Fix inconsistent results with using regex matches in decode_raw_saml

subfusc · subfusc · commit dea4f52dd65c · 2015-02-19T12:37:42.000+01:00
After running SAML code in production against a Norwegian IdP in a similar library
, it was found by Jørgen Fjeld &lt;jorgen at veridit.no&gt; that it is unreliable to
check for /^&lt;/. This is because the ^ matches any line and not just the first one.
It does not help replacing it with \A (Which is the beginning of the string) as
the zlib compressed data may start with a "&lt;".

The Solution implemented in this patch is to check that the current string is Base64
complient. Because XML can't be Base64 compliant, we check if the string is
base64 encoded and if it isn't we return the string with the assumption that it
is the XML. If it is we try and decode + inflate. This make the function
idempotent and decode_raw_saml(decode_raw_saml(Response)) will yield the correct
result.
diff --git a/lib/onelogin/ruby-saml/saml_message.rb b/lib/onelogin/ruby-saml/saml_message.rb
@@ -37,16 +37,23 @@ def validation_error(message)
 
       private
 
+      ##
+      # Take a SAML object provided by +saml+, determine its status and return
+      # a decoded XML as a String.
+      #
+      # Since SAML decided to use the RFC1951 and therefor has no zlib markers,
+      # the only reliable method of deciding whether we have a zlib stream or not
+      # is to try and inflate it and fall back to the base64 decoded string if
+      # the stream contains errors.
       def decode_raw_saml(saml)
-        if saml =~ /^</
-          return saml
-        elsif (decoded  = decode(saml)) =~ /^</
-          return decoded
-        elsif (inflated = inflate(decoded)) =~ /^</
-          return inflated
-        end
+        return saml unless is_base64?(saml)
 
-        return nil
+        decoded = decode(saml)
+        begin
+          inflate(decoded)
+        rescue
+          decoded
+        end
       end
 
       def encode_raw_saml(saml, settings)
@@ -63,6 +70,15 @@ def encode(encoded)
         Base64.encode64(encoded).gsub(/\n/, "")
       end
 
+      ##
+      # Check if +string+ is base64 encoded
+      #
+      # The function is not strict and does allow newline. This is because some SAML implementations
+      # uses newline in the base64-encoded data, even if they shouldn't have (RFC4648).
+      def is_base64?(string)
+        string.match(%r{\A(([A-Za-z0-9+/]{4})|\n)*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)\Z})
+      end
+
       def escape(unescaped)
         CGI.escape(unescaped)
       end
