fix: DOS security risks (#1668)

googleapis · Oct 12, 2023 · b25d4f5 · b25d4f5
1 parent 311d6a1
commit b25d4f5
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/src/auth/baseexternalclient.ts b/src/auth/baseexternalclient.ts
@@ -238,6 +238,16 @@ export abstract class BaseExternalAccountClient extends AuthClient {
   /** The service account email to be impersonated, if available. */
   getServiceAccountEmail(): string | null {
     if (this.serviceAccountImpersonationUrl) {
+      if (this.serviceAccountImpersonationUrl.length > 256) {
+        /**
+         * Prevents DOS attacks.
+         * @see {@link https://github.com/googleapis/google-auth-library-nodejs/security/code-scanning/84}
+         **/
+        throw new RangeError(
+          `URL is too long: ${this.serviceAccountImpersonationUrl}`
+        );
+      }
+
       // Parse email from URL. The formal looks as follows:
       // https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/name@project-id.iam.gserviceaccount.com:generateAccessToken
       const re = /serviceAccounts\/(?<email>[^:]+):generateAccessToken$/;

diff --git a/src/auth/googleauth.ts b/src/auth/googleauth.ts
@@ -569,6 +569,16 @@ export class GoogleAuth<T extends AuthClient = JSONClient> {
       json.source_credentials.refresh_token
     );
 
+    if (json.service_account_impersonation_url?.length > 256) {
+      /**
+       * Prevents DOS attacks.
+       * @see {@link https://github.com/googleapis/google-auth-library-nodejs/security/code-scanning/85}
+       **/
+      throw new RangeError(
+        `Target principal is too long: ${json.service_account_impersonation_url}`
+      );
+    }
+
     // Extreact service account from service_account_impersonation_url
     const targetPrincipal = /(?<target>[^/]+):generateAccessToken$/.exec(
       json.service_account_impersonation_url