Merge tag 'v1.3.1'

authlib/consts.py

@@ -1,5 +1,5 @@
 name = 'Authlib'
-version = '1.3.0'
+version = '1.3.1'
 author = 'Hsiaoming Yang <[email protected]>'
 homepage = 'https://authlib.org/'
 default_user_agent = f'{name}/{version} (+{homepage})'

authlib/jose/rfc7518/oct_key.py

@@ -6,6 +6,16 @@
 from ..rfc7517 import Key
 
 
+POSSIBLE_UNSAFE_KEYS = (
+    b"-----BEGIN ",
+    b"---- BEGIN ",
+    b"ssh-rsa ",
+    b"ssh-dss ",
+    b"ssh-ed25519 ",
+    b"ecdsa-sha2-",
+)
+
+
 class OctKey(Key):
     """Key class of the ``oct`` key type."""
 
@@ -65,6 +75,11 @@ def import_key(cls, raw, options=None):
             key._dict_data = raw
         else:
             raw_key = to_bytes(raw)
+
+            # security check
+            if raw_key.startswith(POSSIBLE_UNSAFE_KEYS):
+                raise ValueError("This key may not be safe to import")
+
             key = cls(raw_key=raw_key, options=options)
         return key
 

docs/changelog.rst

@@ -6,6 +6,14 @@ Changelog
 
 Here you can see the full list of changes between each Authlib release.
 
+Version 1.3.1
+-------------
+
+**Released on June 4, 2024**
+
+- Prevent ``OctKey`` to import ssh and PEM strings.
+
+
 Version 1.3.0
 -------------
 

docs/conf.py

@@ -36,7 +36,7 @@
 html_favicon = '_static/icon.svg'
 html_theme_options = {
     "accent_color": "blue",
-    "og_image_url": "https://authlib.org/logo.png",
+    "og_image_url": 'https://authlib.org/logo.png',
     "light_logo": "_static/light-logo.svg",
     "dark_logo": "_static/dark-logo.svg",
     "twitter_site": "authlib",

docs/requirements.txt

@@ -7,7 +7,7 @@ requests
 httpx>=0.18.2
 starlette
 
-sphinx==6.2.1
-sphinx-design==0.4.1
-sphinx-copybutton==0.5.2
+sphinx
+sphinx-design
+sphinx-copybutton
 shibuya