Merge branch...

Merge branch '329053-ruby-saml-security-update-breaks-handling-of-large-saml-responses' into 'master' Introduce max saml message size setting See merge request gitlab-org/gitlab!69647

Merge branch...
Merge branch '329053-ruby-saml-security-update-breaks-handling-of-large-saml-responses' into 'master' Introduce max saml message size setting See merge request gitlab-org/gitlab!69647
07259586 · Alex Kalderimis · 05542e90 · 93d46378 · 07259586 · 07259586
Commit 07259586 authored Sep 13, 2021 by Alex Kalderimis
6 changed files
--- a/Gemfile
+++ b/Gemfile
@@ -32,7 +32,7 @@ gem 'bcrypt', '~> 3.1', '>= 3.1.14'
 gem 'doorkeeper', '~> 5.5.0.rc2'
 gem 'doorkeeper-openid_connect', '~> 1.7.5'
 gem 'rexml', '~> 3.2.5'
-gem 'ruby-saml', '~> 1.12.1'
+gem 'ruby-saml', '~> 1.13.0'
 gem 'omniauth', '~> 1.8'
 gem 'omniauth-auth0', '~> 2.0.0'
 gem 'omniauth-azure-activedirectory-v2', '~> 1.0'

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1124,7 +1124,7 @@ GEM
      mini_portile2 (~> 2.5.0)
    ruby-prof (1.3.1)
    ruby-progressbar (1.11.0)
-    ruby-saml (1.12.1)
+    ruby-saml (1.13.0)
      nokogiri (>= 1.10.5)
      rexml
    ruby-statistics (2.1.2)
@@ -1606,7 +1606,7 @@ DEPENDENCIES
  ruby-magic (~> 0.4)
  ruby-prof (~> 1.3.0)
  ruby-progressbar (~> 1.10)
-  ruby-saml (~> 1.12.1)
+  ruby-saml (~> 1.13.0)
  ruby_parser (~> 3.15)
  rubyzip (~> 2.0.0)
  rugged (~> 1.1)

--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -959,6 +959,11 @@ production: &base
    # (default: false)
    auto_link_saml_user: false

+    # CAUTION!
+    # Allows larger SAML messages to be received. Numeric value in bytes (default: 250000)
+    # Too high limits exposes instance to decompression DDoS attack type.
+    saml_message_max_byte_size: 250000
+
    # Allow users with existing accounts to sign in and auto link their account via OmniAuth
    # login, without having to do a manual login first and manually add OmniAuth. Links on email.
    # Define the allowed providers using an array, e.g. ["saml", "twitter"], or as true/false to

--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -95,6 +95,7 @@ Settings.omniauth['block_auto_created_users'] = true if Settings.omniauth['block
 Settings.omniauth['auto_link_ldap_user'] = false if Settings.omniauth['auto_link_ldap_user'].nil?
 Settings.omniauth['auto_link_saml_user'] = false if Settings.omniauth['auto_link_saml_user'].nil?
 Settings.omniauth['auto_link_user'] = false if Settings.omniauth['auto_link_user'].nil?
+Settings.omniauth['saml_message_max_byte_size'] = 250000 if Settings.omniauth['saml_message_max_byte_size'].nil?

 Settings.omniauth['sync_profile_from_provider'] = false if Settings.omniauth['sync_profile_from_provider'].nil?
 Settings.omniauth['sync_profile_attributes'] = ['email'] if Settings.omniauth['sync_profile_attributes'].nil?

--- a/ee/app/models/saml_provider.rb
+++ b/ee/app/models/saml_provider.rb
@@ -81,7 +81,8 @@ class SamlProvider < ApplicationRecord
        assertion_consumer_service_url: assertion_consumer_service_url,
        issuer: issuer,
        name_identifier_format: name_identifier_format,
-        idp_sso_target_url_runtime_params: { redirect_to: :RelayState }
+        idp_sso_target_url_runtime_params: { redirect_to: :RelayState },
+        message_max_bytesize: Gitlab.config.omniauth.saml_message_max_byte_size
      }
    end
  end

--- a/ee/spec/models/saml_provider_spec.rb
+++ b/ee/spec/models/saml_provider_spec.rb
@@ -154,6 +154,16 @@ RSpec.describe SamlProvider do
    it 'includes SSO URL' do
      expect(settings[:idp_sso_target_url]).to eq saml_provider.sso_url
    end
+
+    context 'when saml_message_max_byte_size present in gitlab settings ' do
+      before do
+        stub_omniauth_setting(saml_message_max_byte_size: 1_000_000)
+      end
+
+      it 'includes saml_message_max_byte_size' do
+        expect(settings[:message_max_bytesize]).to eq 1_000_000
+      end
+    end
  end

  describe '#enforced_sso?' do