From 428e397d78256c22da387f345d355cb1fe59fc28 Mon Sep 17 00:00:00 2001
From: soartec-lab
Date: Tue, 29 Dec 2020 19:44:49 +0900
Subject: [PATCH] Add invalid params error handling for `Saml::Bindings::HTTPPost.receive_message`
---
 lib/saml.rb | 2 ++
 lib/saml/bindings/http_post.rb | 7 ++++++-
 spec/lib/saml/bindings/http_post_spec.rb | 9 +++++++++
 3 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/lib/saml.rb b/lib/saml.rb
index 1913472..827a2cc 100644
--- a/lib/saml.rb
+++ b/lib/saml.rb
@@ -34,6 +34,8 @@ class InvalidProvider < SamlError
 end
 class UnparseableMessage < SamlError
 end
+ class InvalidParams < SamlError
+ end
 class MetadataDownloadFailed < SamlError
 end
 class InvalidStore < SamlError
diff --git a/lib/saml/bindings/http_post.rb b/lib/saml/bindings/http_post.rb
index 3dab0cb..57ab141 100644
--- a/lib/saml/bindings/http_post.rb
+++ b/lib/saml/bindings/http_post.rb
@@ -20,7 +20,12 @@ def create_form_attributes(message, options = {})
 end
 def receive_message(request, type)
- message = Saml::Encoding.decode_64(request.params["SAMLRequest"] || request.params["SAMLResponse"])
+ receive_xml = request.params["SAMLRequest"] || request.params["SAMLResponse"]
+ if receive_xml.nil?
+ raise Saml::Errors::InvalidParams, 'require params `SAMLRequest` or `SAMLResponse`'
+ end
+
+ message = Saml::Encoding.decode_64(receive_xml)
 notify('receive_message', message)
 request_or_response = Saml.parse_message(message, type)
diff --git a/spec/lib/saml/bindings/http_post_spec.rb b/spec/lib/saml/bindings/http_post_spec.rb
index 907b2de..92bfbd0 100644
--- a/spec/lib/saml/bindings/http_post_spec.rb
+++ b/spec/lib/saml/bindings/http_post_spec.rb
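Review bot: The new guard in receive_message only catches a missing parameter; an empty value (a form posted with a blank `SAMLRequest` field) is not nil, passes the `receive_xml.nil?` check and still reaches `Saml::Encoding.decode_64` with `""`, so the InvalidParams path does not cover the malformed-submission case the check appears to be for. Consider `if receive_xml.nil? || receive_xml.empty?` (or `receive_xml.to_s.empty?`, which would also tolerate a non-String value should the request layer ever deliver one), and in the spec hunk below a second example with `params: { 'SAMLRequest' => '' }` to pin that behaviour alongside the `params: {}` example. The name `receive_xml` is misleading, since at that point the value is still the Base64 form of the message and is only decoded on the next line; `encoded_message` would read more accurately. The body of receive_message continues past the end of the hunk.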
@@ -69,5 +69,14 @@
 message
 }.to notify_with('receive_message')
 end
+
+ context 'When both `SAMLRequest` and `SAMLResponse` is nil in request params' do
+ let(:request) { double(:request, params: {}, url: "https://sp.example.com/sso") }
+ let(:message) { described_class.receive_message(request, :response) }
+
+ it 'Raise Saml::Errors::InvalidParams' do
+ expect { message }.to raise_error(Saml::Errors::InvalidParams, 'require params `SAMLRequest` or `SAMLResponse`')
+ end
+ end
 end
 end