
Constrain InMemoryArtifactService artifact references to the caller scope #6125

Open: petrmarinec wants to merge 5 commits into google:main from petrmarinec:codex/artifact-ref-scope


@petrmarinec

Contributor

Summary

Fixes #6124.

InMemoryArtifactService currently accepts caller-supplied artifact://... references and later dereferences the embedded scope during load_artifact() without checking that the embedded app_name, user_id, and session_id still match the caller.

This patch keeps same-scope references working while blocking references that escape the caller scope.

What changed

  • validate parsed artifact://... references against the caller app/user/session scope before storing them
  • validate the scope again before dereferencing an artifact reference on load
  • allow same-session references
  • allow same-user user: references across sessions
  • add regression coverage for allowed and blocked reference cases

Validation

Local targeted regression tests:

PYTHONPATH=src python -m pytest tests/unittests/artifacts/test_artifact_service.py -k "in_memory_artifact_reference" -q
5 passed

Formatting / diff hygiene:

python -m pyink --check src/google/adk/artifacts/in_memory_artifact_service.py tests/unittests/artifacts/test_artifact_service.py
passed

git diff --check -- src/google/adk/artifacts/in_memory_artifact_service.py tests/unittests/artifacts/test_artifact_service.py
passed

Broader local artifact slice on Windows:

PYTHONPATH=src python -m pytest tests/unittests/artifacts/test_artifact_service.py -q
62 passed, 3 failed

The remaining 3 failures were existing Windows-specific FileArtifactService path assertions unrelated to this change.
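
The scope rule listed under "What changed", sketched as an added example that is not code from this PR or from ADK. The reference layout and the names `Scope`, `ArtifactRef`, `parse_ref` and `check_ref_scope` are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional

# Assumed reference layout for this sketch (hypothetical, not taken from the PR):
#   artifact://apps/<app>/users/<user>/sessions/<session>/artifacts/<name>/versions/<n>
#   artifact://apps/<app>/users/<user>/artifacts/<name>/versions/<n>
_REF = re.compile(
    r"artifact://apps/(?P<app>[^/]+)/users/(?P<user>[^/]+)"
    r"(?:/sessions/(?P<session>[^/]+))?"
    r"/artifacts/(?P<name>[^/]+)/versions/(?P<version>\d+)"
)


class Scope(NamedTuple):
    app_name: str
    user_id: str
    session_id: Optional[str]


class ArtifactRef(NamedTuple):
    scope: Scope
    filename: str
    version: int


def parse_ref(uri: str) -> ArtifactRef:
    """Parse a reference strictly; anything that is not an exact match is rejected."""
    m = _REF.fullmatch(uri)
    if m is None:
        raise ValueError(f"malformed artifact reference: {uri!r}")
    return ArtifactRef(Scope(m["app"], m["user"], m["session"]), m["name"], int(m["version"]))


def check_ref_scope(uri: str, caller: Scope) -> ArtifactRef:
    """Return the parsed reference, or raise PermissionError if it leaves the caller scope.

    Intended to run both when a reference is saved and again when it is loaded.
    """
    ref = parse_ref(uri)
    if (ref.scope.app_name, ref.scope.user_id) != (caller.app_name, caller.user_id):
        raise PermissionError("reference targets another app or user")
    same_session = ref.scope.session_id == caller.session_id
    if not same_session and not ref.filename.startswith("user:"):
        # Only user-namespaced artifacts may be reached from another session.
        raise PermissionError("reference targets another session")
    return ref
```

Running the same check on load as well as on save covers references that entered the store before the save-time check existed.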

@rohityan rohityan self-assigned this Jun 15, 2026
@rohityan rohityan added the services [Component] This issue is related to runtime services, e.g. sessions, memory, artifacts, etc label Jun 17, 2026
@rohityan rohityan added the request clarification [Status] The maintainer need clarification or more information from the author label Jun 17, 2026
@rohityan

Collaborator

Hi @petrmarinec, thank you for your contribution! We appreciate you taking the time to submit this pull request. Please fix mypy-diff errors before we can proceed with a review.


Development

Successfully merging this pull request may close these issues.

Security: InMemoryArtifactService follows artifact:// references across app, user, and session scope
