Security: Fix path traversal and arbitrary code execution#5059
l3tchupkt wants to merge 4 commits into google:main from
Conversation
Fixes two critical vulnerabilities in ADK API server:

1. Path Traversal in agent_loader.py (CWE-22):
   - Added _validate_agent_path() to ensure agent_name resolves within agents_dir
   - Prevents directory traversal using .. sequences on all platforms
   - Called before loading YAML config from filesystem
2. Arbitrary Code Execution via importlib (CWE-470):
   - Added _SAFE_MODULE_PREFIXES allowlist to config_agent_utils.py
   - Restricts resolve_fully_qualified_name() to google.adk.* namespace
   - Also secured _resolve_agent_code_reference() and resolve_code_reference()
3. API Boundary Sanitization:
   - Added app_name validation to RunAgentRequest model
   - Rejects path traversal characters at HTTP API layer

Author: Lakshmikanthan K <badassletchu@gmail.com>
Hi @l3tchupkt, thank you for your contribution! We appreciate you taking the time to submit this pull request. Can you please fix the failing mypy-diff tests and formatting errors?
Resolved pyink, isort, and mypy violations while tightening path traversal and RCE validation. Added comprehensive security test suite with 48 passing cases.
Hi @rohityan, thanks for the feedback. I have pushed an update fixing the CI issues and improving the security fixes. Formatting, import ordering and typing issues are resolved. No new mypy errors are introduced. Path traversal checks are now stricter and input validation for app_name is enforced. Dynamic import handling is hardened with stricter allowlist validation and rejection of malformed module paths. I also added a security test suite with 48 test cases covering traversal payloads, module spoofing and edge cases. All tests pass locally. Please let me know if anything else is needed.
Description of Change
Problem:
Two security vulnerabilities exist in the ADK API server (`adk api_server` / `adk web`):

Path Traversal (CWE-22): The `AgentLoader._load_from_yaml_config()` method in `src/google/adk/cli/utils/agent_loader.py` directly joins `agents_dir` with the user-supplied `app_name` parameter without validating that the resolved path stays within `agents_dir`. This allows an attacker to use `..` sequences (including URL-encoded Windows backslashes like `%5C`) to traverse outside the intended directory and load YAML config files from arbitrary filesystem locations.

Arbitrary Code Execution (CWE-470): The `resolve_fully_qualified_name()` function in `src/google/adk/agents/config_agent_utils.py` calls `importlib.import_module()` on strings read directly from YAML configuration files without any allowlisting or sandboxing. Combined with the path traversal, an attacker can place a malicious Python module and trigger its execution via YAML config references like `before_model_callbacks`.

Solution:

Path Traversal Fix: Added `_validate_agent_path()` method that uses `Path.resolve()` and `Path.relative_to()` to ensure the resolved agent path stays strictly within `agents_dir`. This works on both Unix and Windows platforms.

Import Restriction Fix: Added `_SAFE_MODULE_PREFIXES` allowlist (`frozenset({"google.adk."})`) and applied security checks to:

API Boundary Sanitization: Added `app_name` validator to `RunAgentRequest` Pydantic model that rejects path traversal characters (`..`, `/`, `\`) at the HTTP API layer before processing.

Testing Plan
Unit Tests:
Test Results:
Manual E2E Tests:
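To make the three layers described under Solution concrete, here is an added stand-alone example (not the PR's code; function names, the regex and the behaviour on an empty name are assumptions) that reproduces the HTTP-layer `app_name` check, the `Path.resolve()`/`relative_to()` containment check, and the `google.adk.` allowlist check in plain Python:

```python
import re
from pathlib import Path

# Same value as the PR's _SAFE_MODULE_PREFIXES; the name here is assumed.
SAFE_MODULE_PREFIXES = frozenset({"google.adk."})

# Assumed shape for a dotted module path: identifiers separated by single dots.
# Rejects empty segments ("a..b"), leading dots and anything that is not an identifier.
_MODULE_PATH_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)+$")


def validate_app_name(app_name: str) -> str:
    """API-boundary check (mirrors the RunAgentRequest validator): refuse traversal
    characters before the value reaches any filesystem code. The backslash check
    matters on POSIX too, where '..\\evil' is a single odd filename that the
    path check below would otherwise accept."""
    if not app_name or ".." in app_name or "/" in app_name or "\\" in app_name:
        raise ValueError(f"invalid app_name: {app_name!r}")
    return app_name


def validate_agent_path(agents_dir: Path, agent_name: str) -> Path:
    """Filesystem check (mirrors _validate_agent_path): the resolved candidate must
    be strictly inside the resolved agents_dir. resolve() normalises '..' and follows
    symlinks, so a symlinked agent directory pointing outside agents_dir is rejected
    as well. Works with nonexistent paths (non-strict resolve)."""
    base = agents_dir.resolve()
    candidate = (base / agent_name).resolve()
    try:
        rel = candidate.relative_to(base)
    except ValueError as exc:
        raise ValueError(f"agent path escapes agents_dir: {agent_name!r}") from exc
    if rel == Path("."):  # '' or '.' resolves to agents_dir itself; require a subdir
        raise ValueError("agent path must name a subdirectory of agents_dir")
    return candidate


def is_allowed_module_path(dotted: str) -> bool:
    """Allowlist check applied before importlib.import_module(): the string must be a
    well-formed dotted path AND start with an allowed prefix. Note that 'google.adk'
    alone is not allowed because the prefix includes the trailing dot."""
    if not _MODULE_PATH_RE.match(dotted):
        return False
    return any(dotted.startswith(prefix) for prefix in SAFE_MODULE_PREFIXES)
```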
The fixes prevent the attack chain described in the vulnerability report:
- `..\evil` or `../evil` in `app_name` is now blocked
- Dynamic imports (e.g. `attacker_pkg.run.callback`) are restricted to the `google.adk.*` namespace

Checklist
Additional Context
CWE Classifications:
Affected Files:
Author: Lakshmikanthan K badassletchu@gmail.com