Merge pull request from GHSA-5mqj-xc49-246p

crewjam · web-flow · commit 8e9236867d17 · 2023-03-22T15:22:00.000-04:00
GHSA-5mqj-xc49-246p
diff --git a/flate.go b/flate.go
@@ -0,0 +1,31 @@
+package saml
+
+import (
+	"compress/flate"
+	"fmt"
+	"io"
+)
+
+const flateUncompressLimit = 10 * 1024 * 1024 // 10MB
+
+func newSaferFlateReader(r io.Reader) io.ReadCloser {
+	return &saferFlateReader{r: flate.NewReader(r)}
+}
+
+type saferFlateReader struct {
+	r     io.ReadCloser
+	count int
+}
+
+func (r *saferFlateReader) Read(p []byte) (n int, err error) {
+	if r.count+len(p) > flateUncompressLimit {
+		return 0, fmt.Errorf("flate: uncompress limit exceeded (%d bytes)", flateUncompressLimit)
+	}
+	n, err = r.r.Read(p)
+	r.count += n
+	return n, err
+}
+
+func (r *saferFlateReader) Close() error {
+	return r.r.Close()
+}
diff --git a/identity_provider.go b/identity_provider.go
@@ -2,7 +2,6 @@ package saml
 
 import (
 	"bytes"
-	"compress/flate"
 	"crypto"
 	"crypto/tls"
 	"crypto/x509"
@@ -363,7 +362,7 @@ func NewIdpAuthnRequest(idp *IdentityProvider, r *http.Request) (*IdpAuthnReques
 		if err != nil {
 			return nil, fmt.Errorf("cannot decode request: %s", err)
 		}
-		req.RequestBuffer, err = ioutil.ReadAll(flate.NewReader(bytes.NewReader(compressedRequest)))
+		req.RequestBuffer, err = ioutil.ReadAll(newSaferFlateReader(bytes.NewReader(compressedRequest)))
 		if err != nil {
 			return nil, fmt.Errorf("cannot decompress request: %s", err)
 		}
diff --git a/identity_provider_test.go b/identity_provider_test.go
@@ -1,6 +1,8 @@
 package saml
 
 import (
+	"bytes"
+	"compress/flate"
 	"crypto"
 	"crypto/rsa"
 	"crypto/x509"
@@ -1013,3 +1015,29 @@ func TestIDPNoDestination(t *testing.T) {
 	err = req.MakeResponse()
 	assert.Check(t, err)
 }
+
+func TestIDPRejectDecompressionBomb(t *testing.T) {
+	test := NewIdentifyProviderTest(t)
+	test.IDP.SessionProvider = &mockSessionProvider{
+		GetSessionFunc: func(w http.ResponseWriter, r *http.Request, req *IdpAuthnRequest) *Session {
+			fmt.Fprintf(w, "RelayState: %s\nSAMLRequest: %s",
+				req.RelayState, req.RequestBuffer)
+			return nil
+		},
+	}
+
+	//w := httptest.NewRecorder()
+
+	data := bytes.Repeat([]byte("a"), 768*1024*1024)
+	var compressed bytes.Buffer
+	w, _ := flate.NewWriter(&compressed, flate.BestCompression)
+	w.Write(data)
+	w.Close()
+	encoded := base64.StdEncoding.EncodeToString(compressed.Bytes())
+
+	r, _ := http.NewRequest("GET", "/dontcare?"+url.Values{
+		"SAMLRequest": {encoded},
+	}.Encode(), nil)
+	_, err := NewIdpAuthnRequest(&test.IDP, r)
+	assert.Error(t, err, "cannot decompress request: flate: uncompress limit exceeded (10485760 bytes)")
+}
diff --git a/service_provider.go b/service_provider.go
@@ -1524,7 +1524,7 @@ func (sp *ServiceProvider) ValidateLogoutResponseRedirect(queryParameterData str
 	}
 	retErr.Response = string(rawResponseBuf)
 
-	gr, err := ioutil.ReadAll(flate.NewReader(bytes.NewBuffer(rawResponseBuf)))
+	gr, err := ioutil.ReadAll(newSaferFlateReader(bytes.NewBuffer(rawResponseBuf)))
 	if err != nil {
 		retErr.PrivateErr = err
 		return retErr

Original file line number	Diff line number	Diff line change
`@@ -1524,7 +1524,7 @@ func (sp *ServiceProvider) ValidateLogoutResponseRedirect(queryParameterData str`
`1524`	`1524`	`}`
`1525`	`1525`	`retErr.Response = string(rawResponseBuf)`
`1526`	`1526`
`1527`		`- gr, err := ioutil.ReadAll(flate.NewReader(bytes.NewBuffer(rawResponseBuf)))`
	`1527`	`+ gr, err := ioutil.ReadAll(newSaferFlateReader(bytes.NewBuffer(rawResponseBuf)))`
`1528`	`1528`	`if err != nil {`
`1529`	`1529`	`retErr.PrivateErr = err`
`1530`	`1530`	`return retErr`