From 844b54087842d723b96958f3a84541f116827fd1 Mon Sep 17 00:00:00 2001
From: "j. mccann"
Date: Sun, 3 Nov 2019 03:45:36 -0500
Subject: [PATCH] Fix SSH2 conditonal in key parsing code
Avoid out of bounds error by using strings.HasPrefix to check for starting SSH2 text rather than assuming user input has at least 31 characters. Add tests for bad input as well.
Fixes #8800
---
 models/ssh_key.go | 2 +-
 models/ssh_key_test.go | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/models/ssh_key.go b/models/ssh_key.go
index 69699f24c1d9b..f441c3e42c0f5 100644
--- a/models/ssh_key.go
+++ b/models/ssh_key.go
@@ -107,7 +107,7 @@ func parseKeyString(content string) (string, error) {
 var keyType, keyContent, keyComment string
- if content[:len(ssh2keyStart)] == ssh2keyStart {
+ if strings.HasPrefix(content, ssh2keyStart) {
 // Parse SSH2 file format.
 // Transform all legal line endings to a single "\n".
diff --git a/models/ssh_key_test.go b/models/ssh_key_test.go
index 4bb612a67176c..95cd4eeb1a2f8 100644
--- a/models/ssh_key_test.go
+++ b/models/ssh_key_test.go
@@ -131,6 +131,19 @@ AAAAC3NzaC1lZDI1NTE5AAAAICV0MGX/W9IvLA4FXpIuUcdDcbj5KX4syHgsTy7soVgf
 _, err := CheckPublicKeyString(test.content)
 assert.NoError(t, err)
 }
+
+ for _, invalidKeys := range []struct {
+ content string
+ }{
+ {"test"},
+ {"---- NOT A REAL KEY ----"},
+ {"bad\nkey"},
+ {"\t\t:)\t\r\n"},
+ {"\r\ntest \r\ngitea\r\n\r\n"},
+ } {
+ _, err := CheckPublicKeyString(invalidKeys.content)
+ assert.Error(t, err)
+ }
 }
 func Test_calcFingerprint(t *testing.T) {
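Review bot: The rewritten condition in `parseKeyString` carries no comment saying why a bounded prefix check is required here, so a later cleanup could bring back fixed-length slicing on this value. Per the commit message, `content` is user input and can be shorter than `ssh2keyStart`, which made the old slice expression panic on short submissions. I would add above the `if`: `// content is user-supplied and may be shorter than ssh2keyStart; HasPrefix never slices out of range.` The function body continues outside the hunk, so whether the SSH2 branch does any other fixed-offset indexing on `content` cannot be judged from here and is worth checking in the same pass.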
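Review bot: The new table of invalid inputs in `ssh_key_test.go` has no empty-string entry and no entry that consists of the SSH2 marker alone, so the two boundary inputs closest to the fixed condition are untested. Adding `{""},` and `{ssh2keyStart},` would cover an input shorter than the marker and one that enters the SSH2 branch with nothing after the header; both are presumably expected to be rejected, which should be confirmed when adding them. The assertion also does not say which input failed, so `assert.Error(t, err, "content %q", invalidKeys.content)` would make a regression easier to locate. The enclosing test function starts outside the hunk.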