From 1d8889bcbed84974b9c41eba3f0720847fcd0478 Mon Sep 17 00:00:00 2001 From: Brent Shaffer Date: Wed, 17 Sep 2025 08:57:24 -0700 Subject: [PATCH 1/4] docs: phpdoc warning for external credentials --- src/Credentials/ExternalAccountCredentials.php | 9 +++++++++ .../ImpersonatedServiceAccountCredentials.php | 9 +++++++++ 2 files changed, 18 insertions(+) diff --git a/src/Credentials/ExternalAccountCredentials.php b/src/Credentials/ExternalAccountCredentials.php index c0306ee807..03e28d30e7 100644 --- a/src/Credentials/ExternalAccountCredentials.php +++ b/src/Credentials/ExternalAccountCredentials.php @@ -35,6 +35,15 @@ use GuzzleHttp\Psr7\Request; use InvalidArgumentException; +/** + * **IMPORTANT**: + * This class does not validate the credential configuration. A security + * risk occurs when a credential configuration configured with malicious urls + * is used. + * When the credential configuration is accepted from an + * untrusted source, you should validate it before using with this method. + * [documentation] https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details. + */ class ExternalAccountCredentials implements FetchAuthTokenInterface, UpdateMetadataInterface, diff --git a/src/Credentials/ImpersonatedServiceAccountCredentials.php b/src/Credentials/ImpersonatedServiceAccountCredentials.php index a44b113639..4d135568c2 100644 --- a/src/Credentials/ImpersonatedServiceAccountCredentials.php +++ b/src/Credentials/ImpersonatedServiceAccountCredentials.php @@ -30,6 +30,15 @@ use InvalidArgumentException; use LogicException; +/** + * **IMPORTANT**: + * This class does not validate the credential configuration. A security + * risk occurs when a credential configuration configured with malicious urls + * is used. + * When the credential configuration is accepted from an + * untrusted source, you should validate it before using with this method. + * [documentation] https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details. + */ class ImpersonatedServiceAccountCredentials extends CredentialsLoader implements SignBlobInterface, GetUniverseDomainInterface From 9c530e21c45dd7c93ab590eeb0e2c6258df9a6ad Mon Sep 17 00:00:00 2001 From: Brent Shaffer Date: Mon, 29 Sep 2025 08:55:35 -0700 Subject: [PATCH 2/4] Update src/Credentials/ExternalAccountCredentials.php --- src/Credentials/ExternalAccountCredentials.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Credentials/ExternalAccountCredentials.php b/src/Credentials/ExternalAccountCredentials.php index 03e28d30e7..dfe9546f7e 100644 --- a/src/Credentials/ExternalAccountCredentials.php +++ b/src/Credentials/ExternalAccountCredentials.php @@ -41,7 +41,7 @@ * risk occurs when a credential configuration configured with malicious urls * is used. * When the credential configuration is accepted from an - * untrusted source, you should validate it before using with this method. + * untrusted source, you should validate it before creating this class. * [documentation] https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details. */ class ExternalAccountCredentials implements From d8a1f458d52715bdfd29ddff482078ce641e8e15 Mon Sep 17 00:00:00 2001 From: Brent Shaffer Date: Mon, 29 Sep 2025 08:55:54 -0700 Subject: [PATCH 3/4] Update src/Credentials/ImpersonatedServiceAccountCredentials.php --- src/Credentials/ImpersonatedServiceAccountCredentials.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Credentials/ImpersonatedServiceAccountCredentials.php b/src/Credentials/ImpersonatedServiceAccountCredentials.php index 4d135568c2..c438f731b8 100644 --- a/src/Credentials/ImpersonatedServiceAccountCredentials.php +++ b/src/Credentials/ImpersonatedServiceAccountCredentials.php @@ -36,7 +36,7 @@ * risk occurs when a credential configuration configured with malicious urls * is used. * When the credential configuration is accepted from an - * untrusted source, you should validate it before using with this method. + * untrusted source, you should validate it before creating this class. * [documentation] https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details. */ class ImpersonatedServiceAccountCredentials extends CredentialsLoader implements From a0e5712ab4e288a22a2ef64a2138fd8e6c22ebd6 Mon Sep 17 00:00:00 2001 From: Brent Shaffer Date: Mon, 29 Sep 2025 09:21:22 -0700 Subject: [PATCH 4/4] Apply suggestions from code review --- src/Credentials/ExternalAccountCredentials.php | 2 +- src/Credentials/ImpersonatedServiceAccountCredentials.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Credentials/ExternalAccountCredentials.php b/src/Credentials/ExternalAccountCredentials.php index dfe9546f7e..afaf1ee3f8 100644 --- a/src/Credentials/ExternalAccountCredentials.php +++ b/src/Credentials/ExternalAccountCredentials.php @@ -42,7 +42,7 @@ * is used. * When the credential configuration is accepted from an * untrusted source, you should validate it before creating this class. - * [documentation] https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details. + * @see https://cloud.google.com/docs/authentication/external/externally-sourced-credentials */ class ExternalAccountCredentials implements FetchAuthTokenInterface, diff --git a/src/Credentials/ImpersonatedServiceAccountCredentials.php b/src/Credentials/ImpersonatedServiceAccountCredentials.php index c438f731b8..f473f8ebf3 100644 --- a/src/Credentials/ImpersonatedServiceAccountCredentials.php +++ b/src/Credentials/ImpersonatedServiceAccountCredentials.php @@ -37,7 +37,7 @@ * is used. * When the credential configuration is accepted from an * untrusted source, you should validate it before creating this class. - * [documentation] https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details. + * @see https://cloud.google.com/docs/authentication/external/externally-sourced-credentials */ class ImpersonatedServiceAccountCredentials extends CredentialsLoader implements SignBlobInterface,