18F · mitchellhenke · Apr 29, 2022 · Apr 28, 2022
diff --git a/app/controllers/saml_idp_controller.rb b/app/controllers/saml_idp_controller.rb
@@ -69,6 +69,16 @@ def remotelogout
     handle_valid_sp_remote_logout_request(user_id)
   end
 
+  def external_saml_request?
+    return true if request.path.start_with?('/api/saml/authpost')
+
+    begin
+      URI(request.referer).host != request.host
+    rescue ArgumentError, URI::Error
+      false
+    end
+  end
+
   private
 
   def confirm_user_is_authenticated_with_fresh_mfa
@@ -118,11 +128,6 @@ def log_external_saml_auth_request
     )
   end
 
-  def external_saml_request?
-    (!request.referer.nil? && URI(request.referer).host != request.host) ||
-      request.path.start_with?('/api/saml/authpost')
-  end
-
   def handle_successful_handoff
     track_events
     delete_branded_experience

diff --git a/spec/controllers/saml_idp_controller_spec.rb b/spec/controllers/saml_idp_controller_spec.rb
@@ -1802,4 +1802,15 @@ def stub_requested_attributes
       )
     end
   end
+
+  describe '#external_saml_request' do
+    it 'returns false for malformed referer' do
+      request.env['HTTP_REFERER'] = '{{<script>console.log()</script>'
+      expect(subject.external_saml_request?).to eq false
+    end
+
+    it 'returns false for empty referer' do
+      expect(subject.external_saml_request?).to eq false
+    end
+  end
 end