fix: enforce path boundary in built-in agent file tools and restrict YAML callback invocation

[adilburaksen]

Summary

This PR fixes two security issues in the Agent Builder Assistant's file tools and YAML agent config loading.

Fix 1 — Path boundary enforcement in resolve_file_path() (resolve_root_directory.py)

Issue: resolve_file_path() accepted absolute paths without checking whether they were within the project root, and trusted root_directory from session state without validation. This allowed file operations outside the intended project directory.

Fix:

• Add _validate_root_directory() that rejects absolute paths, null bytes, backslashes, and .. components in session-state-supplied root_directory (mirrors the same pattern applied in commit cbcb5e6 for file_artifact_service.py)
• After resolving the final path, enforce project root boundary using .relative_to() for both absolute and relative inputs

Fix 2 — Restrict callable invocation in resolve_code_reference() (config_agent_utils.py)

Issue: resolve_code_reference() called any Python callable with attacker-supplied args from YAML config at deserialization time. This allowed specifying dangerous built-ins (e.g. os.system) as callbacks with arbitrary arguments.

Fix: Only invoke a callable with args when the resolved object is a class constructor (inspect.isclass()). Plain functions cannot be called with args from YAML config; they are returned as references for the framework to invoke at the appropriate time.

Testing

Both fixes are verified with unit tests confirming:

• Absolute paths are blocked
• root_directory: "/" injection is blocked
• Legitimate relative paths continue to work
• os.system and other non-class callables with args are blocked in YAML config

[rohityan]

Hi @adilburaksen , Thank you for your contribution! We appreciate you taking the time to submit this pull request. Please fix formatting errors by running autoformat.sh

[adilburaksen]

Fixed — ran autoformat.sh (pyink + isort). 3 files reformatted: resolve_root_directory.py and 2 contributing samples. Pyink check should pass now.

[adilburaksen]

Hi @rohityan — happy to provide any additional context.
The two fixes address:

1. Path traversal in resolve_file_path() — absolute paths and root_directory injection from session state were accepted without validation, allowing reads/writes outside the project root.

2. Arbitrary callable invocation in resolve_code_reference() — YAML agent configs could specify any Python callable (e.g. os.system) with attacker-controlled args at deserialization time.

Both issues are triggered through agent config loading or session state manipulation. Let me know if you'd like a more detailed write-up or additional test coverage for specific scenarios.

[adilburaksen]

Hi @rohityan — updating you on the status of this PR.

The YAML callback RCE portion of this PR (config_agent_utils.py changes) has since been addressed internally by the ADK team (2026-04-21). Thank you for that fix.

I've opened a replacement PR that focuses exclusively on the remaining path traversal issue in resolve_root_directory.py:

PR #5615: #5615

PR #5615 is rebased on the current main (no conflicts), contains only the resolve_root_directory.py fix, and should be easier to review and merge.

I'll close this PR (#5413) in favour of #5615. Please feel free to review #5615 when you get a chance.

Thank you for your time and the earlier response.

[adilburaksen]

Superseded by #5615 (path-traversal-only, rebased on current main, no conflicts).