From 4ccd767abf45df909c43e93d8898096236c99e3d Mon Sep 17 00:00:00 2001
From: Zeger-Jan van de Weg <mail@zjvandeweg.nl>
Date: Fri, 19 Jun 2015 19:17:34 +0200
Subject: [PATCH] Only publish ssh key-type and key

---
 CHANGELOG                                        | 13 ++++++++-----
 app/models/key.rb                                |  5 +++++
 app/models/user.rb                               |  2 +-
 spec/controllers/profile_keys_controller_spec.rb | 11 +++++++++++
 spec/factories.rb                                |  2 +-
 spec/models/key_spec.rb                          |  7 +++++++
 6 files changed, 33 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 8a24bf412d2..09a74cda9a9 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -29,6 +29,7 @@ v 7.14.0 (unreleased)
   - Disabled autocapitalize and autocorrect on login field (Daryl Chan)
   - Mention group and project name in creation, update and deletion notices (Achilleas Pipinellis)
   - Remove redis-store TTL monkey patch
+  - Remove comments and email addresses when publicly exposing ssh keys (Zeger-Jan van de Weg)
 
 v 7.13.2
   - Fix randomly failed spec
@@ -54,6 +55,8 @@ v 7.13.1
 v 7.13.0
   - Remove repository graph log to fix slow cache updates after push event (Stan Hu)
   - Return comments in created order in merge request API (Stan Hu)
+
+v 7.13.0 (unreleased)
   - Only enable HSTS header for HTTPS and port 443 (Stan Hu)
   - Fix user autocomplete for unauthenticated users accessing public projects (Stan Hu)
   - Fix redirection to home page URL for unauthorized users (Daniel Gerhardt)
@@ -80,15 +83,15 @@ v 7.13.0
   - Update ssl_ciphers in Nginx example to remove DHE settings. This will deny forward secrecy for Android 2.3.7, Java 6 and OpenSSL 0.9.8
   - Admin can edit and remove user identities
   - Convert CRLF newlines to LF when committing using the web editor.
-  - API request /projects/:project_id/merge_requests?state=closed will return only closed merge requests without merged one. If you need ones that were merged - use state=merged.  
+  - API request /projects/:project_id/merge_requests?state=closed will return only closed merge requests without merged one. If you need ones that were merged - use state=merged.
   - Allow Administrators to filter the user list by those with or without Two-factor Authentication enabled.
   - Show a user's Two-factor Authentication status in the administration area.
   - Explicit error when commit not found in the CI
-  - Improve performance for issue and merge request pages 
+  - Improve performance for issue and merge request pages
   - Users with guest access level can not set assignee, labels or milestones for issue and merge request
   - Reporter role can manage issue tracker now: edit any issue, set assignee or milestone and manage labels
   - Better performance for pages with events list, issues list and commits list
-  - Faster automerge check and merge itself when source and target branches are in same repository 
+  - Faster automerge check and merge itself when source and target branches are in same repository
   - Correctly show anonymous authorized applications under Profile > Applications.
   - Query Optimization in MySQL.
   - Allow users to be blocked and unblocked via the API
@@ -96,7 +99,7 @@ v 7.13.0
   - Redesign project page. Show README as default instead of activity. Move project activity to separate page
   - Make left menu more hierarchical and less contextual by adding back item at top
   - A fork can’t have a visibility level that is greater than the original project.
-  - Faster code search in repository and wiki. Fixes search page timeout for big repositories 
+  - Faster code search in repository and wiki. Fixes search page timeout for big repositories
   - Allow administrators to disable 2FA for a specific user
   - Add error message for SSH key linebreaks
   - Store commits count in database (will populate with valid values only after first push)
@@ -115,7 +118,7 @@ v 7.12.1
   - Add SAML to list of social_provider (Matt Firtion)
   - Fix merge requests API scope to keep compatibility in 7.12.x patch release (Dmitriy Zaporozhets)
   - Fix closed merge request scope at milestone page (Dmitriy Zaporozhets)
-  - Revert merge request states renaming 
+  - Revert merge request states renaming
   - Fix hooks for web based events with external issue references (Daniel Gerhardt)
   - Improve performance for issue and merge request pages
   - Compress database dumps to reduce backup size
diff --git a/app/models/key.rb b/app/models/key.rb
index 2dcae059c0e..406a1257b5d 100644
--- a/app/models/key.rb
+++ b/app/models/key.rb
@@ -39,6 +39,11 @@ class Key < ActiveRecord::Base
     self.key = key.strip unless key.blank?
   end
 
+  def publishable_key
+    #Removes anything beyond the keytype and key itself
+    self.key.split[0..1].join(' ')
+  end
+
   # projects that has this key
   def projects
     user.authorized_projects
diff --git a/app/models/user.rb b/app/models/user.rb
index 2beefb1d614..57145cc6b6e 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -619,7 +619,7 @@ class User < ActiveRecord::Base
   end
 
   def all_ssh_keys
-    keys.map(&:key)
+    keys.map(&:publishable_key)
   end
 
   def temp_oauth_email?
diff --git a/spec/controllers/profile_keys_controller_spec.rb b/spec/controllers/profile_keys_controller_spec.rb
index 593d3e9eb56..b6573f105dc 100644
--- a/spec/controllers/profile_keys_controller_spec.rb
+++ b/spec/controllers/profile_keys_controller_spec.rb
@@ -48,6 +48,17 @@ describe Profiles::KeysController do
 
         expect(response.body).not_to eq("")
         expect(response.body).to eq(user.all_ssh_keys.join("\n"))
+
+        # Unique part of key 1
+        expect(response.body).to match(/PWx6WM4lhHNedGfBpPJNPpZ/)
+        # Key 2
+        expect(response.body).to match(/AQDmTillFzNTrrGgwaCKaSj/)
+      end
+
+      it "should not render the comment of the key" do
+        get :get_keys, username: user.username
+
+        expect(response.body).not_to match(/dummy@gitlab.com/)
       end
 
       it "should respond with text/plain content type" do
diff --git a/spec/factories.rb b/spec/factories.rb
index 05e3211d551..200f18f660d 100644
--- a/spec/factories.rb
+++ b/spec/factories.rb
@@ -100,7 +100,7 @@ FactoryGirl.define do
   factory :key do
     title
     key do
-      "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAiPWx6WM4lhHNedGfBpPJNPpZ7yKu+dnn1SJejgt4596k6YjzGGphH2TUxwKzxcKDKKezwkpfnxPkSMkuEspGRt/aZZ9wa++Oi7Qkr8prgHc4soW6NUlfDzpvZK2H5E7eQaSeP3SAwGmQKUFHCddNaP0L+hM7zhFNzjFvpaMgJw0="
+      "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAiPWx6WM4lhHNedGfBpPJNPpZ7yKu+dnn1SJejgt4596k6YjzGGphH2TUxwKzxcKDKKezwkpfnxPkSMkuEspGRt/aZZ9wa++Oi7Qkr8prgHc4soW6NUlfDzpvZK2H5E7eQaSeP3SAwGmQKUFHCddNaP0L+hM7zhFNzjFvpaMgJw0= dummy@gitlab.com"
     end
 
     factory :deploy_key, class: 'DeployKey' do
diff --git a/spec/models/key_spec.rb b/spec/models/key_spec.rb
index 456bf221d62..2f819f60cbb 100644
--- a/spec/models/key_spec.rb
+++ b/spec/models/key_spec.rb
@@ -32,6 +32,13 @@ describe Key do
 
   describe "Methods" do
     it { is_expected.to respond_to :projects }
+    it { is_expected.to respond_to :publishable_key }
+
+    describe "#publishable_keys" do
+      it 'strips all personal information' do
+        expect(build(:key).publishable_key).not_to match(/dummy@gitlab/)
+      end
+    end
   end
 
   context "validation of uniqueness" do