
Is the version info on GoogleAppEngine secret?


I've noticed that our GoogleAppEngine app has some XXE vulnerabilities in it. However, it seems that you'd have to know the exact path to files to read them, e.g.

/base/data/home/apps/s~<app-name>/<version-id>.<somenumber>/appengine_config.py

I'm not sure how AppEngine comes up with <somenumber>, but how confident should I be that <version-id> and <somenumber> are not exposed anywhere?


Solution

  • I had wondered where that number comes from, and after some searching and experimenting I have found that it is in fact an obfuscated version of the timestamp from when the app was updated.

    import datetime
    import logging

    # CURRENT_VERSION_ID is "<version-id>.<somenumber>"; the part after the dot,
    # shifted right by 28 bits, is the deploy time in seconds since the Unix epoch.
    version_id = self.request.environ["CURRENT_VERSION_ID"].split('.')[1]
    timestamp = int(version_id) // pow(2, 28)
    # utcfromtimestamp makes the UTC interpretation explicit (App Engine instances run in UTC anyway)
    timestamp = datetime.datetime.utcfromtimestamp(timestamp).strftime("%d/%m/%y %X")
    logging.info("Timestamp=" + timestamp)
    

    For example, the most recent version of my app, uploaded about 5 minutes ago, is live.375065912366661170, which, when run through the code above, comes out as 11/04/14 15:16:44, which is the upload time (in UTC). As it is based on the time, and not your specific app, this value would be shared across all App Engine app versions that were updated at that exact point in time.

    This SO answer https://stackoverflow.com/a/3949530/2018227 is my source.

    So in answer to your original question, whilst the <somenumber> part is not exposed anywhere publicly accessible, that I know of, it is not secret. Someone could, if they really wanted to, generate all of the possible values for all timestamps over a period of time that they suspect you last updated your app, and try all of the possible paths.
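The decoding the answer describes, written out as a stand-alone Python 3 function so the point can be checked against any CURRENT_VERSION_ID value. This is an added example, not code from the question or the answer above; it assumes only the layout the answer gives ("<version-id>.<somenumber>", with the number shifted right by 28 bits giving the upload time in seconds since the Unix epoch). The page does not say what the low 28 bits hold, so the function simply reports them rather than interpreting them.

```python
import datetime
import re

# The answer states that <somenumber> >> 28 is the deploy time in epoch seconds.
VERSION_SHIFT = 28
LOW_BITS_MASK = (1 << VERSION_SHIFT) - 1

# CURRENT_VERSION_ID has the shape "<version-id>.<somenumber>"; version ids do not
# contain dots, so the first dot separates the two parts.
_VERSION_RE = re.compile(r"^(?P<version>[^.]+)\.(?P<number>\d+)$")


def decode_version_id(current_version_id):
    """Split a CURRENT_VERSION_ID string and recover the upload time (UTC).

    Returns a dict with the human-readable version id, the raw number, the
    upload time as a timezone-aware UTC datetime, and the low 28 bits that the
    timestamp decoding discards (their meaning is not explained on the page).
    """
    m = _VERSION_RE.match(current_version_id)
    if not m:
        raise ValueError("unexpected CURRENT_VERSION_ID format: %r" % (current_version_id,))
    number = int(m.group("number"))
    seconds = number >> VERSION_SHIFT
    low_bits = number & LOW_BITS_MASK
    # Interpret explicitly as UTC so the result does not depend on the local timezone.
    uploaded = datetime.datetime.fromtimestamp(seconds, tz=datetime.timezone.utc)
    return {
        "version": m.group("version"),
        "number": number,
        "uploaded": uploaded,
        "low_bits": low_bits,
    }


def format_upload_time(current_version_id):
    """Render the upload time in the dd/mm/yy HH:MM:SS form used in the answer."""
    return decode_version_id(current_version_id)["uploaded"].strftime("%d/%m/%y %H:%M:%S")


if __name__ == "__main__":
    # The value quoted in the answer above.
    info = decode_version_id("live.375065912366661170")
    print(info["version"], info["uploaded"].isoformat(), info["low_bits"])
    print(format_upload_time("live.375065912366661170"))
```

Running it on the value quoted in the answer reproduces the 11/04/14 15:16:44 upload time, which is the practical takeaway: the part of the path that looks random is a second-resolution deploy timestamp, so anyone who can narrow down when an app was last deployed can narrow down this path component too, and it should not be relied on as a secret.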