Minimize Zlib deflate decompression bomb. See #383

pitbulk · pitbulk · commit 533c84ebfc40 · 2021-01-26T00:04:48.000+01:00
diff --git a/lib/onelogin/ruby-saml/saml_message.rb b/lib/onelogin/ruby-saml/saml_message.rb
@@ -22,6 +22,8 @@ class SamlMessage
       BASE64_FORMAT = %r(\A([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\Z)
       @@mutex = Mutex.new
 
+      MAX_BYTE_SIZE = 250000
+
       # @return [Nokogiri::XML::Schema] Gets the schema object of the SAML 2.0 Protocol schema
       #
       def self.schema
@@ -89,6 +91,10 @@ def valid_saml?(document, soft = true)
       def decode_raw_saml(saml)
         return saml unless base64_encoded?(saml)
 
+        if saml.bytesize > MAX_BYTE_SIZE
+          raise ValidationError.new("Encoded SAML Message exceeds " + MAX_BYTE_SIZE.to_s + " bytes, so was rejected")
+        end
+
         decoded = decode(saml)
         begin
           inflate(decoded)
diff --git a/test/saml_message_test.rb b/test/saml_message_test.rb
@@ -52,5 +52,23 @@ class RubySamlTest < Minitest::Test
       decoded_inflated = saml_message.send(:inflate, decoded)
       assert response_document_xml, decoded_inflated
     end
+
+    describe "Prevent Zlib bomb attack" do
+      it "raises error when SAML Message exceed the allowed bytes" do
+        prefix= """<?xml version='1.0' encoding='UTF-8'?>
+                   <samlp:LogoutRequest xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' ID='ONELOGIN_21df91a89767879fc0f7df6a1490c6000c81644d' Version='2.0' IssueInstant='2014-07-18T01:13:06Z' Destination='http://idp.example.com/SingleLogoutService.php'>
+                   <saml:Issuer>"""
+        suffix= """</saml:Issuer>
+                   <saml:NameID SPNameQualifier='http://sp.example.com/demo1/metadata.php' Format='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'>ONELOGIN_f92cc1834efc0f73e9c09f482fce80037a6251e7</saml:NameID>
+                </samlp:LogoutRequest>"""
+
+        data = prefix + "A" * (200000 * 1024) + suffix
+        bomb = Base64.encode64(Zlib::Deflate.deflate(data, 9)[2..-5])
+        assert_raises(OneLogin::RubySaml::ValidationError, "Encoded SAML Message exceeds " + OneLogin::RubySaml::SamlMessage::MAX_BYTE_SIZE.to_s + " bytes, so was rejected") do
+            saml_message = OneLogin::RubySaml::SamlMessage.new
+            saml_message.send(:decode_raw_saml, bomb)
+        end
+      end
+    end
   end
 end
