From 1274b091d1965060d622b6f3e54e7ba5fc26e675 Mon Sep 17 00:00:00 2001 From: adilburaksen Date: Sun, 24 May 2026 00:38:09 +0300 Subject: [PATCH] fix(agents): prevent path traversal in AgentTool config_path resolution Absolute config_path values were accepted unconditionally, and relative paths were joined without boundary validation, allowing traversal outside the agent directory via "../../../etc/passwd" style inputs. Fix: reject absolute paths; for relative paths, verify the normalized result stays within the parent agent's directory before loading. --- src/google/adk/agents/config_agent_utils.py | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/src/google/adk/agents/config_agent_utils.py b/src/google/adk/agents/config_agent_utils.py index f9a3e7f594..9dc3f732f9 100644 --- a/src/google/adk/agents/config_agent_utils.py +++ b/src/google/adk/agents/config_agent_utils.py @@ -157,14 +157,21 @@ def resolve_agent_reference( """ if ref_config.config_path: if os.path.isabs(ref_config.config_path): - return from_config(ref_config.config_path) - else: - return from_config( - os.path.join( - os.path.dirname(referencing_agent_config_abs_path), - ref_config.config_path, - ) + raise ValueError( + f"Absolute paths are not allowed in AgentTool config_path:" + f" {ref_config.config_path!r}" ) + agent_dir = os.path.dirname(referencing_agent_config_abs_path) + resolved_path = os.path.normpath( + os.path.join(agent_dir, ref_config.config_path) + ) + canonical_agent_dir = os.path.normpath(agent_dir) + if not resolved_path.startswith(canonical_agent_dir + os.sep): + raise ValueError( + f"Path traversal detected: config_path {ref_config.config_path!r}" + " resolves outside the agent directory" + ) + return from_config(resolved_path) elif ref_config.code: return _resolve_agent_code_reference(ref_config.code) else: