge.

[rohityan]

Hi @wyf7107 , can you please review this.

[adilburaksen]

@wyf7107 — would you be able to take a look at this small security fix when you have a moment?

It adds a path-boundary check to AgentTool config_path resolution in resolve_agent_reference (config_agent_utils.py), which currently accepts absolute paths unconditionally and never validates that a relative config_path stays within the parent agent directory → arbitrary file read from an attacker-supplied agent YAML. This mirrors the validation already applied to the artifact-service path in commit cbcb5e6.

A couple of related small security PRs are open if it's easier to review the class together: #5615 (path boundary for the built-in agent file tools / resolve_file_path). Happy to rebase or switch to whatever path-validation helper you prefer.

[adilburaksen]

@wukath friendly ping — this one's been green and waiting for review for a couple of weeks. It's a small path-traversal fix in resolve_agent_reference (an absolute or .. config_path isn't bounded to the agent dir, so it can read files outside it). Mind taking a look or routing it to the right reviewer? Happy to adjust anything.

[adk-bot]

Thank you @adilburaksen for your contribution! 🎉

Your changes have been successfully imported and merged via Copybara in commit 171ae9e.

Closing this PR as the changes are now in the main branch.