fix(agents): prevent path traversal in AgentTool config_path resolution

[adilburaksen]

Summary

resolve_agent_reference in config_agent_utils.py accepted absolute config_path values unconditionally and joined relative paths without any boundary validation. An attacker-controlled config_path field in an agent YAML could traverse outside the intended agent directory.

Vulnerable pattern (before):

if os.path.isabs(ref_config.config_path):
    return from_config(ref_config.config_path)   # absolute accepted
else:
    return from_config(os.path.join(agent_dir, ref_config.config_path))  # no ".." check

PoC config:

tools:
  - tool_class: AgentTool
    args:
      agent:
        config_path: "../../../../../../etc/passwd"

This causes open("/etc/passwd", "r") server-side. A FileNotFoundError vs ValidationError difference also leaks path existence.

Fix

• Reject absolute config_path values with ValueError
• Normalize the joined path and verify it stays within the parent agent directory before calling from_config

Related

Same vulnerability exists in adk-java (PR: google/adk-java#...) and adk-go (PR: google/adk-go#...) — fix pattern is identical.

Note: This is distinct from the resolve_code_reference RCE (different function, different field, file-read impact vs code execution).

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[adk-bot]

Response from ADK Triaging Agent

Hello @adilburaksen, thank you for creating this PR!

We really appreciate your contribution to fixing this path traversal vulnerability. However, it looks like this PR is currently not fully following our Contribution Guidelines.

Could you please address the following items:

1. Sign the Contributor License Agreement (CLA): It seems the CLA check has failed. Please visit https://cla.developers.google.com/ to sign the Google CLA.
2. Add Unit Tests: Since this is a bug fix, please add or update unit tests under tests/unittests/ (using pytest) to verify this new behavior and prevent future regressions.
3. Provide a Testing Plan: Please include a testing plan section in your PR description detailing how you verified these changes.
4. Provide Logs/E2E Verification: Please provide logs or command outputs demonstrating the fix working as expected (e.g. showing the ValueError raised during path traversal attempts).

Once these items are addressed, it will be much easier and faster for our reviewers to evaluate your PR. Thank you!

[adilburaksen]

I have read the CLA Documents and I hereby sign the CLA.