fix(agents): prevent path traversal in AgentTool config_path resolution

[adilburaksen]

Summary

resolveSubAgentFromConfigPath in ConfigAgentUtils.java accepted absolute configPath values unconditionally and resolved relative paths without boundary validation. An attacker-controlled config_path field in an agent YAML could read arbitrary files.

Vulnerable pattern (before):

if (Path.of(configPath).isAbsolute()) {
    subAgentConfigPath = Path.of(configPath);   // absolute accepted
} else {
    subAgentConfigPath = configDir.resolve(configPath);  // no ".." check
}

Fix

• Reject absolute configPath values with ConfigurationException
• Normalize the resolved path and verify it stays within configDir before loading

Related

Same vulnerability exists in adk-python (PR: google/adk-python#5826) and adk-go — fix pattern is identical across all three SDKs.

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[adilburaksen]

I have read the CLA Documents and I hereby sign the CLA.

[hemasekhar-p]

Hi @adilburaksen, thank you for your contribution! We appreciate you taking the time to submit this pull request. Could you please include the corresponding unit tests to verify your changes?

[adilburaksen]

Thanks for the review! I've added unit tests in ConfigAgentUtilsTest covering the change: an absolute config_path is rejected, a .. path that escapes the agent directory is rejected (with a real file present outside the dir to prove rejection happens before any read), a normal in-bounds relative path resolves successfully, and a .. that normalizes back inside the directory is still accepted (confirming the check is on the normalized path, not a naive substring). All pass locally (Tests run: 50, Failures: 0). Pushed as f077057.

[hemasekhar-p]

Thank you for your response. please ensure your PR consists of a single commit. Could you please change your commits accordingly?

[adilburaksen]

Done — squashed into a single commit (f10eceb) containing both the fix and the tests. Thanks!

[hemasekhar-p]

Thank you for the updates @adilburaksen. Currently this PR is under review by our team, we will keep you posted if any additional information is required. thank you.

[hemasekhar-p]

@sherryfox, Could you please review this PR.