From 46065d38a5e6d1bccf86d3efb2fb83c14e3f9957 Mon Sep 17 00:00:00 2001
From: Alex Wilson
Date: Mon, 12 Mar 2018 15:54:08 -0700
Subject: [PATCH] joyent/node-sshpk#44 Performance issues parsing long SSH public keys

Reviewed by: Cody Peter Mello
---
 lib/formats/ssh.js | 6 +++---
 package.json | 2 +-
 test/horrors.js | 24 ++++++++++++++++++++++++
 3 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/lib/formats/ssh.js b/lib/formats/ssh.js
index 655c9ea..7f88ceb 100644
--- a/lib/formats/ssh.js
+++ b/lib/formats/ssh.js
@@ -14,9 +14,9 @@ var PrivateKey = require('../private-key');
 var sshpriv = require('./ssh-private');
 
 /*JSSTYLED*/
-var SSHKEY_RE = /^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([\n \t]+([^\n]+))?$/;
+var SSHKEY_RE = /^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([ \t]+([^ \t][^\n]*[\n]*)?)?$/;
 /*JSSTYLED*/
-var SSHKEY_RE2 = /^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/ \t\n]+[=]*)(.*)$/;
+var SSHKEY_RE2 = /^([a-z0-9-]+)[ \t\n]+([a-zA-Z0-9+\/][a-zA-Z0-9+\/ \t\n=]*)([^a-zA-Z0-9+\/ \t\n=].*)?$/;
 
 function read(buf, options) {
 if (typeof (buf) !== 'string') {
@@ -71,7 +71,7 @@ function read(buf, options) {
 * chars from the beginning up to this point in the the string.
 * Then offset in this and try to make up for missing = chars.
 */
- var data = m[2] + m[3];
+ var data = m[2] + (m[3] ? m[3] : '');
 var realOffset = Math.ceil(ret.consumed / 3) * 4;
 data = data.slice(0, realOffset - 2). /*JSSTYLED*/
 replace(/[^a-zA-Z0-9+\/=]/g, '') +
diff --git a/package.json b/package.json
index a553c66..8ff671d 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "sshpk",
- "version": "1.13.1",
+ "version": "1.13.2",
 "description": "A library for finding and using SSH public keys",
 "main": "lib/index.js",
 "scripts": {
diff --git a/test/horrors.js b/test/horrors.js
index f1eaaef..e983d6c 100644
--- a/test/horrors.js
+++ b/test/horrors.js
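Review bot: The rewritten SSHKEY_RE and SSHKEY_RE2 in lib/formats/ssh.js carry no comment explaining their shape, so a later edit could reintroduce the overlap between a whitespace run and the class that follows it (the old `[\n \t]+([^\n]+)` pair) and with it the slow matching on long keys. A short comment above SSHKEY_RE would record the constraint, for example `/* Adjacent repeated classes must stay disjoint so matching stays linear in input length. */`. Group 3 of SSHKEY_RE2 is now optional, so `m[3]` can be undefined; the second hunk guards the one use visible here, but read() continues outside both hunks and any other use of `m[3]` should be checked. If read() can receive untrusted text, a length cap applied before the patterns run would be a useful second safeguard; whether one exists is not visible in this diff.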
@@ -86,6 +86,30 @@ test('line continuations, key from hell', function (t) {
 t.end();
 });
 
+var KEY_NO_COMMENT = 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAA' +
+ 'IbmlzdHAyNTYAAABBBK9+hFGVZ9RT61pg8t7EGgkvduhPr/CBYfx+5rQFEROj8EjkoGIH2xy' +
+ 'pHOHBz0WikK5hYcwTM5YMvnNxuU0h4+c=';
+test('normal key, no comment', function (t) {
+ var k = sshpk.parseKey(KEY_NO_COMMENT, 'ssh');
+ t.strictEqual(k.type, 'ecdsa');
+ t.strictEqual(k.fingerprint('sha256').toString(),
+ 'SHA256:Kyu0EMqH8fzfp9RXKJ6kmsk9qKGBqVRtlOuk6bXfCEU');
+ t.strictEqual(k.comment, '(unnamed)');
+ t.end();
+});
+
+var KEY_COMMENT_EQ = 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAA' +
+ 'IbmlzdHAyNTYAAABBBK9+hFGVZ9RT61pg8t7EGgkvduhPr/CBYfx+5rQFEROj8EjkoGIH2xy' +
+ 'pHOHBz0WikK5hYcwTM5YMvnNxuU0h4+c= abc=def=a\n';
+test('comment contains =, trailing newline', function (t) {
+ var k = sshpk.parseKey(KEY_COMMENT_EQ, 'ssh');
+ t.strictEqual(k.type, 'ecdsa');
+ t.strictEqual(k.fingerprint('sha256').toString(),
+ 'SHA256:Kyu0EMqH8fzfp9RXKJ6kmsk9qKGBqVRtlOuk6bXfCEU');
+ t.strictEqual(k.comment, 'abc=def=a');
+ t.end();
+});
+
 var KEY_BREAK = 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzd' +
 'HAyNTYAAABBBK9+hFGVZ9RT61pg8t7\nEGgkvduhPr/CBYfx+5rQFEROj8EjkoGIH2xypHOH' +
 'Bz0WikK5hYcwTM5YMvnNxuU0h4+c=';
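Review bot: Neither test added here exercises the long-input behaviour the commit title is about; both parse one short ecdsa key and check only its type, fingerprint and comment. A later change to SSHKEY_RE or SSHKEY_RE2 that brings back super-linear matching would still pass this file. Consider one more case that builds a large key-shaped string, calls `sshpk.parseKey(big, 'ssh')` inside a try/catch, and asserts that the elapsed time stays under a generous bound. The two functional cases are still useful, since they pin the no-comment path and the comment containing `=` followed by a trailing newline.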