fix(sec): warn users of unsafe credential generation methods

diegomarquezp · diegomarquezp · commit 286e1145590a · 2025-09-22T15:20:01.000-04:00
diff --git a/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java b/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java
@@ -197,42 +197,74 @@ public static GoogleCredential getApplicationDefault(
 
   /**
    * {@link Beta} <br>
-   * Return a credential defined by a Json file.
    *
-   * <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
-   * external source for authentication to Google Cloud Platform, you must validate it before
-   * providing it to any Google API or library. Providing an unvalidated credential configuration to
-   * Google APIs can compromise the security of your systems and data. For more information, refer
-   * to {@link <a
-   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
+   * <p>Important: This method does not validate the credential configuration. A security risk holds
+   * when a credential configuration is accepted from a source that is not under your control and
+   * used without validation on your side.
+   *
+   * <p>If you are loading your credential configuration from an untrusted source and have not
+   * mitigated the risks (e.g. by validating the configuration yourself), make these changes as soon
+   * as possible to prevent security risks to your environment.
+   *
+   * <p>Regardless of the method used, it is always your responsibility to validate configurations
+   * received from external sources.
+   *
+   * <p>See the {@link <a
+   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}
+   * for more details.
+   *
+   * <p>Returns credentials defined by a JSON file stream.
+   *
+   * <p>The stream can contain a Service Account key file in JSON format from the Google
+   *
+   * <p>Developers Console or a stored user credential using the format supported by the Cloud SDK.
    *
    * @param credentialStream the stream with the credential definition.
    * @return the credential defined by the credentialStream.
    * @throws IOException if the credential cannot be created from the stream.
+   * @deprecated
+   *     <p>This method is deprecated because of a potential security risk. Use the Builder instead.
+   *     <br>
    */
   @Beta
+  @Deprecated
   public static GoogleCredential fromStream(InputStream credentialStream) throws IOException {
     return fromStream(credentialStream, Utils.getDefaultTransport(), Utils.getDefaultJsonFactory());
   }
 
   /**
    * {@link Beta} <br>
-   * Return a credential defined by a Json file.
    *
-   * <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
-   * external source for authentication to Google Cloud Platform, you must validate it before
-   * providing it to any Google API or library. Providing an unvalidated credential configuration to
-   * Google APIs can compromise the security of your systems and data. For more information, refer
-   * to {@link <a
-   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
+   * <p>Important: This method does not validate the credential configuration. A security risk holds
+   * when a credential configuration is accepted from a source that is not under your control and
+   * used without validation on your side.
+   *
+   * <p>If you are loading your credential configuration from an untrusted source and have not
+   * mitigated the risks (e.g. by validating the configuration yourself), make these changes as soon
+   * as possible to prevent security risks to your environment.
+   *
+   * <p>Regardless of the method used, it is always your responsibility to validate configurations
+   * received from external sources.
+   *
+   * <p>See the {@link <a
+   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}
+   * for more details.
+   *
+   * <p>Returns credentials defined by a JSON file stream.
+   *
+   * <p>The stream can contain a Service Account key file in JSON format from the Google
+   *
+   * <p>Developers Console or a stored user credential using the format supported by the Cloud SDK.
    *
    * @param credentialStream the stream with the credential definition.
-   * @param transport the transport for Http calls.
-   * @param jsonFactory the factory for Json parsing and formatting.
    * @return the credential defined by the credentialStream.
    * @throws IOException if the credential cannot be created from the stream.
+   * @deprecated
+   *     <p>This method is deprecated because of a potential security risk. Use the Builder instead.
+   *     <br>
    */
   @Beta
+  @Deprecated
   public static GoogleCredential fromStream(
       InputStream credentialStream, HttpTransport transport, JsonFactory jsonFactory)
       throws IOException {
