fix(agents): prevent path traversal in AgentTool config_path resolution

adilburaksen · adilburaksen · commit 6e306c8954b5 · 2026-05-24T00:47:04.000+03:00
Absolute config_path values were accepted unconditionally, and relative
paths were joined without boundary validation, allowing traversal outside
the agent directory via "../../../etc/passwd" style inputs.

Fix: reject absolute paths; normalize and verify the resolved path stays
within the parent agent's directory before loading.
diff --git a/core/src/main/java/com/google/adk/agents/ConfigAgentUtils.java b/core/src/main/java/com/google/adk/agents/ConfigAgentUtils.java
@@ -247,12 +247,18 @@ private static BaseAgent resolveSubAgentFromConfigPath(
       BaseAgentConfig.AgentRefConfig subAgentConfig, Path configDir) throws ConfigurationException {
 
     String configPath = subAgentConfig.configPath().trim();
-    Path subAgentConfigPath;
 
     if (Path.of(configPath).isAbsolute()) {
-      subAgentConfigPath = Path.of(configPath);
-    } else {
-      subAgentConfigPath = configDir.resolve(configPath);
+      throw new ConfigurationException(
+          "Absolute paths are not allowed in AgentTool config_path: " + configPath);
+    }
+
+    Path subAgentConfigPath = configDir.resolve(configPath).normalize().toAbsolutePath();
+    Path canonicalConfigDir = configDir.normalize().toAbsolutePath();
+
+    if (!subAgentConfigPath.startsWith(canonicalConfigDir)) {
+      throw new ConfigurationException(
+          "Path traversal detected: config_path resolves outside agent directory: " + configPath);
     }
 
     if (!Files.exists(subAgentConfigPath)) {
