fix(security): add class loading allowlist to prevent arbitrary code execution from YAML configs

Add package-level allowlist validation for all dynamic class loading
paths in ToolResolver and ComponentRegistry to prevent arbitrary class
instantiation via malicious YAML agent configurations.

Vulnerability (Java equivalent of CVE-2026-4810):
ToolResolver.resolveToolFromClass(), resolveToolsetFromClass(),
resolveInstanceViaReflection(), and resolveToolsetInstanceViaReflection()
all call Thread.currentThread().getContextClassLoader().loadClass()
with class names directly from YAML config, with no validation on
which packages can be loaded. An attacker can specify any class on
the classpath (e.g., java.lang.Runtime, java.lang.ProcessBuilder)
to achieve arbitrary code execution.

Fix:
1. Add ALLOWED_CLASS_PREFIXES allowlist (com.google.adk., google.adk.)
   to restrict dynamic class loading to trusted ADK packages only
2. Add isAllowedClassForLoading() validation before every loadClass() call
3. Remove dangerous setAccessible(true) that bypasses access controls
4. Log blocked attempts at WARN level for security monitoring

Author: Ashutosh0x

core/src/main/java/com/google/adk/agents/ToolResolver.java

@@ -25,6 +25,7 @@
 import com.google.adk.tools.BaseToolset;
 import com.google.adk.utils.ComponentRegistry;
 import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableSet;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.Field;
 import java.lang.reflect.InvocationTargetException;
@@ -41,6 +42,35 @@ final class ToolResolver {
 
   private static final Logger logger = LoggerFactory.getLogger(LlmAgent.class);
 
+  /**
+   * Allowlist of trusted package prefixes for dynamic class loading from YAML configs.
+   *
+   * <p>Security: Only classes from these packages can be loaded via reflection when specified in
+   * YAML agent configurations. This prevents arbitrary class loading attacks where a malicious YAML
+   * config could specify dangerous classes (e.g., Runtime, ProcessBuilder) to achieve code
+   * execution. This is the Java equivalent of CVE-2026-4810 in adk-python.
+   */
+  private static final ImmutableSet<String> ALLOWED_CLASS_PREFIXES =
+      ImmutableSet.of("com.google.adk.", "google.adk.");
+
+  /**
+   * Validates that a class name is from an allowed package before dynamic loading.
+   *
+   * @param className the fully qualified class name to validate
+   * @return true if the class is from an allowed package
+   */
+  static boolean isAllowedClassForLoading(String className) {
+    if (isNullOrEmpty(className)) {
+      return false;
+    }
+    for (String prefix : ALLOWED_CLASS_PREFIXES) {
+      if (className.startsWith(prefix)) {
+        return true;
+      }
+    }
+    return false;
+  }
+
   private ToolResolver() {}
 
   /**
@@ -270,6 +300,11 @@ static BaseToolset resolveToolsetFromClass(
     if (toolsetClassOpt.isPresent()) {
       toolsetClass = toolsetClassOpt.get();
     } else if (isJavaQualifiedName(className)) {
+      // Security: Only allow class loading from trusted ADK packages
+      if (!isAllowedClassForLoading(className)) {
+        logger.warn("Blocked dynamic class loading from untrusted package: {}", className);
+        return null;
+      }
       // Try reflection to get class
       try {
         Class<?> clazz = Thread.currentThread().getContextClassLoader().loadClass(className);
@@ -345,6 +380,12 @@ static BaseToolset resolveToolsetInstanceViaReflection(String toolsetName)
     String className = toolsetName.substring(0, lastDotIndex);
     String fieldName = toolsetName.substring(lastDotIndex + 1);
 
+    // Security: Only allow class loading from trusted ADK packages
+    if (!isAllowedClassForLoading(className)) {
+      logger.warn("Blocked dynamic class loading from untrusted package: {}", className);
+      return null;
+    }
+
     Class<?> clazz = Thread.currentThread().getContextClassLoader().loadClass(className);
 
     try {
@@ -395,6 +436,11 @@ static BaseTool resolveToolFromClass(String className, ToolArgsConfig args, Stri
     if (classOpt.isPresent()) {
       toolClass = classOpt.get();
     } else if (isJavaQualifiedName(className)) {
+      // Security: Only allow class loading from trusted ADK packages
+      if (!isAllowedClassForLoading(className)) {
+        logger.warn("Blocked dynamic class loading from untrusted package: {}", className);
+        return null;
+      }
       // Try reflection to get class
       try {
         Class<?> clazz = Thread.currentThread().getContextClassLoader().loadClass(className);
@@ -435,7 +481,8 @@ static BaseTool resolveToolFromClass(String className, ToolArgsConfig args, Stri
     // No args provided or empty args, try default constructor
     try {
       Constructor<? extends BaseTool> constructor = toolClass.getDeclaredConstructor();
-      constructor.setAccessible(true);
+      // Security: Do not call setAccessible(true) — only use public constructors
+      // to prevent bypassing access controls on non-public classes.
       return constructor.newInstance();
     } catch (NoSuchMethodException e) {
       throw new ConfigurationException(
@@ -491,6 +538,12 @@ static BaseTool resolveInstanceViaReflection(String toolName)
     String className = toolName.substring(0, lastDotIndex);
     String fieldName = toolName.substring(lastDotIndex + 1);
 
+    // Security: Only allow class loading from trusted ADK packages
+    if (!isAllowedClassForLoading(className)) {
+      logger.warn("Blocked dynamic class loading from untrusted package: {}", className);
+      return null;
+    }
+
     Class<?> clazz = Thread.currentThread().getContextClassLoader().loadClass(className);
 
     try {

core/src/main/java/com/google/adk/utils/ComponentRegistry.java

@@ -437,7 +437,33 @@ private static <T> Optional<Class<? extends T>> getType(String name, Class<T> ty
         .map(clazz -> clazz.asSubclass(type));
   }
 
+  /**
+   * Allowlist of trusted package prefixes for dynamic class loading.
+   *
+   * <p>Security: Only classes from these packages can be loaded via reflection when specified in
+   * YAML agent configurations. This prevents arbitrary class loading attacks (CVE-2026-4810).
+   */
+  private static final Set<String> ALLOWED_CLASS_PREFIXES =
+      Set.of("com.google.adk.", "google.adk.");
+
+  private static boolean isAllowedClassForLoading(String className) {
+    if (isNullOrEmpty(className)) {
+      return false;
+    }
+    for (String prefix : ALLOWED_CLASS_PREFIXES) {
+      if (className.startsWith(prefix)) {
+        return true;
+      }
+    }
+    return false;
+  }
+
   private static Optional<Class<? extends BaseToolset>> loadToolsetClass(String className) {
+    // Security: Only allow class loading from trusted ADK packages
+    if (!isAllowedClassForLoading(className)) {
+      logger.warn("Blocked dynamic class loading from untrusted package: {}", className);
+      return Optional.empty();
+    }
     try {
       Class<?> clazz = Thread.currentThread().getContextClassLoader().loadClass(className);
       if (BaseToolset.class.isAssignableFrom(clazz)) {

core/src/test/java/com/google/adk/agents/ToolResolverTest.java

@@ -149,7 +149,7 @@ public void testResolveToolsetInstanceViaReflection_fieldNotFound_returnsNull()
 
   @Test
   public void testResolveToolsetInstanceViaReflection_classNotFound_throwsException() {
-    String toolsetName = "com.nonexistent.package.NonExistentClass.FIELD";
+    String toolsetName = "com.google.adk.nonexistent.NonExistentClass.FIELD";
 
     assertThrows(
         ClassNotFoundException.class,
@@ -194,7 +194,7 @@ public void testResolveInstanceViaReflection_fieldNotFound_returnsNull() throws
 
   @Test
   public void testResolveInstanceViaReflection_classNotFound_throwsException() {
-    String toolName = "com.nonexistent.package.NonExistentClass.FIELD";
+    String toolName = "com.google.adk.nonexistent.NonExistentClass.FIELD";
 
     assertThrows(
         ClassNotFoundException.class, () -> ToolResolver.resolveInstanceViaReflection(toolName));