fix: indicate non-validated external credentials in generic methods (#1798)

diegomarquezp · web-flow · commit e7d4380ce94b · 2025-09-04T17:03:14.000-04:00
diff --git a/README.md b/README.md
@@ -1521,6 +1521,35 @@ To run the tests you will need:
 $ mvn test
 ```
 
+## Versioning
+
+This library follows [Semantic Versioning](http://semver.org/), but with some
+additional qualifications:
+
+1. Components marked with `@ObsoleteApi` are stable for usage in the current major version,
+   but will be marked with `@Deprecated` in a future major version.
+   **NOTE**: We reserve the right to mark anything as `@Deprecated` and introduce breaking
+   changes in a minor version to fix any ***critical bugs and
+   vulnerabilities***.
+
+1. Components marked with `@InternalApi` are technically public, but are only
+   public for technical reasons, because of the limitations of Java's access
+   modifiers. For the purposes of semver, they should be considered private.
+
+1. Components marked with `@InternalExtensionOnly` are stable for usage, but
+   not for extension. Thus, methods will not be removed from interfaces marked
+   with this annotation, but methods can be added, thus breaking any
+   code implementing the interface. See the javadocs for more details on other
+   consequences of this annotation.
+
+1. Components marked with `@BetaApi` are considered to be "0.x" features inside
+   a "1.x" library. This means they can change between minor and patch releases
+   in incompatible ways. These features should not be used by any library "B"
+   that itself has consumers, unless the components of library B that use
+   `@BetaApi` features are also marked with `@BetaApi`. Features marked as
+   `@BetaApi` are on a path to eventually become "1.x" features with the marker
+   removed.
+   
 ## License
 
 BSD 3-Clause - See [LICENSE](LICENSE) for more information.
diff --git a/oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ExternalAccountCredentials.java
@@ -404,6 +404,13 @@ public static ExternalAccountCredentials fromStream(
   /**
    * Returns external account credentials defined by JSON using the format generated by gCloud.
    *
+   * <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
+   * external source for authentication to Google Cloud Platform, you must validate it before
+   * providing it to any Google API or library. Providing an unvalidated credential configuration to
+   * Google APIs can compromise the security of your systems and data. For more information, refer
+   * to {@link <a
+   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
+   *
    * @param json a map from the JSON representing the credentials
    * @param transportFactory HTTP transport factory, creates the transport used to get access tokens
    * @return the credentials defined by the JSON
diff --git a/oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java b/oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java
@@ -35,6 +35,7 @@
 import com.google.api.client.json.JsonFactory;
 import com.google.api.client.json.JsonObjectParser;
 import com.google.api.client.util.Preconditions;
+import com.google.api.core.ObsoleteApi;
 import com.google.auth.Credentials;
 import com.google.auth.http.HttpTransportFactory;
 import com.google.common.annotations.VisibleForTesting;
@@ -208,6 +209,8 @@ public static GoogleCredentials getApplicationDefault(HttpTransportFactory trans
    * @return the credential defined by the credentialsStream.
    * @throws IOException if the credential cannot be created from the stream.
    */
+  @ObsoleteApi(
+      "This method is obsolete because of a potential security risk. Use the credential specific load method instead")
   public static GoogleCredentials fromStream(InputStream credentialsStream) throws IOException {
     return fromStream(credentialsStream, OAuth2Utils.HTTP_TRANSPORT_FACTORY);
   }
@@ -231,6 +234,8 @@ public static GoogleCredentials fromStream(InputStream credentialsStream) throws
    * @return the credential defined by the credentialsStream.
    * @throws IOException if the credential cannot be created from the stream.
    */
+  @ObsoleteApi(
+      "This method is obsolete because of a potential security risk. Use the credential specific load method instead")
   public static GoogleCredentials fromStream(
       InputStream credentialsStream, HttpTransportFactory transportFactory) throws IOException {
     Preconditions.checkNotNull(credentialsStream);
diff --git a/oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java
@@ -365,6 +365,13 @@ public byte[] sign(byte[] toSign) {
    * The source credentials in the JSON should be either user account credentials or service account
    * credentials.
    *
+   * <p>Important: If you accept a credential configuration (credential JSON/File/Stream) from an
+   * external source for authentication to Google Cloud Platform, you must validate it before
+   * providing it to any Google API or library. Providing an unvalidated credential configuration to
+   * Google APIs can compromise the security of your systems and data. For more information, refer
+   * to {@link <a
+   * href="https://cloud.google.com/docs/authentication/external/externally-sourced-credentials">documentation</a>}.
+   *
    * @param json a map from the JSON representing the credentials
    * @param transportFactory HTTP transport factory, creates the transport used to get access tokens
    * @return the credentials defined by the JSON
diff --git a/oauth2_http/pom.xml b/oauth2_http/pom.xml
@@ -325,6 +325,10 @@
       <artifactId>error_prone_annotations</artifactId>
       <scope>compile</scope>
     </dependency>
+    <dependency>
+      <groupId>com.google.api</groupId>
+      <artifactId>api-common</artifactId>
+    </dependency>
     <dependency>
       <groupId>junit</groupId>
       <artifactId>junit</artifactId>
diff --git a/pom.xml b/pom.xml
@@ -80,12 +80,13 @@
     <project.appengine.version>2.0.33</project.appengine.version>
     <project.findbugs.version>3.0.2</project.findbugs.version>
     <deploy.autorelease>false</deploy.autorelease>
-    <project.error-prone.version>2.37.0</project.error-prone.version>
+    <project.error-prone.version>2.38.0</project.error-prone.version>
     <project.protobuf.version>3.25.5</project.protobuf.version>
     <project.cel.version>0.9.0-proto3</project.cel.version>
     <project.tink.version>1.15.0</project.tink.version>
     <project.slf4j.version>2.0.17</project.slf4j.version>
     <project.gson.version>2.12.1</project.gson.version>
+    <project.api-common.version>2.53.0</project.api-common.version>
   </properties>
 
   <dependencyManagement>
@@ -195,6 +196,17 @@
           </exclusion>
         </exclusions>
       </dependency>
+      <dependency>
+        <groupId>com.google.api</groupId>
+        <artifactId>api-common</artifactId>
+        <version>${project.api-common.version}</version>
+        <exclusions>
+          <exclusion>
+            <groupId>com.google.guava</groupId>
+            <artifactId>guava</artifactId>
+          </exclusion>
+        </exclusions>
+      </dependency>
     </dependencies>
   </dependencyManagement>
 
