fix(agents): prevent path traversal in AgentTool config_path resolution

Absolute config_path values were accepted unconditionally, and relative
paths were joined without boundary validation, allowing traversal outside
the agent directory via "../../../etc/passwd" style inputs.

Fix: reject absolute paths; for relative paths, verify the normalized
result stays within the parent agent's directory before loading.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: adilburaksen

src/google/adk/agents/config_agent_utils.py

@@ -157,14 +157,21 @@ def resolve_agent_reference(
   """
   if ref_config.config_path:
     if os.path.isabs(ref_config.config_path):
-      return from_config(ref_config.config_path)
-    else:
-      return from_config(
-          os.path.join(
-              os.path.dirname(referencing_agent_config_abs_path),
-              ref_config.config_path,
-          )
+      raise ValueError(
+          f"Absolute paths are not allowed in AgentTool config_path:"
+          f" {ref_config.config_path!r}"
       )
+    agent_dir = os.path.dirname(referencing_agent_config_abs_path)
+    resolved_path = os.path.normpath(
+        os.path.join(agent_dir, ref_config.config_path)
+    )
+    canonical_agent_dir = os.path.normpath(agent_dir)
+    if not resolved_path.startswith(canonical_agent_dir + os.sep):
+      raise ValueError(
+          f"Path traversal detected: config_path {ref_config.config_path!r}"
+          " resolves outside the agent directory"
+      )
+    return from_config(resolved_path)
   elif ref_config.code:
     return _resolve_agent_code_reference(ref_config.code)
   else: