Do not freeze while parsing a wrong authorized key

yast · Sep 5, 2017 · ae6f537 · ae6f537
1 parent 1b5061a
commit ae6f537
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 7 deletions.
diff --git a/src/lib/users/ssh_authorized_keys_file.rb b/src/lib/users/ssh_authorized_keys_file.rb
@@ -61,10 +61,6 @@ def keys
         @keys
       end
 
-      # https://github.com/jordansissel/ruby-sshkeyauth/commit/12c9bb34399babf4040337e5695f3f453cd6745e#diff-4d8f3d488c1e25a30942c0e90f4e6ce4R14
-      AUTHORIZED_KEYS_REGEX =
-        /\A((?:[A-Za-z0-9-]+(?:="[^"]+")?,?)+)? *((?:ssh|ecdsa)-[^ ]+) *([^ ]+) *(.+)?\z/
-
       # Validate and add a key to the keyring
       #
       # The key is validated before adding it to the keyring.
@@ -98,7 +94,10 @@ def keys=(new_keys)
         keys
       end
 
-      # Determines is a string qualifies like a valid keys
+      # https://github.com/puppetlabs/puppet/blob/master/lib/puppet/type/ssh_authorized_key.rb#L138
+      AUTHORIZED_KEYS_REGEX = /\A(?<env>(.+)\s+)?(?<type>(ssh|ecdsa)-\S+)\s+(?<key>[^ ]+)\s*(?<comment>.*)\z/
+
+      # Determine is a string qualifies like a valid key
       #
       # @param key [String] SSH authorized keys
       # @return [Boolean] +true+ if it's valid; +false+ otherwise

diff --git a/test/fixtures/home/user1/.ssh/authorized_keys b/test/fixtures/home/user1/.ssh/authorized_keys
@@ -1,2 +1,8 @@
+# valid key with environment and comment
 environment="PATH=/usr/local/bin:$PATH",command="/srv/logon.sh $USER" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpZC8ctjmn90B/MxLOdSjYM3Yl3qd+BhTWYdBNgO3B1fJ1JSegTgCpDM0krMHqd/OAslW5H3MRED7g7g9WkKZh5xTMGvH56yRitJySfSiK8uSxCu6Jg7NM11kqOs5/RwycHO8955QrEYyiWOx80unD+CBJxGEZCOu/DH3ca4yEigAt2HSuC8NPicmRJWua6IbDa+VSICvdOTdFTM8izScSd5WBFH1ULz0bBfLnyi/pIiMjuHB69AN4gsUGYgKjzUsnufKli+DmzACgVWTdQ3Ukax/4/wgXFMr3KsDNpTbn7ZZOKzPpIXpzlP9AwbHQdym6J2NAPYV+DDY3Kcr/vql9 dummy1@example.net
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZXHfWaMch5VrgbogbW8lVuuwYCxQrgh00fF0V+GBBc0F6sux+WFlIENRLDNDSGBWol1X9LnbpgElzgM/PDX/3Uj+p+LVkt7sTk4k3tQQqFkrHEC+1TFnRk22AB4Xcw5KQ/bQnw1Cu0IfA/8c3c3Eh56WNiNi6F/bUeYKsdLLueGC/wKO/dCjM5xsLy/tXALrH0Y4NKbIZauM4BcEnZ7Cl6Wzl1AT/Mg+UK7bD8onufNd1l2w0rC0+BEy8VtBBobicp/Wv3nKkumKpNzP6jvpFE8CKiGx/fYzH/pLfe7bxEfBkKyR7A4gGWv6GHUaCYV+T+nac2ctWLLne1uQhRZcj dummy2@example.net
+# valid key with comment
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZXHfWaMch5VrgbogbW8lVuuwYCxQrgh00fF0V+GBBc0F6sux+WFlIENRLDNDSGBWol1X9LnbpgElzgM/PDX/3Uj+p+LVkt7sTk4k3tQQqFkrHEC+1TFnRk22AB4Xcw5KQ/bQnw1Cu0IfA/8c3c3Eh56WNiNi6F/bUeYKsdLLueGC/wKO/dCjM5xsLy/tXALrH0Y4NKbIZauM4BcEnZ7Cl6Wzl1AT/Mg+UK7bD8onufNd1l2w0rC0+BEy8VtBBobicp/Wv3nKkumKpNzP6jvpFE8CKiGx/fYzH/pLfe7bxEfBkKyR7A4gGWv6GHUaCYV+T+nac2ctWLLne1uQhRZcj dummy2@example.net
+# minimal key
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZXHfWaMch5VrgbogbW8lVuuwYCxQrgh00fF0V+GBBc0F6sux+WFlIENRLDNDSGBWol1X9LnbpgElzgM/PDX/3Uj+p+LVkt7sTk4k3tQQqFkrHEC+1TFnRk22AB4Xcw5KQ/bQnw1Cu0IfA/8c3c3Eh56WNiNi6F/bUeYKsdLLueGC/wKO/dCjM5xsLy/tXALrH0Y4NKbIZauM4BcEnZ7Cl6Wzl1AT/Mg+UK7bD8onufNd1l2w0rC0+BEy8VtBBobicp/Wv3nKkumKpNzP6jvpFE8CKiGx/fYzH/pLfe7bxEfBkKyR7A4gGWv6GHUaCYV+T+nac2ctWLLne1uQhRZcj
+# not valid key
+AAAAB3NzaC1yc2EAAAADAQABAAABAQCZXHfWaMch5VrgbogbW8lVuuwYCxQrgh00fF0V+GBBc0F6sux+WFlIENRLDNDSGBWol1X9LnbpgElzgM/PDX/3Uj+p+LVkt7sTk4k3tQQqFkrHEC+1TFnRk22AB4Xcw5KQ/bQnw1Cu0IfA/8c3c3Eh56WNiNi6F/bUeYKsdLLueGC/wKO/dCjM5xsLy/tXALrH0Y4NKbIZauM4BcEnZ7Cl6Wzl1AT/Mg+UK7bD8onufNd1l2w0rC0+BEy8VtBBobicp/Wv3nKkumKpNzP6jvpFE8CKiGx/fYzH/pLfe7bxEfBkKyR7A4gGWv6GHUaCYV+T+nac2ctWLLne1uQhRZcj dummy2@example.net
diff --git a/test/lib/users/ssh_authorized_keys_file_test.rb b/test/lib/users/ssh_authorized_keys_file_test.rb
@@ -36,9 +36,10 @@
       let(:path) { FIXTURES_PATH.join("home", "user1", ".ssh", "authorized_keys") }
 
       it "returns the keys that are present in the file" do
-        first, second = subject.keys
+        first, second, third = subject.keys
         expect(first).to match(/environment=.+/)
         expect(second).to match(/ssh-rsa/)
+        expect(third).to match(/ssh-rsa/)
       end
     end