Merge commit from fork

pitbulk · web-flow · commit bd265fca399a · 2025-07-29T20:41:30.000+02:00
Check message bytesize before Base64 validation
diff --git a/lib/onelogin/ruby-saml/saml_message.rb b/lib/onelogin/ruby-saml/saml_message.rb
@@ -84,13 +84,13 @@ def valid_saml?(document, soft = true, check_malformed_doc = true)
       # @return [String] The plain SAML Message
       #
       def decode_raw_saml(saml, settings = nil)
-        return saml unless base64_encoded?(saml)
-
         settings = OneLogin::RubySaml::Settings.new if settings.nil?
         if saml.bytesize > settings.message_max_bytesize
           raise ValidationError.new("Encoded SAML Message exceeds " + settings.message_max_bytesize.to_s + " bytes, so was rejected")
         end
 
+        return saml unless base64_encoded?(saml)
+
         decoded = decode(saml)
         begin
             message = inflate(decoded)
diff --git a/test/saml_message_test.rb b/test/saml_message_test.rb
@@ -82,5 +82,18 @@ class RubySamlTest < Minitest::Test
         end
       end
     end
+
+    describe "Prevent DOS attack via base64_encoded? validation" do
+      let(:large_saml_message) { "A" * (OneLogin::RubySaml::Settings::DEFAULTS[:message_max_bytesize] + 100) }
+
+      it "rejects oversized payloads before attempting Base64 validation" do
+        assert_raises(OneLogin::RubySaml::ValidationError, "Encoded SAML Message exceeds #{OneLogin::RubySaml::Settings::DEFAULTS[:message_max_bytesize]} bytes, so was rejected") do
+          saml_message = OneLogin::RubySaml::SamlMessage.new
+          saml_message.expects(:base64_encoded?).never
+
+          saml_message.send(:decode_raw_saml, large_saml_message)
+        end
+      end
+    end
   end
 end
