From 3bea812acefebc9ee108aa24557be3ba8971daf1 Mon Sep 17 00:00:00 2001
From: Hsiaoming Yang <me@lepture.com>
Date: Tue, 4 Jun 2024 11:34:43 +0900
Subject: [PATCH] fix: prevent OctKey to import ssh/rsa/pem keys

https://github.com/lepture/authlib/issues/654
---
 authlib/jose/rfc7518/oct_key.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/authlib/jose/rfc7518/oct_key.py b/authlib/jose/rfc7518/oct_key.py
index 1db321a..44e1f72 100644
--- a/authlib/jose/rfc7518/oct_key.py
+++ b/authlib/jose/rfc7518/oct_key.py
@@ -6,6 +6,16 @@ from authlib.common.security import generate_token
 from ..rfc7517 import Key
 
 
+POSSIBLE_UNSAFE_KEYS = (
+    b"-----BEGIN ",
+    b"---- BEGIN ",
+    b"ssh-rsa ",
+    b"ssh-dss ",
+    b"ssh-ed25519 ",
+    b"ecdsa-sha2-",
+)
+
+
 class OctKey(Key):
     """Key class of the ``oct`` key type."""
 
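Review bot: `POSSIBLE_UNSAFE_KEYS` is introduced without any comment saying what the prefixes are or why an `oct` key starting with them is rejected, so a later maintainer has no basis for extending or trimming the list. A two-line comment above the tuple would carry that: `# Prefixes of PEM ("-----BEGIN "), RFC 4716 ("---- BEGIN ") and OpenSSH public-key encodings.` followed by `# An asymmetric key must never be accepted as a symmetric HMAC secret; matching is exact-prefix and case-sensitive.` The name says "possible", but the check in the second hunk raises unconditionally on a match, so a name such as `ASYMMETRIC_KEY_PREFIXES` would describe the tuple more accurately; the existing name is fine if kept for compatibility.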
@@ -65,6 +75,11 @@ class OctKey(Key):
             key._dict_data = raw
         else:
             raw_key = to_bytes(raw)
+
+            # security check
+            if raw_key.startswith(POSSIBLE_UNSAFE_KEYS):
+                raise ValueError("This key may not be safe to import")
+
             key = cls(raw_key=raw_key, options=options)
         return key
 
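Review bot: The new guard is an exact-prefix match on `raw_key`, so a PEM or OpenSSH blob that arrives with leading whitespace, a leading newline, or a UTF-8 BOM (all common when a key file is read whole and passed through `to_bytes`) does not match `POSSIBLE_UNSAFE_KEYS` and is still imported as a symmetric secret. Stripping leading whitespace for the comparison only, `if raw_key.lstrip().startswith(POSSIBLE_UNSAFE_KEYS):`, closes that gap without altering the bytes stored in the key; the BOM case would need a separate `raw_key.startswith(b"\xef\xbb\xbf")` check if it is worth covering. The `ValueError` message could also name the kind of input detected, e.g. `"Refusing to import a PEM/OpenSSH-encoded key as an oct key"`, so callers can distinguish this rejection from other value errors. The enclosing method starts outside the hunk, so whether the `_dict_data` branch above performs an equivalent check is not visible here.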
-- 
2.33.0