Quote user_id literals in VertexAiSessionService list filters#5273
Closed
petrmarinec wants to merge 5 commits intogoogle:mainfrom
Closed
Quote user_id literals in VertexAiSessionService list filters#5273petrmarinec wants to merge 5 commits intogoogle:mainfrom
petrmarinec wants to merge 5 commits intogoogle:mainfrom
Conversation
adk-bot
added
the
services
rohityan
added
the
request clarification
Collaborator
|
Hi @petrmarinec, Thank you for your contribution! We appreciate you taking the time to submit this pull request. Please fix formatting errors by running autoformat.sh |
DeanChensj
approved these changes
Apr 21, 2026
DeanChensj
added
the
ready to pull
copybara-service Bot
pushed a commit
that referenced
this pull request
Apr 22, 2026
Merge #5273 ### Link to Issue or Description of Change **1. Link to an existing issue (if applicable):** - Related: #5270 **2. Or, if no issue exists, describe the change:** **Problem:** `VertexAiSessionService.list_sessions()` built an AIP-160 filter by interpolating raw `user_id` into a quoted string literal. Embedded quotes could break out of that literal and append additional filter syntax. **Solution:** Quote the `user_id` value before constructing the filter string so embedded quotes and backslashes stay inside the literal. Added a regression test that captures the exact filter passed to the Vertex client for a quote-containing payload. ### Testing Plan **Unit Tests:** - [x] I have added or updated unit tests for my change. - [ ] All unit tests pass locally. Passed locally: - `PYTHONPATH=src pytest tests/unittests/sessions/test_vertex_ai_session_service.py` - Result: `29 passed` Passed in clean Linux Docker (`python:3.11-bookworm`): - `pip install -e '.[test]'` - `PYTHONPATH=src pytest tests/unittests/sessions` - Result: `170 passed` **Manual Validation:** - On current `origin/main`, a payload of `attacker" OR user_id!=""` produced the filter string `user_id="attacker" OR user_id!=""`. - On this branch, the same payload produces `user_id="attacker\" OR user_id!=\"\""`, keeping the metacharacters inside the quoted literal. ### Checklist - [x] I have read the [CONTRIBUTING.md](https://github.com/google/adk-python/blob/main/CONTRIBUTING.md) document. - [x] I have performed a self-review of my own code. - [ ] I have commented my code, particularly in hard-to-understand areas. - [x] I have added tests that prove my fix is effective or that my feature works. - [ ] New and existing unit tests pass locally with my changes. - [ ] I have manually tested my changes end-to-end. - [x] Any dependent changes have been merged and published in downstream modules. ### Additional context This is a small, focused fix that keeps the current filter construction approach but ensures `user_id` values remain data instead of altering the filter expression. COPYBARA_INTEGRATE_REVIEW=#5273 from petrmarinec:fix-vertex-session-filter-escaping 4d14a1d PiperOrigin-RevId: 903926570
Collaborator
|
Thank you @petrmarinec for your contribution! 🎉 Your changes have been successfully imported and merged via Copybara in commit bdece00. Closing this PR as the changes are now in the main branch. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Link to Issue or Description of Change
1. Link to an existing issue (if applicable):
2. Or, if no issue exists, describe the change:
Problem:
VertexAiSessionService.list_sessions()built an AIP-160 filter by interpolating rawuser_idinto a quoted string literal. Embedded quotes could break out of that literal and append additional filter syntax.Solution:
Quote the
user_idvalue before constructing the filter string so embedded quotes and backslashes stay inside the literal. Added a regression test that captures the exact filter passed to the Vertex client for a quote-containing payload.Testing Plan
Unit Tests:
Passed locally:
PYTHONPATH=src pytest tests/unittests/sessions/test_vertex_ai_session_service.py29 passedPassed in clean Linux Docker (
python:3.11-bookworm):pip install -e '.[test]'PYTHONPATH=src pytest tests/unittests/sessions170 passedManual Validation:
origin/main, a payload ofattacker" OR user_id!=""produced the filter stringuser_id="attacker" OR user_id!="".user_id="attacker\" OR user_id!=\"\"", keeping the metacharacters inside the quoted literal.Checklist
Additional context
This is a small, focused fix that keeps the current filter construction approach but ensures
user_idvalues remain data instead of altering the filter expression.