Google Cloud Functions Security Review

Generated: 2025-01-25 16:00 UTC
Status: Complete
Verified:
Updated: 2025-01-25 16:30 UTC - Post-remediation update

Executive Summary

This security review examines the Google Cloud Functions deployment for the Convert to Markdown service. The initial review identified critical security vulnerabilities with standalone unauthenticated functions creating a backdoor to the commercial API.

Update: As of 2025-01-25 16:30 UTC, the standalone functions have been removed from the codebase. All functionality has been consolidated into the unified API which implements proper authentication, rate limiting, and usage tracking. The service now uses domain mapping at https://api.convert-to-markdown.knowcode.tech for professional presentation.

Review Scope

Components Analyzed

1. Cloud Functions Deployment Configuration (deploy.sh)
2. Function Entry Points (index.js)
3. Converter Functions (src/ directory)
4. Deployment Scripts (deploy-gcp/ directory)
5. Environment Configuration
6. IAM and Access Controls

Functions Reviewed

Initial State (REMOVED):

• xlsx-converter - Excel to JSON conversion
• xlsx-to-md - Excel to Markdown conversion
• pdf-to-md - PDF to Markdown conversion
• docx-to-html - Word to HTML conversion
• docx-to-md - Word to Markdown conversion
• free-tier-signup - User registration

Current State:

• convert-api - Unified API with authentication
  • Deployed with domain mapping: https://api.convert-to-markdown.knowcode.tech
  • All conversion endpoints under /v1/*
  • Proper API key authentication via Firestore
  • Usage tracking and quota enforcement

Critical Security Findings

1. Mixed Authentication Model RESOLVED

Severity: HIGH RESOLVED
Location: Deployment architecture

Original Issue: The system had two deployment models - authenticated unified API and unauthenticated standalone functions.

Resolution Implemented:

• All standalone functions have been deleted from the codebase
• Root deploy.sh and index.js removed
• /src/ directory with function wrappers deleted
• Package.json updated to remove deployment scripts
• Created delete-old-functions.sh to remove functions from GCP

Current State:

# Only one deployment now - Unified API with AUTH
gcloud functions deploy convert-api \
  --trigger-http \
  --allow-unauthenticated  # Function allows HTTP, but app requires auth
  
# App-level authentication enforced
app.post('/v1/convert/excel-to-json', 
  handleFileUpload('file'), 
  authenticate,  // ✅ Authentication middleware
  trackUsage,    // ✅ Usage tracking
  excelToJsonHandler
);

Domain Mapping:

• Function accessible via https://api.convert-to-markdown.knowcode.tech
• Professional presentation without exposing GCP infrastructure

2. Exposed Email Configuration

Severity: HIGH
Location: deploy.sh:9, environment variables

GMAIL_SENDER="lindsay@knowcode.tech"
--set-env-vars="GMAIL_SENDER_EMAIL=$GMAIL_SENDER,PROJECT_ID=$PROJECT_ID"

Risk:

• Personal email exposed in deployment scripts
• Email address becomes public through function configuration
• Potential for email harvesting and phishing attacks

3. Service Account Key File References

Severity: HIGH
Location: Multiple files

Hard-coded service account paths:

path.join(__dirname, '../../deploy-gcp/keys/gmail-service-account.json')

Risk:

• Predictable file paths for sensitive credentials
• Service account keys stored in filesystem
• Risk of credential exposure if function is compromised

4. No Input Validation on Function Level

Severity: MEDIUM
Location: Function entry points

While individual converters have validation, the Cloud Function layer lacks:

• Request rate limiting
• IP-based restrictions
• Request size validation at ingress
• Authentication checks

5. Missing Security Headers

Severity: MEDIUM
Location: All function responses

Functions set only basic CORS headers:

res.set('Access-Control-Allow-Origin', '*');

Missing headers:

• X-Content-Type-Options
• X-Frame-Options
• Strict-Transport-Security
• X-XSS-Protection

6. Project ID and Configuration Exposure

Severity: MEDIUM
Location: Deployment scripts, function URLs

PROJECT_ID="convert-to-markdown-us-east4"
echo "https://$REGION-$PROJECT_ID.cloudfunctions.net/xlsx-converter"

Risk:

• Exposes internal project structure
• Makes it easier to enumerate other GCP resources
• Provides information for targeted attacks

7. No Function-Level Monitoring

Severity: MEDIUM
Location: Deployment configuration

Functions lack:

• Custom monitoring alerts
• Anomaly detection
• Usage tracking per IP/user
• Security event logging

8. Insecure CORS Configuration

Severity: MEDIUM
Location: All converter functions

res.set('Access-Control-Allow-Origin', '*');

Risk:

• Allows requests from any origin
• No CORS preflight validation
• Potential for CSRF attacks

Positive Security Implementations

1. File Size Limits: 10MB limit enforced in unified API
2. MIME Type Validation: Proper file type checking
3. Memory Limits: Functions have appropriate memory constraints
4. Timeout Configuration: 30-60 second timeouts prevent hanging
5. Error Handling: No stack traces exposed in production
6. Domain Mapping: Professional URL without exposing GCP infrastructure
   • Public URL: https://api.convert-to-markdown.knowcode.tech
   • Hides underlying: https://us-east4-convert-to-markdown-us-east4.cloudfunctions.net
7. API Key Management: Secure key generation and validation via Firestore
8. Usage Analytics: Comprehensive tracking for billing and monitoring

Remediation Status

Completed Actions

1. Removed Standalone Functions

   • Deleted all source code for standalone functions
   • Created delete-old-functions.sh script
   • Updated all deployment configurations
   • Status: COMPLETE

2. Consolidated to Single API

   • All traffic now goes through authenticated unified API
   • Domain mapping active at https://api.convert-to-markdown.knowcode.tech
   • Documentation updated to reference only /v1/* endpoints
   • Status: COMPLETE

Remaining Actions

3. Secure Email Configuration
   • Current: Email still in .env.prod file
   • Recommended: Move to Google Secret Manager
   • Use generic no-reply address instead of personal email

High Priority - Week 1

4. Secure Service Account Management

   # Use Secret Manager instead of files
   gcloud secrets create gmail-service-account \
     --data-file=service-account.json
   

5. Implement Cloud Armor

   • Add DDoS protection
   • Configure rate limiting rules
   • Set up IP allowlisting if needed

6. Add Security Headers

   function setSecurityHeaders(res) {
     res.set('X-Content-Type-Options', 'nosniff');
     res.set('X-Frame-Options', 'DENY');
     res.set('X-XSS-Protection', '1; mode=block');
     res.set('Strict-Transport-Security', 'max-age=31536000');
   }
   

Medium Priority - Week 2-3

7. Implement Monitoring

   • Set up Cloud Monitoring alerts
   • Configure anomaly detection
   • Create security dashboards
   • Set up budget alerts

8. Add VPC Service Controls

   • Create VPC perimeter
   • Restrict function access
   • Implement private endpoints

9. Security Scanning

   • Enable vulnerability scanning
   • Set up dependency checking
   • Implement security policies

Recommended Architecture

Secure Function Deployment

# Secure deployment example
gcloud functions deploy xlsx-converter \
  --gen2 \
  --runtime=nodejs20 \
  --region=$REGION \
  --trigger-http \
  --no-allow-unauthenticated \
  --ingress-settings=internal-and-gclb \
  --vpc-connector=projects/$PROJECT/locations/$REGION/connectors/$CONNECTOR \
  --set-secrets="GMAIL_KEY=gmail-service-account:latest" \
  --service-account=converter-function@$PROJECT.iam.gserviceaccount.com

API Gateway Configuration

swagger: '2.0'
info:
  title: Convert to Markdown API
  version: 1.0.0
securityDefinitions:
  api_key:
    type: apiKey
    name: x-api-key
    in: header
x-google-endpoints:
  - name: convert-api.endpoints.$PROJECT.cloud.goog
    allowCors: true
security:
  - api_key: []

Security Best Practices

1. Function-Level Security

• Use least-privilege service accounts
• Enable audit logging
• Implement request validation
• Use VPC Service Controls

2. Data Protection

• Encrypt data in transit (HTTPS only)
• Don't store user data
• Implement secure file handling
• Clear buffers after processing

3. Access Control

• Require authentication for all endpoints
• Implement API key rotation
• Use Cloud IAM for fine-grained control
• Monitor and alert on suspicious activity

4. Deployment Security

• Use Cloud Build for deployments
• Implement CI/CD security scanning
• Version control deployment configs
• Use infrastructure as code

Compliance Considerations

1. GDPR: Current public access may violate data protection requirements
2. Security Standards: Does not meet basic security standards for commercial services
3. Industry Best Practices: Falls short of OWASP recommendations

Updated Conclusion

As of 2025-01-25 16:30 UTC, the Convert to Markdown service has successfully addressed its most critical security vulnerability. The standalone unauthenticated functions that created a backdoor to the commercial API have been completely removed from the codebase.

Current Security Posture:

• Single unified API with proper authentication
• All endpoints require API keys validated against Firestore
• Usage tracking and quota enforcement active
• Professional domain mapping hides GCP infrastructure
• Rate limiting based on user plans (50/month free, 10,000/month pro)

Remaining Security Improvements:

• Move service account keys to Google Secret Manager
• Replace personal email with generic no-reply address
• Add security headers (CSP, X-Frame-Options, etc.)
• Implement Cloud Armor for DDoS protection

The service is now architecturally sound from a security perspective. The remaining items are important but do not represent critical vulnerabilities. The system is ready for commercial use with the understanding that the remaining security enhancements should be implemented as part of ongoing security hygiene.