fix: Include security warning in ExternalAccount and ImpersonatedServiceAccount credentials (#551)

Author: aandreassa

lib/googleauth/external_account.rb

@@ -40,6 +40,15 @@ class Credentials
 
         # Create a ExternalAccount::Credentials
         #
+        # @note Warning:
+        # This method does not validate the credential configuration. A security
+        # risk occurs when a credential configuration configured with malicious urls
+        # is used.
+        # When the credential configuration is accepted from an
+        # untrusted source, you should validate it before using with this method.
+        # See https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
+        # for more details.
+        #
         # @param options [Hash] Options for creating credentials
         # @option options [IO] :json_key_io (required) An IO object containing the JSON key
         # @option options [String,Array,nil] :scope The scope(s) to access

lib/googleauth/impersonated_service_account.rb

@@ -72,6 +72,15 @@ class ImpersonatedServiceAccountCredentials
       # and request short-lived credentials for a service account
       # that has the authorization that your use case requires.
       #
+      # @note Warning:
+      # This method does not validate the credential configuration. A security
+      # risk occurs when a credential configuration configured with malicious urls
+      # is used.
+      # When the credential configuration is accepted from an
+      # untrusted source, you should validate it before using with this method.
+      # See https://cloud.google.com/docs/authentication/external/externally-sourced-credentials
+      # for more details.
+      #
       # @param options [Hash] A hash of options to configure the credentials.
       # @option options [Object] :base_credentials (required) The authenticated principal.
       #   It will be used as following: