From 16126d6244686b3eda1c8d3adad90fc59995e950 Mon Sep 17 00:00:00 2001 From: Martin Brodeur Date: Mon, 4 May 2026 12:15:24 -0400 Subject: [PATCH] fix: add path traversal validation to Documents get/delete Add _validate_resource_name() guard to block '..' in resource names for Documents.get(), Documents.delete(), AsyncDocuments.get(), and AsyncDocuments.delete() operations. Fixes Google VRP report 503098362. --- google/genai/documents.py | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/google/genai/documents.py b/google/genai/documents.py index d542fea52..7e016ac71 100644 --- a/google/genai/documents.py +++ b/google/genai/documents.py @@ -13,6 +13,13 @@ # limitations under the License. # + +def _validate_resource_name(name: str) -> None: + if '..' in name: + raise ValueError( + f'Invalid resource name {name!r}: must not contain path traversal sequences' + ) + # Code generated by the Google Gen AI SDK generator DO NOT EDIT. from functools import partial @@ -156,6 +163,7 @@ def get( request_dict = _GetDocumentParameters_to_mldev(parameter_model) request_url_dict = request_dict.get('_url') if request_url_dict: + _validate_resource_name(request_url_dict.get('name', '')) path = '{name}'.format_map(request_url_dict) else: path = '{name}' @@ -233,6 +241,7 @@ def delete( request_dict = _DeleteDocumentParameters_to_mldev(parameter_model) request_url_dict = request_dict.get('_url') if request_url_dict: + _validate_resource_name(request_url_dict.get('name', '')) path = '{name}'.format_map(request_url_dict) else: path = '{name}' @@ -384,6 +393,7 @@ async def get( request_dict = _GetDocumentParameters_to_mldev(parameter_model) request_url_dict = request_dict.get('_url') if request_url_dict: + _validate_resource_name(request_url_dict.get('name', '')) path = '{name}'.format_map(request_url_dict) else: path = '{name}' 
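Review bot: The check in `_validate_resource_name` is a substring denylist for `'..'` only, so it does not cover other characters that change how the formatted path is interpreted (`?`, `#`, a backslash, or percent-encoded dots if anything downstream decodes the path), and it also rejects harmless names that merely contain two consecutive dots. Validating against the expected shape of a document resource name would be tighter; the exact pattern has to come from the API's resource-name format, which is not visible in this hunk. The helper sits above the `# Code generated by the Google Gen AI SDK generator DO NOT EDIT.` marker and ahead of the imports, so regenerating this file may drop it unless the generator template carries the same change. It also lacks a docstring; something like `"""Raise ValueError if name contains a '..' sequence; called before the name is formatted into the request path."""` would state the contract.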
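Review bot: The guard in `get()` is pasted by hand at the call site, and the same line is repeated in `delete()`, `AsyncDocuments.get()` and `AsyncDocuments.delete()` (the three later hunks), so any other method that formats a caller-supplied value into `path` stays unchecked unless someone remembers to add the call. Moving the check to the place where the request path is built, or into the generator template, would cover new methods by default. `request_url_dict.get('name', '')` also assumes the value is a string: if `None` can reach this point, `'..' in name` raises `TypeError` rather than the intended `ValueError`, so an `isinstance(name, str)` check inside the helper may be worth adding. The diffstat shows only `documents.py` changed, so a regression test asserting that a name containing `..` raises `ValueError` in all four methods is missing. The body of `get()` starts and ends outside the hunk.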
@@ -463,6 +473,7 @@ async def delete(
 request_dict = _DeleteDocumentParameters_to_mldev(parameter_model)
 request_url_dict = request_dict.get('_url')
 if request_url_dict:
+ _validate_resource_name(request_url_dict.get('name', ''))
 path = '{name}'.format_map(request_url_dict)
 else:
 path = '{name}'