- Extract RubySaml::XML::Decoder

johnnyshields · johnnyshields · commit 7cf0d87d091f · 2025-03-16T15:29:46.000+09:00
- Use Base64.strict_encode64 everywhere
diff --git a/lib/ruby_saml/authrequest.rb b/lib/ruby_saml/authrequest.rb
@@ -51,8 +51,7 @@ def create_params(settings, params={})
 
       Logging.debug "Created AuthnRequest: #{request}"
 
-      request = deflate(request) if binding_redirect
-      base64_request = encode(request)
+      base64_request = RubySaml::XML::Decoder.encode_message(request, compress: binding_redirect)
       request_params = {"SAMLRequest" => base64_request}
       sp_signing_key = settings.get_sp_signing_key
 
@@ -66,7 +65,7 @@ def create_params(settings, params={})
         )
         sign_algorithm = RubySaml::XML.hash_algorithm(settings.get_sp_signature_method)
         signature = sp_signing_key.sign(sign_algorithm.new, url_string)
-        params['Signature'] = encode(signature)
+        params['Signature'] = Base64.strict_encode64(signature)
       end
 
       params.each_pair do |key, value|
diff --git a/lib/ruby_saml/logoutrequest.rb b/lib/ruby_saml/logoutrequest.rb
@@ -51,8 +51,7 @@ def create_params(settings, params={})
 
       Logging.debug "Created SLO Logout Request: #{request}"
 
-      request = deflate(request) if binding_redirect
-      base64_request = encode(request)
+      base64_request = RubySaml::XML::Decoder.encode_message(request, compress: binding_redirect)
       request_params = {"SAMLRequest" => base64_request}
       sp_signing_key = settings.get_sp_signing_key
 
@@ -66,7 +65,7 @@ def create_params(settings, params={})
         )
         sign_algorithm = RubySaml::XML.hash_algorithm(settings.get_sp_signature_method)
         signature = settings.get_sp_signing_key.sign(sign_algorithm.new, url_string)
-        params['Signature'] = encode(signature)
+        params['Signature'] = Base64.strict_encode64(signature)
       end
 
       params.each_pair do |key, value|
diff --git a/lib/ruby_saml/logoutresponse.rb b/lib/ruby_saml/logoutresponse.rb
@@ -40,7 +40,7 @@ def initialize(response, settings = nil, options = {})
       end
 
       @options = options
-      @response = decode_raw_saml(response, settings)
+      @response = RubySaml::XML::Decoder.decode_message(response, @settings&.message_max_bytesize)
       @document = RubySaml::XML::SignedDocument.new(@response)
       super()
     end
diff --git a/lib/ruby_saml/metadata.rb b/lib/ruby_saml/metadata.rb
@@ -149,7 +149,7 @@ def output_xml(meta_doc, pretty_print)
     private
 
     def add_certificate_element(xml, cert, use)
-      cert_text = Base64.encode64(cert.to_der).delete("\n")
+      cert_text = Base64.strict_encode64(cert.to_der)
       xml['md'].KeyDescriptor('use' => use.to_s) do
         xml['ds'].KeyInfo('xmlns:ds' => 'http://www.w3.org/2000/09/xmldsig#') do
           xml['ds'].X509Data do
diff --git a/lib/ruby_saml/response.rb b/lib/ruby_saml/response.rb
@@ -61,7 +61,7 @@ def initialize(response, options = {})
         end
       end
 
-      @response = decode_raw_saml(response, settings)
+      @response = RubySaml::XML::Decoder.decode_message(response, @settings&.message_max_bytesize)
       @document = RubySaml::XML::SignedDocument.new(@response, @errors)
 
       if assertion_encrypted?
diff --git a/lib/ruby_saml/saml_message.rb b/lib/ruby_saml/saml_message.rb
@@ -10,7 +10,6 @@
 module RubySaml
   # SAML2 Message
   class SamlMessage
-    BASE64_FORMAT = %r{\A([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\Z}
 
     # @return [Nokogiri::XML::Schema] Gets the schema object of the SAML 2.0 Protocol schema
     #
@@ -75,91 +74,6 @@ def valid_saml?(document, soft = true, check_malformed_doc: true)
 
     private
 
-    # Base64 decode and try also to inflate a SAML Message
-    # @param saml [String] The deflated and encoded SAML Message
-    # @param settings [RubySaml::Settings|nil] Toolkit settings
-    # @return [String] The plain SAML Message
-    #
-    def decode_raw_saml(saml, settings = nil)
-      return saml unless base64_encoded?(saml)
-
-      settings ||= RubySaml::Settings.new
-      if saml.bytesize > settings.message_max_bytesize
-        raise ValidationError.new("Encoded SAML Message exceeds #{settings.message_max_bytesize} bytes, so was rejected")
-      end
-
-      decoded = decode(saml)
-      message = begin
-        inflate(decoded)
-      rescue StandardError
-        decoded
-      end
-
-      if message.bytesize > settings.message_max_bytesize
-        raise ValidationError.new("SAML Message exceeds #{settings.message_max_bytesize} bytes, so was rejected")
-      end
-
-      message
-    end
-
-    # Deflate, base64 encode and url-encode a SAML Message (To be used in the HTTP-redirect binding)
-    # @param saml [String] The plain SAML Message
-    # @param settings_or_compress [true|false|RubySaml::Settings|nil] Whether or not the SAML should be deflated.
-    #   The usage of RubySaml::Settings here is deprecated.
-    # @return [String] The deflated and encoded SAML Message (encoded if the compression is requested)
-    def encode_raw_saml(saml, settings_or_compress = false)
-      if settings_or_compress.is_a?(TrueClass)
-        saml = deflate(saml)
-      elsif settings_or_compress.respond_to?(:compress_request)
-        Logging.deprecate('Please change the second argument of `encode_raw_saml_message` to a boolean ' \
-                          'indicating whether or not to use compression. Using a boolean will be required ' \
-                          'in RubySaml 2.1.0.')
-        saml = deflate(saml) if settings_or_compress.compress_request
-      end
-
-      CGI.escape(encode(saml))
-    end
-
-    # Base 64 decode method
-    # @param string [String] The string message
-    # @return [String] The decoded string
-    #
-    def decode(string)
-      Base64.decode64(string)
-    end
-
-    # Base 64 encode method
-    # @param string [String] The string
-    # @return [String] The encoded string
-    #
-    def encode(string)
-      Base64.strict_encode64(string)
-    end
-
-    # Check if a string is base64 encoded
-    # @param string [String] string to check the encoding of
-    # @return [true, false] whether or not the string is base64 encoded
-    #
-    def base64_encoded?(string)
-      !!string.gsub(/[\r\n]|\\r|\\n|\s/, "").match(BASE64_FORMAT)
-    end
-
-    # Inflate method
-    # @param deflated [String] The string
-    # @return [String] The inflated string
-    #
-    def inflate(deflated)
-      Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(deflated)
-    end
-
-    # Deflate method
-    # @param inflated [String] The string
-    # @return [String] The deflated string
-    #
-    def deflate(inflated)
-      Zlib::Deflate.deflate(inflated, Zlib::BEST_COMPRESSION)[2..-5]
-    end
-
     def check_malformed_doc?(settings)
       default_value = RubySaml::Settings::DEFAULTS[:check_malformed_doc]
 
diff --git a/lib/ruby_saml/settings.rb b/lib/ruby_saml/settings.rb
@@ -225,7 +225,7 @@ def get_binding(value)
       assertion_consumer_service_binding: Utils::BINDINGS[:post],
       single_logout_service_binding: Utils::BINDINGS[:redirect],
       idp_cert_fingerprint_algorithm: RubySaml::XML::SHA256,
-      message_max_bytesize: 250_000,
+      message_max_bytesize: RubySaml::XML::Decoder::DEFAULT_MAX_BYTESIZE,
       soft: true,
       check_malformed_doc: true,
       security: {
diff --git a/lib/ruby_saml/slo_logoutrequest.rb b/lib/ruby_saml/slo_logoutrequest.rb
@@ -39,7 +39,7 @@ def initialize(request, options = {})
         @soft = @settings.soft unless @settings.soft.nil?
       end
 
-      @request = decode_raw_saml(request, settings)
+      @request = RubySaml::XML::Decoder.decode_message(request, @settings&.message_max_bytesize)
       @document = REXML::Document.new(@request)
       super()
     end
diff --git a/lib/ruby_saml/slo_logoutresponse.rb b/lib/ruby_saml/slo_logoutresponse.rb
@@ -59,8 +59,7 @@ def create_params(settings, request_id = nil, logout_message = nil, params = {},
 
       Logging.debug "Created SLO Logout Response: #{response}"
 
-      response = deflate(response) if binding_redirect
-      base64_response = encode(response)
+      base64_response = RubySaml::XML::Decoder.encode_message(response, compress: binding_redirect)
       response_params = { 'SAMLResponse' => base64_response }
       sp_signing_key = settings.get_sp_signing_key
 
@@ -74,7 +73,7 @@ def create_params(settings, request_id = nil, logout_message = nil, params = {},
         )
         sign_algorithm = RubySaml::XML.hash_algorithm(settings.get_sp_signature_method)
         signature = sp_signing_key.sign(sign_algorithm.new, url_string)
-        params['Signature'] = encode(signature)
+        params['Signature'] = Base64.strict_encode64(signature)
       end
 
       params.each_pair do |key, value|
diff --git a/lib/ruby_saml/xml.rb b/lib/ruby_saml/xml.rb
@@ -141,7 +141,8 @@ def get_algorithm_attr(element)
   end
 end
 
-require 'ruby_saml/xml/document_signer'
+require 'ruby_saml/xml/decoder'
 require 'ruby_saml/xml/decryptor'
+require 'ruby_saml/xml/document_signer'
 require 'ruby_saml/xml/signed_document'
 require 'ruby_saml/xml/deprecated'
diff --git a/lib/ruby_saml/xml/decoder.rb b/lib/ruby_saml/xml/decoder.rb
@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+module RubySaml
+  module XML
+    # Module for handling base64 and deflate encoding.
+    module Decoder
+      extend self
+
+      DEFAULT_MAX_BYTESIZE = 250_000
+      BASE64_FORMAT = %r{\A([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\Z}
+
+      # Base64 decode and try also to inflate a SAML Message
+      # @param message [String] The deflated and encoded SAML Message
+      # @param max_bytesize [Integer] The maximum allowed size of the SAML Message,
+      #   to prevent a possible DoS attack.
+      # @return [String] The plain SAML Message
+      def decode_message(message, max_bytesize = nil)
+        return message unless base64_encoded?(message)
+
+        max_bytesize ||= DEFAULT_MAX_BYTESIZE
+
+        if message.bytesize > max_bytesize # rubocop:disable Style/IfUnlessModifier
+          raise ValidationError.new("Encoded SAML Message exceeds #{max_bytesize} bytes, so was rejected")
+        end
+
+        message = try_inflate(base64_decode(message))
+
+        if message.bytesize > max_bytesize # rubocop:disable Style/IfUnlessModifier
+          raise ValidationError.new("SAML Message exceeds #{max_bytesize} bytes, so was rejected")
+        end
+
+        message
+      end
+
+      # Deflate, base64 encode and url-encode a SAML Message. Used in the HTTP-redirect binding.
+      # @param message [String] The plain SAML Message
+      # @option :compress [true|false] Whether or not the SAML message should be deflated.
+      # @return [String] The deflated and encoded SAML Message (encoded if the compression is requested)
+      def encode_message(message, compress: false)
+        message = deflate(message) if compress
+        base64_encode(message)
+      end
+
+      private
+
+      # Base 64 decode method.
+      # @param string [String] The string message
+      # @return [String] The decoded string
+      def base64_decode(string)
+        Base64.decode64(string)
+      end
+
+      # Base 64 encode method.
+      # @param string [String] The string
+      # @return [String] The encoded string
+      def base64_encode(string)
+        Base64.strict_encode64(string)
+      end
+
+      # Check if a string is base64 encoded.
+      # @param string [String] string to check the encoding of
+      # @return [true, false] whether or not the string is base64 encoded
+      def base64_encoded?(string)
+        string.gsub(/[\s\r\n]|\\r|\\n/, '').match?(BASE64_FORMAT)
+      end
+
+      # Attempt inflating a string, if it fails, return the original string.
+      # @param data [String] The string
+      # @return [String] The inflated or original string
+      def try_inflate(data)
+        inflate(data)
+      rescue Zlib::Error
+        data
+      end
+
+      # Inflate method.
+      # @param deflated [String] The string
+      # @return [String] The inflated string
+      def inflate(deflated)
+        Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(deflated)
+      end
+
+      # Deflate method.
+      # @param inflated [String] The string
+      # @return [String] The deflated string
+      def deflate(inflated)
+        Zlib::Deflate.deflate(inflated, Zlib::BEST_COMPRESSION)[2..-5]
+      end
+    end
+  end
+end
diff --git a/lib/ruby_saml/xml/decryptor.rb b/lib/ruby_saml/xml/decryptor.rb
@@ -1,8 +1,5 @@
 # frozen_string_literal: true
 
-require 'ruby_saml/error_handling'
-require 'nokogiri'
-
 module RubySaml
   module XML
     # Module for handling document decryption
diff --git a/lib/ruby_saml/xml/document_signer.rb b/lib/ruby_saml/xml/document_signer.rb
@@ -90,20 +90,20 @@ def digest_value(document, digest_method)
         hash_algorithm = RubySaml::XML.hash_algorithm(digest_method)
 
         canon_doc = document.canonicalize(canon_algorithm, inclusive_namespaces)
-        Base64.encode64(hash_algorithm.digest(canon_doc)).strip
+        Base64.strict_encode64(hash_algorithm.digest(canon_doc))
       end
 
       def signature_value(signed_info_element, private_key, signature_method)
         canon_algorithm = RubySaml::XML.canon_algorithm(RubySaml::XML::C14N)
         hash_algorithm = RubySaml::XML.hash_algorithm(signature_method).new
 
         canon_string = signed_info_element.canonicalize(canon_algorithm)
-        Base64.encode64(private_key.sign(hash_algorithm, canon_string)).delete("\n")
+        Base64.strict_encode64(private_key.sign(hash_algorithm, canon_string))
       end
 
       def certificate_value(certificate)
         certificate = OpenSSL::X509::Certificate.new(certificate) if certificate.is_a?(String)
-        Base64.encode64(certificate.to_der).delete("\n")
+        Base64.strict_encode64(certificate.to_der)
       end
     end
   end
diff --git a/lib/ruby_saml/xml/signed_document.rb b/lib/ruby_saml/xml/signed_document.rb
@@ -65,9 +65,9 @@ def validate_document(idp_cert_fingerprint, soft = true, options = {})
             return append_error('Fingerprint mismatch', soft)
           end
 
-          base64_cert = Base64.encode64(cert.to_der)
+          base64_cert = Base64.strict_encode64(cert.to_der)
         elsif options[:cert]
-          base64_cert = Base64.encode64(options[:cert].to_pem)
+          base64_cert = Base64.strict_encode64(options[:cert].to_pem)
         elsif soft
           return false
         else
@@ -100,7 +100,7 @@ def validate_document_with_cert(idp_cert, soft = true)
           end
         end
 
-        encoded_idp_cert = Base64.encode64(idp_cert.to_pem)
+        encoded_idp_cert = Base64.strict_encode64(idp_cert.to_pem)
         validate_signature(encoded_idp_cert, true)
       end
 
diff --git a/test/logoutresponse_test.rb b/test/logoutresponse_test.rb
@@ -316,7 +316,7 @@ class RubySamlTest < Minitest::Test
             # Make normalised signature based on our modified params.
             hash_algorithm = RubySaml::XML.hash_algorithm(settings.security[:signature_method])
             signature = settings.get_sp_signing_key.sign(hash_algorithm.new, query)
-            params['Signature'] = Base64.encode64(signature).gsub(/\n/, "")
+            params['Signature'] = Base64.strict_encode64(signature)
             # Re-create the Logoutresponse based on these modified parameters,
             # and ask it to validate the signature. It will do it incorrectly,
             # because it will compute it based on re-encoded query parameters,
@@ -352,7 +352,7 @@ class RubySamlTest < Minitest::Test
             # Make normalised signature based on our modified params.
             hash_algorithm = RubySaml::XML.hash_algorithm(settings.security[:signature_method])
             signature = settings.get_sp_signing_key.sign(hash_algorithm.new, query)
-            params['Signature'] = Base64.encode64(signature).gsub(/\n/, "")
+            params['Signature'] = Base64.strict_encode64(signature)
 
             # Re-create the Logoutresponse based on these modified parameters,
             # and ask it to validate the signature. Provide the altered parameter
diff --git a/test/response_test.rb b/test/response_test.rb
@@ -233,7 +233,7 @@ def generate_audience_error(expected, actual)
 
         it "validate SAML 2.0 XML structure" do
           resp_xml = Base64.decode64(response_document_unsigned).gsub(/emailAddress/,'test')
-          response_unsigned_mod = RubySaml::Response.new(Base64.encode64(resp_xml))
+          response_unsigned_mod = RubySaml::Response.new(Base64.strict_encode64(resp_xml))
           response_unsigned_mod.stubs(:conditions).returns(nil)
           settings.idp_cert_fingerprint = signature_fingerprint_1
           response_unsigned_mod.settings = settings
@@ -396,7 +396,7 @@ def generate_audience_error(expected, actual)
 
         it "validate SAML 2.0 XML structure" do
           resp_xml = Base64.decode64(response_document_unsigned).gsub(/emailAddress/,'test')
-          response_unsigned_mod = RubySaml::Response.new(Base64.encode64(resp_xml))
+          response_unsigned_mod = RubySaml::Response.new(Base64.strict_encode64(resp_xml))
           response_unsigned_mod.stubs(:conditions).returns(nil)
           settings.idp_cert_fingerprint = signature_fingerprint_1
           response_unsigned_mod.settings = settings
diff --git a/test/saml_message_test.rb b/test/saml_message_test.rb
diff --git a/test/slo_logoutrequest_test.rb b/test/slo_logoutrequest_test.rb
diff --git a/test/test_helper.rb b/test/test_helper.rb
diff --git a/test/xml/decoder_test.rb b/test/xml/decoder_test.rb
diff --git a/test/xml/decryptor_test.rb b/test/xml/decryptor_test.rb
