From f7dea974b78e232fecf048c563da1b0fd4da2f19 Mon Sep 17 00:00:00 2001
From: aimenhamzi01-dot
Date: Wed, 13 May 2026 03:28:06 +0100
Subject: [PATCH 1/2] fix: enable YAML denylist by default in CLI mode
---
 src/google/adk/agents/config_agent_utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/google/adk/agents/config_agent_utils.py b/src/google/adk/agents/config_agent_utils.py
index f9a3e7f594..88826e1d53 100644
--- a/src/google/adk/agents/config_agent_utils.py
+++ b/src/google/adk/agents/config_agent_utils.py
@@ -81,7 +81,7 @@ def _resolve_agent_class(agent_class: str) -> type[BaseAgent]:
 _BLOCKED_YAML_KEYS = frozenset({"args"})
-_ENFORCE_DENYLIST = False
+_ENFORCE_DENYLIST = True
 def _set_enforce_denylist(value: bool) -> None:
From 174d7be3e6c07130cc3a2f2efbe16b2586e6915f Mon Sep 17 00:00:00 2001
From: aimenhamzi01-dot
Date: Wed, 13 May 2026 04:40:38 +0100
Subject: [PATCH 2/2] fix: block RCE via module denylist in resolve_code_reference
- Add _BLOCKED_MODULES to prevent dangerous module access
- Expand _BLOCKED_YAML_KEYS to cover all dynamic code fields
- Set _ENFORCE_DENYLIST = True globally
Fixes RCE vulnerability via unsafe function resolution in YAML configuration loader (CVE candidate).
---
 src/google/adk/agents/config_agent_utils.py | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/src/google/adk/agents/config_agent_utils.py b/src/google/adk/agents/config_agent_utils.py
index 88826e1d53..9c6ff3663f 100644
--- a/src/google/adk/agents/config_agent_utils.py
+++ b/src/google/adk/agents/config_agent_utils.py
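Review bot: The subject says the denylist is enabled "in CLI mode", but the hunk flips the module-level default `_ENFORCE_DENYLIST = True` for every importer of this module, not only the CLI; if CLI-only was the intent, the CLI entry point should call the existing `_set_enforce_denylist(True)` and the default stay `False`. Either way no test pins the new default or checks that `_set_enforce_denylist` still overrides it, and one should be added alongside this flip. The second patch in the series carries the same `_ENFORCE_DENYLIST = True` line as context, so this patch is fully subsumed and the two should be squashed or this one dropped.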
@@ -79,8 +79,19 @@ def _resolve_agent_class(agent_class: str) -> type[BaseAgent]:
 " BaseAgent."
 )
-
-_BLOCKED_YAML_KEYS = frozenset({"args"})
+_BLOCKED_MODULES = frozenset({
+ "os", "sys", "subprocess", "builtins",
+ "importlib", "shutil", "socket",
+ "ctypes", "pickle", "marshal",
+})
+_BLOCKED_YAML_KEYS = frozenset({
+ "args",
+ "model_code",
+ "tools",
+ "callbacks",
+ "input_schema",
+ "output_schema",
+})
 _ENFORCE_DENYLIST = True
@@ -214,7 +225,11 @@ def resolve_code_reference(code_config: CodeConfig) -> Any:
 """
 if not code_config or not code_config.name:
 raise ValueError("Invalid CodeConfig.")
-
+ top_level = code_config.name.split(".")[0]
+ if top_level in _BLOCKED_MODULES:
+ raise ValueError(
+ f"Module '{top_level}' is not allowed in code references."
+ )
 module_path, obj_name = code_config.name.rsplit(".", 1)
 module = importlib.import_module(module_path)
 obj = getattr(module, obj_name)
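Review bot: `_BLOCKED_MODULES` is an undocumented denylist of ten top-level module names, and the commit message's claim that it "blocks RCE" overstates what such a list can do: a code reference to any module outside the set is still imported and resolved, so this is a best-effort guard rather than a security boundary and the comment on it should say so, e.g. `# Best-effort denylist of top-level module names for CodeConfig references; not a security boundary — an allowlist of trusted packages is the real control.`. `_BLOCKED_YAML_KEYS` deserves a similar comment explaining why each key is considered a dynamic-code field. The expansion adds `tools`, `callbacks`, `input_schema` and `output_schema`, which look like ordinary agent-config fields; if that is the case, rejecting them by default now that `_ENFORCE_DENYLIST = True` sits in context will break existing YAML configs, so this needs confirming against the config schema and a test with one accepted and one rejected config.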
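Review bot: The new check in resolve_code_reference keys only on the first dotted component of `code_config.name`, so any module not listed in `_BLOCKED_MODULES` — the rest of the standard library and every installed package — is still passed to `importlib.import_module` and its attribute returned by the lines that follow; a name denylist cannot make importing a config-supplied string safe. The defensible shape is an allowlist: accept only names whose prefix is in a configured set of trusted packages (or require an explicit opt-in from the caller) and fail closed otherwise. The added check also bypasses `_ENFORCE_DENYLIST`, so the existing `_set_enforce_denylist` toggle no longer governs this path — confirm that is intended, since tests that relied on the toggle will now hit the hard block. Separately, a dotless name passes the new check and then fails inside `rsplit(".", 1)` with an unpacking error instead of the `Invalid CodeConfig.` message; `if "." not in code_config.name: raise ValueError("Invalid CodeConfig.")` before the split keeps the error consistent. resolve_code_reference starts and ends outside the hunk.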