Security: Fix path traversal in GCS skill extraction (Zip Slip)

[Ashutosh0x]

Summary

Fix for #5603 - Validate normalized relative paths in skill extraction code to prevent directory traversal via malicious GCS skill resource names.

Problem

The _build_wrapper_code method in skill_toolset.py generates Python code that extracts skill files into a temporary directory. The relative paths from GCS blob names are used directly with os.path.join(td, rel_path) without validation.

A malicious skill resource name containing ../ (e.g., references/../../etc/cron.d/evil) would resolve outside the temporary directory, enabling arbitrary file writes. Combined with runpy.run_path(), this creates a path-traversal-to-RCE chain (CWE-22 / Zip Slip variant).

Fix

Added path normalization and validation before file extraction in the generated wrapper code:

1. Normalize the relative path with os.path.normpath()
2. Reject paths starting with .. (parent directory traversal)
3. Reject absolute paths via os.path.isabs()
4. Use os.path.abspath(td) for the base directory to prevent bypasses

Testing

Unit Tests Added

Added tests/unittests/tools/test_skill_path_traversal.py with 5 tests:

Test	Description
test_traversal_blocked_in_generated_code	Verifies generated code contains normpath/isabs/PermissionError checks
test_safe_paths_pass_validation	Verifies legitimate paths (including subdirectories) still work
test_execute_with_traversal_paths_raises	End-to-end test with mock executor verifying traversal paths are blocked
test_double_dot_path_blocked	Verifies ../../ traversal patterns are blocked at runtime
test_absolute_path_blocked	Verifies absolute paths like /etc/passwd are blocked

Testing Plan

# Run the new path traversal tests
pytest tests/unittests/tools/test_skill_path_traversal.py -v

# Run the full skill toolset test suite to verify no regressions
pytest tests/unittests/tools/test_skill_toolset.py -v

# Run all unit tests
pytest tests/unittests/ -v

Fixes #5603

[adk-bot]

Response from ADK Triaging Agent

Hello @Ashutosh0x, thank you for submitting this security fix!

To help our reviewers process this PR more efficiently, could you please make sure the following requirements from our Contribution Guidelines are addressed?

• Unit Tests: Please add or update unit tests under the tests/unittests/ directory covering the directory traversal checks in both _local_environment.py and skill_toolset.py.
• Pytest Results: Please run pytest or tox and include a summary of the passed test results.
• Testing Plan & Logs: Please provide a more detailed testing plan along with execution logs or verification steps demonstrating that path traversal is successfully blocked.

Thank you for your valuable contribution!

[Ashutosh0x]

Hi @adk-bot, thanks for the review checklist! Here's my response:

Unit Tests: Added ests/unittests/tools/test_skill_path_traversal.py with 5 tests covering:

• Generated code contains normpath/isabs/PermissionError path traversal checks
• Legitimate paths (including subdirectories) still work correctly
• End-to-end execution with mock executor verifying traversal paths are blocked
• ../../ parent directory traversal patterns are blocked
• Absolute paths like /etc/passwd are blocked

Testing Plan:

pytest tests/unittests/tools/test_skill_path_traversal.py -v
pytest tests/unittests/tools/test_skill_toolset.py -v

Fix Details:

• Removed the unrelated _local_environment.py commit (issue (CWE-22) Path traversal in experimental LocalEnvironment allows file access outside workspace #5869 is already fixed)
• Single clean commit with fix + tests
• Added os.path.normpath() validation, .. prefix check, and os.path.isabs() check in the generated extraction code
• Raises PermissionError with descriptive message on blocked paths

[Ashutosh0x]

@rohityan Hi! This PR fixes the same class of vulnerability as #5603 / PR #5281 (which you are reviewing). My fix targets the _build_wrapper_code method in skill_toolset.py specifically, adding os.path.normpath() validation to prevent Zip Slip-style directory traversal via malicious GCS skill resource names.

I've included unit tests in tests/unittests/tools/test_skill_path_traversal.py (5 tests covering traversal blocking, safe path passthrough, and absolute path rejection). All CI checks are green. CLA is signed.

This is a single clean commit with fix + tests. Could you please review?

[Ashutosh0x]

Hi @rohityan — this fixes a path traversal (Zip Slip) in GCS skill extraction reported in #5603.

The _build_wrapper_code method uses os.path.join(td, rel_path) with paths derived from GCS blob names without validating for ../ sequences. A malicious blob name like skill_prefix/../../../etc/cron.d/backdoor escapes the temp directory, enabling arbitrary file write.

The fix normalizes paths with os.path.normpath() and validates with os.path.commonpath() to ensure the resolved path stays within the extraction directory. Includes test coverage for the traversal case. Let me know if you'd like any adjustments!