fix: enforce agent-config args denylist when loaded under adk web

GWeale · copybara-github · commit e506fa6ba03b · 2026-06-25T17:40:02.000-07:00
Re-enable the config-load denylist (gated on the web UI) so agent configs
containing the `args` key are rejected when served via `adk web`, restoring
the defense-in-depth layer that complements the existing builder-upload
check. The load-time enforcement was inadvertently dropped in an earlier
config-wiring refactor.

Co-authored-by: George Weale &lt;gweale@google.com&gt;
PiperOrigin-RevId: 938283376
diff --git a/src/google/adk/agents/config_agent_utils.py b/src/google/adk/agents/config_agent_utils.py
@@ -82,6 +82,31 @@ def _resolve_agent_class(agent_class: str) -> type[BaseAgent]:
   )
 
 
+_BLOCKED_YAML_KEYS = frozenset({"args"})
+_ENFORCE_YAML_KEY_DENYLIST = False
+
+
+def _set_enforce_yaml_key_denylist(value: bool) -> None:
+  global _ENFORCE_YAML_KEY_DENYLIST
+  _ENFORCE_YAML_KEY_DENYLIST = value
+
+
+def _check_config_for_blocked_keys(node: Any, filename: str) -> None:
+  """Recursively check if the configuration contains any blocked keys."""
+  if isinstance(node, dict):
+    for key, value in node.items():
+      if key in _BLOCKED_YAML_KEYS:
+        raise ValueError(
+            f"Blocked key {key!r} found in {filename!r}. "
+            f"The '{key}' field is not allowed in agent configurations "
+            "because it can execute arbitrary code."
+        )
+      _check_config_for_blocked_keys(value, filename)
+  elif isinstance(node, list):
+    for item in node:
+      _check_config_for_blocked_keys(item, filename)
+
+
 def _load_config_from_path(config_path: str) -> AgentConfig:
   """Load an agent's configuration from a YAML file.
 
@@ -102,6 +127,9 @@ def _load_config_from_path(config_path: str) -> AgentConfig:
   with open(config_path, "r", encoding="utf-8") as f:
     config_data = yaml.safe_load(f)
 
+  if _ENFORCE_YAML_KEY_DENYLIST:
+    _check_config_for_blocked_keys(config_data, config_path)
+
   return AgentConfig.model_validate(config_data)
 
 
diff --git a/src/google/adk/cli/fast_api.py b/src/google/adk/cli/fast_api.py
@@ -486,6 +486,12 @@ def get_fast_api_app(
     The configured FastAPI application instance.
   """
 
+  # Enable the YAML key denylist for config loads if the web UI is enabled.
+  if web:
+    from ..agents import config_agent_utils
+
+    config_agent_utils._set_enforce_yaml_key_denylist(True)
+
   # Detect single agent mode
   agents_path = Path(agents_dir).resolve()
   is_single_agent = is_single_agent_directory(agents_path)
diff --git a/tests/unittests/agents/test_agent_config.py b/tests/unittests/agents/test_agent_config.py
@@ -603,3 +603,16 @@ def test_denylist_can_be_disabled():
     assert callable(result)
   finally:
     config_agent_utils._set_enforce_denylist(True)
+
+
+def test_load_config_from_path_blocks_args_when_enforced(tmp_path: Path):
+  """_load_config_from_path blocks the 'args' key when enforcement is on."""
+  config_file = tmp_path / "agent.yaml"
+  config_file.write_text("name: my_agent\nargs:\n  key: value\n")
+  config_agent_utils._set_enforce_yaml_key_denylist(True)
+  try:
+    with pytest.raises(ValueError) as exc_info:
+      config_agent_utils._load_config_from_path(str(config_file))
+    assert "Blocked key 'args' found" in str(exc_info.value)
+  finally:
+    config_agent_utils._set_enforce_yaml_key_denylist(False)
