Security: Fix path traversal and arbitrary code execution#5059

Open

l3tchupkt wants to merge 1 commit into google:main from l3tchupkt:security-fix-path-traversal-rce

Conversation

@l3tchupkt

Description of Change

Problem:
Two security vulnerabilities exist in the ADK API server (adk api_server / adk web):

  1. Path Traversal (CWE-22): The AgentLoader._load_from_yaml_config() method in src/google/adk/cli/utils/agent_loader.py directly joins agents_dir with the user-supplied app_name parameter without validating the resolved path stays within agents_dir. This allows an attacker to use .. sequences (including URL-encoded Windows backslashes like %5C) to traverse outside the intended directory and load YAML config files from arbitrary filesystem locations.

  2. Arbitrary Code Execution (CWE-470): The resolve_fully_qualified_name() function in src/google/adk/agents/config_agent_utils.py calls importlib.import_module() on strings read directly from YAML configuration files without any allowlisting or sandboxing. Combined with the path traversal, an attacker can place a malicious Python module and trigger its execution via YAML config references like before_model_callbacks.

Solution:

  1. Path Traversal Fix: Added _validate_agent_path() method that uses Path.resolve() and Path.relative_to() to ensure the resolved agent path stays strictly within agents_dir. This works on both Unix and Windows platforms.

  2. Import Restriction Fix: Added _SAFE_MODULE_PREFIXES allowlist (frozenset({"google.adk."})) and applied security checks to:

    • resolve_fully_qualified_name()
    • _resolve_agent_code_reference()
    • resolve_code_reference()

  3. API Boundary Sanitization: Added app_name validator to RunAgentRequest Pydantic model that rejects path traversal characters (.., /, \) at the HTTP API layer before processing.

Testing Plan

Unit Tests:

  • All existing unit tests pass locally.
  • tests/unittests/cli/utils/test_agent_loader.py: 31 tests passed

Test Results:

tests/unittests/cli/utils/test_agent_loader.py::TestAgentLoader::test_agent_without_root_agent_error PASSED
tests/unittests/cli/utils/test_agent_loader.py::TestAgentLoader::test_load_agent_from_yaml_config PASSED
tests/unittests/cli/utils/test_agent_loader.py::TestAgentLoader::test_yaml_agent_caching_returns_same_instance PASSED
tests/unittests/cli/utils/test_agent_loader.py::TestAgentLoader::test_yaml_agent_invalid_yaml_error PASSED
tests/unittests/cli/utils/test_agent_loader.py::TestAgentLoader::test_load_special_agent_from_yaml_config PASSED
tests/unittests/cli/utils/test_agent_loader.py::TestAgentLoader::test_validate_agent_name_allows_valid_names PASSED
tests/unittests/cli/utils/test_agent_loader.py::TestAgentLoader::test_yaml_config_agents_dir_parameter PASSED
tests/unittests/cli/utils/test_agent_loader.py::TestAgentLoader::test_list_agents_detailed_identifies_computer_use PASSED
...
31 passed, 14 warnings in 9.92s

Manual E2E Tests:
The fixes prevent the attack chain described in the vulnerability report:

  1. Path traversal via ..\evil or ../evil in app_name is now blocked
  2. Arbitrary module imports via YAML config (e.g., attacker_pkg.run.callback) are restricted to google.adk.* namespace

Checklist

  • I have read the CONTRIBUTING.md document.
  • I have performed a self-review of my own code.
  • I have commented my code, particularly in hard-to-understand areas (see _validate_agent_path(), _is_safe_module_import(), validate_app_name()).
  • New and existing unit tests pass locally with my changes.
  • Any dependent changes have been merged and published in downstream modules (N/A - standalone security fixes).

Additional Context

CWE Classifications:

  • CWE-22: Improper Limitation of Pathname to Restricted Directory (Path Traversal)
  • CWE-470: Use of Externally-Controlled Input to Select Classes or Code

Affected Files:

  • src/google/adk/cli/utils/agent_loader.py - Added path traversal validation
  • src/google/adk/agents/config_agent_utils.py - Added import allowlist
  • src/google/adk/cli/adk_web_server.py - Added API boundary validation

Author: Lakshmikanthan K <badassletchu@gmail.com>
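The three layers described in the Solution section, written out as an added example (not the PR's own code): an API-boundary character filter on app_name, a filesystem containment check built on Path.resolve()/relative_to(), and a prefix allowlist gating importlib.import_module(). Function names, the agents directory and the sample app_name values are assumptions constructed for the example; it also shows why the two path layers are both needed, since on POSIX a backslash is an ordinary filename character that resolve() alone does not treat as a separator.

```python
import importlib
from pathlib import Path
from typing import Optional

# Allowlist mirrors the PR's _SAFE_MODULE_PREFIXES; names below are hypothetical.
SAFE_MODULE_PREFIXES = frozenset({"google.adk."})
FORBIDDEN_APP_NAME_PARTS = ("..", "/", "\\")


def validate_app_name(app_name: str) -> str:
    """API-boundary check: reject traversal characters before any filesystem use.

    This is the layer that catches '..\\evil' on POSIX, where the backslash
    would otherwise survive as part of a single path component.
    """
    if not app_name or any(p in app_name for p in FORBIDDEN_APP_NAME_PARTS):
        raise ValueError(f"invalid app_name: {app_name!r}")
    return app_name


def agent_path_is_contained(agents_dir: str, app_name: str) -> bool:
    """Filesystem-layer check: the resolved path must stay strictly under agents_dir.

    resolve() collapses '..' and follows symlinks; relative_to() raises ValueError
    when the candidate is not under the base. An absolute app_name replaces the
    base when joined, so it is rejected by the same relative_to() test.
    """
    base = Path(agents_dir).resolve()
    candidate = (base / app_name).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return False
    return candidate != base  # app_name "." would resolve to agents_dir itself


def is_safe_module_import(fqn: str) -> bool:
    """Allowlist check on a dotted name read from YAML, applied before importing."""
    return any(fqn.startswith(prefix) for prefix in SAFE_MODULE_PREFIXES)


def import_allowlisted(fqn: str):
    """Resolve 'pkg.module.attr' only if it is inside the allowlisted namespace."""
    if not is_safe_module_import(fqn):
        raise ImportError(f"module {fqn!r} is outside the allowed namespace")
    module_name, _, attr = fqn.rpartition(".")
    return getattr(importlib.import_module(module_name), attr)


def check_agent_request(agents_dir: str, app_name: str) -> Optional[str]:
    """Run both path layers in order; return the layer that rejected, or None."""
    try:
        validate_app_name(app_name)
    except ValueError:
        return "api"
    if not agent_path_is_contained(agents_dir, app_name):
        return "filesystem"
    return None
```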


Fixes two critical vulnerabilities in ADK API server:

1. Path Traversal in agent_loader.py (CWE-22):
   - Added _validate_agent_path() to ensure agent_name resolves within agents_dir
   - Prevents directory traversal using .. sequences on all platforms
   - Called before loading YAML config from filesystem

2. Arbitrary Code Execution via importlib (CWE-470):
   - Added _SAFE_MODULE_PREFIXES allowlist to config_agent_utils.py
   - Restricts resolve_fully_qualified_name() to google.adk.* namespace
   - Also secured _resolve_agent_code_reference() and resolve_code_reference()

3. API Boundary Sanitization:
   - Added app_name validation to RunAgentRequest model
   - Rejects path traversal characters at HTTP API layer

Author: Lakshmikanthan K <badassletchu@gmail.com>
rohityan self-assigned this Mar 30, 2026
rohityan added the core [Component] This issue is related to the core interface and implementation label Mar 30, 2026