fix(configurable): prevent path traversal in AgentTool config_path resolution

[adilburaksen]

Summary

ResolveAgentReference in configurable_utils.go accepted absolute refPath values unconditionally and joined relative paths via filepath.Join without boundary enforcement. An attacker-controlled config_path field in an agent YAML could read arbitrary files accessible to the server process.

Vulnerable pattern (before):

if !filepath.IsAbs(refPath) {
    targetPath = filepath.Join(filepath.Dir(parentPath), refPath)  // no ".." check
}
absPath, _ := filepath.Abs(targetPath)
a, err := FromConfig(ctx, absPath)  // reads file unconditionally

Fix

• Reject absolute refPath values
• After resolving, verify the path stays within the parent agent's directory using strings.HasPrefix on the cleaned path

Related

Same vulnerability exists in adk-python (PR: google/adk-python#5826) and adk-java (PR: google/adk-java#1218) — fix pattern is identical across all three SDKs.

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[adilburaksen]

@kdroste-google — would you (or another maintainer) be able to take a look at this small security fix when you have a moment? It adds a path-boundary check to AgentTool config_path resolution in configurable_utils.go, mirroring the same fix already in active review for adk-python (#5826) and adk-java (#1218). CLA is signed and CI is green. Happy to rebase if needed. Thanks!