Skip to content

fix: prevent samples from leaking OAuth client ID + Secret to users #54

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jul 27, 2022
Merged

fix: prevent samples from leaking OAuth client ID + Secret to users #54

merged 2 commits into from
Jul 27, 2022

Conversation

AlnisS
Copy link
Contributor

@AlnisS AlnisS commented Jul 5, 2022
edited by jpoehnelt
Loading

This mirrors the same PR in the OAuth2 library: googleworkspace/apps-script-oauth2#379

Previously, the getService method was public in most of the samples, letting any user of any sample application execute the method using google.script.run to exfiltrate the OAuth Client ID and Secret from the server.
Now, these methods are made private by appending an _ to their names, preventing this issue.
See also similar issue in the OAuth2 library: googleworkspace/apps-script-oauth2#378

closes #53

@AlnisS
fix: prevent samples from leaking OAuth client ID + Secret to users
c6397d4 
Previously, the getService method was public in most of the samples, letting any user of any sample application execute the method using google.script.run to exfiltrate the OAuth Client ID and Secret from the server.
Now, these methods are made private by appending an _ to their names, preventing this issue.
See also similar issue in the OAuth2 library: googleworkspace/apps-script-oauth2#378
@AlnisS
Copy link
Contributor Author

AlnisS commented Jul 5, 2022

Issue: #53

@AlnisS AlnisS mentioned this pull request Jul 5, 2022
Closed
@jpoehnelt jpoehnelt assigned jpoehnelt and unassigned davidharcombe Jul 27, 2022
@jpoehnelt jpoehnelt merged commit 0673b8a into googleworkspace:master Jul 27, 2022
@github-actions github-actions bot mentioned this pull request Aug 2, 2022
Closed
@googleworkspace-bot googleworkspace-bot mentioned this pull request Aug 2, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@jpoehnelt jpoehnelt

Labels
javascript
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Security: OAuth Client ID and Secret are accessible to any user of an Apps Script in almost all samples
3 participants
@AlnisS @davidharcombe @jpoehnelt