[pull] main from google:main#402
Merged
Merged
Conversation
The agent-engine branch of get_gcp_resource() emitted the resource id under
a non-standard "cloud.resource.id" key, so the Agent Engine dashboard's
cloud.resource_id filter matched no rows and every panel read 0. Use the
OTel CLOUD_RESOURCE_ID constant ("cloud.resource_id").
Close #6247
Co-authored-by: George Weale <gweale@google.com>
PiperOrigin-RevId: 943528352
SequentialAgent, LoopAgent, and ParallelAgent were deprecated in favor of Workflow, but Workflow is not a BaseAgent and cannot be used as an LlmAgent sub_agent, so "use Workflow instead" is incomplete for the sub-agent composition pattern. Keep recommending Workflow for orchestration, but state the sub-agent limitation directly in the deprecation message. Relates to #5872. Co-authored-by: George Weale <gweale@google.com> PiperOrigin-RevId: 943529799
The Runner already dispatches run_after_run_callback on the BaseNode (_run_node_async) path; add an end-to-end regression test that a plugin's after_run_callback fires once on a Workflow root. Close #5282 Co-authored-by: George Weale <gweale@google.com> PiperOrigin-RevId: 943530150
Co-authored-by: Xuan Yang <xygoogle@google.com> PiperOrigin-RevId: 943533056
Merge #6305 **Please ensure you have read the [contribution guide](https://github.com/google/adk-python/blob/main/CONTRIBUTING.md) before creating a pull request.** ### Link to Issue or Description of Change **2. Or, if no issue exists, describe the change:** **Problem:** The with-persona evaluator prompt template in `src/google/adk/evaluation/simulation/per_turn_user_simulator_quality_prompts.py` misspells "existing" as "exsisting" in its "Definition of Conversation History" section. This text is part of the prompt sent to the model at evaluation time, so it is model-facing rather than an internal comment. The sibling non-persona template in the same file already uses the correct spelling in the identical sentence, so the two templates are inconsistent. **Solution:** Correct the single word `exsisting` -> `existing` on that line. This makes the two templates consistent and fixes the model-facing text. No code path changes. ### Testing Plan This is a small typo fix in a prompt string, so no behavioral tests are added. The existing module test suite still passes and linting is clean: - `pre-commit run --files src/google/adk/evaluation/simulation/per_turn_user_simulator_quality_prompts.py` -> all Passed/Skipped. - `pytest tests/unittests/evaluation/simulation/test_per_turn_user_simulation_quality_prompts.py -q` -> 6 passed. **Unit Tests:** - [ ] I have added or updated unit tests for my change. (N/A: typo-only fix in a prompt string literal; the module's tests mock the templates and do not snapshot the prompt text.) - [x] All unit tests pass locally. ### Checklist - [x] I have read the [CONTRIBUTING.md](https://github.com/google/adk-python/blob/main/CONTRIBUTING.md) document. - [x] I have performed a self-review of my own code. - [x] New and existing unit tests pass locally with my changes. COPYBARA_INTEGRATE_REVIEW=#6305 from anxkhn:docs/simulator-prompt-typo 34dc49f PiperOrigin-RevId: 943534249
Add a runnable sample under contributing/samples/managed_agent/basic showing how to use ManagedAgent (backed by the Managed Agents API) with the server-side google_search tool, mirroring the live integration test flow. The sample exposes a root_agent in agent.py and ships a README covering the required enterprise/ADC setup and example prompts (including a multi-turn follow-up that reuses the recovered remote sandbox). Co-authored-by: Haran Rajkumar <haranrk@google.com> PiperOrigin-RevId: 943536117
Updates the class description of GoogleSearchTool to refer generically to 'Gemini models' rather than 'Gemini 2 models', as it applies to the broader family. Closes #12345 Co-authored-by: Haran Rajkumar <haranrk@google.com> PiperOrigin-RevId: 943537157
This resolves a token conflict where actions/checkout persisted the default GITHUB_TOKEN, causing subsequent git push operations by create-pull-request (which uses RELEASE_PAT) to fail with a 400 Bad Request. Co-authored-by: Yifan Wang <wanyif@google.com> PiperOrigin-RevId: 943541293
This resolves a "Duplicate header: Authorization" error (HTTP 400) when create-pull-request runs. actions/checkout@v6 persists credentials by default, which conflicts with the token used by create-pull-request. Co-authored-by: Yifan Wang <wanyif@google.com> PiperOrigin-RevId: 943548154
Merge #6227 When the ADK web server is on loopback and no explicit allow-origins list is configured, require that the Origin header also resolves to a loopback host to prevent DNS-rebinding attacks. PiperOrigin-RevId: 943548404
Add a runnable sample under contributing/samples/managed_agent/code_execution showing how to use ManagedAgent with the server-side code execution tool. Since ManagedAgent has no code_executor field, code execution is enabled by passing the raw types.Tool(code_execution=types.ToolCodeExecution()) config in tools. The sample exposes a root_agent in agent.py and ships a README plus a matching single-turn live integration test that verifies a code-executed prime-sum computation. Co-authored-by: Haran Rajkumar <haranrk@google.com> PiperOrigin-RevId: 943548907
Merge #5526 ## Security Fix: XSS via Jinja2 Template Injection (CWE-79) ### Vulnerability `contributing/samples/gepa/rater_lib.py` instantiates `jinja2.Environment()` **without** `autoescape=True`. The companion template `rubric_validation_template.txt` renders `{{user_input}}` and `{{model_response}}` without escaping. ### Impact Since ADK is Google's official framework for building AI agents, developers copy/adapt this sample code into production web applications. Unescaped user-controlled input in Jinja2 templates enables: - **Cross-Site Scripting (XSS)** — Arbitrary JavaScript execution in browsers - **Session Hijacking** — Steal cookies/tokens if rendered in web context - **Phishing** — Inject fake login forms ### Proof of Concept ```python # user_input: <script>alert("XSS")</script> # Renders as: <main_prompt><script>alert("XSS")</script></main_prompt> # model_response: <img src=x onerror=alert("XSS from model")> # Renders as: <responses><img src=x onerror=alert("XSS from model")></responses> ``` ### Changes 1. **rater_lib.py:170** — `jinja2.Environment()` → `jinja2.Environment(autoescape=True)` 2. **rubric_validation_template.txt:158** — `{{user_input}}` → `{{user_input|e}}` 3. **rubric_validation_template.txt:163** — `{{model_response}}` → `{{model_response|e}}` Defense in depth: `autoescape=True` provides baseline protection, explicit `|e` filters ensure escaping even if autoescape is later disabled. ### References - CWE-79: Cross-site Scripting (XSS) - OWASP A7:2017 — Cross-site Scripting - Jinja2 docs: https://jinja.palletsprojects.com/en/3.1.x/api/#autoescaping Co-authored-by: Shangjie Chen <deanchen@google.com> COPYBARA_INTEGRATE_REVIEW=#5526 from k4w-wak:fix/jinja2-xss-autoescape b5b6d3e PiperOrigin-RevId: 943549514
Merge #5818 Closes #3046 ## Summary `AuthHandler.generate_auth_uri()` currently hardcodes `prompt=consent` when building OAuth authorization URLs. That makes app-level OAuth configuration less flexible than the underlying providers allow. Flows that need `prompt=none` (or another prompt mode) cannot express that through `OAuth2Auth`, even though the rest of the OAuth request metadata is already configurable. This change adds an optional `prompt` field to `OAuth2Auth`, preserves `consent` as the default, and uses the configured value when generating the authorization URL. ## Changes - `src/google/adk/auth/auth_credential.py` - Add optional `prompt` field to `OAuth2Auth`. - `src/google/adk/auth/auth_handler.py` - Use `auth_credential.oauth2.prompt or "consent"` when populating OAuth authorization params. - `tests/unittests/auth/test_auth_handler.py` - Extend the OAuth session test double to surface `prompt` in generated auth URIs. - Assert the default OAuth flow still includes `prompt=consent`. - Add coverage for a custom `prompt="none"` override. ## Test plan - [x] `python3.12 -m py_compile src/google/adk/auth/auth_credential.py src/google/adk/auth/auth_handler.py tests/unittests/auth/test_auth_handler.py` - [ ] `PYTHONPATH=src .venv/bin/python -m pytest tests/unittests/auth/test_auth_handler.py -q` - Blocked locally while bootstrapping a minimal ad hoc venv: importing `google.adk` for this test path pulls additional runtime dependencies (`google.genai`, `opentelemetry.semconv`, and friends). I stopped after confirming the touched files compile cleanly rather than trying to recreate the repo's full `uv sync --all-extras` environment by hand. - [ ] Reviewer / CI confirmation that the existing auth handler unit suite passes in the standard repo environment. Co-authored-by: George Weale <gweale@google.com> COPYBARA_INTEGRATE_REVIEW=#5818 from RaghunandanKumar:fix/oauth-prompt-configurable 727e2e5 PiperOrigin-RevId: 943553106
- Remove redundant self-transfer check in LlmAgentWrapper, relying on the unified check in transfer_utils. Co-authored-by: Shangjie Chen <deanchen@google.com> PiperOrigin-RevId: 943630479
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? 💖 Please sponsor : )