Diffstat (limited to 'backport-fix-prevent-OctKey-to-import-ssh-rsa-pem-keys.patch')
-rw-r--r-- | backport-fix-prevent-OctKey-to-import-ssh-rsa-pem-keys.patch | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/backport-fix-prevent-OctKey-to-import-ssh-rsa-pem-keys.patch b/backport-fix-prevent-OctKey-to-import-ssh-rsa-pem-keys.patch
new file mode 100644
index 0000000..f9d75d1
--- /dev/null
+++ b/backport-fix-prevent-OctKey-to-import-ssh-rsa-pem-keys.patch
@@ -0,0 +1,46 @@
+From 3bea812acefebc9ee108aa24557be3ba8971daf1 Mon Sep 17 00:00:00 2001
+From: Hsiaoming Yang <me@lepture.com>
+Date: Tue, 4 Jun 2024 11:34:43 +0900
+Subject: [PATCH] fix: prevent OctKey to import ssh/rsa/pem keys
+
+https://github.com/lepture/authlib/issues/654
+---
+ authlib/jose/rfc7518/oct_key.py | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/authlib/jose/rfc7518/oct_key.py b/authlib/jose/rfc7518/oct_key.py
+index 1db321a..44e1f72 100644
+--- a/authlib/jose/rfc7518/oct_key.py
++++ b/authlib/jose/rfc7518/oct_key.py
+@@ -6,6 +6,16 @@ from authlib.common.security import generate_token
+ from ..rfc7517 import Key
+
+
++POSSIBLE_UNSAFE_KEYS = (
++ b"-----BEGIN ",
++ b"---- BEGIN ",
++ b"ssh-rsa ",
++ b"ssh-dss ",
++ b"ssh-ed25519 ",
++ b"ecdsa-sha2-",
++)
++
++
+ class OctKey(Key):
+ """Key class of the ``oct`` key type."""
+
+@@ -65,6 +75,11 @@ class OctKey(Key):
+ key._dict_data = raw
+ else:
+ raw_key = to_bytes(raw)
++
++ # security check
++ if raw_key.startswith(POSSIBLE_UNSAFE_KEYS):
++ raise ValueError("This key may not be safe to import")
++
+ key = cls(raw_key=raw_key, options=options)
+ return key
+
+--
+2.33.0
+ |
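Review bot: The guard added in the `else:` branch of the second inner hunk is a strict prefix match, so a PEM or OpenSSH blob that arrives with leading whitespace or a blank first line is not caught and is still accepted as an oct key; `if raw_key.lstrip().startswith(POSSIBLE_UNSAFE_KEYS):` would close that gap without affecting ordinary secrets. The new tuple in the first hunk also has no comment explaining why these prefixes are rejected, and a line such as `# Prefixes of PEM / OpenSSH key encodings; an oct secret must never be one of these` would keep the intent readable once the backport lands. The method containing the check begins before the hunk, and only the bytes branch is guarded while the dict branch (`key._dict_data = raw`) is not, which appears deliberate since that branch does not take raw text. As this file is itself a patch carried in a packaging repository, the observation applies to the upstream change it backports.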