Skip to content

fix(sec): warn users of unsafe credential generation methods #2604

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Sep 24, 2025
Merged

fix(sec): warn users of unsafe credential generation methods #2604

merged 5 commits into from
Sep 24, 2025

Conversation

diegomarquezp
Copy link
Contributor

@diegomarquezp diegomarquezp commented Sep 22, 2025
edited
Loading

Unlike the efforts in the current non-deprecated auth library googleapis/google-auth-library-java#1802 and googleapis/google-auth-library-java#1798, this library is deprecated and promotes usage of google-auth-library-java.

However, we also add a comment with notice of the unsafety of the fromStream() methods, repeating the existing note of class deprecation (the GoogleCredential is already deprecated).

This library does not have subclasses for credentials (e.g. service account credentials).
@product-auto-label product-auto-label bot added the size: m Pull request size is medium. label Sep 22, 2025
@diegomarquezp diegomarquezp marked this pull request as ready for review September 22, 2025 19:25
@diegomarquezp diegomarquezp requested a review from a team as a code owner September 22, 2025 19:25
lqiu96
lqiu96 approved these changes Sep 22, 2025
View reviewed changes
Copy link
Member

@lqiu96 lqiu96 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!
lqiu96
lqiu96 reviewed Sep 22, 2025
View reviewed changes
...-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java
* @return the credential defined by the credentialStream.
* @throws IOException if the credential cannot be created from the stream.
* @deprecated This method is being deprecated because of a potential security risk.
* Please use {@link <a href="https://javadoc.io/doc/com.google.auth/google-auth-library-oauth2-http/latest/com/google/auth/oauth2/GoogleCredentials.html">GoogleCredentials</a> instead.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you link to cloud rad instead of javadoc?
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will raise a separate PR
@diegomarquezp diegomarquezp merged commit d4c0a33 into main Sep 24, 2025
16 checks passed
@diegomarquezp diegomarquezp deleted the unsafe-credentials-method-warning branch September 24, 2025 14:39
@release-please release-please bot mentioned this pull request Sep 24, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size: m Pull request size is medium.

2 participants

@diegomarquezp @lqiu96