Merge pull request #85 from d0ge/infinity-loop-at-decompression-fix

Infinity loop at compression fix

Author: tobiashort

BappManifest.bmf

@@ -2,12 +2,12 @@ Uuid: c61cfa893bb14db4b01775554f7b802e
 ExtensionType: 1
 Name: SAML Raider
 RepoName: saml-raider
-ScreenVersion: 2.1.0
-SerialVersion: 18
+ScreenVersion: 2.1.1
+SerialVersion: 19
 MinPlatformVersion: 0
 ProOnly: False
 Author: Roland Bischofberger / Emanuel Duss / Tobias Hort-Giess
 ShortDescription: Provides a SAML message editor and a certificate management tool to help with testing SAML infrastructures.
-EntryPoint: build/libs/saml-raider-2.1.0.jar
+EntryPoint: build/libs/saml-raider-2.1.1.jar
 BuildCommand: ./gradlew jar
 SupportedProducts: Pro, Community

README.md

@@ -79,7 +79,7 @@ Don't forget to rate our extension with as many stars you like :smile:.
 ### Manual Installation
 
 First, download the latest SAML Raider version:
-[saml-raider-2.1.0.jar](https://github.com/SAMLRaider/SAMLRaider/releases/download/v2.1.0/saml-raider-2.1.0.jar).
+[saml-raider-2.1.1.jar](https://github.com/SAMLRaider/SAMLRaider/releases/download/v2.1.1/saml-raider-2.1.1.jar).
 Then, start Burp Suite and click in the `Extensions` tab on `Add`. Choose the
 SAML Raider JAR file to install it and you are ready to go.
 

build.gradle

@@ -2,7 +2,7 @@ plugins {
 	id "java-library"
 }
 
-version = "2.1.0"
+version = "2.1.1"
 
 repositories {
 	mavenCentral()

src/main/java/application/SamlMessageDecoder.java

@@ -32,20 +32,23 @@ public static DecodedSAMLMessage getDecodedSAMLMessage(String message, boolean i
         boolean isInflated = true;
         boolean isGZip = true;
 
-       var httpHelpers = new HTTPHelpers();
-
-        try {
-            byte[] inflated = httpHelpers.decompress(base64Decoded, true);
-            return new DecodedSAMLMessage(new String(inflated, StandardCharsets.UTF_8), isInflated, isGZip);
-        } catch (DataFormatException e) {
-            isGZip = false;
-        }
-
-        try {
-            byte[] inflated = httpHelpers.decompress(base64Decoded, false);
-            return new DecodedSAMLMessage(new String(inflated, StandardCharsets.UTF_8), isInflated, isGZip);
-        } catch (DataFormatException e) {
+        if (base64Decoded.length == 0) {
             isInflated = false;
+            isGZip = false;
+        } else {
+            var httpHelpers = new HTTPHelpers();
+            try {
+                byte[] inflated = httpHelpers.decompress(base64Decoded, true);
+                return new DecodedSAMLMessage(new String(inflated, StandardCharsets.UTF_8), isInflated, isGZip);
+            } catch (DataFormatException e) {
+                isGZip = false;
+            }
+            try {
+                byte[] inflated = httpHelpers.decompress(base64Decoded, false);
+                return new DecodedSAMLMessage(new String(inflated, StandardCharsets.UTF_8), isInflated, isGZip);
+            } catch (DataFormatException e) {
+                isInflated = false;
+            }
         }
 
         return new DecodedSAMLMessage(new String(base64Decoded, StandardCharsets.UTF_8), isInflated, isGZip);

src/main/java/helpers/HTTPHelpers.java

@@ -9,10 +9,10 @@
 
 public class HTTPHelpers {
 
-    /**
-     * <a href="http://qupera.blogspot.ch/2013/02/howto-compress-and-uncompress-java-byte.html">Source</a>
-     */
     public byte[] decompress(byte[] data, boolean gzip) throws DataFormatException {
+        if (data.length == 0) {
+            return new byte[0];
+        }
         try (ByteArrayOutputStream outputStream = new ByteArrayOutputStream(data.length)) {
             Inflater inflater = new Inflater(gzip);
             inflater.setInput(data);
@@ -29,10 +29,10 @@ public byte[] decompress(byte[] data, boolean gzip) throws DataFormatException {
         }
     }
 
-    /**
-     * <a href="http://qupera.blogspot.ch/2013/02/howto-compress-and-uncompress-java-byte.html">Source</a>
-     */
     public byte[] compress(byte[] data, boolean gzip) {
+        if (data.length == 0) {
+            return new byte[0];
+        }
         try (ByteArrayOutputStream outputStream = new ByteArrayOutputStream(data.length)) {
             Deflater deflater = new Deflater(5, gzip);
             deflater.setInput(data);

src/test/java/application/HTTPHelpersTest.java

@@ -6,10 +6,11 @@
 import java.util.zip.DataFormatException;
 import org.junit.jupiter.api.Test;
 
-import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.*;
 
 
 public class HTTPHelpersTest {
+
     HTTPHelpers helpers = new HTTPHelpers();
 
     String compressed = "fVLLasMwEPwVo3siWXb8EI6hNJdAemlCDr0UPdaNwZaEV4J+fh2H0gRKTmJ3NLOzIzUox8GLg/tyMbwDemcRku9xsCgWaEviZIWT2KOwcgQUQYvjy9tB8DUTfnLBaTeQO8pzhkSEKfTOkmS/25LPQmpV6jwtOYNu0zGmc53xrmBpoVVWm7JLNatlVVUkOcOEM3NLZqGZjhhhbzFIG+YWSzcrVq7S+pRmIssF4x8k2QGG3sqwsC4heEHp1WOEAT3FfvQDXGs6OhMHWPuLX3CKt5OvhiWZBTDQyTiEFfp5uP0N6+TmLWpeVEqV3DCjeJ5DV9baZGxub8CAUgagLE2t6oq0zVVYLO6n9tFTb3xD7+Hm9jzHIEPEx+rVGUjOcqY9DxyX2+IYtQZEQtvbhD9R+t8XaH8A";
@@ -29,4 +30,20 @@ public void testDeflate() throws IOException {
         assertEquals(compressed, result);
     }
 
+    @Test
+    public void testEmptyInflate() throws Exception {
+        byte[] emptyInput = new byte[0];
+        byte[] decompressed = helpers.decompress(emptyInput, true);
+        assertNotNull(decompressed, "Decompressed output should not be null");
+        assertEquals(0, decompressed.length, "Deompressed output of empty input should be empty");
+    }
+
+    @Test
+    public void testEmptyDeflate() {
+        byte[] emptyInput = new byte[0];
+        byte[] compressed = helpers.compress(emptyInput, true);
+        assertNotNull(compressed, "Compressed output should not be null");
+        assertEquals(0, compressed.length, "Compressed output of empty input should be empty");
+    }
+
 }