Fix SSH2 conditonal in key parsing code (#8806) (#8810)
Avoid out of bounds error by using strings.HasPrefix to check for
starting SSH2 text rather than assuming user input has at least 31
characters.

Add tests for bad input as well.

Fixes #8800
6543 authored and lunny committed Nov 3, 2019
1 parent b040a87 commit c5e5063
Showing 2 changed files with 14 additions and 1 deletion.
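--- a/models/ssh_key.go
+++ b/models/ssh_key.go
@@ -107,7 +107,7 @@ func parseKeyString(content string) (string, error) {
 
 var keyType, keyContent, keyComment string
 
-if content[:len(ssh2keyStart)] == ssh2keyStart {
+if strings.HasPrefix(content, ssh2keyStart) {
 // Parse SSH2 file format.
 
 // Transform all legal line endings to a single "\n".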
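Review bot: The `strings.HasPrefix` line carries no comment saying why the length-safe form is required, so a later cleanup could reintroduce a fixed-length slice on `content`. Per the commit description `content` is user input that may be shorter than `ssh2keyStart`, and the old `content[:len(ssh2keyStart)]` failed with an out-of-bounds error on it; I would add `// content is user-supplied and may be shorter than ssh2keyStart; HasPrefix never slices out of range.` above the `if`. parseKeyString continues outside the hunk, so any other fixed-offset index or slice into `content` or its split lines further down should be checked for the same length assumption.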
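--- a/models/ssh_key_test.go
+++ b/models/ssh_key_test.go
@@ -131,6 +131,19 @@ AAAAC3NzaC1lZDI1NTE5AAAAICV0MGX/W9IvLA4FXpIuUcdDcbj5KX4syHgsTy7soVgf
 _, err := CheckPublicKeyString(test.content)
 assert.NoError(t, err)
 }
+
+for _, invalidKeys := range []struct {
+content string
+}{
+{"test"},
+{"---- NOT A REAL KEY ----"},
+{"bad\nkey"},
+{"\t\t:)\t\r\n"},
+{"\r\ntest \r\ngitea\r\n\r\n"},
+} {
+_, err := CheckPublicKeyString(invalidKeys.content)
+assert.Error(t, err)
+}
 }
 
 func Test_calcFingerprint(t *testing.T) {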
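Review bot: Every entry in the new `invalidKeys` table is shorter than `ssh2keyStart` (31 characters per the commit description), so the loop pins the former out-of-bounds case but never drives malformed data into the SSH2 branch, and it has no empty-string case. I would add `{""},` and, if the test lives in the same package as the constant, `{ssh2keyStart},` so that a header with no body is also required to return an error. `assert.Error` accepts any error, which is enough for a regression test against a panic; naming the loop variable `invalidKey` would read better since it holds a single entry. The enclosing test function starts outside the hunk.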
