
Security: RCE Mitigation via HMAC-SHA256 Signatures, Hybrid JSON Refactor, and CLI Source Validation#5333

Open
JoshuaProvoste wants to merge 3 commits into google:main from JoshuaProvoste:security/fix-adk-pickle-sinks

Conversation

@JoshuaProvoste

Compliance with CONTRIBUTING.md:

Consistent with the project guidelines, this PR includes:

  • Security Hardening: Implemented a "Defense in Depth" architecture combining Cryptographic HMAC-SHA256 signatures and a "Secure by Default" hybrid JSON refactor to eliminate multiple RCE vectors.
  • Verified Fix: Successfully validated the neutralization of RCE sinks in the migration loop and shared state storage (MySQL/Spanner) through 9 dedicated security tests.
  • Code Hygiene: Enforced Google-specific code style using isort and pyink across all modified files.
  • Vulnerability Remediation: Implemented network-level validation in the CLI to prevent "Remote Pivot" attacks via SMB/UNC and external IP redirection.

Description

This PR addresses critical security vulnerabilities in the google-adk framework involving insecure pickle deserialization. The previous implementation allowed for Remote Code Execution (RCE) by loading unauthenticated binary blobs from session databases or remote migration sources.

To remediate this, I have transitioned the framework to a "Secure by Default" architecture. All serialization operations are now protected by HMAC-SHA256 signatures. Furthermore, I have refactored the legacy schema architecture to prioritize JSON over binary formats, providing a safe and transparent migration path for verified data while strictly blocking malicious payloads.

Key Benefits:

  1. Cryptographic Integrity: HMAC-SHA256 signatures ensure that only data generated by the SDK can be deserialized.
  2. Architectural Modernization: Passive JSON-based parsing replaces execution-capable formats like pickle for new and migrated data.
  3. Command-Line Safety: New source validation logic prevents the SDK from inadvertently connecting to malicious remote shares or external databases without explicit user authorization.

Technical Implementation Details

  • src/google/adk/utils/serialization_utils.py:
    • Created a core security utility for secure_dumps and secure_loads with HMAC-SHA256 verification.
  • src/google/adk/sessions/schemas/shared.py:
    • Implemented JsonEncodedType with a Hybrid Resolver that supports JSON for new data and secure HMAC-verified pickles for legacy artifacts.
  • src/google/adk/sessions/schemas/v0.py:
    • Refactored the StorageEvent table to use the new JsonEncodedType, eliminating the unauthenticated PickleType.
  • src/google/adk/sessions/migration/migration_runner.py:
    • Introduced a URL validation layer (_is_trusted_url) to detect and block remote IPs and Windows UNC paths.
    • Implemented a SecurityError to enforce safety boundaries during the migration process.
  • src/google/adk/sessions/migration/migrate_from_sqlalchemy_pickle.py:
    • Refactored the _row_to_event function to use secure_loads, sanitizing the primary deserialization sink in the migration loop.
  • src/google/adk/cli/cli_tools_click.py:
    • Added the --force-untrusted-source flag to the adk migrate session command, establishing a manual security gate for untrusted network operations.

Verification Performed

  • Reproduced Vulnerabilities:
    • Confirmed that unauthenticated pickle payloads could trigger code execution in the migration loop.
    • Confirmed that CLI tools would previously attempt to connect to remote SMB shares without warning.
  • Validated Fix:
    • Verified that the new gate rejects unsigned or tampered payloads with a SecurityError (5/5 unit tests passed).
    • Verified that the CLI successfully blocks external IP sources and UNC paths unless the force flag is used (4/4 integration tests passed).
    • Confirmed that data integrity is preserved during the hybrid JSON/Pickle transition.
  • Code Quality: Successfully ran isort and pyink on all modified files to comply with Google Style standards.

Checklist

  • Followed project guidelines for code hygiene.
  • Includes security-focused refactoring of critical pickle sinks.
  • Neutralizes RCE vectors in migration and persistent storage.
  • Verified backward compatibility for signed legacy data via hybrid decoding.
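The two gates the PR describes, a signed envelope around serialized session data and a source check for migration URLs, as an added illustration that is not the PR's code: `secure_dumps`, `secure_loads`, `SecurityError` and `is_trusted_url` are names taken from the description, while the `ADKJ1:` envelope marker, the key environment variable and the loopback-only host rule are assumptions of this example. It signs JSON rather than pickle so that the demo carries no execution-capable format at all.

```python
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse


class SecurityError(Exception):
  """Raised when a payload or a migration source fails the safety gate."""


MAGIC = b"ADKJ1:"  # constructed envelope marker for signed JSON (assumption)
# Assumption: the signing key is provisioned via the environment; the fallback
# below exists only so the example runs stand-alone.
KEY = os.environ.get("ADK_SIGNING_KEY", "demo-key-do-not-use").encode()


def secure_dumps(obj, key: bytes = KEY) -> bytes:
  """Serialize obj as canonical JSON and prepend an HMAC-SHA256 tag."""
  body = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
  tag = hmac.new(key, MAGIC + body, hashlib.sha256).hexdigest().encode()
  return MAGIC + tag + b":" + body


def secure_loads(blob: bytes, key: bytes = KEY):
  """Verify the tag before any parsing; unsigned legacy blobs are rejected."""
  if not blob.startswith(MAGIC):
    raise SecurityError("unsigned or legacy payload rejected")
  tag, _, body = blob[len(MAGIC):].partition(b":")
  expected = hmac.new(key, MAGIC + body, hashlib.sha256).hexdigest().encode()
  if not hmac.compare_digest(tag, expected):  # constant-time comparison
    raise SecurityError("signature mismatch: payload tampered or wrong key")
  return json.loads(body)


def loads_rejects(blob: bytes) -> bool:
  """Helper for tests: True when secure_loads refuses the blob."""
  try:
    secure_loads(blob)
  except SecurityError:
    return True
  return False


def is_trusted_url(url: str) -> bool:
  """Allow local files and loopback hosts only; block UNC and remote hosts."""
  if url.startswith(("\\\\", "//")):  # Windows UNC / network share paths
    return False
  host = urlparse(url).hostname
  return host is None or host in ("localhost", "127.0.0.1", "::1")
```

A migration runner would call `is_trusted_url` before opening the source and `secure_loads` on every stored row, surfacing `SecurityError` instead of silently deserializing.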
