fix(skills): prevent path traversal in LocalSkillSource via normalize + boundary check

[herdiyana256]

Summary

LoadSkillResourceTool validates resourcePath with a string prefix check
(startsWith("references/"), startsWith("assets/"), startsWith("scripts/")),
but this check is trivially bypassed:
"references/../../../../etc/passwd".startsWith("references/") == true // bypassed!

LocalSkillSource.findResourcePath() then resolves the raw path against
skillsBasePath without calling Path.normalize() or asserting a boundary,
so the OS resolves .. components at Files.exists() time — resulting in
arbitrary file reads outside skillsBasePath.

The same issue exists in listResources() for the resourceDirectory parameter.

Fix

In LocalSkillSource.findResourcePath() and listResources():

1. Call .normalize() on the resolved path
2. Assert file.startsWith(base) — reject if the resolved path escapes the skill directory

The correct enforcement point is the filesystem layer after resolution,
not a string prefix check on raw user input.

Files Changed

• core/src/main/java/com/google/adk/skills/LocalSkillSource.java
  • findResourcePath(): normalize + boundary check
  • listResources(): normalize + boundary check on resourceDirectory

Testing

# Path traversal is now blocked:
# "references/../../../../etc/passwd" → SkillSourceException: Path traversal detected

javac PathTraversalPoC.java && java PathTraversalPoC
# [ESCAPE] Escapes skillsBasePath: true  ← without fix
# After fix: Single.error(SkillSourceException) returned before Files.exists()

References
: CWE-22: Improper Limitation of a Pathname to a Restricted Directory
: Related VRP: Issue 528977579

[hemasekhar-p]

Hi @herdiyana256, thank you for your contribution! We appreciate you taking the time to submit this pull request. Could you please include the corresponding unit tests to verify your changes and i noticed some inconsistencies in the code formatting. Could you please take a look and address those issues?

[herdiyana256]

Thanks for the review! I've added unit tests to LocalSkillSourceTest.java covering both findResourcePath() and listResources():

• testLoadResource_pathTraversalBlocked - references/../../../../etc/passwd (main attack vector, bypasses the prefix check)
• testLoadResource_pathTraversalWithDoubleDotOnly - ../../outside.txt (no valid prefix)
• testLoadResource_legitimatePathNotBlocked - regression: valid path still resolves correctly
• testListResources_pathTraversalInResourceDirectoryBlocked - traversal via references/../../../../etc
• testListResources_dotDotResourceDirectoryBlocked - ../other-skill

Could you point out which formatting inconsistencies you noticed? Happy to address them.

[hemasekhar-p]

Thank you for the quick response @herdiyana256. Could you please review the PR contribution Policy and ensure the code formatting and ensure your PR having single commit?

[herdiyana256]

hii @hemasekhar-p Done! Squashed into a single commit (52bbada) and verified formatting with fmt-maven-plugin 0 files reformatted. Ready for re-review.