Potential fix for code scanning alert no. 2: Clear-text storage of sensitive information #6
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…nsitive information Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
venkateshpabbati
pushed a commit
that referenced
this pull request
Nov 8, 2025
Merge google#2582 Relate to google#3306 ## Description Fixes issues #6 and google#1785 where ADK commands crash on Windows due to symlink creation requiring admin privileges. ## Problem On Windows, running ADK commands (like `adk run`) fails with `OSError: [WinError 1314] A required privilege is not held by the client: ...` because the logging system attempts to create a symlink for the latest log file. Windows requires administrator privileges for symlink creation by default (unless Developer Mode is enabled), causing crashes for non-admin users. ## Root Cause The issue was in [`logs.py`](https://github.com/google/adk-python/blob/main/src/google/adk/cli/utils/logs.py#L72) where `os.symlink()` was called unconditionally without error handling, causing the entire CLI to crash when symlink creation failed. ## Solution This PR implements graceful symlink handling. Changes made: - Extracted symlink creation into separate function with error handling - Added graceful fallback when symlink creation fails - Replaced crashes with warnings to keep CLI functional - Improved user messaging about log file locations This solution follows a similar pattern to the one used in [ROS2](https://github.com/ros2) in its [logging module](https://github.com/ros2/launch/blob/rolling/launch/launch/logging/__init__.py#L93). ## Testing ### Before (broken) ```bash > adk run my_agent Log setup complete: C:\Users\username\AppData\Local\Temp\agents_log\agent.20250817_215119.log Traceback (most recent call last): File "google\adk\cli\utils\logs.py", line 72, in log_to_tmp_folder os.symlink(log_filepath, latest_log_link) OSError: [WinError 1314] A required privilege is not held by the client ``` ### After (fixed) ```bash > adk run my_agent Log setup complete: C:\Users\username\AppData\Local\Temp\agents_log\agent.20250817_215319.log UserWarning: Cannot create symlink for latest log file: [WinError 1314] A required privilege is not held by the client To access latest log: tail -F C:\Users\username\AppData\Local\Temp\agents_log\agent.20250817_215319.log Running agent my_agent, type exit to exit. ``` Co-authored-by: Wei Sun (Jack) <[email protected]> COPYBARA_INTEGRATE_REVIEW=google#2582 from lorenzofavaro:fix/windows-symlink-permissions 1e99a62 PiperOrigin-RevId: 828690483
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Potential fix for https://github.com/venkateshpabbati/adk-python/security/code-scanning/2
General fix:
To ensure that no sensitive or potentially sensitive information from user prompts is inadvertently written to the
.envfile, we should restrict the cleartext contents of that file to strictly non-sensitive configuration. Specifically, only include information that is not secret (such as generic flags or non-sensitive identifiers), and strictly avoid writing API keys, credentials, or potentially sensitive user input. Additionally, if there is any doubt about information sensitivity, default to not writing it, and update documentation and onscreen messages to remind users how and where to set required secrets.Detailed fix:
_generate_files, make sure that the lines written to.envonly include non-sensitive settings. Project and region names, while not as sensitive as API keys, should be handled per organizational standards. The existing code already avoids writing the API key, but we can reinforce this by refactoring the block to:GOOGLE_GENAI_USE_VERTEXAIto.env.GOOGLE_CLOUD_PROJECTandGOOGLE_CLOUD_LOCATIONas well, replacing this with a message instructing the user to set them as environment variables. This maximizes security and is consistent with the handling ofGOOGLE_API_KEY.Code changes required:
src/google/adk/cli/cli_create.py, lines associated with writing"GOOGLE_CLOUD_PROJECT=..."and"GOOGLE_CLOUD_LOCATION=..."should be commented or removed (lines 198–200).GOOGLE_GENAI_USE_VERTEXAI=0or=1is written to the.envfile.Suggested fixes powered by Copilot Autofix. Review carefully before merging.