Headline
CVE-2023-28119: Merge pull request from GHSA-5mqj-xc49-246p · crewjam/saml@8e92368
The crewjam/saml go library contains a partial implementation of the SAML standard in golang. Prior to version 0.4.13, the package’s use of flate.NewReader does not limit the size of the input. The user can pass more than 1 MB of data in the HTTP request to the processing functions, which will be decompressed server-side using the Deflate algorithm. Therefore, after repeating the same request multiple times, it is possible to achieve a reliable crash since the operating system kills the process. This issue is patched in version 0.4.13.
@@ -1,6 +1,8 @@
package saml
import (
“bytes”
“compress/flate”
“crypto”
“crypto/rsa”
“crypto/x509”
@@ -1013,3 +1015,29 @@ func TestIDPNoDestination(t *testing.T) {
err = req.MakeResponse()
assert.Check(t, err)
}
func TestIDPRejectDecompressionBomb(t *testing.T) {
test := NewIdentifyProviderTest(t)
test.IDP.SessionProvider = &mockSessionProvider{
GetSessionFunc: func(w http.ResponseWriter, r *http.Request, req *IdpAuthnRequest) *Session {
fmt.Fprintf(w, "RelayState: %s\nSAMLRequest: %s",
req.RelayState, req.RequestBuffer)
return nil
},
}
//w := httptest.NewRecorder()
data := bytes.Repeat([]byte(“a”), 768*1024*1024)
var compressed bytes.Buffer
w, _ := flate.NewWriter(&compressed, flate.BestCompression)
w.Write(data)
w.Close()
encoded := base64.StdEncoding.EncodeToString(compressed.Bytes())
r, _ := http.NewRequest("GET", "/dontcare?"+url.Values{
"SAMLRequest": {encoded},
}.Encode(), nil)
_, err := NewIdpAuthnRequest(&test.IDP, r)
assert.Error(t, err, "cannot decompress request: flate: uncompress limit exceeded (10485760 bytes)")
}
Related news
Our use of flate.NewReader does not limit the size of the input. The user could pass more than 1 MB of data in the HTTP request to the processing functions, which will be decompressed server-side using the Deflate algorithm. Therefore, after repeating the same request multiple times, it is possible to achieve a reliable crash since the operating system kills the process.