This repository was archived by the owner on Nov 20, 2025. It is now read-only.

chore: deprecate unsafe loads & client options, add warnings to risky methods#2134

Merged
GautamSharda merged 8 commits into main from windy-eagle on Sep 25, 2025

Conversation

@GautamSharda
Contributor

@GautamSharda GautamSharda commented Sep 20, 2025

Description

This change applies a vulnerability mitigation (b/437993913).

The core issue is that generic credential loading methods like fromJSON() and fromStream() can be exploited. If an application accepts a credential configuration from an untrusted source, an attacker can craft a malicious JSON payload (e.g., with type: 'external_account'). This could cause the library to load a credential type that can exfiltrate data or tokens by interacting with attacker-controlled URLs.

To mitigate this, this PR:

  1. Deprecates fromJSON() and fromStream() in GoogleAuth: These methods are now marked as deprecated, with detailed JSDoc comments explaining the security risk.
  2. Guides Users to Safer Alternatives: The deprecation messages and README now guide users to use credential-specific constructors, such as new JWT(...) for service accounts. This approach is safer because it requires the developer to be explicit about the credential type they intend to use, preventing the library from dynamically loading a potentially malicious type based on external input.
  3. Adds Warnings to High-Risk Credentials: Explicit warnings have been added to the constructors of ExternalAccountClient and Impersonated to ensure users are aware of the risks when using these credential types with externally sourced configurations.
  4. Deprecates Unsafe Constructor Options: The keyFilename and credentials options in the GoogleAuth constructor are now deprecated. These options promote an unsafe API pattern by allowing the library to implicitly determine the credential type from a generic file or object. Deprecating them enforces the recommended, more secure practice of explicitly creating a credential object of a specific type first before passing it to a client.

Impact

This is a non-breaking security enhancement. Existing code will continue to function, but users of the deprecated methods will see warnings encouraging them to adopt safer credential loading practices. This change hardens the library against potential credential misconfiguration attacks.

Testing

The changes primarily involve adding deprecation tags, JSDoc comments, and updating documentation. No core logic was altered. The existing test suite was run to ensure that all functionality remains intact and no regressions were introduced. All tests continue to pass.

Checklist

  • b/437993913
  • Ensure the tests and linter pass
  • Code coverage does not decrease
  • Appropriate docs were updated
  • Appropriate comments were added, particularly in complex areas or places that require background
  • No new warnings or issues will be generated from this change

Fixes b/437993913
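The loader pattern the PR recommends, as an added example that is not code from this PR or from google-auth-library: the application decides up front that it wants a service-account key, validates the untrusted JSON against that expectation, and only then calls an explicit constructor it chose itself, so the document's `type` field never selects a class such as external_account. The `{ email, key }` option names assumed here mirror the library's JWT constructor; the sample inputs are constructed placeholders.

```javascript
// Added example, not code from the PR or from google-auth-library: a loader
// that keeps the credential type explicit, so an untrusted JSON document can
// never pick external_account (or another URL-driven type) on the app's behalf.

// Fields only present in credential types whose behaviour is driven by URLs
// taken from the config itself; a service-account key never carries them.
const URL_DRIVEN_FIELDS = [
  'token_url', 'credential_source', 'service_account_impersonation_url',
  'source_credentials',
];

// Returns { ok: true, options } with options shaped like the JWT constructor's
// { email, key } (assumed names), or { ok: false, reason }. cfg.type is only
// ever compared against the one type the caller expects, never dispatched on.
function checkServiceAccountConfig(rawJson) {
  let cfg;
  try { cfg = JSON.parse(rawJson); } catch (e) {
    return { ok: false, reason: 'not valid JSON' };
  }
  if (cfg === null || typeof cfg !== 'object' || Array.isArray(cfg)) {
    return { ok: false, reason: 'config is not a JSON object' };
  }
  if (cfg.type !== 'service_account') {
    return { ok: false, reason: `refusing credential type ${JSON.stringify(cfg.type)}` };
  }
  const hit = URL_DRIVEN_FIELDS.find((f) => f in cfg);
  if (hit) return { ok: false, reason: `unexpected field ${hit} in service_account config` };
  for (const f of ['client_email', 'private_key']) {
    if (typeof cfg[f] !== 'string' || cfg[f] === '') {
      return { ok: false, reason: `missing ${f}` };
    }
  }
  return { ok: true, options: { email: cfg.client_email, key: cfg.private_key } };
}

// Explicit construction: the caller supplies the constructor it intends to use
// (in a real app, opts => new JWT(opts)); the loader never chooses a class.
function loadServiceAccount(rawJson, makeClient) {
  const res = checkServiceAccountConfig(rawJson);
  if (!res.ok) throw new Error(`credential rejected: ${res.reason}`);
  return makeClient(res.options);
}

// Constructed sample inputs (placeholder values, not real credentials).
const GOOD = JSON.stringify({ type: 'service_account', client_email: 'svc@example.invalid',
  private_key: '-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n' });
const BAD = JSON.stringify({ type: 'external_account',
  token_url: 'https://sts.example.invalid/token',
  credential_source: { url: 'https://untrusted.example.invalid/creds' } });
```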

@GautamSharda GautamSharda requested a review from a team September 20, 2025 00:28
@GautamSharda GautamSharda requested a review from a team as a code owner September 20, 2025 00:28
@product-auto-label product-auto-label bot added the size: m Pull request size is medium. label Sep 20, 2025
@generated-files-bot

Warning: This pull request is touching the following templated files:

@GautamSharda GautamSharda added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Sep 20, 2025
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Sep 20, 2025
Updates .readme-partials.yaml with the secure JWT constructor
example for loading credentials from environment variables. This
resolves a Windy Eagle vulnerability mitigation concern and adheres
to the synthtool workflow for documentation.
@GautamSharda GautamSharda added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Sep 23, 2025
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Sep 23, 2025
@GautamSharda GautamSharda changed the title chore: deprecate unsafe loads & add warnings to risky methods chore: deprecate unsafe loads & client options, add warnings to risky methods Sep 23, 2025
@GautamSharda GautamSharda merged commit dc9f5cd into main Sep 25, 2025
20 of 21 checks passed
@GautamSharda GautamSharda deleted the windy-eagle branch September 25, 2025 20:27
@GautamSharda GautamSharda added the release-please:force-run To run release-please label Sep 30, 2025
@release-please release-please bot removed the release-please:force-run To run release-please label Sep 30, 2025