From 3bea812acefebc9ee108aa24557be3ba8971daf1 Mon Sep 17 00:00:00 2001
From: Hsiaoming Yang <me@lepture.com>
Date: Tue, 4 Jun 2024 11:34:43 +0900
Subject: [PATCH] fix: prevent OctKey to import ssh/rsa/pem keys
https://github.com/lepture/authlib/issues/654
---
authlib/jose/rfc7518/oct_key.py | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/authlib/jose/rfc7518/oct_key.py b/authlib/jose/rfc7518/oct_key.py
|
|
index 1db321a..44e1f72 100644
|
|
--- a/authlib/jose/rfc7518/oct_key.py
|
|
+++ b/authlib/jose/rfc7518/oct_key.py
|
|
@@ -6,6 +6,16 @@ from authlib.common.security import generate_token
|
|
from ..rfc7517 import Key
|
|
|
|
|
|
+POSSIBLE_UNSAFE_KEYS = (
|
|
+ b"-----BEGIN ",
|
|
+ b"---- BEGIN ",
|
|
+ b"ssh-rsa ",
|
|
+ b"ssh-dss ",
|
|
+ b"ssh-ed25519 ",
|
|
+ b"ecdsa-sha2-",
|
|
+)
|
|
+
|
|
+
|
|
class OctKey(Key):
|
|
"""Key class of the ``oct`` key type."""
|
|
|
|
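Review bot: `POSSIBLE_UNSAFE_KEYS` is introduced without a comment saying what it is for or what its limits are, and a future maintainer reading `oct_key.py` will not know why a symmetric-key module rejects PEM and OpenSSH prefixes. Presumably the motivation (per the linked issue) is that an asymmetric public key accidentally imported as an HMAC secret enables key/algorithm confusion between `HS*` and `RS*`/`ES*` algorithms; that should be stated, together with the fact that this is a best-effort prefix denylist rather than a parser, so nobody treats it as a guarantee. I would add above the tuple: `# Leading bytes of PEM, OpenSSH and RFC 4716 key encodings. Text in one of these formats is almost certainly an asymmetric key, and using it as an ``oct`` (HMAC) secret is a mistake that enables algorithm confusion. This is a best-effort denylist of known prefixes, not a format check.`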
@@ -65,6 +75,11 @@ class OctKey(Key):
|
|
key._dict_data = raw
|
|
else:
|
|
raw_key = to_bytes(raw)
|
|
+
|
|
+ # security check
|
|
+ if raw_key.startswith(POSSIBLE_UNSAFE_KEYS):
|
|
+ raise ValueError("This key may not be safe to import")
|
|
+
|
|
key = cls(raw_key=raw_key, options=options)
|
|
return key
|
|
|
|
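Review bot: The new guard only inspects the very first bytes, so a PEM or OpenSSH key with leading whitespace or a leading newline, which is common when the key is read from a file or environment variable, passes `raw_key.startswith(POSSIBLE_UNSAFE_KEYS)` and is still imported as an HMAC secret; checking a stripped copy closes that gap at no cost: `if raw_key.lstrip().startswith(POSSIBLE_UNSAFE_KEYS):`. The raised message "This key may not be safe to import" also does not tell the caller what was detected or what to do; something like `raise ValueError("This key looks like an asymmetric (PEM/SSH) key and may not be safe to import as an oct key")` would make the failure actionable. The `# security check` comment would be more useful if it named the risk, e.g. `# Reject asymmetric key encodings: using a public key as an HMAC secret enables algorithm confusion.` The enclosing classmethod starts outside the hunk, so it is not visible here whether a `str` path other than `to_bytes(raw)` can reach `cls(...)` without passing this check.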
--
|
|
2.33.0
|
|
|