Bug Description
The resolve_code_reference(), resolve_fully_qualified_name(), and _resolve_tools() functions in config_agent_utils.py call importlib.import_module() with no restriction on which modules can be imported. While the CVE-2026-4810 fix blocks the args key in YAML configurations, it does not prevent referencing dangerous standard library callables (e.g., os.system, subprocess.call) in callback, tool, schema, or model code-reference fields.
Steps to Reproduce
- Create a YAML agent config with a blocked module reference:

  name: test_agent
  model: gemini-2.0-flash
  instruction: harmless
  before_agent_callbacks:
    - name: os.system

- Load it via from_config() with _ENFORCE_DENYLIST=True: the os module is imported without restriction.
Expected Behavior
YAML agent configs should reject references to dangerous standard library modules when the denylist is enforced.
Actual Behavior
Any Python module can be imported via code reference fields, including os, subprocess, builtins, pickle, etc.
Proposed Fix
Add a _BLOCKED_MODULES set and _validate_module_reference() function to check module references before calling importlib.import_module(). See PR #5821.
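The shape of the proposed check, as an added example that is not the project's code or the contents of PR #5821: a _BLOCKED_MODULES set (its members here are an illustrative assumption, not the project's list), a _validate_module_reference() that rejects a dotted reference if any of its module prefixes is blocked, and a resolver that runs that validation before the first importlib.import_module() call so a blocked module is never loaded as a side effect. The enforce_denylist parameter stands in for the _ENFORCE_DENYLIST flag mentioned above; is_blocked_reference() is a small helper added for testing.

```python
import importlib
from typing import Any, Callable, FrozenSet

# Illustrative denylist (an assumption for this example; the real set is chosen by the project).
_BLOCKED_MODULES: FrozenSet[str] = frozenset(
    {"os", "subprocess", "builtins", "pickle", "sys", "importlib", "shutil", "ctypes"}
)


class BlockedModuleError(ValueError):
    """Raised when a code reference resolves into a denylisted module."""


def _validate_module_reference(qualified_name: str, enforce_denylist: bool = True) -> str:
    """Return the reference unchanged if it is well-formed and not blocked.

    Every dotted prefix is checked, so "os.path.join" is rejected via "os"
    rather than only on an exact match of the full string.
    """
    parts = qualified_name.split(".")
    if not qualified_name or not all(part.isidentifier() for part in parts):
        raise ValueError(f"malformed code reference: {qualified_name!r}")
    if enforce_denylist:
        for i in range(1, len(parts) + 1):
            prefix = ".".join(parts[:i])
            if prefix in _BLOCKED_MODULES:
                raise BlockedModuleError(
                    f"reference {qualified_name!r} resolves into blocked module {prefix!r}"
                )
    return qualified_name


def is_blocked_reference(qualified_name: str) -> bool:
    """Convenience predicate: True when the denylist would reject the reference."""
    try:
        _validate_module_reference(qualified_name, enforce_denylist=True)
    except BlockedModuleError:
        return True
    return False


def resolve_code_reference(qualified_name: str, enforce_denylist: bool = True) -> Callable[..., Any]:
    """Resolve "pkg.module.attr" to the attribute it names.

    Validation happens first; only then is the longest importable module
    prefix imported and the remaining dotted parts read with getattr().
    """
    _validate_module_reference(qualified_name, enforce_denylist)
    parts = qualified_name.split(".")
    # Try "a.b" + attr "c" before "a" + attrs "b.c": longest module path wins.
    for split in range(len(parts) - 1, 0, -1):
        module_path, attr_path = ".".join(parts[:split]), parts[split:]
        try:
            obj: Any = importlib.import_module(module_path)
        except ModuleNotFoundError:
            continue  # this prefix is not a module; try a shorter one
        for attr in attr_path:
            obj = getattr(obj, attr)
        return obj
    raise ImportError(f"cannot resolve code reference {qualified_name!r}")


if __name__ == "__main__":
    print(resolve_code_reference("json.dumps"))  # allowed: resolves to json.dumps
    print(is_blocked_reference("os.system"))     # True: rejected before any import
```

A denylist of this kind only catches references whose dotted path starts in a blocked module; a user module that re-exports a dangerous callable under another name passes it. An allowlist of packages from which callbacks and tools may be loaded is the stronger policy, and the prefix check above can be inverted to implement one.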