fix #3845 #3847
fix #3845 #3847
Conversation
Summary of ChangesHello @guillaumeblaquiere, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request addresses a critical security concern by implementing a robust system to prevent the leakage of client secrets. It centralizes the secure, in-memory storage of these secrets, redacts them from configuration objects, and only exposes them transiently during necessary authentication flows, significantly enhancing the overall security posture of the system's authentication handling. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
adk-bot
added
the
core
|
Response from ADK Triaging Agent Hello @guillaumeblaquiere, thank you for your contribution! To help the reviewers better understand and verify this important security fix, could you please provide logs or a screenshot demonstrating that the This will help speed up the review process. Thanks! |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request aims to prevent a client secret leak by redacting it and storing it in memory. While the approach is generally correct, the implementation introduces a critical security vulnerability where a secret could be left un-redacted if an error occurs during an OAuth token exchange. Additionally, there's a high-severity issue where sensitive access tokens are leaked to stderr for debugging. I've also included several medium-severity comments to improve code quality, efficiency, and maintainability. It is crucial to address the security flaws before merging.
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request addresses a critical security vulnerability by preventing client secrets from being leaked. The approach of redacting the secret and storing it in memory on the server-side is sound. The changes are extensive and include new logic in CredentialManager and AuthHandler, as well as new tests to cover the secret handling.
My review focuses on ensuring the new logic is correct, robust, and maintainable. I've identified a critical bug in the secret re-redaction logic, some code duplication that should be addressed, and issues in the new tests that could lead to flakiness. Please see my detailed comments below.
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request aims to fix a critical security issue where the client_secret was being leaked. The approach of redacting the secret upon CredentialManager initialization and using a context manager (restore_client_secret) to temporarily restore it for API calls is excellent. The addition of new unit tests to cover this new secret handling logic is also a great improvement. However, I've identified a critical security vulnerability in the new fallback logic within the _exchange_credential method. This logic could lead to using a secret for one client with another client's ID, which must be fixed. My review includes a specific comment with a suggested fix for this issue.
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
|
Hi @guillaumeblaquiere , Thank you for your work on this pull request. We appreciate the effort you've invested. Can you please fix the failing unit tests. |
ryanaiagent
added
the
request clarification
|
@ryanaiagent done. |
ryanaiagent
removed
the
request clarification
|
@guillaumeblaquiere ,Your PR has been received by the team and is currently under review. We will provide feedback as soon as we have an update to share. |
|
Hi @seanzhou1023 , can you please review this. |
ryanaiagent
added
request clarification
|
Hi @guillaumeblaquiere , we appreciate your patience and support. Can you please fix the failing unit tests and formatting errors. |
|
@ryanaiagent unit test fixed |
|
Hi @guillaumeblaquiere , pls fix the formatting error as well. |
|
@ryanaiagent pyink ok |
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces a robust client secret management mechanism by redacting client secrets from AuthConfig objects and storing them securely in memory within the CredentialManager. A context manager, restore_client_secret, is implemented to temporarily expose these secrets for operations like token exchange and URI generation, ensuring they are re-redacted afterwards. New unit tests have been added to validate this security enhancement and the stability of credential keys. Additionally, minor import cleanups and updates to test mocks have been performed across several files.
|
Hi @guillaumeblaquiere , can you please address the suggestions. |
|
@ryanaiagent I'm travelling the next 2 days. I will fix this then. |
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces a robust mechanism for handling client secrets by redacting them from configuration objects and storing them securely in memory, which is a significant security improvement. The changes are comprehensive, affecting core authentication logic and updating numerous tests to align with the new behavior. My review has identified a critical bug in the credential_manager, a suggestion for simplification in auth_handler, and a couple of issues within the new tests that should be addressed.
| # Copyright 2025 Google LLC | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||
| # you may not use this file except in compliance with the License. | ||
| # You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. |
There was a problem hiding this comment.
There is a duplicated license header in this file. It should be removed to maintain code cleanliness.
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces a robust mechanism for securely handling client_secret in OAuth2 flows, effectively preventing it from being leaked. The core of the solution involves redacting the secret from credential objects and storing it in an in-memory CredentialManager, only restoring it temporarily within a context manager when required for API calls. This is a significant security enhancement, supported by a comprehensive set of new unit tests that validate the new behavior and ensure key stability. While the implementation is strong, I have identified a potential logic issue regarding credential refreshing and a minor point on code duplication. Overall, this is a valuable contribution to improving the security of the authentication process.
| with self.restore_client_secret(credential): | ||
| exchanged_credential = await exchanger.exchange( | ||
| credential, self._auth_config.auth_scheme | ||
| ) | ||
| return exchanged_credential.credential, True |
There was a problem hiding this comment.
Hardcoding was_exchanged to True here alters the credential processing logic. The previous implementation relied on the value returned by the exchanger to determine whether to attempt a refresh. With this change, a refresh will never be attempted after an exchange. If an exchanger is called with a credential that doesn't require an exchange (e.g., it already has a valid access token), was_exchanged would have been False, allowing a refresh to be attempted if necessary. This change prevents that, which could result in using an expiring token that should have been refreshed. It would be safer to use the was_exchanged value from the ExchangeResult.
| with self.restore_client_secret(credential): | |
| exchanged_credential = await exchanger.exchange( | |
| credential, self._auth_config.auth_scheme | |
| ) | |
| return exchanged_credential.credential, True | |
| with self.restore_client_secret(credential): | |
| exchange_result = await exchanger.exchange( | |
| credential, self._auth_config.auth_scheme | |
| ) | |
| return exchange_result.credential, exchange_result.was_exchanged |
| if not exchanger: | ||
| return credential, False | ||
|
|
||
| from ..tools.openapi_tool.auth.credential_exchangers.service_account_exchanger import ServiceAccountCredentialExchanger |
There was a problem hiding this comment.
This local import of ServiceAccountCredentialExchanger is also present in the __init__ method. To avoid duplication, you could import it once at the top of the file. If a top-level import is not feasible due to circular dependencies (which the TODO comment about moving the module seems to hint at), it would be beneficial to add a comment explaining why the duplicated local imports are necessary for future maintainability.
4 participants
Link to Issue or Description of Change
1. Link to an existing issue (if applicable):
Problem:
The client_secret was leaked and shared with the client
Solution:
I was unable to solve the issue myself. I vibe coded it with Antigravity.
I checked the code, it looks good to me.
Testing Plan
Unit Tests:
Manual End-to-End (E2E) Tests:
Manual test is OK