improve ssh key validation

simonLeary42 · simonLeary42 · commit 9022958590bf · 2025-04-19T13:32:00.000-04:00
diff --git a/resources/lib/UnitySite.php b/resources/lib/UnitySite.php
@@ -52,6 +52,20 @@ public static function getGithubKeys($username)
 
     public static function testValidSSHKey($key_str)
     {
+        $key_str = trim($key_str);
+        if ($key_str == "") {
+            return false;
+        }
+        // https://github.com/phpseclib/phpseclib/issues/2077
+        // key loader still throws exception, this just mutes a warning for phpunit
+        if (preg_match("/^[0-9]+$/", $key_str)) {
+            return false;
+        }
+        // https://github.com/phpseclib/phpseclib/issues/2076
+        // key loader still throws exception, this just mutes a warning for phpunit
+        if (!is_null(@json_decode($key_str))) {
+            return false;
+        }
         try {
             PublicKeyLoader::load($key_str);
             return true;
diff --git a/test/unit/AjaxSshValidateTest.php b/test/unit/AjaxSshValidateTest.php
@@ -0,0 +1,35 @@
+<?php
+
+namespace UnityWebPortal\lib;
+
+use PHPUnit\Framework\TestCase;
+use PHPUnit\Framework\Attributes\DataProvider;
+
+class AjaxSshValidateTest extends TestCase
+{
+    public static function providerTestSshValidate()
+    {
+        // sanity check only, see UnitySiteTest for more comprehensive test cases
+        return [
+            [false, "foobar"],
+            // phpcs:disable
+            [true, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+XqO25MUB9x/pS04I3JQ7rMGboWyGXh0GUzkOrTi7a"],
+            // phpcs:enable
+        ];
+    }
+
+    #[DataProvider("providerTestSshValidate")]
+    public function testSshValidate(bool $is_valid, string $pubkey)
+    {
+        $_SERVER["REQUEST_METHOD"] = "POST";
+        $_POST["key"] = $pubkey;
+        ob_start();
+        include __DIR__ . "/../../webroot/js/ajax/ssh_validate.php";
+        $output = ob_get_clean();
+        if ($is_valid) {
+            $this->assertEquals("true", $output);
+        } else {
+            $this->assertEquals("false", $output);
+        }
+    }
+}
diff --git a/webroot/js/ajax/ssh_validate.php b/webroot/js/ajax/ssh_validate.php
@@ -1,12 +1,6 @@
 <?php
 
-require "../../../resources/autoload.php";
+require_once __DIR__ . "/../../../resources/lib/UnitySite.php";
+use UnityWebPortal\lib\UnitySite;
 
-use phpseclib3\Crypt\PublicKeyLoader;
-
-try {
-    PublicKeyLoader::load($_POST['key'], $password = false);
-    echo "true";
-} catch (Exception $e) {
-    echo "false";
-}
+echo UnitySite::testValidSSHKey($_POST["key"]) ? "true" : "false";
