feat: Deprecate unsafe credential loading methods and options (Windy Eagle Mitigation) #3043

Merged: robertvoinescu-work merged 3 commits into googleapis:main from robertvoinescu-work:users/robertvoinescu/windy-eagle-mitigation on Oct 6, 2025

@robertvoinescu-work robertvoinescu-work commented Sep 15, 2025

Mitigating the "Windy Eagle" Credential Vulnerability

Services accepting external credential configurations with our auth libraries are vulnerable to malicious configurations that allow an attacker to exfiltrate data. This critical vulnerability exposes services and their host machines to data and token theft, undermining our security posture. This pull request mitigates the risk by deprecating unsafe loading methods and introducing a strict CredentialFactory that requires developers to explicitly define the expected credential type. Adopting this new pattern closes the credential exfiltration attack vector and provides a clear, secure standard for all developers.


Key Changes

  • New CredentialFactory: A secure, type-safe way to create credentials.
  • Deprecated Unsafe Methods: FromJson, FromFile, FromStream, and FromJsonParameters are now obsolete.
  • Refactored Internals: All internal code and tests now use the new CredentialFactory.
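
The expected-type rule described above, reduced to a stand-alone sketch. This is an added example, not code from this pull request or the library: `ExpectedTypeLoader` and `Load` are hypothetical names, and the sketch only checks the JSON `type` field rather than building a credential.

```csharp
using System;
using System.Text.Json;

// Added illustration, not code from google-api-dotnet-client.
// ExpectedTypeLoader and Load are hypothetical names.
public static class ExpectedTypeLoader
{
    // "type" values that appear in Google credential JSON files.
    public const string ServiceAccount = "service_account";
    public const string AuthorizedUser = "authorized_user";
    public const string ExternalAccount = "external_account";

    // Returns the parsed configuration only when its declared "type"
    // is exactly the one the calling code was written to accept.
    public static JsonElement Load(string json, string expectedType)
    {
        JsonDocument doc;
        try { doc = JsonDocument.Parse(json); }
        catch (JsonException e)
        {
            throw new InvalidOperationException("Error deserializing JSON credential data.", e);
        }
        using (doc)
        {
            JsonElement root = doc.RootElement;
            if (root.ValueKind != JsonValueKind.Object ||
                !root.TryGetProperty("type", out JsonElement type) ||
                type.ValueKind != JsonValueKind.String)
                throw new InvalidOperationException("Credential JSON has no string \"type\" field.");
            string actual = type.GetString();
            if (!string.Equals(actual, expectedType, StringComparison.Ordinal))
                throw new InvalidOperationException(
                    $"Expected credential type '{expectedType}' but the configuration declares '{actual}'.");
            return root.Clone(); // Clone so the result outlives the disposed document.
        }
    }

    public static void Main()
    {
        // Constructed sample inputs.
        string serviceAccount = "{\"type\":\"service_account\",\"client_email\":\"svc@example.invalid\"}";
        string external = "{\"type\":\"external_account\"}";
        Console.WriteLine(Load(serviceAccount, ServiceAccount).GetProperty("client_email").GetString());
        try { Load(external, ServiceAccount); }
        catch (InvalidOperationException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```

The caller states the type it was written for, so a configuration that declares any other type fails before anything is constructed from it.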

@robertvoinescu-work robertvoinescu-work force-pushed the users/robertvoinescu/windy-eagle-mitigation branch 2 times, most recently from 518d25a to 9351a40 Compare September 17, 2025 21:03
@robertvoinescu-work robertvoinescu-work force-pushed the users/robertvoinescu/windy-eagle-mitigation branch 3 times, most recently from 42a6560 to 7160ca2 Compare September 17, 2025 21:47
@robertvoinescu-work robertvoinescu-work force-pushed the users/robertvoinescu/windy-eagle-mitigation branch from 7160ca2 to 0a05b66 Compare September 19, 2025 17:50

@amanda-tarafa amanda-tarafa left a comment

Mostly name changes and a little bit more of simplification. Thanks!

@robertvoinescu-work robertvoinescu-work force-pushed the users/robertvoinescu/windy-eagle-mitigation branch 3 times, most recently from eeec372 to 5e2d08a Compare September 23, 2025 20:59

@amanda-tarafa amanda-tarafa left a comment

See comment on removing duplicate methods.

@robertvoinescu-work robertvoinescu-work force-pushed the users/robertvoinescu/windy-eagle-mitigation branch from 5e2d08a to 72332ca Compare September 25, 2025 18:06

@amanda-tarafa amanda-tarafa left a comment

A few more tweaks but looking great.

@robertvoinescu-work robertvoinescu-work force-pushed the users/robertvoinescu/windy-eagle-mitigation branch 7 times, most recently from 2cde44e to 98b17cf Compare September 30, 2025 22:56
@robertvoinescu-work robertvoinescu-work force-pushed the users/robertvoinescu/windy-eagle-mitigation branch from 98b17cf to 4c7e591 Compare September 30, 2025 23:14
@robertvoinescu-work robertvoinescu-work force-pushed the users/robertvoinescu/windy-eagle-mitigation branch 4 times, most recently from aaa6477 to 26b6c29 Compare September 30, 2025 23:38
@robertvoinescu-work robertvoinescu-work force-pushed the users/robertvoinescu/windy-eagle-mitigation branch 2 times, most recently from c39bb24 to 2947315 Compare October 3, 2025 17:16
amanda-tarafa previously approved these changes Oct 3, 2025

@amanda-tarafa amanda-tarafa left a comment

LGTM, just a few styling nits.

Comment on lines 69 to 79
JsonCredentialParameters credentialParameters;
try
{
credentialParameters = await NewtonsoftJsonSerializer.Instance.DeserializeAsync<JsonCredentialParameters>(stream, cancellationToken).ConfigureAwait(false);
}
catch (Exception e)
{
throw new InvalidOperationException("Error deserializing JSON credential data.", e);
}

return FromJsonParameters<T>(credentialParameters);
Contributor

Suggested change
JsonCredentialParameters credentialParameters;
try
{
credentialParameters = await NewtonsoftJsonSerializer.Instance.DeserializeAsync<JsonCredentialParameters>(stream, cancellationToken).ConfigureAwait(false);
}
catch (Exception e)
{
throw new InvalidOperationException("Error deserializing JSON credential data.", e);
}
return FromJsonParameters<T>(credentialParameters);
try
{
return await NewtonsoftJsonSerializer.Instance.DeserializeAsync<JsonCredentialParameters>(stream, cancellationToken).ConfigureAwait(false);
}
catch (Exception e)
{
throw new InvalidOperationException("Error deserializing JSON credential data.", e);
}
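
Review bot: In the replacement `catch (Exception e)` block, every exception from `DeserializeAsync` is rewrapped as `InvalidOperationException("Error deserializing JSON credential data.", e)`, and because `cancellationToken` is passed to that call, a cancellation that surfaces as `OperationCanceledException` would reach callers as a deserialization failure. Consider an exception filter such as `catch (Exception e) when (!(e is OperationCanceledException))` so callers can tell a cancelled load from malformed credential data. The suggestion also changes what is returned, from `FromJsonParameters<T>(credentialParameters)` to the deserialized `JsonCredentialParameters`, so the enclosing method's return type and its callers have to change with it.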

Contributor Author

I've merged all into one line as suggested.

Comment on lines 189 to 191
}

CheckCompatibility(targetType, typeof(UserCredential));
Contributor

Suggested change
}
CheckCompatibility(targetType, typeof(UserCredential));
}
CheckCompatibility(targetType, typeof(UserCredential));

But also, there's a lot of blank lines after. I think this may be your editor configuration, but it makes the code look longer than it actually is.

(This all can be done in a separate PR).

Contributor Author

I made sure to remove the extra space introduced around check compatibility.

Introduces `CredentialFactory` to enable the safe creation of specific `IGoogleCredential` types (e.g., `UserCredential`, `ServiceAccountCredential`) from various sources.
…s as obsolete and add warnings to XML docs and incorporate CredentialFactory.

@amanda-tarafa amanda-tarafa left a comment

Thanks!

@robertvoinescu-work robertvoinescu-work merged commit d6fed4a into googleapis:main Oct 6, 2025
4 checks passed
@robertvoinescu-work robertvoinescu-work deleted the users/robertvoinescu/windy-eagle-mitigation branch October 6, 2025 17:16
amanda-tarafa added a commit to amanda-tarafa/google-api-dotnet-client that referenced this pull request Oct 6, 2025
Security related fix:

- googleapis#3043 Deprecate vulnerable credential loading mechanisms. See https://cloud.google.com/docs/authentication/client-libraries#external-credentials for more information.
amanda-tarafa added a commit that referenced this pull request Oct 6, 2025
Security related fix:

- #3043 Deprecate vulnerable credential loading mechanisms. See https://cloud.google.com/docs/authentication/client-libraries#external-credentials for more information.