fix: prevent OctKey to import ssh/rsa/pem keys
lepture committed Jun 4, 2024
1 parent a7d68b4 commit 3bea812
Showing 1 changed file with 15 additions and 0 deletions.
15 changes: 15 additions & 0 deletions authlib/jose/rfc7518/oct_key.py
Expand Up @@ -6,6 +6,16 @@
from ..rfc7517 import Key


POSSIBLE_UNSAFE_KEYS = (
b"-----BEGIN ",
b"---- BEGIN ",
b"ssh-rsa ",
b"ssh-dss ",
b"ssh-ed25519 ",
b"ecdsa-sha2-",
)


class OctKey(Key):
"""Key class of the ``oct`` key type."""

Expand Down Expand Up @@ -65,6 +75,11 @@ def import_key(cls, raw, options=None):
key._dict_data = raw
else:
raw_key = to_bytes(raw)

# security check
if raw_key.startswith(POSSIBLE_UNSAFE_KEYS):
raise ValueError("This key may not be safe to import")

key = cls(raw_key=raw_key, options=options)
return key
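Review bot: The guard `raw_key.startswith(POSSIBLE_UNSAFE_KEYS)` matches only when the marker is the very first byte, so PEM or OpenSSH text that arrives with leading whitespace or a newline (common when read from a file or an environment variable) is still accepted as an `oct` secret; checking the stripped value, `if raw_key.lstrip().startswith(POSSIBLE_UNSAFE_KEYS):`, closes that gap without changing the key that gets stored. The check sits only in the `else` branch, and the branch that assigns `key._dict_data = raw` begins outside this hunk, so it is not visible here whether a dict-supplied `k` value gets the same screening; that is worth confirming. The `# security check` comment would be more useful if it stated the reason, for example `# Refuse asymmetric key material (PEM/OpenSSH text): a public key used as an HMAC secret lets anyone who holds it sign tokens`. Because this is a prefix denylist, it is a backstop and does not replace pinning the expected algorithms at verification time.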

