fix(core): address GCS path input (#11221)

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: cornmander <shikhman@google.com>

packages/a2a-server/src/persistence/gcs.test.ts

@@ -227,6 +227,35 @@ describe('GCSTaskStore', () => {
         'tar.c command failed to create',
       );
     });
+
+    it('should throw an error if taskId contains path traversal sequences', async () => {
+      const store = new GCSTaskStore('test-bucket');
+      const maliciousTask: SDKTask = {
+        id: '../../../malicious-task',
+        metadata: {
+          _internal: {
+            agentSettings: {
+              cacheDir: '/tmp/cache',
+              dataDir: '/tmp/data',
+              logDir: '/tmp/logs',
+              tempDir: '/tmp/temp',
+            },
+            taskState: 'working',
+          },
+        },
+        kind: 'task',
+        status: {
+          state: 'working',
+          timestamp: new Date().toISOString(),
+        },
+        contextId: 'test-context',
+        history: [],
+        artifacts: [],
+      };
+      await expect(store.save(maliciousTask)).rejects.toThrow(
+        'Invalid taskId: ../../../malicious-task',
+      );
+    });
   });
 
   describe('load', () => {
@@ -323,6 +352,14 @@ describe('GCSTaskStore', () => {
       );
     });
   });
+
+  it('should throw an error if taskId contains path traversal sequences', async () => {
+    const store = new GCSTaskStore('test-bucket');
+    const maliciousTaskId = '../../../malicious-task';
+    await expect(store.load(maliciousTaskId)).rejects.toThrow(
+      `Invalid taskId: ${maliciousTaskId}`,
+    );
+  });
 });
 
 describe('NoOpTaskStore', () => {