fix(agents): prevent path traversal in AgentTool config_path resolution

adilburaksen · xuanyang15 · copybara-github · commit 171ae9e7bef6 · 2026-06-23T12:02:58.000-07:00
Merge #5826 ## Summary `resolve_agent_reference` in `config_agent_utils.py` accepted absolute `config_path` values unconditionally and joined relative paths without any boundary validation. An attacker-controlled `config_path` field in an agent YAML could traverse outside the intended agent directory. **Vulnerable pattern (before):** ```python if os.path.isabs(ref_config.config_path): return from_config(ref_config.config_path) # absolute accepted else: return from_config(os.path.join(agent_dir, ref_config.config_path)) # no ".." check ``` **PoC config:** ```yaml tools: - tool_class: AgentTool args: agent: config_path: "../../../../../../etc/passwd" ``` This causes `open("/etc/passwd", "r")` server-side. A `FileNotFoundError` vs `ValidationError` difference also leaks path existence. ## Fix - Reject absolute `config_path` values with `ValueError` - Normalize the joined path and verify it stays within the parent agent directory before calling `from_config` ## Related Same vulnerability exists in `adk-java` (PR: google/adk-java#...) and `adk-go` (PR: google/adk-go#...) — fix pattern is identical. Note: This is distinct from the `resolve_code_reference` RCE (different function, different field, file-read impact vs code execution). Co-authored-by: Xuan Yang <xygoogle@google.com> COPYBARA_INTEGRATE_REVIEW=#5826 from adilburaksen:fix/config-path-traversal 4630cd9 PiperOrigin-RevId: 936810988
diff --git a/src/google/adk/agents/config_agent_utils.py b/src/google/adk/agents/config_agent_utils.py
@@ -86,8 +86,8 @@ def _load_config_from_path(config_path: str) -> AgentConfig:
   """Load an agent's configuration from a YAML file.
 
   Args:
-    config_path: Path to the YAML config file. Both relative and absolute
-      paths are accepted.
+    config_path: Path to the YAML config file. Both relative and absolute paths
+      are accepted.
 
   Returns:
     The loaded and validated AgentConfig object.
@@ -124,21 +124,31 @@ def resolve_agent_reference(
   Args:
     ref_config: The agent reference configuration (AgentRefConfig).
     referencing_agent_config_abs_path: The absolute path to the agent config
-    that contains the reference.
+      that contains the reference.
 
   Returns:
     The created agent instance.
   """
   if ref_config.config_path:
     if os.path.isabs(ref_config.config_path):
-      return from_config(ref_config.config_path)
-    else:
-      return from_config(
-          os.path.join(
-              os.path.dirname(referencing_agent_config_abs_path),
-              ref_config.config_path,
-          )
+      raise ValueError(
+          "Absolute paths are not allowed in AgentRefConfig config_path:"
+          f" {ref_config.config_path!r}"
       )
+    agent_dir = os.path.dirname(referencing_agent_config_abs_path)
+    resolved_path = os.path.realpath(
+        os.path.join(agent_dir, ref_config.config_path)
+    )
+    canonical_agent_dir = os.path.realpath(agent_dir)
+    if (
+        os.path.commonpath([canonical_agent_dir, resolved_path])
+        != canonical_agent_dir
+    ):
+      raise ValueError(
+          f"Path traversal detected: config_path {ref_config.config_path!r}"
+          " resolves outside the agent directory"
+      )
+    return from_config(resolved_path)
   elif ref_config.code:
     return _resolve_agent_code_reference(ref_config.code)
   else:
diff --git a/tests/unittests/agents/test_agent_config.py b/tests/unittests/agents/test_agent_config.py
@@ -465,3 +465,24 @@ def fake_from_config(path: str):
   )
   assert result == "sentinel"
   assert recorded["path"] == expected_path
+
+
+def test_resolve_agent_reference_blocks_absolute_path():
+  """Verify resolve_agent_reference raises ValueError for absolute paths."""
+  ref_config = AgentRefConfig(config_path="/etc/passwd")
+  with pytest.raises(
+      ValueError,
+      match="Absolute paths are not allowed in AgentRefConfig config_path",
+  ):
+    config_agent_utils.resolve_agent_reference(
+        ref_config, "/workspace/main.yaml"
+    )
+
+
+def test_resolve_agent_reference_blocks_path_traversal():
+  """Verify resolve_agent_reference raises ValueError for path traversal."""
+  ref_config = AgentRefConfig(config_path="../outside.yaml")
+  with pytest.raises(ValueError, match="Path traversal detected"):
+    config_agent_utils.resolve_agent_reference(
+        ref_config, "/workspace/agents/main.yaml"
+    )
