#44 Performance issues parsing long SSH public keys

Reviewed by: Cody Peter Mello <[email protected]>

Author: Alex Wilson

lib/formats/ssh.js

@@ -14,9 +14,9 @@ var PrivateKey = require('../private-key');
 var sshpriv = require('./ssh-private');
 
 /*JSSTYLED*/
-var SSHKEY_RE = /^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([\n \t]+([^\n]+))?$/;
+var SSHKEY_RE = /^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([ \t]+([^ \t][^\n]*[\n]*)?)?$/;
 /*JSSTYLED*/
-var SSHKEY_RE2 = /^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/ \t\n]+[=]*)(.*)$/;
+var SSHKEY_RE2 = /^([a-z0-9-]+)[ \t\n]+([a-zA-Z0-9+\/][a-zA-Z0-9+\/ \t\n=]*)([^a-zA-Z0-9+\/ \t\n=].*)?$/;
 
 function read(buf, options) {
 	if (typeof (buf) !== 'string') {
@@ -71,7 +71,7 @@ function read(buf, options) {
 		 * chars from the beginning up to this point in the the string.
 		 * Then offset in this and try to make up for missing = chars.
 		 */
-		var data = m[2] + m[3];
+		var data = m[2] + (m[3] ? m[3] : '');
 		var realOffset = Math.ceil(ret.consumed / 3) * 4;
 		data = data.slice(0, realOffset - 2). /*JSSTYLED*/
 		    replace(/[^a-zA-Z0-9+\/=]/g, '') +

package.json

@@ -1,6 +1,6 @@
 {
   "name": "sshpk",
-  "version": "1.13.1",
+  "version": "1.13.2",
   "description": "A library for finding and using SSH public keys",
   "main": "lib/index.js",
   "scripts": {

test/horrors.js

@@ -86,6 +86,30 @@ test('line continuations, key from hell', function (t) {
 	t.end();
 });
 
+var KEY_NO_COMMENT = 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAA' +
+    'IbmlzdHAyNTYAAABBBK9+hFGVZ9RT61pg8t7EGgkvduhPr/CBYfx+5rQFEROj8EjkoGIH2xy' +
+    'pHOHBz0WikK5hYcwTM5YMvnNxuU0h4+c=';
+test('normal key, no comment', function (t) {
+	var k = sshpk.parseKey(KEY_NO_COMMENT, 'ssh');
+	t.strictEqual(k.type, 'ecdsa');
+	t.strictEqual(k.fingerprint('sha256').toString(),
+	    'SHA256:Kyu0EMqH8fzfp9RXKJ6kmsk9qKGBqVRtlOuk6bXfCEU');
+	t.strictEqual(k.comment, '(unnamed)');
+	t.end();
+});
+
+var KEY_COMMENT_EQ = 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAA' +
+    'IbmlzdHAyNTYAAABBBK9+hFGVZ9RT61pg8t7EGgkvduhPr/CBYfx+5rQFEROj8EjkoGIH2xy' +
+    'pHOHBz0WikK5hYcwTM5YMvnNxuU0h4+c= abc=def=a\n';
+test('comment contains =, trailing newline', function (t) {
+	var k = sshpk.parseKey(KEY_COMMENT_EQ, 'ssh');
+	t.strictEqual(k.type, 'ecdsa');
+	t.strictEqual(k.fingerprint('sha256').toString(),
+	    'SHA256:Kyu0EMqH8fzfp9RXKJ6kmsk9qKGBqVRtlOuk6bXfCEU');
+	t.strictEqual(k.comment, 'abc=def=a');
+	t.end();
+});
+
 var KEY_BREAK = 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzd' +
     'HAyNTYAAABBBK9+hFGVZ9RT61pg8t7\nEGgkvduhPr/CBYfx+5rQFEROj8EjkoGIH2xypHOH' +
     'Bz0WikK5hYcwTM5YMvnNxuU0h4+c=';