
fix: validate module paths in YAML config to prevent arbitrary code execution#6117

Open
Ashutosh0x wants to merge 1 commit into
google:mainfrom
Ashutosh0x:fix/validate-yaml-code-references

Conversation

@Ashutosh0x

Contributor

Summary

Fix for #5822 - Add module path validation to resolve_code_reference(), resolve_fully_qualified_name(), and _resolve_agent_code_reference() in config_agent_utils.py to prevent importing dangerous stdlib modules via YAML agent config.

Problem

These functions call importlib.import_module() with no validation on the module path. A malicious YAML config can specify any Python module path, causing the ADK to import os, subprocess, sys, or any stdlib module. Combined with attribute access via getattr(), this enables arbitrary code execution.

Example malicious YAML:

```yaml
tools:
  - code:
    name: os.system
```

Fix

Added _validate_module_path() that enforces:

  • Blocklist: 25 dangerous stdlib modules (os, subprocess, sys, pickle, shutil, socket, ctypes, multiprocessing, etc.)
  • Format validation: Regex ensures only valid Python identifiers with dots
  • Dunder rejection: Blocks __builtins__ and similar dunder segments

Called in all 3 code resolution entry points:

  • resolve_fully_qualified_name()
  • _resolve_agent_code_reference()
  • resolve_code_reference()

Testing

Added tests/unittests/agents/test_config_module_validation.py with 15 tests:

  • Safe user modules pass (google.adk.*, custom packages)
  • All blocked modules rejected (os, subprocess, sys, pickle, shutil, socket, etc.)
  • Empty paths rejected
  • Invalid characters rejected
  • Dunder segments rejected

```bash
pytest tests/unittests/agents/test_config_module_validation.py -v
```

Fixes #5822
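The following is an added illustration, not code from this PR or from ADK, of the three checks the description above lists (blocklist of dangerous stdlib roots, identifier-only format regex, dunder-segment rejection) wired in front of the `importlib.import_module()` / `getattr()` walk that the issue concerns. Beside the blocklist variant it also shows an allowlist variant, because a blocklist can never enumerate every stdlib path that leads to code execution; the dunder check runs on every segment, not just the module part, since attribute segments are walked with `getattr()` too. The function names, the blocked set (the PR's 25 modules are not listed on the page) and the allowlist prefixes are assumptions for illustration.

```python
"""Module-path validation for YAML code references (added example).

Not the PR's code: the blocked set, function names and allowlist prefixes
below are assumptions chosen to illustrate the checks the PR describes."""
import importlib
import re
from typing import Any, Iterable, List, Optional

# Assumed blocked roots; the PR's actual list of 25 modules is not reproduced.
BLOCKED_TOP_LEVEL = frozenset({
    "os", "subprocess", "sys", "pickle", "shutil", "socket", "ctypes",
    "multiprocessing", "builtins", "importlib", "runpy", "code", "pty",
})

# A dotted chain of ASCII Python identifiers, e.g. "google.adk.tools.google_search".
_PATH_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*$")


def check_format(path: Any) -> List[str]:
    """Reject empty, non-string, malformed and dunder-bearing paths."""
    if not isinstance(path, str) or not path:
        raise ValueError("module path must be a non-empty string")
    if not _PATH_RE.match(path):
        raise ValueError(f"malformed module path: {path!r}")
    segments = path.split(".")
    # Catches __builtins__, __import__, __class__ and similar on any segment.
    if any(seg.startswith("__") for seg in segments):
        raise ValueError(f"dunder segment not allowed: {path!r}")
    return segments


def validate_blocklist(path: str) -> str:
    """Blocklist variant (the approach the PR describes): reject known roots."""
    if check_format(path)[0] in BLOCKED_TOP_LEVEL:
        raise ValueError(f"blocked module: {path!r}")
    return path


def validate_allowlist(path: str, allowed_prefixes: Iterable[str]) -> str:
    """Allowlist variant: only paths equal to or below a trusted package."""
    check_format(path)
    if not any(path == p or path.startswith(p + ".") for p in allowed_prefixes):
        raise ValueError(f"module path outside allowed packages: {path!r}")
    return path


def resolve_code_reference(path: str,
                           allowed_prefixes: Optional[Iterable[str]] = None) -> Any:
    """Validate, then import the longest importable prefix and getattr the rest."""
    if allowed_prefixes is None:
        validate_blocklist(path)
    else:
        validate_allowlist(path, allowed_prefixes)
    segments = path.split(".")
    for cut in range(len(segments), 0, -1):
        try:
            obj = importlib.import_module(".".join(segments[:cut]))
        except ImportError:
            continue
        for attr in segments[cut:]:
            obj = getattr(obj, attr)
        return obj
    raise ImportError(f"no importable module in {path!r}")


def is_rejected(path: Any, allowed_prefixes: Optional[Iterable[str]] = None) -> bool:
    """True if validation refuses `path` (helper for demos and tests)."""
    try:
        if allowed_prefixes is None:
            validate_blocklist(path)
        else:
            validate_allowlist(path, allowed_prefixes)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample of code references as a YAML config might carry them.
    samples = ["os.system", "subprocess.Popen", "builtins.__import__",
               "json.dumps", "google.adk.tools.google_search", "", "x;import os"]
    for ref in samples:
        print(f"{ref!r:40} blocklist rejects={is_rejected(ref)}"
              f" allowlist rejects={is_rejected(ref, ['google.adk', 'json'])}")
    print(resolve_code_reference("json.dumps")({"ok": True}))
```

The blocklist variant reproduces the shape of the PR's fix; the allowlist variant is the stronger choice where the set of packages a config may legitimately reference is known up front, since anything outside those prefixes is refused without needing to be anticipated.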

@Ashutosh0x

Contributor Author

Hi @rohityan @surajksharma07 — this fixes #5822 which I reported 3 weeks ago.

The resolve_code_reference(), resolve_fully_qualified_name(), and _resolve_agent_code_reference() functions call importlib.import_module() without validating the module path. A malicious YAML agent config can import dangerous stdlib modules (os, subprocess, sys, pickle, etc.).

Fix: Added _validate_module_path() with a blocklist of 25 dangerous modules, regex format validation, and dunder segment rejection. 15 unit tests included.

Happy to adjust if needed!


Development

Successfully merging this pull request may close these issues.

Security: resolve_code_reference() allows importing arbitrary Python modules via YAML agent config