File _service:obs_scm:backport-fix-prevent-OctKey-to-import-ssh-rsa-pem-keys.patch of Package python-Authlib
From 3bea812acefebc9ee108aa24557be3ba8971daf1 Mon Sep 17 00:00:00 2001 From: Hsiaoming Yang <me@lepture.com> Date: Tue, 4 Jun 2024 11:34:43 +0900 Subject: [PATCH] fix: prevent OctKey to import ssh/rsa/pem keys https://github.com/lepture/authlib/issues/654 --- authlib/jose/rfc7518/oct_key.py | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/authlib/jose/rfc7518/oct_key.py b/authlib/jose/rfc7518/oct_key.py index 1db321a..44e1f72 100644 --- a/authlib/jose/rfc7518/oct_key.py +++ b/authlib/jose/rfc7518/oct_key.py @@ -6,6 +6,16 @@ from authlib.common.security import generate_token from ..rfc7517 import Key +POSSIBLE_UNSAFE_KEYS = ( + b"-----BEGIN ", + b"---- BEGIN ", + b"ssh-rsa ", + b"ssh-dss ", + b"ssh-ed25519 ", + b"ecdsa-sha2-", +) + + class OctKey(Key): """Key class of the ``oct`` key type.""" @@ -65,6 +75,11 @@ class OctKey(Key): key._dict_data = raw else: raw_key = to_bytes(raw) + + # security check + if raw_key.startswith(POSSIBLE_UNSAFE_KEYS): + raise ValueError("This key may not be safe to import") + key = cls(raw_key=raw_key, options=options) return key -- 2.33.0
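Review bot: POSSIBLE_UNSAFE_KEYS, added at the top of oct_key.py, carries no comment saying what each prefix is meant to match or why these encodings are refused for an `oct` key. A short comment above the tuple would help, stating that the entries cover PEM armor (`-----BEGIN `), the `---- BEGIN ` armor variant, and OpenSSH public key lines (`ssh-rsa `, `ssh-dss `, `ssh-ed25519 `, `ecdsa-sha2-`), and pointing at the issue linked in the commit message. The comment should also say that this is a denylist of exact prefixes, so it only rejects the formats listed and has to be extended by hand when another key encoding needs to be refused.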
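Review bot: in the second hunk, `raw_key.startswith(POSSIBLE_UNSAFE_KEYS)` compares the bytes exactly as passed in, so a key read from a file with a leading blank line or leading whitespace is not recognised; consider comparing against `raw_key.lstrip()` instead. The check also sits only in the `else:` branch, so the branch above it that assigns `key._dict_data = raw` is not covered by it, which deserves either the same check or a comment explaining why it is out of scope. The error text "This key may not be safe to import" does not tell the caller what was detected; saying that the value looks like a PEM or SSH key and should not be used as an `oct` secret would make the failure easier to act on. The diffstat shows only oct_key.py changed, so no test accompanies the new `ValueError`; a test that imports one value per prefix and expects the exception would pin the behaviour.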