Skip to content

Add safer parsing of dynamic SAML urls (LG-8837) #8166

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
zachmargolis merged 4 commits into from
Apr 10, 2023
Merged

Add safer parsing of dynamic SAML urls (LG-8837) #8166

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
b592a34
Add safer parsing of dynamic SAML urls (LG-8837)
zachmargolis Apr 10, 2023
b8c312f
Merge remote-tracking branch 'origin/main' into margolis-remove-path-…
zachmargolis Apr 10, 2023
a0f7d9e
Add additional spec coverage
zachmargolis Apr 10, 2023
b0e632f
remove sneaky "and" keyword
zachmargolis Apr 10, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 17 additions & 3 deletions app/controllers/saml_post_controller.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,13 +3,27 @@ class SamlPostController < ApplicationController
skip_before_action :verify_authenticity_token

def auth
path_year = request.path[-4..-1]
path_method = "api_saml_authpost#{path_year}_url"
action_url = Rails.application.routes.url_helpers.send(path_method)
action_url = build_action_url(request.path)
if !action_url
render_not_found
return
end

form_params = params.permit(:SAMLRequest, :RelayState, :SigAlg, :Signature)

render 'shared/saml_post_form', locals: { action_url: action_url, form_params: form_params },
layout: false
end

private

def build_action_url(path)
path_year = path[-4..-1]
path = "/api/saml/authpost#{path_year}"
recognized_path = Rails.application.routes.recognize_path(path, method: :post)

if recognized_path[:controller] == 'saml_idp' && recognized_path[:action] == 'auth'
Rails.application.routes.url_for(**recognized_path)
end
end
end
17 changes: 17 additions & 0 deletions spec/controllers/saml_completion_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,23 @@
end
end

context 'with an invalid year in the path' do
let(:path_year) { SamlEndpoint.suffixes.last.to_i + 1 }

before do
expect(controller).to receive(:sp_session).at_least(:once).and_return(
{
request_url: "https://example.gov/api/saml/finalauthpost#{path_year}",
},
)
end

it 'renders 404 not found' do
get :index
expect(response).to be_not_found
end
end

context 'with a nil service provider request session' do
before { expect(controller).to receive(:sp_from_sp_session).and_return nil }

Expand Down
23 changes: 23 additions & 0 deletions spec/controllers/saml_post_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,5 +31,28 @@

expect(response.body).not_to match(hidden_field_tag('Foo', 'bar'))
end

context 'with an invalid year in the path' do
let(:path_year) { SamlEndpoint.suffixes.last.to_i + 2 }

before do
allow(controller).to receive(:request).and_wrap_original do |impl|
req = impl.call
req.path = "https://example.gov/api/saml/auth#{path_year}"
req
end
end

it 'renders 404 not found' do
post :auth, params: {
'SAMLRequest' => saml_request,
'RelayState' => relay_state,
'SigAlg' => sig_alg,
'Signature' => signature,
}

expect(response).to be_not_found
end
end
end
end