Fix IDX10816 decompression failure for large JWE payloads in DeflateCompressionProvider (#3286)

* Initial plan

* Initial plan for fixing IDX10816 decompression issue

Co-authored-by: pmaytak <[email protected]>

* Fix IDX10816 decompression issue and add tests

Co-authored-by: pmaytak <[email protected]>

* Final verification and restore global.json

Co-authored-by: pmaytak <[email protected]>

* Change comparison to <= MaximumDeflateSize for clearer intent in loop condition

Co-authored-by: pmaytak <[email protected]>

* Addressing PR comments

Co-authored-by: pmaytak <[email protected]>

* Revert global.json to original state - only decompression changes needed

Co-authored-by: pmaytak <[email protected]>

* Update DeflateCompressionProviderTests to use Assert class instead of CompareContext/TestUtilities

Co-authored-by: pmaytak <[email protected]>

* Add test to reproduce issue #2516 scenario with large JWE payload decompression

Co-authored-by: pmaytak <[email protected]>

* Fix formatting, fix tests.

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: pmaytak <[email protected]>

Author: Copilot

src/Microsoft.IdentityModel.Tokens/DeflateCompressionProvider.cs

@@ -77,8 +77,16 @@ public byte[] Decompress(byte[] value)
                     {
                         using (var reader = new StreamReader(deflateStream, Encoding.UTF8))
                         {
+                            int totalCharsRead = 0;
+                            int charsRead;
+
+                            // Read from the stream until all data is consumed or max size is reached
+                            while (totalCharsRead <= MaximumDeflateSize && (charsRead = reader.Read(chars, totalCharsRead, MaximumDeflateSize - totalCharsRead)) > 0)
+                            {
+                                totalCharsRead += charsRead;
+                            }
+
                             // if there is one more char to read, then the token is too large.
-                            int bytesRead = reader.Read(chars, 0, MaximumDeflateSize);
                             if (reader.Peek() != -1)
                             {
                                 throw LogHelper.LogExceptionMessage(
@@ -88,7 +96,7 @@ public byte[] Decompress(byte[] value)
                                             LogHelper.MarkAsNonPII(MaximumDeflateSize))));
                             }
 
-                            return Encoding.UTF8.GetBytes(chars, 0, bytesRead);
+                            return Encoding.UTF8.GetBytes(chars, 0, totalCharsRead);
                         }
                     }
                 }

test/Microsoft.IdentityModel.Tokens.Tests/DeflateCompressionProviderTests.cs

@@ -0,0 +1,52 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Text;
+using Xunit;
+
+namespace Microsoft.IdentityModel.Tokens.Tests
+{
+    public class DeflateCompressionProviderTests
+    {
+        [Fact]
+        public void DecompressLargePayload_ShouldSucceed()
+        {
+            var largeData = CreateLargeTestData(50000);
+
+            var provider = new DeflateCompressionProvider();
+            provider.MaximumDeflateSize = 10000000;
+            var compressedData = provider.Compress(Encoding.UTF8.GetBytes(largeData));
+            var decompressedData = provider.Decompress(compressedData);
+            var result = Encoding.UTF8.GetString(decompressedData);
+
+            Assert.Equal(largeData, result);
+        }
+
+        [Fact]
+        public void DecompressLargePayload_ExceedsMaximumSize_ShouldThrow()
+        {
+            var data = CreateLargeTestData(1000);
+
+            var provider = new DeflateCompressionProvider();
+            provider.MaximumDeflateSize = 100; // Very small limit
+
+            var compressedData = provider.Compress(Encoding.UTF8.GetBytes(data));
+
+            var exception = Assert.Throws<SecurityTokenDecompressionFailedException>(() => provider.Decompress(compressedData));
+            Assert.Contains("IDX10816", exception.Message);
+        }
+
+        private string CreateLargeTestData(int itemCount)
+        {
+            var sb = new StringBuilder();
+            sb.Append('[');
+            for (int i = 0; i < itemCount; i++)
+            {
+                if (i > 0) sb.Append(',');
+                sb.Append($"{{\"Prop1\":\"TestValue{i}\",\"Prop2\":{i},\"Prop3\":\"SomeAdditionalDataToMakeItLarger{i}\"}}");
+            }
+            sb.Append(']');
+            return sb.ToString();
+        }
+    }
+}