]> source.dussan.org Git - gitea.git/commitdiff
projects / gitea.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 022d2d8)
Fix SSH2 conditonal in key parsing code (#8806) 7349/head
authormrsdizzie <info@mrsdizzie.com>
Sun, 3 Nov 2019 11:08:18 +0000 (06:08 -0500)
committerLunny Xiao <xiaolunwen@gmail.com>
Sun, 3 Nov 2019 11:08:18 +0000 (19:08 +0800)
Avoid out of bounds error by using strings.HasPrefix to check for
starting SSH2 text rather than assuming user input has at least 31
characters.

Add tests for bad input as well.

Fixes #8800

models/ssh_key.go patch | blob | history
models/ssh_key_test.go patch | blob | history

diff --git a/models/ssh_key.go b/models/ssh_key.go
index 69699f24c1d9bd4a5e638f6bc3eb6f6332403315..f441c3e42c0f50c52d6c48d0a74b31081e622852 100644 (file)
--- a/models/ssh_key.go
+++ b/models/ssh_key.go
@@ -107,7 +107,7 @@ func parseKeyString(content string) (string, error) {
 
        var keyType, keyContent, keyComment string
 
-       if content[:len(ssh2keyStart)] == ssh2keyStart {
+       if strings.HasPrefix(content, ssh2keyStart) {
                // Parse SSH2 file format.
 
                // Transform all legal line endings to a single "\n".
diff --git a/models/ssh_key_test.go b/models/ssh_key_test.go
index 4bb612a67176c0dd659241310d2eff4bcc252f0d..95cd4eeb1a2f890437a95237f121d132a6711446 100644 (file)
--- a/models/ssh_key_test.go
+++ b/models/ssh_key_test.go
@@ -131,6 +131,19 @@ AAAAC3NzaC1lZDI1NTE5AAAAICV0MGX/W9IvLA4FXpIuUcdDcbj5KX4syHgsTy7soVgf
                _, err := CheckPublicKeyString(test.content)
                assert.NoError(t, err)
        }
+
+       for _, invalidKeys := range []struct {
+               content string
+       }{
+               {"test"},
+               {"---- NOT A REAL KEY ----"},
+               {"bad\nkey"},
+               {"\t\t:)\t\r\n"},
+               {"\r\ntest \r\ngitea\r\n\r\n"},
+       } {
+               _, err := CheckPublicKeyString(invalidKeys.content)
+               assert.Error(t, err)
+       }
 }
 
 func Test_calcFingerprint(t *testing.T) {
Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD: https://github.com/go-gitea/gitea