Credential refresh endpoint override accepts arbitrary absolute URLs and forwards catalog auth context

[rdblue]

This issue was reported to the private Apache Iceberg security mailing list. The submitter is being kept anonymous because the report was sent to a private list. After review, the issue is not considered a serious vulnerability that needs to be kept private, so it is being filed publicly here for tracking and resolution.

Note: this submission was generated by AI. Please review its claims and source references carefully before acting on them.

Summary

The GCS credential refresh endpoint accepts arbitrary absolute URLs
and sends catalog-authenticated requests to them, including plain
HTTP.

Affected Maven coordinates

• primary shipped client artifact: org.apache.iceberg:iceberg-gcp
• bundle artifact: org.apache.iceberg:iceberg-gcp-bundle

Attacker prerequisites

• control over the affected catalog response, configuration surface,
  or spec-consumed routing value
• a client or service that honors the affected configuration without
  an additional allow-list

Impact

• If the refresh endpoint is changed to another origin, Iceberg will
  send the catalog-authenticated request there.
• That enables SSRF-style behavior and can leak catalog auth headers
  or bearer tokens to an attacker-controlled endpoint.
• The issue is worse because absolute http:// URLs are also accepted.
• In REST catalog deployments, this can be table-scoped rather than
  just global config, because core/ merges table config into
  GCSFileIO properties before GCPProperties resolves the refresh
  endpoint.

Proof status

Source review only. The issue is visible directly from source.

Key source references

• org.apache.iceberg.gcp.GCPProperties
• org.apache.iceberg.rest.RESTUtil
• org.apache.iceberg.gcp.gcs.OAuth2RefreshCredentialsHandler

[rdblue]

This requires trusting a malicious catalog, which is not reasonable. If an attacker controls a trusted catalog, that attacker already has access to user identity tokens and can do much more than redirect those same tokens to another endpoint. In addition, the ability for the catalog to send the correct refresh endpoint to the client is an intended feature.

Looks like the GCS version of #16463. I closed that one for similar reasons.