SAML Response with UTF-8 encoded characters not supported
Summary
When a SAML Response has characters that are UTF-8 encoded (not ASCII), the POST call for the response causes an error.
The bug might be caused by the base64 encoding and decoding process having an ASCII-8BIT default encoding.
Issue reported in customer ticket --> https://gitlab.zendesk.com/agent/tickets/143692 (internal use only)
You can test the base64 encoding and decoding in the Rails console (sudo gitlab-rails console) with a Hebrew name:
irb(main):001:0> require "base64"
=> false
irb(main):002:0> string_encoding = Base64.encode64("ישראל")
=> "15nXqdeo15DXnA==\n"
irb(main):003:0> string_decoding = Base64.decode64(string_encoding)
=> "\xD7\x99\xD7\xA9\xD7\xA8\xD7\x90\xD7\x9C"
irb(main):004:0> encode_type = Base64.decode64(string_encoding).encoding
=> #<Encoding:ASCII-8BIT>
irb(main):005:0> forced_encoding = Base64.decode64(string_encoding).force_encoding('UTF-8').encode
=> "ישראל"
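The console session above shows the core of the problem: Base64.decode64 hands back an ASCII-8BIT string even when the bytes are valid UTF-8. The following added example (not GitLab's or omniauth-saml's code) reproduces that mismatch on a constructed attribute value and shows a decoder that re-tags the bytes as UTF-8 and rejects input that is not valid UTF-8; the XML fragment and helper names are assumptions for illustration:

```ruby
require "base64"

# Constructed sample: one SAML AttributeValue carrying a Hebrew name, base64
# encoded the way a SAMLResponse form parameter would be.
SAMPLE_ATTRIBUTE = '<saml:AttributeValue xsi:type="xsd:string">ישראל</saml:AttributeValue>'
SAMPLE_ENCODED   = Base64.strict_encode64(SAMPLE_ATTRIBUTE)

# Naive decode: returns the raw bytes tagged ASCII-8BIT (binary), which is
# what the console session above shows.
def decode_naive(encoded)
  Base64.decode64(encoded)
end

# Hardened decode: tag the bytes as UTF-8, then check they really are valid
# UTF-8 before anything downstream parses them. Returns nil on bad input.
def decode_utf8(encoded)
  decoded = Base64.decode64(encoded).force_encoding(Encoding::UTF_8)
  decoded.valid_encoding? ? decoded : nil
end

# Pull the text out of the AttributeValue element (ASCII-only regex, so it
# matches regardless of the string's encoding tag).
def extract_name(decoded_xml)
  m = decoded_xml.match(%r{<saml:AttributeValue[^>]*>(.*?)</saml:AttributeValue>}m)
  m && m[1]
end

# Compare an extracted value with a UTF-8 literal. A binary-tagged string is
# not comparable with a non-ASCII UTF-8 string, and a UTF-8 regexp match
# against it raises Encoding::CompatibilityError; both are reported here.
def name_matches?(value, expected)
  return false if value.nil?
  value =~ /#{Regexp.escape(expected)}/ ? true : false
rescue Encoding::CompatibilityError
  :incompatible_encoding
end
```

With the naive decoder the extracted name never equals the UTF-8 literal and a UTF-8 regexp match raises; with the UTF-8-tagged decoder both work.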
Steps to reproduce
- Pass a SAML Response to GitLab that contains a UTF-8 encoded character. For example, here is the attribute statement for a SAML Response with Hebrew names:
<saml:AttributeStatement>
<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">example@example.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xsd:string">ישראלי ישראל</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xsd:string">ישראל</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xsd:string">ישראלי</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
- Get a NoMethodError (undefined method '[]' for nil:NilClass) for the POST "/users/auth/saml/callback" call.
Change the names in the SAML Response to English, and the Response does not throw an error, and the user can log in successfully.
What is the current bug behavior?
UTF-8 encoded characters are not supported in the SAML integration
What is the expected correct behavior?
UTF-8 encoded characters should be supported in the SAML integration
Possible fixes
There is an open issue in the third party gem that may be related: https://github.com/omniauth/omniauth-saml/issues/57