From 154ee89b67c7234780ecd1a75221eccafef423b1 Mon Sep 17 00:00:00 2001
From: Mauricio Guevara
Date: Wed, 20 Nov 2024 10:01:36 -0400
Subject: [PATCH 1/2] added relay state validation to match site base uri
---
 .../Exception/SamlInvalidRelayStateUri.php | 20 +++++++++++++++++++
 .../Saml/RelayStateAuthFlowServiceTrait.php | 17 +++++++++++++---
 .../Saml/SamlConfigurationInterface.php | 5 +++++
 3 files changed, 39 insertions(+), 3 deletions(-)
 create mode 100644 src/ServiceProvider/Saml/Exception/SamlInvalidRelayStateUri.php
diff --git a/src/ServiceProvider/Saml/Exception/SamlInvalidRelayStateUri.php b/src/ServiceProvider/Saml/Exception/SamlInvalidRelayStateUri.php
new file mode 100644
index 0000000..75ce690
--- /dev/null
+++ b/src/ServiceProvider/Saml/Exception/SamlInvalidRelayStateUri.php
@@ -0,0 +1,20 @@
+debug('Found RelayState', ['RelayState' => $relayState]);
 try {
- return XUri::isAbsoluteUrl($relayState)
- ? XUri::newFromString($relayState)
- : $saml->getRelayStateBaseUri()->atPath($relayState);
+ if(XUri::isAbsoluteUrl($relayState)) {
+ if(!$saml->isValidRelayStateUri($relayState)) {
+ throw new SamlInvalidRelayStateUri();
+ }
+ return XUri::newFromString($relayState);
+ } else {
+ return $saml->getRelayStateBaseUri()->atPath($relayState);
+ }
 } catch(MalformedPathQueryFragmentException $e) {
 $this->logger->warning('Could not append relative RelayState to service provider base URI, {{Error}}', [
 'Error' => $e->getMessage()
@@ -57,6 +63,11 @@ protected function getRedirectUriFromRequestRelayState(SamlConfigurationInterfac
 'Error' => $e->getMessage()
 ]);
 }
+ catch(SamlInvalidRelayStateUri $e) {
+ $this->logger->warning('RelayState URI does not match the site base URI, {{Uri}}', [
+ 'Uri' => $e->getMessage()
+ ]);
+ }
 }
 return $saml->getDefaultReturnUri();
 }
diff --git a/src/ServiceProvider/Saml/SamlConfigurationInterface.php b/src/ServiceProvider/Saml/SamlConfigurationInterface.php
index 9b7c2e1..25dd271 100644
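Review bot: The new `catch(SamlInvalidRelayStateUri $e)` block logs `$e->getMessage()` under the `{{Uri}}` placeholder, but the exception is thrown earlier in this function with no constructor arguments (`throw new SamlInvalidRelayStateUri();`), so unless the new exception class sets a default message the warning will record an empty string rather than the rejected RelayState. Recording the value that failed validation is what makes a rejected redirect investigable, so either pass it when throwing, `throw new SamlInvalidRelayStateUri($relayState);`, or log `$relayState` directly in the catch instead of the exception message. The second patch touches the same catch block (message wording only) and leaves this unchanged. Separately, the validation runs only on the absolute-URL branch; whether `XUri::isAbsoluteUrl` treats scheme-relative values as relative and what `atPath` then produces for them is not visible here and is worth confirming. getRedirectUriFromRequestRelayState begins outside this hunk.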
--- a/src/ServiceProvider/Saml/SamlConfigurationInterface.php
+++ b/src/ServiceProvider/Saml/SamlConfigurationInterface.php
@@ -170,4 +170,9 @@ public function isNameIdFormatEnforcementEnabled() : bool;
 * @return bool
 */
 public function isStrictValidationRequired() : bool;
+
+ /**
+ * @return bool
+ */
+ public function isValidRelayStateUri(string $uri) : bool;
 }
From b32dbf63b70ae68f1a646926588c9b80b2ddfccd Mon Sep 17 00:00:00 2001
From: Mauricio Guevara
Date: Wed, 20 Nov 2024 10:09:16 -0400
Subject: [PATCH 2/2] updated message
---
 src/ServiceProvider/Saml/RelayStateAuthFlowServiceTrait.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ServiceProvider/Saml/RelayStateAuthFlowServiceTrait.php b/src/ServiceProvider/Saml/RelayStateAuthFlowServiceTrait.php
index db6f983..5ccc6ee 100644
--- a/src/ServiceProvider/Saml/RelayStateAuthFlowServiceTrait.php
+++ b/src/ServiceProvider/Saml/RelayStateAuthFlowServiceTrait.php
@@ -64,7 +64,7 @@ protected function getRedirectUriFromRequestRelayState(SamlConfigurationInterfac
 ]);
 }
 catch(SamlInvalidRelayStateUri $e) {
- $this->logger->warning('RelayState URI does not match the site base URI, {{Uri}}', [
+ $this->logger->warning('RelayState URI does not match service provider base URI, {{Uri}}', [
 'Uri' => $e->getMessage()
 ]);
 }
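Review bot: The docblock added for `isValidRelayStateUri` says only `@return bool` and documents neither `$uri` nor what "valid" means, although the trait that calls it drops the RelayState redirect on a `false` return, so implementers need the contract spelled out. I would replace it with a description such as `Whether an absolute RelayState URI may be used as a post-login redirect target; it is expected to match the service provider base URI`, plus `@param string $uri absolute URI taken from the RelayState parameter` and the existing `@return bool`. The surrounding interface declaration begins outside this hunk.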