  1. CXF
  2. CXF-6579

Inflated tokens can be corrupted if compression ratio is greater than 2:1


Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 3.0.6, 2.7.17, 3.1.2
    • Fix Version/s: 3.1.3, 2.7.18, 3.0.7
    • Component/s: Core, JAX-RS Security
    • Labels: None
    • Estimated Complexity: Unknown

    Description

      DeflateEncoderDecoder/CompressionUtils inflate method assumes that the compression ratio will be 2:1. That assumption is not true for SAML tokens with many similar attribute statements. The inflated token will be corrupted with a portion of the token replaced with null characters.

      https://github.com/apache/cxf/blob/cxf-2.7.17/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/DeflateEncoderDecoder.java#L34
      https://github.com/apache/cxf/blob/cxf-3.0.6/core/src/main/java/org/apache/cxf/common/util/CompressionUtils.java#L41
      https://github.com/apache/cxf/blob/cxf-3.1.2/core/src/main/java/org/apache/cxf/common/util/CompressionUtils.java#L41

          @Test
          public void testInflateDeflateWithTokenDuplication() throws Exception {
              String token = "valid_grant valid_grant valid_grant valid_grant valid_grant valid_grant";
      
              DeflateEncoderDecoder deflateEncoderDecoder = new DeflateEncoderDecoder();
              byte[] deflatedToken = deflateEncoderDecoder.deflateToken(token.getBytes());
      
              String cxfInflatedToken = IOUtils
                      .toString(deflateEncoderDecoder.inflateToken(deflatedToken));
      
              String streamInflatedToken = IOUtils.toString(
                      new InflaterInputStream(new ByteArrayInputStream(deflatedToken),
                              new Inflater(true)));
      
              assertThat(streamInflatedToken, is(token));
              assertThat(cxfInflatedToken, is(token));
          }
      

      The stream inflated token is correct but the CXF inflated token is invalid.

      java.lang.AssertionError: 
      Expected: is "valid_grant valid_grant valid_grant valid_grant valid_grant valid_grant"
           got: "t valid_grant valid_grant valid_grant"
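
The failure mode described in this report, as an added example that is not CXF's code or the reporter's: `inflateAssuming2to1` is a simplified illustration of sizing the output buffer from the compressed length, and `inflateFully` drains the inflater in chunks until it reports completion. The class name, the method names and the `maxSize` output cap are assumptions of this example.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.io.ByteArrayOutputStream;
import java.util.Arrays;
import java.util.zip.*;
public class InflateRatioDemo {
    // Illustrative flaw: a single inflate() into a buffer sized at 2x the compressed length.
    static byte[] inflateAssuming2to1(byte[] deflated) throws DataFormatException {
        Inflater inflater = new Inflater(true);   // true = raw deflate (nowrap)
        inflater.setInput(deflated);
        byte[] out = new byte[deflated.length * 2];
        int n = inflater.inflate(out);            // returns once 'out' is full
        inflater.end();
        return Arrays.copyOf(out, n);             // output past 2:1 is never read
    }
    // Drains the inflater in chunks; maxSize is an assumed cap on the inflated size.
    static byte[] inflateFully(byte[] deflated, int maxSize) throws DataFormatException {
        Inflater inflater = new Inflater(true);
        inflater.setInput(deflated);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] chunk = new byte[1024];
        try {
            while (!inflater.finished()) {
                int n = inflater.inflate(chunk);
                if (n == 0 && (inflater.needsInput() || inflater.needsDictionary())) {
                    throw new DataFormatException("truncated or invalid deflate data");
                }
                out.write(chunk, 0, n);
                if (out.size() > maxSize) {
                    throw new DataFormatException("inflated data exceeds " + maxSize + " bytes");
                }
            }
        } finally {
            inflater.end();
        }
        return out.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        // Constructed input: the repetitive token from the report, raw-deflated.
        String token = "valid_grant valid_grant valid_grant valid_grant valid_grant valid_grant";
        Deflater deflater = new Deflater(Deflater.DEFAULT_COMPRESSION, true);
        deflater.setInput(token.getBytes(UTF_8));
        deflater.finish();
        byte[] buf = new byte[256];
        byte[] deflated = Arrays.copyOf(buf, deflater.deflate(buf));
        deflater.end();
        System.out.println("2:1 buffer: " + new String(inflateAssuming2to1(deflated), UTF_8));
        System.out.println("full drain: " + new String(inflateFully(deflated, 65536), UTF_8));
    }
}
```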
      

          People

            Assignee: Sergey Beryozkin (sergey_beryozkin)
            Reporter: Phillip Klinefelter (pklinef)