From 286e1145590ad8fe403e8f5224d6d6b3e4b1ad37 Mon Sep 17 00:00:00 2001
From: Diego Alonso Marquez Palacios
Date: Mon, 22 Sep 2025 15:20:01 -0400
Subject: [PATCH 1/5] fix(sec): warn users of unsafe credential generation methods
---
 .../auth/oauth2/GoogleCredential.java | 64 ++++++++++++++-----
 1 file changed, 48 insertions(+), 16 deletions(-)
diff --git a/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java b/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java
index 590a422e2..1b7efcf46 100644
--- a/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java
+++ b/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java
@@ -197,42 +197,74 @@ public static GoogleCredential getApplicationDefault(
 /**
 * {@link Beta}
- * Return a credential defined by a Json file. * - *

Important: If you accept a credential configuration (credential JSON/File/Stream) from an - * external source for authentication to Google Cloud Platform, you must validate it before - * providing it to any Google API or library. Providing an unvalidated credential configuration to - * Google APIs can compromise the security of your systems and data. For more information, refer - * to {@link documentation}. + *

Important: This method does not validate the credential configuration. A security risk holds + * when a credential configuration is accepted from a source that is not under your control and + * used without validation on your side. + * + *

If you are loading your credential configuration from an untrusted source and have not + * mitigated the risks (e.g. by validating the configuration yourself), make these changes as soon + * as possible to prevent security risks to your environment. + * + *

Regardless of the method used, it is always your responsibility to validate configurations + * received from external sources. + * + *

See the {@link documentation} + * for more details. + * + *

Returns credentials defined by a JSON file stream. + * + *

The stream can contain a Service Account key file in JSON format from the Google + * + *

Developers Console or a stored user credential using the format supported by the Cloud SDK. * * @param credentialStream the stream with the credential definition. * @return the credential defined by the credentialStream. * @throws IOException if the credential cannot be created from the stream. + * @deprecated + *

This method is deprecated because of a potential security risk. Use the Builder instead. + *
*/ @Beta + @Deprecated public static GoogleCredential fromStream(InputStream credentialStream) throws IOException { return fromStream(credentialStream, Utils.getDefaultTransport(), Utils.getDefaultJsonFactory()); } /** * {@link Beta}
- * Return a credential defined by a Json file. * - *

Important: If you accept a credential configuration (credential JSON/File/Stream) from an - * external source for authentication to Google Cloud Platform, you must validate it before - * providing it to any Google API or library. Providing an unvalidated credential configuration to - * Google APIs can compromise the security of your systems and data. For more information, refer - * to {@link documentation}. + *

Important: This method does not validate the credential configuration. A security risk holds + * when a credential configuration is accepted from a source that is not under your control and + * used without validation on your side. + * + *

If you are loading your credential configuration from an untrusted source and have not + * mitigated the risks (e.g. by validating the configuration yourself), make these changes as soon + * as possible to prevent security risks to your environment. + * + *

Regardless of the method used, it is always your responsibility to validate configurations + * received from external sources. + * + *

See the {@link documentation} + * for more details. + * + *

Returns credentials defined by a JSON file stream. + * + *

The stream can contain a Service Account key file in JSON format from the Google + * + *

Developers Console or a stored user credential using the format supported by the Cloud SDK. * * @param credentialStream the stream with the credential definition. - * @param transport the transport for Http calls. - * @param jsonFactory the factory for Json parsing and formatting. * @return the credential defined by the credentialStream. * @throws IOException if the credential cannot be created from the stream. + * @deprecated + *

This method is deprecated because of a potential security risk. Use the Builder instead. + *
*/
 @Beta
+ @Deprecated
 public static GoogleCredential fromStream(
 InputStream credentialStream, HttpTransport transport, JsonFactory jsonFactory)
 throws IOException {
From fff31d86d18399c76ce1114b83b0f94f95395bb0 Mon Sep 17 00:00:00 2001
From: Diego Alonso Marquez Palacios
Date: Mon, 22 Sep 2025 15:24:44 -0400
Subject: [PATCH 2/5] chore: repeat class level deprecation message
---
 .../googleapis/auth/oauth2/GoogleCredential.java | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java b/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java
index 1b7efcf46..acfcc51e2 100644
--- a/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java
+++ b/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java
@@ -222,9 +222,9 @@ public static GoogleCredential getApplicationDefault(
 * @param credentialStream the stream with the credential definition.
 * @return the credential defined by the credentialStream.
 * @throws IOException if the credential cannot be created from the stream.
- * @deprecated
- *
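Review bot: The hunk drops `@param transport` and `@param jsonFactory` from the three-argument `fromStream` Javadoc while both parameters remain in the signature at the end of the hunk, so the comment no longer describes the method and doclint will flag the missing tags; none of the four follow-up patches in this series restore them. Put back ` * @param transport the transport for Http calls.` and ` * @param jsonFactory the factory for Json parsing and formatting.` directly after the `credentialStream` line. In the new warning text, "make these changes as soon as possible" has no antecedent — nothing before it names a change — so state the action, e.g. `validate the configuration, or obtain it from a source you control, as soon as possible`. Moving the description below the warning paragraphs also makes the Javadoc summary of both overloads begin with "Important: This method does not validate ..." instead of what the method returns; if that is intended, keep that first sentence short and self-contained since it is what the method index shows. The body of the three-argument overload continues outside the hunk.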

This method is deprecated because of a potential security risk. Use the Builder instead. - *
+ * @deprecated Please use + * google-auth-library for handling Application Default Credentials and other non-OAuth2 + * based authentication. */ @Beta @Deprecated @@ -259,9 +259,9 @@ public static GoogleCredential fromStream(InputStream credentialStream) throws I * @param credentialStream the stream with the credential definition. * @return the credential defined by the credentialStream. * @throws IOException if the credential cannot be created from the stream. - * @deprecated - *

This method is deprecated because of a potential security risk. Use the Builder instead. - *
+ * @deprecated Please use + * google-auth-library for handling Application Default Credentials and other non-OAuth2 + * based authentication. */ @Beta @Deprecated From ade0ee08a344d501630a4251e852d59ba6c7e490 Mon Sep 17 00:00:00 2001 From: Diego Alonso Marquez Palacios Date: Mon, 22 Sep 2025 16:23:20 -0400 Subject: [PATCH 3/5] docs: match deprecated message with guidance --- .../client/googleapis/auth/oauth2/GoogleCredential.java | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java b/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java index acfcc51e2..2f2084478 100644 --- a/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java +++ b/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java @@ -222,9 +222,7 @@ public static GoogleCredential getApplicationDefault( * @param credentialStream the stream with the credential definition. * @return the credential defined by the credentialStream. * @throws IOException if the credential cannot be created from the stream. - * @deprecated Please use - * google-auth-library for handling Application Default Credentials and other non-OAuth2 - * based authentication. + * @deprecated This method is being deprecated because of a potential security risk. */ @Beta @Deprecated 
@@ -259,9 +257,7 @@ public static GoogleCredential fromStream(InputStream credentialStream) throws I
 * @param credentialStream the stream with the credential definition.
 * @return the credential defined by the credentialStream.
 * @throws IOException if the credential cannot be created from the stream.
- * @deprecated Please use
- * google-auth-library for handling Application Default Credentials and other non-OAuth2
- * based authentication.
+ * @deprecated This method is being deprecated because of a potential security risk.
 */
 @Beta
 @Deprecated
From b15e31ec325db9053aa6ec7983ada5221ece1539 Mon Sep 17 00:00:00 2001
From: Diego Alonso Marquez Palacios
Date: Mon, 22 Sep 2025 16:25:07 -0400
Subject: [PATCH 4/5] chore: remove unnecessary comment section
---
 .../googleapis/auth/oauth2/GoogleCredential.java | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java b/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java
index 2f2084478..df77d2f93 100644
--- a/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java
+++ b/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java
@@ -213,11 +213,7 @@ public static GoogleCredential getApplicationDefault(
 * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation}
 * for more details.
 *
- *

Returns credentials defined by a JSON file stream. - * - *

The stream can contain a Service Account key file in JSON format from the Google - * - *

Developers Console or a stored user credential using the format supported by the Cloud SDK. + *

Returns a credential defined by a Json file. * * @param credentialStream the stream with the credential definition. * @return the credential defined by the credentialStream. @@ -248,11 +244,7 @@ public static GoogleCredential fromStream(InputStream credentialStream) throws I * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation} * for more details. * - *
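Review bot: The removed paragraph was the only place in this Javadoc that says which inputs `fromStream` accepts — a service account key file in JSON format or a stored user credential in the Cloud SDK format — and the replacement sentence "Returns a credential defined by a Json file." no longer tells a caller that; the second hunk of this patch makes the same cut for the three-argument overload. Consider keeping one sentence, e.g. `The stream may contain a service account key file in JSON format or a stored user credential in the format used by the Cloud SDK.`, after the new summary line. Also, the rest of the comment writes "JSON" while the new line writes "Json"; pick one spelling.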

Returns credentials defined by a JSON file stream. - * - *

The stream can contain a Service Account key file in JSON format from the Google - * - *

Developers Console or a stored user credential using the format supported by the Cloud SDK. + *

Returns a credential defined by a Json file.
 *
 * @param credentialStream the stream with the credential definition.
 * @return the credential defined by the credentialStream.
From bcecc5a777e2d4e317b387a8f28080e840d0c962 Mon Sep 17 00:00:00 2001
From: Diego Alonso Marquez Palacios
Date: Mon, 22 Sep 2025 16:28:02 -0400
Subject: [PATCH 5/5] chore: suggest new credentials class with link
---
 .../api/client/googleapis/auth/oauth2/GoogleCredential.java | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java b/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java
index df77d2f93..80353273d 100644
--- a/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java
+++ b/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java
@@ -219,6 +219,7 @@ public static GoogleCredential getApplicationDefault(
 * @return the credential defined by the credentialStream.
 * @throws IOException if the credential cannot be created from the stream.
 * @deprecated This method is being deprecated because of a potential security risk.
+ * Please use {@link GoogleCredentials instead.
 */
 @Beta
 @Deprecated
@@ -250,6 +251,7 @@ public static GoogleCredential fromStream(InputStream credentialStream) throws I
 * @return the credential defined by the credentialStream.
 * @throws IOException if the credential cannot be created from the stream.
 * @deprecated This method is being deprecated because of a potential security risk.
+ * Please use {@link GoogleCredentials instead.
 */
 @Beta
 @Deprecated
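Review bot: As rendered here, the added line `+ * Please use {@link GoogleCredentials instead.` never closes the inline tag and names a type that does not exist in this package (the class being edited is `GoogleCredential`), so javadoc would either stop on an unterminated `{@link` or report an unresolved reference; the same line is added in the second hunk of this patch. Some markup may have been lost in extraction, but even with the brace in place the reference must resolve: write `{@link com.google.auth.oauth2.GoogleCredentials}` if google-auth-library is on the javadoc classpath, otherwise `{@code GoogleCredentials}` followed by a plain HTML link to its documentation. It would also help callers migrating off this method to say which `GoogleCredentials` factory replaces `fromStream` rather than pointing at the class alone.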