Add support for validating the max length of SAML 2.0 request/response.

Change samples to validate SAML 2.0 request/response.
Upgrade TestWebAppCoreNemLogin3Sp to .NET 7.

Author: Revsgaard

src/ITfoxtec.Identity.Saml2.Mvc/Extensions/HttpRequestExtensions.cs

@@ -1,4 +1,5 @@
-using System.Web;
+using ITfoxtec.Identity.Saml2.Schemas;
+using System.Web;
 using System;
 using System.IO;
 
@@ -12,16 +13,50 @@ public static class HttpRequestExtensions
         /// <summary>
         /// Converts a System.Web.HttpRequestBase to ITfoxtec.Identity.Saml2.Http.HttpRequest.
         /// </summary>
-        public static Http.HttpRequest ToGenericHttpRequest(this HttpRequestBase request, bool readBodyAsString = false)
+        public static Http.HttpRequest ToGenericHttpRequest(this HttpRequestBase request, bool readBodyAsString = false, bool validate = false)
         {
-            return new Http.HttpRequest
+            var samlHttpRequest = new Http.HttpRequest
             {
                 Method = request.HttpMethod,
                 QueryString = request.Url.Query,
                 Query = request.QueryString,
                 Form = "POST".Equals(request.HttpMethod, StringComparison.InvariantCultureIgnoreCase) ? request.Form : null,
                 Body = ReadBody(request, readBodyAsString)
             };
+
+            if (validate)
+            {
+                var length = 0;
+                if (!string.IsNullOrEmpty(samlHttpRequest.QueryString))
+                {
+                    length += samlHttpRequest.QueryString.Length;
+                }
+                if (readBodyAsString)
+                {
+                    if (!string.IsNullOrEmpty(samlHttpRequest.Body))
+                    {
+                        length += samlHttpRequest.Body.Length;
+                    }
+                }
+                else
+                {
+                    if (samlHttpRequest.Form != null)
+                    {
+                        foreach (string item in samlHttpRequest.Form)
+                        {
+                            if (!string.IsNullOrEmpty(item))
+                            {
+                                length += item.Length;
+                            }
+                        }
+                    }
+                }
+                if (length > Saml2Constants.RequestResponseMaxLength)
+                {
+                    throw new Saml2RequestException($"Invalid SAML 2.0 request/response with a length of {length}, max length {Saml2Constants.RequestResponseMaxLength}.");
+                }
+            }
+            return samlHttpRequest;
         }
 
         private static string ReadBody(HttpRequestBase request, bool readBodyAsString)

src/ITfoxtec.Identity.Saml2.Mvc/ITfoxtec.Identity.Saml2.Mvc.csproj

@@ -26,10 +26,10 @@ Support the Danish NemLog-in 2 / OIOSAML 2 and NemLog-in 3 / OIOSAML 3.</Descrip
     <PackageTags>SAML SAML 2.0 SAML2.0 SAML2 SAML 2 SAML-P SAMLP SSO Identity Provider (IdP) and Relying Party (RP) Authentication Metadata OIOSAML OIOSAML 2 OIOSAML 3 NemLogin NemLog-in 2 NemLog-in 3 ASP.NET MVC</PackageTags>
     <NeutralLanguage>en-US</NeutralLanguage>
     <PackageIconUrl>https://itfoxtec.com/favicon.ico</PackageIconUrl>
-    <AssemblyVersion>4.10.1.0</AssemblyVersion>
-    <FileVersion>4.10.1.0</FileVersion>
+    <AssemblyVersion>4.10.2.0</AssemblyVersion>
+    <FileVersion>4.10.2.0</FileVersion>
     <Copyright>Copyright © 2023</Copyright>
-    <Version>4.10.1</Version>
+    <Version>4.10.2</Version>
     <SignAssembly>true</SignAssembly>
     <AssemblyOriginatorKeyFile>ITfoxtec.SAML2.snk</AssemblyOriginatorKeyFile>
     <DelaySign>false</DelaySign>

src/ITfoxtec.Identity.Saml2.MvcCore/Extensions/HttpRequestExtensions.cs

@@ -6,6 +6,7 @@
 using System;
 using System.IO;
 using System.Threading.Tasks;
+using ITfoxtec.Identity.Saml2.Schemas;
 
 namespace ITfoxtec.Identity.Saml2.MvcCore
 {
@@ -17,29 +18,66 @@ public static class HttpRequestExtensions
         /// <summary>
         /// Converts a Microsoft.AspNet.Http.HttpRequest to ITfoxtec.Identity.Saml2.Http.HttpRequest.
         /// </summary>
-        public static Http.HttpRequest ToGenericHttpRequest(this HttpRequest request)
+        public static Http.HttpRequest ToGenericHttpRequest(this HttpRequest request, bool validate = false)
         {
-            return new Http.HttpRequest
+            var samlHttpRequest = new Http.HttpRequest
             {
                 Method = request.Method,
                 QueryString = request.QueryString.Value,
                 Query = ToNameValueCollection(request.Query),
                 Form = "POST".Equals(request.Method, StringComparison.InvariantCultureIgnoreCase) ? ToNameValueCollection(request.Form) : null
             };
+
+            if (validate)
+            {
+                var length = 0;
+                if (!string.IsNullOrEmpty(samlHttpRequest.QueryString))
+                {
+                    length += samlHttpRequest.QueryString.Length;
+                }
+                if (samlHttpRequest.Form != null)
+                {
+                    foreach (string item in samlHttpRequest.Form)
+                    {
+                        if (!string.IsNullOrEmpty(item))
+                        {
+                            length += item.Length;
+                        }
+                    }
+                }
+                if (length > Saml2Constants.RequestResponseMaxLength)
+                {
+                    throw new Saml2RequestException($"Invalid SAML 2.0 request/response with a length of {length}, max length {Saml2Constants.RequestResponseMaxLength}.");
+                }
+            }
+            return samlHttpRequest;
         }
 
         /// <summary>
         /// Converts a Microsoft.AspNet.Http.HttpRequest to ITfoxtec.Identity.Saml2.Http.HttpRequest.
         /// </summary>
-        public static async Task<Http.HttpRequest> ToGenericHttpRequestAsync(this HttpRequest request, bool readBodyAsString = false)
+        public static async Task<Http.HttpRequest> ToGenericHttpRequestAsync(this HttpRequest request, bool readBodyAsString = false, bool validate = false)
         {
             if (readBodyAsString)
             {
-                return new Http.HttpRequest
+                var samlHttpRequest = new Http.HttpRequest
                 {
                     Method = request.Method,
                     Body = await ReadBodyStringAsync(request)
                 };
+
+                if (validate)
+                {
+                    if (!string.IsNullOrEmpty(samlHttpRequest.Body))
+                    {
+                        var length = samlHttpRequest.Body.Length;
+                        if (length > Saml2Constants.RequestResponseMaxLength)
+                        {
+                            throw new Saml2RequestException($"Invalid SAML 2.0 request/response with a length of {length}, max length {Saml2Constants.RequestResponseMaxLength}.");
+                        }
+                    }
+                }
+                return samlHttpRequest;
             }
             else
             {

src/ITfoxtec.Identity.Saml2.MvcCore/ITfoxtec.Identity.Saml2.MvcCore.csproj

@@ -30,10 +30,10 @@ Support the Danish NemLog-in 2 / OIOSAML 2 and NemLog-in 3 / OIOSAML 3.</Descrip
     <PackageTags>SAML SAML 2.0 SAML2.0 SAML2 SAML 2 SAML-P SAMLP SSO Identity Provider (IdP) Relying Party (RP) Authentication Metadata OIOSAML OIOSAML 2 OIOSAML 3 NemLogin NemLog-in 2 NemLog-in 3 ASP.NET MVC Core</PackageTags>
     <NeutralLanguage>en-US</NeutralLanguage>
     <PackageIconUrl>https://itfoxtec.com/favicon.ico</PackageIconUrl>
-    <AssemblyVersion>4.10.1.0</AssemblyVersion>
-    <FileVersion>4.10.1.0</FileVersion>
+    <AssemblyVersion>4.10.2.0</AssemblyVersion>
+    <FileVersion>4.10.2.0</FileVersion>
     <Copyright>Copyright © 2023</Copyright>
-    <Version>4.10.1</Version>
+    <Version>4.10.2</Version>
     <SignAssembly>true</SignAssembly>
     <AssemblyOriginatorKeyFile>ITfoxtec.SAML2.snk</AssemblyOriginatorKeyFile>
     <DelaySign>false</DelaySign>

src/ITfoxtec.Identity.Saml2/ITfoxtec.Identity.Saml2.csproj

@@ -31,10 +31,10 @@ Support the Danish NemLog-in 2 / OIOSAML 2 and NemLog-in 3 / OIOSAML 3.</Descrip
     <PackageTags>SAML SAML 2.0 SAML2.0 SAML2 SAML 2 SAML-P SAMLP SSO Identity Provider (IdP) Relying Party (RP) Authentication Metadata OIOSAML OIOSAML 2 OIOSAML 3 NemLogin NemLog-in 2 NemLog-in 3</PackageTags>
     <NeutralLanguage>en-US</NeutralLanguage>
     <PackageIconUrl>https://itfoxtec.com/favicon.ico</PackageIconUrl>
-    <AssemblyVersion>4.10.1.0</AssemblyVersion>
-    <FileVersion>4.10.1.0</FileVersion>
+    <AssemblyVersion>4.10.2.0</AssemblyVersion>
+    <FileVersion>4.10.2.0</FileVersion>
     <Copyright>Copyright © 2023</Copyright>
-    <Version>4.10.1</Version>
+    <Version>4.10.2</Version>
     <SignAssembly>true</SignAssembly>
     <AssemblyOriginatorKeyFile>ITfoxtec.SAML2.snk</AssemblyOriginatorKeyFile>
     <DelaySign>false</DelaySign>

src/ITfoxtec.Identity.Saml2/Schemas/Saml2Constants.cs

@@ -5,6 +5,11 @@ namespace ITfoxtec.Identity.Saml2.Schemas
 {
     public static class Saml2Constants
     {
+        /// <summary>
+        /// SAML 2.0 request / response max length.
+        /// </summary>
+        public const int RequestResponseMaxLength = 100000;
+
         /// <summary>
         /// SAML 2.0 Authentication Type.
         /// </summary>

test/TestIdPCore/Controllers/AuthController.cs

@@ -47,7 +47,7 @@ public async Task<IActionResult> Login()
             var saml2AuthnRequest = new Saml2AuthnRequest(GetRpSaml2Configuration(relyingParty));
             try
             {
-                requestBinding.Unbind(Request.ToGenericHttpRequest(), saml2AuthnRequest);
+                requestBinding.Unbind(Request.ToGenericHttpRequest(validate: true), saml2AuthnRequest);
 
                 // ****  Handle user login e.g. in GUI ****
                 // Test user with session index and claims
@@ -108,7 +108,7 @@ public async Task<IActionResult> Logout()
             var saml2LogoutRequest = new Saml2LogoutRequest(GetRpSaml2Configuration(relyingParty));
             try
             {
-                requestBinding.Unbind(Request.ToGenericHttpRequest(), saml2LogoutRequest);
+                requestBinding.Unbind(Request.ToGenericHttpRequest(validate: true), saml2LogoutRequest);
 
                 // **** Delete user session ****
 
@@ -125,12 +125,12 @@ public async Task<IActionResult> Logout()
 
         private string ReadRelyingPartyFromLoginRequest<T>(Saml2Binding<T> binding)
         {
-            return binding.ReadSamlRequest(Request.ToGenericHttpRequest(), new Saml2AuthnRequest(GetRpSaml2Configuration()))?.Issuer;
+            return binding.ReadSamlRequest(Request.ToGenericHttpRequest(validate: true), new Saml2AuthnRequest(GetRpSaml2Configuration()))?.Issuer;
         }
 
         private string ReadRelyingPartyFromLogoutRequest<T>(Saml2Binding<T> binding)
         {
-            return binding.ReadSamlRequest(Request.ToGenericHttpRequest(), new Saml2LogoutRequest(GetRpSaml2Configuration()))?.Issuer;
+            return binding.ReadSamlRequest(Request.ToGenericHttpRequest(validate: true), new Saml2LogoutRequest(GetRpSaml2Configuration()))?.Issuer;
         }
 
         private string ReadRelyingPartyFromSoapEnvelopeRequest<T>(ITfoxtec.Identity.Saml2.Http.HttpRequest httpRequest, Saml2Binding<T> binding)

test/TestWebApp/Controllers/AuthController.cs

@@ -45,12 +45,12 @@ public ActionResult AssertionConsumerService()
             var binding = new Saml2PostBinding();
             var saml2AuthnResponse = new Saml2AuthnResponse(config);
 
-            binding.ReadSamlResponse(Request.ToGenericHttpRequest(), saml2AuthnResponse);
+            binding.ReadSamlResponse(Request.ToGenericHttpRequest(validate: true), saml2AuthnResponse);
             if (saml2AuthnResponse.Status != Saml2StatusCodes.Success)
             {
                 throw new AuthenticationException($"SAML Response status: {saml2AuthnResponse.Status}");
             }
-            binding.Unbind(Request.ToGenericHttpRequest(), saml2AuthnResponse);
+            binding.Unbind(Request.ToGenericHttpRequest(validate: true), saml2AuthnResponse);
             saml2AuthnResponse.CreateSession(claimsAuthenticationManager: new DefaultClaimsAuthenticationManager());
 
             var relayStateQuery = binding.GetRelayStateQuery();
@@ -74,7 +74,7 @@ public ActionResult Logout()
         public ActionResult LoggedOut()
         {
             var binding = new Saml2PostBinding();
-            binding.Unbind(Request.ToGenericHttpRequest(), new Saml2LogoutResponse(config));
+            binding.Unbind(Request.ToGenericHttpRequest(validate: true), new Saml2LogoutResponse(config));
 
             FederatedAuthentication.SessionAuthenticationModule.DeleteSessionTokenCookie();
             FederatedAuthentication.SessionAuthenticationModule.SignOut();
@@ -89,7 +89,7 @@ public ActionResult SingleLogout()
             var logoutRequest = new Saml2LogoutRequest(config, ClaimsPrincipal.Current);
             try
             {
-                requestBinding.Unbind(Request.ToGenericHttpRequest(), logoutRequest);
+                requestBinding.Unbind(Request.ToGenericHttpRequest(validate: true), logoutRequest);
                 status = Saml2StatusCodes.Success;
                 logoutRequest.DeleteSession();
             }

test/TestWebAppCore/Controllers/AuthController.cs

@@ -50,12 +50,12 @@ public async Task<IActionResult> AssertionConsumerService()
             var binding = new Saml2PostBinding();
             var saml2AuthnResponse = new Saml2AuthnResponse(config);
 
-            binding.ReadSamlResponse(Request.ToGenericHttpRequest(), saml2AuthnResponse);
+            binding.ReadSamlResponse(Request.ToGenericHttpRequest(validate: true), saml2AuthnResponse);
             if (saml2AuthnResponse.Status != Saml2StatusCodes.Success)
             {
                 throw new AuthenticationException($"SAML Response status: {saml2AuthnResponse.Status}");
             }
-            binding.Unbind(Request.ToGenericHttpRequest(), saml2AuthnResponse);
+            binding.Unbind(Request.ToGenericHttpRequest(validate: true), saml2AuthnResponse);
             await saml2AuthnResponse.CreateSession(HttpContext, claimsTransform: (claimsPrincipal) => ClaimsTransform.Transform(claimsPrincipal));
 
             var relayStateQuery = binding.GetRelayStateQuery();
@@ -81,7 +81,7 @@ public async Task<IActionResult> Logout()
         public IActionResult LoggedOut()
         {
             var binding = new Saml2PostBinding();
-            binding.Unbind(Request.ToGenericHttpRequest(), new Saml2LogoutResponse(config));
+            binding.Unbind(Request.ToGenericHttpRequest(validate: true), new Saml2LogoutResponse(config));
 
             return Redirect(Url.Content("~/"));
         }
@@ -94,7 +94,7 @@ public async Task<IActionResult> SingleLogout()
             var logoutRequest = new Saml2LogoutRequest(config, User);
             try
             {
-                requestBinding.Unbind(Request.ToGenericHttpRequest(), logoutRequest);
+                requestBinding.Unbind(Request.ToGenericHttpRequest(validate: true), logoutRequest);
                 status = Saml2StatusCodes.Success;
                 await logoutRequest.DeleteSession(HttpContext);
             }

test/TestWebAppCoreAngularApi/Controllers/AuthController.cs

@@ -49,12 +49,12 @@ public async Task<IActionResult> AssertionConsumerService()
             var binding = new Saml2PostBinding();
             var saml2AuthnResponse = new Saml2AuthnResponse(config);
 
-            binding.ReadSamlResponse(Request.ToGenericHttpRequest(), saml2AuthnResponse);
+            binding.ReadSamlResponse(Request.ToGenericHttpRequest(validate: true), saml2AuthnResponse);
             if (saml2AuthnResponse.Status != Saml2StatusCodes.Success)
             {
                 throw new AuthenticationException($"SAML Response status: {saml2AuthnResponse.Status}");
             }
-            binding.Unbind(Request.ToGenericHttpRequest(), saml2AuthnResponse);
+            binding.Unbind(Request.ToGenericHttpRequest(validate: true), saml2AuthnResponse);
             await saml2AuthnResponse.CreateSession(HttpContext, claimsTransform: (claimsPrincipal) => ClaimsTransform.Transform(claimsPrincipal));
 
             var relayStateQuery = binding.GetRelayStateQuery();
@@ -80,7 +80,7 @@ public async Task<IActionResult> Logout()
         public IActionResult LoggedOut()
         {
             var binding = new Saml2PostBinding();
-            binding.Unbind(Request.ToGenericHttpRequest(), new Saml2LogoutResponse(config));
+            binding.Unbind(Request.ToGenericHttpRequest(validate: true), new Saml2LogoutResponse(config));
 
             return Redirect(Url.Content("~/"));
         }
@@ -93,7 +93,7 @@ public async Task<IActionResult> SingleLogout()
             var logoutRequest = new Saml2LogoutRequest(config, User);
             try
             {
-                requestBinding.Unbind(Request.ToGenericHttpRequest(), logoutRequest);
+                requestBinding.Unbind(Request.ToGenericHttpRequest(validate: true), logoutRequest);
                 status = Saml2StatusCodes.Success;
                 await logoutRequest.DeleteSession(HttpContext);
             }