Merge branch 'main' into fix/retry-empty-model-response

Author: rohityan

src/google/adk/cli/fast_api.py

@@ -291,7 +291,7 @@ def _normalize_relative_path(path: str) -> str:
     def _has_parent_reference(path: str) -> bool:
       return any(part == ".." for part in path.split("/"))
 
-    _ALLOWED_UPLOAD_EXTENSIONS = frozenset({".yaml", ".yml"})
+    _ALLOWED_EXTENSIONS = frozenset({".yaml", ".yml"})
 
     def _parse_upload_filename(filename: Optional[str]) -> tuple[str, str]:
       if not filename:
@@ -307,10 +307,10 @@ def _parse_upload_filename(filename: Optional[str]) -> tuple[str, str]:
       if _has_parent_reference(rel_path):
         raise ValueError(f"Path traversal rejected: {filename!r}")
       ext = os.path.splitext(rel_path)[1].lower()
-      if ext not in _ALLOWED_UPLOAD_EXTENSIONS:
+      if ext not in _ALLOWED_EXTENSIONS:
         raise ValueError(
             f"File type not allowed: {rel_path!r}"
-            f" (allowed: {', '.join(sorted(_ALLOWED_UPLOAD_EXTENSIONS))})"
+            f" (allowed: {', '.join(sorted(_ALLOWED_EXTENSIONS))})"
         )
       return app_name, rel_path
 
@@ -322,6 +322,12 @@ def _parse_file_path(file_path: str) -> str:
         raise ValueError(f"Absolute file_path rejected: {file_path!r}")
       if _has_parent_reference(file_path):
         raise ValueError(f"Path traversal rejected: {file_path!r}")
+      ext = os.path.splitext(file_path)[1].lower()
+      if ext not in _ALLOWED_EXTENSIONS:
+        raise ValueError(
+            f"File type not allowed: {file_path!r}"
+            f" (allowed: {', '.join(sorted(_ALLOWED_EXTENSIONS))})"
+        )
       return file_path
 
     def _resolve_under_dir(root_dir: Path, rel_path: str) -> Path:

src/google/adk/cli/utils/agent_loader.py

@@ -19,6 +19,7 @@
 import logging
 import os
 from pathlib import Path
+import re
 import sys
 from typing import Any
 from typing import Literal
@@ -187,8 +188,36 @@ def _load_from_yaml_config(
       ) + e.args[1:]
       raise e
 
+  _VALID_AGENT_NAME_RE = re.compile(r"^[a-zA-Z0-9_]+$")
+
+  def _validate_agent_name(self, agent_name: str) -> None:
+    """Validate agent name to prevent arbitrary module imports."""
+    # Strip the special agent prefix for validation
+    if agent_name.startswith("__"):
+      name_to_check = agent_name[2:]
+      check_dir = os.path.abspath(SPECIAL_AGENTS_DIR)
+    else:
+      name_to_check = agent_name
+      check_dir = self.agents_dir
+
+    if not self._VALID_AGENT_NAME_RE.match(name_to_check):
+      raise ValueError(
+          f"Invalid agent name: {agent_name!r}. Agent names must be valid"
+          " Python identifiers (letters, digits, and underscores only)."
+      )
+
+    # Verify the agent exists on disk before allowing import
+    agent_path = Path(check_dir) / name_to_check
+    agent_file = Path(check_dir) / f"{name_to_check}.py"
+    if not (agent_path.is_dir() or agent_file.is_file()):
+      raise ValueError(
+          f"Agent not found: {agent_name!r}. No matching directory or module"
+          f" exists in '{os.path.join(check_dir, name_to_check)}'."
+      )
+
   def _perform_load(self, agent_name: str) -> Union[BaseAgent, App]:
     """Internal logic to load an agent"""
+    self._validate_agent_name(agent_name)
     # Determine the directory to use for loading
     if agent_name.startswith("__"):
       # Special agent: use special agents directory

src/google/adk/integrations/bigquery/__init__.py

@@ -20,6 +20,7 @@
 import pathlib
 from typing import Union
 
+from google.auth import credentials as auth
 from google.cloud import storage
 from pydantic import ValidationError
 import yaml
@@ -301,6 +302,8 @@ def _list_skills_in_dir(
 def _list_skills_in_gcs_dir(
     bucket_name: str,
     skills_base_path: str = "",
+    project_id: str | None = None,
+    credentials: auth.Credentials | None = None,
 ) -> Dict[str, models.Frontmatter]:
   """List skills in a GCS directory.
 
@@ -311,7 +314,7 @@ def _list_skills_in_gcs_dir(
   Returns:
     Dictionary mapping skill IDs to their frontmatter.
   """
-  client = storage.Client()
+  client = storage.Client(project=project_id, credentials=credentials)
   bucket = client.bucket(bucket_name)
 
   base_prefix = skills_base_path.strip("/")
@@ -350,13 +353,17 @@ def _load_skill_from_gcs_dir(
     bucket_name: str,
     skill_id: str,
     skills_base_path: str = "",
+    project_id: str | None = None,
+    credentials: auth.Credentials | None = None,
 ) -> models.Skill:
   """Load a complete skill from a GCS directory.
 
   Args:
     bucket_name: Name of the GCS bucket.
     skill_id: The ID of the skill (directory name).
     skills_base_path: Base directory within the bucket (e.g., 'path/to/skills').
+    project_id: Project ID to use for GCS client.
+    credentials: Credentials to use for GCS client.
 
   Returns:
     Skill object with all components loaded.
@@ -366,7 +373,8 @@ def _load_skill_from_gcs_dir(
     ValueError: If SKILL.md is invalid or the skill name does not match
       the directory name.
   """
-  client = storage.Client()
+
+  client = storage.Client(project=project_id, credentials=credentials)
   bucket = client.bucket(bucket_name)
 
   base_prefix = skills_base_path.strip("/")

src/google/adk/skills/_utils.py

@@ -27,23 +27,10 @@
    execute_sql can't arbitrarily mutate existing data.
 """
 
-import importlib
-import sys
+from .bigquery_credentials import BigQueryCredentialsConfig
+from .bigquery_toolset import BigQueryToolset
 
-# Redirect this module to integrations/bigquery for backward compatibility.
-_TARGET = "google.adk.integrations.bigquery"
-
-try:
-  _mod = importlib.import_module(_TARGET)
-  sys.modules[__name__] = _mod
-except ImportError:
-  # Fallback for static analysis or if import fails during transition
-  from google.adk.integrations.bigquery import BigQueryCredentialsConfig
-  from google.adk.integrations.bigquery import BigQueryToolset
-  from google.adk.integrations.bigquery import get_bigquery_skill
-
-  __all__ = [
-      "BigQueryToolset",
-      "BigQueryCredentialsConfig",
-      "get_bigquery_skill",
-  ]
+__all__ = [
+    "BigQueryToolset",
+    "BigQueryCredentialsConfig",
+]

src/google/adk/tools/bigquery/__init__.py

@@ -16,7 +16,7 @@
 
 from ...features import experimental
 from ...features import FeatureName
-from ...tools._google_credentials import BaseGoogleCredentialsConfig
+from .._google_credentials import BaseGoogleCredentialsConfig
 
 BIGQUERY_TOKEN_CACHE_KEY = "bigquery_token_cache"
 BIGQUERY_SCOPES = [