Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: prevent samples from leaking OAuth client ID + Secret to users #379

Merged
merged 1 commit into from
Jul 27, 2022
Merged

fix: prevent samples from leaking OAuth client ID + Secret to users #379

merged 1 commit into from
Jul 27, 2022

Conversation

AlnisS
Copy link
Contributor

@AlnisS AlnisS commented Jul 5, 2022
edited by jpoehnelt
Loading

Previously, the getService method was public in most of the samples, letting any user of any sample application execute the method using google.script.run to exfiltrate the OAuth Client ID and Secret from the server. Now, these methods are made private by appending an _ to their names, preventing this issue.

closes #378

@AlnisS
fix: prevent samples from leaking OAuth client ID + Secret to users
df86452 
Previously, the getService method was public in most of the samples, letting any user of any sample application execute the method using google.script.run to exfiltrate the OAuth Client ID and Secret from the server. Now, these methods are made private by appending an _ to their names, preventing this issue.
@AlnisS AlnisS mentioned this pull request Jul 5, 2022
Closed
@AlnisS
Copy link
Contributor Author

AlnisS commented Jul 5, 2022

Issue: #378

@AlnisS AlnisS mentioned this pull request Jul 5, 2022
Merged
@jpoehnelt jpoehnelt self-requested a review July 27, 2022 17:53
@jpoehnelt jpoehnelt merged commit a5480c1 into googleworkspace:master Jul 27, 2022
sqrrrl pushed a commit that referenced this pull request Aug 2, 2022
@AlnisS @sqrrrl
fix: prevent samples from leaking OAuth client ID + Secret to users (#…
120d7b1 
…379)

Previously, the getService method was public in most of the samples, letting any user of any sample application execute the method using google.script.run to exfiltrate the OAuth Client ID and Secret from the server. Now, these methods are made private by appending an _ to their names, preventing this issue.
@googleworkspace-bot googleworkspace-bot mentioned this pull request Aug 4, 2022
Merged
@googleworkspace-bot googleworkspace-bot mentioned this pull request Sep 23, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jpoehnelt jpoehnelt jpoehnelt approved these changes

Assignees

@jpoehnelt jpoehnelt

Labels
javascript
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@AlnisS @jpoehnelt