Commit 286e114

fix(sec): warn users of unsafe credential generation methods
1 parent 665acbe commit 286e114

1 file changed

+48
-16
lines changed

google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java

Lines changed: 48 additions & 16 deletions
@@ -197,42 +197,74 @@ public static GoogleCredential getApplicationDefault(
197197

198198
/**
199199
* {@link Beta} <br>
200-
* Return a credential defined by a Json file.
201200
*
202-
* <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
203-
* external source for authentication to Google Cloud Platform, you must validate it before
204-
* providing it to any Google API or library. Providing an unvalidated credential configuration to
205-
* Google APIs can compromise the security of your systems and data. For more information, refer
206-
* to {@link <a
207-
* href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
201+
* <p>Important: This method does not validate the credential configuration. A security risk holds
202+
* when a credential configuration is accepted from a source that is not under your control and
203+
* used without validation on your side.
204+
*
205+
* <p>If you are loading your credential configuration from an untrusted source and have not
206+
* mitigated the risks (e.g. by validating the configuration yourself), make these changes as soon
207+
* as possible to prevent security risks to your environment.
208+
*
209+
* <p>Regardless of the method used, it is always your responsibility to validate configurations
210+
* received from external sources.
211+
*
212+
* <p>See the {@link <a
213+
* href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}
214+
* for more details.
215+
*
216+
* <p>Returns credentials defined by a JSON file stream.
217+
*
218+
* <p>The stream can contain a Service Account key file in JSON format from the Google
219+
*
220+
* <p>Developers Console or a stored user credential using the format supported by the Cloud SDK.
208221
*
209222
* @param credentialStream the stream with the credential definition.
210223
* @return the credential defined by the credentialStream.
211224
* @throws IOException if the credential cannot be created from the stream.
225+
* @deprecated
226+
* <p>This method is deprecated because of a potential security risk. Use the Builder instead.
227+
* <br>
212228
*/
213229
@Beta
230+
@Deprecated
214231
public static GoogleCredential fromStream(InputStream credentialStream) throws IOException {
215232
return fromStream(credentialStream, Utils.getDefaultTransport(), Utils.getDefaultJsonFactory());
216233
}
217234

218235
/**
219236
* {@link Beta} <br>
220-
* Return a credential defined by a Json file.
221237
*
222-
* <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
223-
* external source for authentication to Google Cloud Platform, you must validate it before
224-
* providing it to any Google API or library. Providing an unvalidated credential configuration to
225-
* Google APIs can compromise the security of your systems and data. For more information, refer
226-
* to {@link <a
227-
* href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
238+
* <p>Important: This method does not validate the credential configuration. A security risk holds
239+
* when a credential configuration is accepted from a source that is not under your control and
240+
* used without validation on your side.
241+
*
242+
* <p>If you are loading your credential configuration from an untrusted source and have not
243+
* mitigated the risks (e.g. by validating the configuration yourself), make these changes as soon
244+
* as possible to prevent security risks to your environment.
245+
*
246+
* <p>Regardless of the method used, it is always your responsibility to validate configurations
247+
* received from external sources.
248+
*
249+
* <p>See the {@link <a
250+
* href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}
251+
* for more details.
252+
*
253+
* <p>Returns credentials defined by a JSON file stream.
254+
*
255+
* <p>The stream can contain a Service Account key file in JSON format from the Google
256+
*
257+
* <p>Developers Console or a stored user credential using the format supported by the Cloud SDK.
228258
*
229259
* @param credentialStream the stream with the credential definition.
230-
* @param transport the transport for Http calls.
231-
* @param jsonFactory the factory for Json parsing and formatting.
232260
* @return the credential defined by the credentialStream.
233261
* @throws IOException if the credential cannot be created from the stream.
262+
* @deprecated
263+
* <p>This method is deprecated because of a potential security risk. Use the Builder instead.
264+
* <br>
234265
*/
235266
@Beta
267+
@Deprecated
236268
public static GoogleCredential fromStream(
237269
InputStream credentialStream, HttpTransport transport, JsonFactory jsonFactory)
238270
throws IOException {
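Review bot: The three-argument overload still takes `transport` and `jsonFactory`, but this hunk deletes `* @param transport the transport for Http calls.` and `* @param jsonFactory the factory for Json parsing and formatting.`, leaving two of its three parameters undocumented; restore both `@param` tags. Two smaller points in both Javadoc blocks: the sentence beginning `* <p>The stream can contain a Service Account key file in JSON format from the Google` is split by a blank `*` line and a second `<p>` before "Developers Console", so it renders as two fragments and should be one paragraph; and "make these changes as soon as possible" has no referent, so name the change (validate the configuration yourself, or move to the Builder, ideally with a `{@link}` to it in the `@deprecated` text so readers can navigate to the replacement).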
