fix: enforce path boundary in built-in agent file tools and restrict YAML callback invocation#5413

Open
adilburaksen wants to merge 3 commits into google:main from adilburaksen:fix/built-in-agent-path-traversal-and-yaml-rce
Conversation

@adilburaksen

Summary

This PR fixes two security issues in the Agent Builder Assistant's file tools and YAML agent config loading.

Fix 1 — Path boundary enforcement in resolve_file_path() (resolve_root_directory.py)

Issue: resolve_file_path() accepted absolute paths without checking whether they were within the project root, and trusted root_directory from session state without validation. This allowed file operations outside the intended project directory.

Fix:

  • Add _validate_root_directory() that rejects absolute paths, null bytes, backslashes, and .. components in session-state-supplied root_directory (mirrors the same pattern applied in commit cbcb5e6 for file_artifact_service.py)
  • After resolving the final path, enforce project root boundary using .relative_to() for both absolute and relative inputs

Fix 2 — Restrict callable invocation in resolve_code_reference() (config_agent_utils.py)

Issue: resolve_code_reference() called any Python callable with attacker-supplied args from YAML config at deserialization time. This allowed specifying dangerous built-ins (e.g. os.system) as callbacks with arbitrary arguments.

Fix: Only invoke a callable with args when the resolved object is a class constructor (inspect.isclass()). Plain functions cannot be called with args from YAML config; they are returned as references for the framework to invoke at the appropriate time.

Testing

Both fixes are verified with unit tests confirming:

  • Absolute paths are blocked
  • root_directory: "/" injection is blocked
  • Legitimate relative paths continue to work
  • os.system and other non-class callables with args are blocked in YAML config
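The two guards this PR describes, written out as an added illustration that is not the PR's own code: a `validate_root_directory()` check and a `resolve_file_path()` that applies `Path.relative_to()` after full resolution (Fix 1), and a `resolve_code_reference()` that only passes config args to an object when `inspect.isclass()` is true (Fix 2). The names `PathBoundaryError`, `validate_root_directory`, `_raises` and `demo` are assumptions, as are two behavioural details the PR text leaves open: an absolute input is accepted when it stays inside the project root, and a non-class callable given args raises `TypeError` rather than silently dropping them. All inputs in `demo()` are constructed for the example.

```python
import importlib
import inspect
import tempfile
from pathlib import Path, PurePosixPath
from typing import Any, Optional


class PathBoundaryError(ValueError):
    """Hypothetical error type: a path or root_directory would escape the project root."""


def validate_root_directory(root_directory: str) -> str:
    """Stand-in for the PR's _validate_root_directory(): refuse absolute paths,
    null bytes, backslashes and '..' components before the value is used."""
    if not isinstance(root_directory, str) or not root_directory:
        raise PathBoundaryError("root_directory must be a non-empty string")
    if "\x00" in root_directory or "\\" in root_directory:
        raise PathBoundaryError("root_directory contains a null byte or backslash")
    parts = PurePosixPath(root_directory)
    if parts.is_absolute():
        raise PathBoundaryError("root_directory must be relative to the project root")
    if ".." in parts.parts:
        raise PathBoundaryError("root_directory must not contain '..' components")
    return root_directory


def resolve_file_path(project_root: Path, root_directory: str, file_path: str) -> Path:
    """Resolve file_path and enforce the project root boundary with relative_to().

    Relative inputs are joined to project_root/root_directory; absolute inputs are
    taken as given (assumption: allowed only while they stay inside the root).
    Both are resolved first so symlinks and '..' cannot hide an escape."""
    base = project_root.resolve()
    validate_root_directory(root_directory)
    candidate = Path(file_path)
    resolved = candidate.resolve() if candidate.is_absolute() else (base / root_directory / candidate).resolve()
    try:
        resolved.relative_to(base)  # ValueError when resolved is not under base
    except ValueError as exc:
        raise PathBoundaryError(f"{file_path!r} resolves outside the project root") from exc
    return resolved


def resolve_code_reference(reference: str, args: Optional[dict] = None) -> Any:
    """Resolve a dotted 'module.attr' reference from YAML config.

    Args are only handed to a class constructor (inspect.isclass()). A plain
    function or builtin is returned uncalled for the framework to invoke later;
    giving it args is rejected (assumption: with a TypeError)."""
    module_name, _, attr = reference.rpartition(".")
    if not module_name or not attr:
        raise ValueError(f"code reference {reference!r} must look like module.attr")
    obj = getattr(importlib.import_module(module_name), attr)
    if args is None:
        return obj
    if inspect.isclass(obj):
        return obj(**args)
    raise TypeError(f"{reference!r} is not a class; config args are only allowed for constructors")


def _raises(exc_type, fn, *args) -> bool:
    """True if fn(*args) raises exc_type; expresses the blocked cases below."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False


def demo() -> dict:
    """Run both guards on constructed inputs and report each case's outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:  # constructed project root
        root = Path(tmp)
        (root / "workspace").mkdir()
        base = root.resolve()
        # A legitimate relative path under the configured root_directory keeps working.
        results["relative_ok"] = resolve_file_path(root, "workspace", "notes.txt") == base / "workspace" / "notes.txt"
        # An absolute path that stays inside the project root is accepted (assumption above).
        results["absolute_inside_ok"] = (
            resolve_file_path(root, "workspace", str(root / "workspace" / "a.py")) == base / "workspace" / "a.py"
        )
        # Absolute path outside the root, '..' traversal and a "/" root_directory are all blocked.
        results["absolute_outside_blocked"] = _raises(PathBoundaryError, resolve_file_path, root, "workspace", "/etc/hostname")
        results["traversal_blocked"] = _raises(PathBoundaryError, resolve_file_path, root, "workspace", "../../escape.txt")
        results["root_injection_blocked"] = _raises(PathBoundaryError, resolve_file_path, root, "/", "notes.txt")
    # A class constructor may receive args from config.
    results["class_with_args"] = resolve_code_reference("datetime.timedelta", {"seconds": 90}).total_seconds() == 90.0
    # A plain function comes back uncalled; calling it ourselves confirms it is the real object.
    results["function_reference"] = resolve_code_reference("math.sqrt")(16) == 4.0
    # A non-class callable with args is refused, so os.system can never be driven from YAML.
    results["builtin_with_args_blocked"] = _raises(TypeError, resolve_code_reference, "os.system", {"command": "true"})
    return results


if __name__ == "__main__":
    for case, passed in demo().items():
        print(f"{case}: {'ok' if passed else 'FAILED'}")
```

The order of operations in `resolve_file_path()` is the point: resolve first, then `relative_to()`, so a `..` that survives string checks or a symlink that points out of the tree is judged by where the path actually lands. In `resolve_code_reference()` the class check runs before any call, so the resolved object is never executed on the loader's behalf unless it is a constructor.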

adilburaksen and others added 2 commits April 20, 2026 19:24
…YAML callback invocation

resolve_root_directory.py:
- Add _validate_root_directory() to reject absolute paths and '..' in
  session-state-supplied root_directory (mirrors cbcb5e6 for file_artifact_service)
- Enforce project root boundary in resolve_file_path() via .relative_to()
  for both absolute and relative input paths

config_agent_utils.py:
- Restrict resolve_code_reference() to only invoke callables with args
  when the resolved object is a class constructor (inspect.isclass()).
  Plain functions and built-ins (e.g. os.system) cannot be called with
  args from YAML config.
@rohityan rohityan self-assigned this Apr 20, 2026
@rohityan rohityan added request clarification [Status] The maintainer need clarification or more information from the author agent config [Component] This issue is related to the Agent Config interface and implementation labels Apr 20, 2026
@rohityan
Collaborator

Hi @adilburaksen, thank you for your contribution! We appreciate you taking the time to submit this pull request. Please fix the formatting errors by running autoformat.sh.

@adilburaksen
Author

Fixed — ran autoformat.sh (pyink + isort). 3 files reformatted: resolve_root_directory.py and 2 contributing samples. Pyink check should pass now.

@adilburaksen
Author

Hi @rohityan — happy to provide any additional context.
The two fixes address:

  1. Path traversal in resolve_file_path() — absolute paths and root_directory injection from session state were accepted without validation, allowing reads/writes outside the project root.

  2. Arbitrary callable invocation in resolve_code_reference() — YAML agent configs could specify any Python callable (e.g. os.system) with attacker-controlled args at deserialization time.

Both issues are triggered through agent config loading or session state manipulation. Let me know if you'd like a more detailed write-up or additional test coverage for specific scenarios.

Fixes pyink formatting check failure requested by reviewer.
@adilburaksen adilburaksen force-pushed the fix/built-in-agent-path-traversal-and-yaml-rce branch from f5ecc81 to 629925f on April 20, 2026 23:22