Skip to content

fix(agents): warn when AgentTool config_path escapes agent base directory#1218

Merged
copybara-service[bot] merged 1 commit into
google:mainfrom
adilburaksen:fix/config-path-traversal
Jul 10, 2026
Merged

fix(agents): warn when AgentTool config_path escapes agent base directory#1218
copybara-service[bot] merged 1 commit into
google:mainfrom
adilburaksen:fix/config-path-traversal

Conversation

@adilburaksen

@adilburaksen adilburaksen commented May 23, 2026

Copy link
Copy Markdown
Contributor

Summary

resolveSubAgentFromConfigPath in ConfigAgentUtils.java resolves a sub-agent
config_path from an agent YAML. Absolute paths and relative paths containing .. are
resolved as-is, so a config_path can point outside the agent's base directory without any
signal that this is happening.

Per maintainer guidance, blocking these paths outright is a breaking change (existing tools
legitimately rely on absolute / parent-relative config_path values), so this PR keeps the
current behavior and adds an observable warning ahead of stricter enforcement in a future
major release.

Change

  • Preserve backward-compatible resolution — absolute config_path values and relative
    paths containing .. are still honored.

  • Log a WARN deprecation notice when the resolved path escapes the agent's base
    directory:

    AgentTool config_path '{}' accesses a path outside the agent base directory; this
    behavior is deprecated and will be disallowed in a future release.
    

Tests

ConfigAgentUtilsTest (50/50 passing):

  • Absolute config_path still resolves successfully (backward compatibility).
  • Relative config_path with .. that escapes the base directory still resolves
    successfully and triggers the deprecation warning.
  • In-bounds relative and in-bounds .. paths continue to resolve.

Related

Same code path exists in adk-python (google/adk-python#5826) and adk-go.

@google-cla

google-cla Bot commented May 23, 2026

Copy link
Copy Markdown

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@adilburaksen

Copy link
Copy Markdown
Contributor Author

I have read the CLA Documents and I hereby sign the CLA.

@adilburaksen adilburaksen force-pushed the fix/config-path-traversal branch from 4421e80 to 6e306c8 Compare May 23, 2026 21:47
@hemasekhar-p hemasekhar-p self-assigned this Jun 2, 2026
@hemasekhar-p

Copy link
Copy Markdown
Contributor

Hi @adilburaksen, thank you for your contribution! We appreciate you taking the time to submit this pull request. Could you please include the corresponding unit tests to verify your changes?

@hemasekhar-p hemasekhar-p added the waiting on reporter Waiting for reaction by reporter. Failing that, maintainers will eventually closed it as stale. label Jun 2, 2026
@adilburaksen

Copy link
Copy Markdown
Contributor Author

Thanks for the review! I've added unit tests in ConfigAgentUtilsTest covering the change: an absolute config_path is rejected, a .. path that escapes the agent directory is rejected (with a real file present outside the dir to prove rejection happens before any read), a normal in-bounds relative path resolves successfully, and a .. that normalizes back inside the directory is still accepted (confirming the check is on the normalized path, not a naive substring). All pass locally (Tests run: 50, Failures: 0). Pushed as f077057.

@hemasekhar-p

Copy link
Copy Markdown
Contributor

Thank you for your response. please ensure your PR consists of a single commit. Could you please change your commits accordingly?

@hemasekhar-p hemasekhar-p added waiting on reporter Waiting for reaction by reporter. Failing that, maintainers will eventually closed it as stale. and removed waiting on reporter Waiting for reaction by reporter. Failing that, maintainers will eventually closed it as stale. labels Jun 2, 2026
@adilburaksen adilburaksen force-pushed the fix/config-path-traversal branch from f077057 to f10eceb Compare June 2, 2026 13:43
@adilburaksen

Copy link
Copy Markdown
Contributor Author

Done — squashed into a single commit (f10eceb) containing both the fix and the tests. Thanks!

@hemasekhar-p

Copy link
Copy Markdown
Contributor

Thank you for the updates @adilburaksen. Currently this PR is under review by our team, we will keep you posted if any additional information is required. thank you.

@hemasekhar-p

Copy link
Copy Markdown
Contributor

@sherryfox, Could you please review this PR.

@hemasekhar-p hemasekhar-p added needs review and removed waiting on reporter Waiting for reaction by reporter. Failing that, maintainers will eventually closed it as stale. labels Jun 3, 2026
@adilburaksen

Copy link
Copy Markdown
Contributor Author

Gentle follow-up on this one. It's been about two weeks since it went into team review (Jun 3, routed to @sherryfox) — CI is green, CLA is signed, and it's squashed to a single commit. It's a small, self-contained path-traversal fix in resolve_agent_reference (config_path is accepted as an absolute path / with .. and never bounded to the agent dir). Happy to address anything if a re-look surfaces changes. Thanks for your time!

@adilburaksen

Copy link
Copy Markdown
Contributor Author

Gentle ping for review. This is the Java side of the AgentTool config_path path-traversal fix (the Python fix already merged via #5826); it adds boundary validation in ConfigAgentUtils so absolute paths and .. escapes outside the parent agent directory are rejected, with tests. The Google OSS VRP report tracking this is waiting on the repo fixes to land, so a review here would help close it out. Happy to rebase or adjust — thanks!

@MiloszSobczyk MiloszSobczyk self-requested a review July 7, 2026 11:59
@MiloszSobczyk

Copy link
Copy Markdown
Member

Thank you for your response @adilburaksen . Could you please ensure your PR consists of a single commit?

@adilburaksen adilburaksen force-pushed the fix/config-path-traversal branch from 246195b to 644299f Compare July 7, 2026 12:12
@adilburaksen

Copy link
Copy Markdown
Contributor Author

Done — squashed to a single commit (644299f). It rebases the config_path boundary-validation fix + tests onto current main with the merge commit removed, so the PR is now one clean commit. Thanks @MiloszSobczyk!

@MiloszSobczyk

MiloszSobczyk commented Jul 9, 2026

Copy link
Copy Markdown
Member

Hello @adilburaksen, after internal discussion we decided we cannot move forward with provided implementation, since it is a breaking change and could break tools that already operate using absolute paths or ...

Could you bring back the previous functionality and add logging when path outside the agent base directory is detected?

logger.error(
          "AgentTool config_path '{}' accesses a path outside the agent base directory; this"
              + " behavior is deprecated and will be disallowed in a future release.",
          configPath);

We will proceed with your initial implementation in the next major release. Thank you for your contribution!

@adilburaksen adilburaksen force-pushed the fix/config-path-traversal branch from 644299f to 14aa069 Compare July 9, 2026 09:15
@adilburaksen

Copy link
Copy Markdown
Contributor Author

Thanks @MiloszSobczyk, that makes sense. I've reworked the PR accordingly:

  • Restored the previous resolution behavior — absolute paths and relative paths containing .. are honored again, so existing tools keep working.
  • Added the deprecation warning you suggested when the resolved path escapes the agent base directory:
logger.error(
    "AgentTool config_path '{}' accesses a path outside the agent base directory; this"
        + " behavior is deprecated and will be disallowed in a future release.",
    configPath);
  • Updated the tests: the two containment cases now assert that absolute / .. config paths still resolve successfully (backward compatibility), alongside the existing in-bounds cases. Full ConfigAgentUtilsTest passes (50/50).

Still a single commit (14aa0699). Happy to adjust the log level or wording if you'd prefer a warn instead of error. Looking forward to the stricter enforcement in the next major release.

@MiloszSobczyk

Copy link
Copy Markdown
Member

@adilburaksen Thanks for the change. You are right in saying that warn level log would be better suited here. Please adjust the code.

…tory

Preserve the existing behavior of resolving absolute and relative (including
`..`) AgentTool config_path values, but log a deprecation warning when the
resolved path escapes the agent's base directory. This keeps backward
compatibility for tools that rely on absolute or parent-relative paths while
surfacing the risky access pattern ahead of disallowing it in a future release.
@adilburaksen adilburaksen force-pushed the fix/config-path-traversal branch from 14aa069 to 7a4113e Compare July 9, 2026 09:20
@adilburaksen

Copy link
Copy Markdown
Contributor Author

Done — switched the log to logger.warn (commit 7a4113e0, still a single commit). ConfigAgentUtilsTest still passes 50/50. Thanks!

@MiloszSobczyk

Copy link
Copy Markdown
Member

Summary

resolveSubAgentFromConfigPath in ConfigAgentUtils.java accepted absolute configPath values unconditionally and resolved relative paths without boundary validation. An attacker-controlled config_path field in an agent YAML could read arbitrary files.

Vulnerable pattern (before):

if (Path.of(configPath).isAbsolute()) {
    subAgentConfigPath = Path.of(configPath);   // absolute accepted
} else {
    subAgentConfigPath = configDir.resolve(configPath);  // no ".." check
}

Fix

  • Reject absolute configPath values with ConfigurationException
  • Normalize the resolved path and verify it stays within configDir before loading

Related

Same vulnerability exists in adk-python (PR: google/adk-python#5826) and adk-go — fix pattern is identical across all three SDKs.

@adilburaksen Could you update the description for the PR?

@adilburaksen adilburaksen changed the title fix(agents): prevent path traversal in AgentTool config_path resolution fix(agents): warn when AgentTool config_path escapes agent base directory Jul 9, 2026
@adilburaksen

Copy link
Copy Markdown
Contributor Author

Done — updated the title and description to reflect the current warn-on-escape behavior (backward-compatible resolution preserved, deprecation warning added), so it now matches the implementation. Thanks @MiloszSobczyk!

@copybara-service copybara-service Bot merged commit 08f4fdc into google:main Jul 10, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants