diff --git a/Gemfile b/Gemfile
index f5e479dcf215baa53e4b569969d09cbb2a1d5bb7..03e55fefd73d2122c0e676cd6237d973ebef8b8d 100644
--- a/Gemfile
+++ b/Gemfile
@@ -32,7 +32,7 @@ gem 'bcrypt', '~> 3.1', '>= 3.1.14'
 gem 'doorkeeper', '~> 5.5.0.rc2'
 gem 'doorkeeper-openid_connect', '~> 1.7.5'
 gem 'rexml', '~> 3.2.5'
-gem 'ruby-saml', '~> 1.12.1'
+gem 'ruby-saml', '~> 1.13.0'
 gem 'omniauth', '~> 1.8'
 gem 'omniauth-auth0', '~> 2.0.0'
 gem 'omniauth-azure-activedirectory-v2', '~> 1.0'
diff --git a/Gemfile.lock b/Gemfile.lock
index 8b8cd1691e0f2fffd58bd47b31d6e398f5759829..50f396a5743962db84392c1c0eee0b5a57d5be2a 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1124,7 +1124,7 @@ GEM
 mini_portile2 (~> 2.5.0)
 ruby-prof (1.3.1)
 ruby-progressbar (1.11.0)
- ruby-saml (1.12.1)
+ ruby-saml (1.13.0)
 nokogiri (>= 1.10.5)
 rexml
 ruby-statistics (2.1.2)
@@ -1606,7 +1606,7 @@ DEPENDENCIES
 ruby-magic (~> 0.4)
 ruby-prof (~> 1.3.0)
 ruby-progressbar (~> 1.10)
- ruby-saml (~> 1.12.1)
+ ruby-saml (~> 1.13.0)
 ruby_parser (~> 3.15)
 rubyzip (~> 2.0.0)
 rugged (~> 1.1)
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index a5e3b8b24e7b3ebdd8e4a340cb7ae5a737fcee3f..a8881fd8a2ecf3d3e2b91d10a3f67210f957a45f 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -959,6 +959,11 @@ production: &base
 # (default: false)
 auto_link_saml_user: false
 
+ # CAUTION!
+ # Allows larger SAML messages to be received. Numeric value in bytes (default: 250000)
+ # Too high limits exposes instance to decompression DDoS attack type.
+ saml_message_max_byte_size: 250000
+
 # Allow users with existing accounts to sign in and auto link their account via OmniAuth
 # login, without having to do a manual login first and manually add OmniAuth. Links on email.
 # Define the allowed providers using an array, e.g. ["saml", "twitter"], or as true/false to
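Review bot: The comment block added above `saml_message_max_byte_size` tells an operator that raising the value is dangerous but not what the limit protects or which values are acceptable, so someone who sees a rejected login will have no guidance other than "CAUTION!"; reword the third line to `# Raising this limit increases the instance's exposure to decompression-based denial of service; keep it as low as your IdP's responses allow.` and state that the value must be a positive integer in bytes. The bare `# CAUTION!` line carries no information of its own and could be folded into that sentence. It would also help to mention that this key maps onto the SAML library's `message_max_bytesize` setting, since the two names differ and an operator searching library documentation will not find `saml_message_max_byte_size`.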
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index 34f8080ac23dcc19603689699f82cbd579177f8f..1c22216d442d5a3ad76a429b126185b57c61986c 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -95,6 +95,7 @@
 Settings.omniauth['auto_link_ldap_user'] = false if Settings.omniauth['auto_link_ldap_user'].nil?
 Settings.omniauth['auto_link_saml_user'] = false if Settings.omniauth['auto_link_saml_user'].nil?
 Settings.omniauth['auto_link_user'] = false if Settings.omniauth['auto_link_user'].nil?
+Settings.omniauth['saml_message_max_byte_size'] = 250000 if Settings.omniauth['saml_message_max_byte_size'].nil?
 Settings.omniauth['sync_profile_from_provider'] = false if Settings.omniauth['sync_profile_from_provider'].nil?
 Settings.omniauth['sync_profile_attributes'] = ['email'] if Settings.omniauth['sync_profile_attributes'].nil?
 
diff --git a/ee/app/models/saml_provider.rb b/ee/app/models/saml_provider.rb
index 4a8e570843ea4d970ae651518987094bbd04ee17..88683620d41751fe9e866b38bcfe9f11fa9023ee 100644
--- a/ee/app/models/saml_provider.rb
+++ b/ee/app/models/saml_provider.rb
@@ -81,7 +81,8 @@ def to_h
 assertion_consumer_service_url: assertion_consumer_service_url,
 issuer: issuer,
 name_identifier_format: name_identifier_format,
- idp_sso_target_url_runtime_params: { redirect_to: :RelayState }
+ idp_sso_target_url_runtime_params: { redirect_to: :RelayState },
+ message_max_bytesize: Gitlab.config.omniauth.saml_message_max_byte_size
 }
 end
 end
diff --git a/ee/spec/models/saml_provider_spec.rb b/ee/spec/models/saml_provider_spec.rb
index ea8224ac3a6baf1ced614197bec99b25a63041b8..45ff0f68df005e8d9b90173b8def5804dc2ecd14 100644
--- a/ee/spec/models/saml_provider_spec.rb
+++ b/ee/spec/models/saml_provider_spec.rb
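Review bot: The added line backfills `saml_message_max_byte_size` only when it is nil, so a value that is present but unusable — a quoted `"250000"` left as a String by the YAML loader, `0`, or a negative number — is handed to the SAML library unchanged, and a type problem would presumably surface as a failure on the first SAML response rather than at boot; confirm how the settings loader types this key. Coercing here fails fast and makes the contract explicit: `Settings.omniauth['saml_message_max_byte_size'] = Integer(Settings.omniauth['saml_message_max_byte_size'] || 250000)`. The default `250000` now appears as a literal both here and in `config/gitlab.yml.example`; a named constant next to this initializer would keep the two from drifting.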
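Review bot: The new `message_max_bytesize:` entry in `to_h` reads the instance-wide `Gitlab.config.omniauth.saml_message_max_byte_size` into every group SAML provider's settings, so the limit cannot be tuned per provider and raising it once loosens the size guard for all groups; that is an acceptable first step, but the key deserves a comment such as `# Size cap for incoming SAML messages (maps to ruby-saml message_max_bytesize); instance-wide, from omniauth.saml_message_max_byte_size`. Whether the instance-level omniauth `saml` provider configuration also receives this value is not visible in this diff — if it does not, the setting only governs group SAML and the example config should say so. The enclosing `to_h` begins outside the hunk.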
@@ -154,6 +154,16 @@
 it 'includes SSO URL' do
 expect(settings[:idp_sso_target_url]).to eq saml_provider.sso_url
 end
+
+ context 'when saml_message_max_byte_size present in gitlab settings ' do
+ before do
+ stub_omniauth_setting(saml_message_max_byte_size: 1_000_000)
+ end
+
+ it 'includes saml_message_max_byte_size' do
+ expect(settings[:message_max_bytesize]).to eq 1_000_000
+ end
+ end
 end
 
 describe '#enforced_sso?' do
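Review bot: The new context only asserts that a stubbed value is forwarded; nothing pins that the default reaches `settings[:message_max_bytesize]` when the setting is not overridden, which is the configuration every instance runs with. Add, outside the new context, `it 'includes the default message_max_bytesize' do` / `expect(settings[:message_max_bytesize]).to eq 250_000` / `end` — this assumes the initializer's default is loaded in the spec environment, which should be confirmed. The context description `'when saml_message_max_byte_size present in gitlab settings '` carries a trailing space inside the quotes. The enclosing describe block begins outside the hunk.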