Merge pull request #770 from SAML-Toolkits/prevent_dos_v2

pitbulk · web-flow · commit 38ef5dd1ce17 · 2025-07-29T23:55:58.000+02:00
Prevent DOS due large SAML Message. Fixes CVE-2025-54572
diff --git a/lib/ruby_saml/xml/decoder.rb b/lib/ruby_saml/xml/decoder.rb
@@ -15,14 +15,14 @@ module Decoder
       #   to prevent a possible DoS attack.
       # @return [String] The plain SAML Message
       def decode_message(message, max_bytesize = nil)
-        return message unless base64_encoded?(message)
-
         max_bytesize ||= DEFAULT_MAX_BYTESIZE
 
         if message.bytesize > max_bytesize # rubocop:disable Style/IfUnlessModifier
           raise ValidationError.new("Encoded SAML Message exceeds #{max_bytesize} bytes, so was rejected")
         end
 
+        return message unless base64_encoded?(message)
+
         message = try_inflate(base64_decode(message))
 
         if message.bytesize > max_bytesize # rubocop:disable Style/IfUnlessModifier
