From 165ef7889719d2b757f1903613fbb8794e27c286 Mon Sep 17 00:00:00 2001
From: renovate <renovate-bot@autistici.org>
Date: Wed, 22 Mar 2023 19:30:14 +0000
Subject: [PATCH] Update module github.com/crewjam/saml to v0.4.13

---
 go.mod                                        |  2 +-
 go.sum                                        |  2 ++
 vendor/github.com/crewjam/saml/README.md      |  2 +-
 vendor/github.com/crewjam/saml/flate.go       | 31 +++++++++++++++++++
 .../crewjam/saml/identity_provider.go         |  3 +-
 .../crewjam/saml/service_provider.go          |  2 +-
 vendor/modules.txt                            |  2 +-
 7 files changed, 38 insertions(+), 6 deletions(-)
 create mode 100644 vendor/github.com/crewjam/saml/flate.go

diff --git a/go.mod b/go.mod
index f5e54525..bb3f4b91 100644
--- a/go.mod
+++ b/go.mod
@@ -8,7 +8,7 @@ require (
 	git.autistici.org/id/go-sso v0.0.0-20221216110623-a98dfc78fec5
 	git.autistici.org/id/keystore v0.0.0-20221220085250-90031d0af976
 	git.autistici.org/id/usermetadb v0.0.0-20221125171152-3bbb63732147
-	github.com/crewjam/saml v0.4.12
+	github.com/crewjam/saml v0.4.13
 	github.com/duo-labs/webauthn v0.0.0-20220330035159-03696f3d4499
 	github.com/elazarl/go-bindata-assetfs v1.0.1
 	github.com/gorilla/csrf v1.7.1
diff --git a/go.sum b/go.sum
index 36944d1a..3f9d5c85 100644
--- a/go.sum
+++ b/go.sum
@@ -224,6 +224,8 @@ github.com/crewjam/saml v0.4.10 h1:Rjs6x4s/aQFXiaPjw3uhB4VdxRqoxHXOJrrj4BsMn9o=
 github.com/crewjam/saml v0.4.10/go.mod h1:9Zh6dWPtB3MSzTRt8fIFH60Z351QQ+s7hCU3J/tTlA4=
 github.com/crewjam/saml v0.4.12 h1:66Gsd+9iA/8ZGl8W+7DDTlJGWe3RneBFo+Uu/gvlB0w=
 github.com/crewjam/saml v0.4.12/go.mod h1:igEejV+fihTIlHXYP8zOec3V5A8y3lws5bQBFsTm4gA=
+github.com/crewjam/saml v0.4.13 h1:TYHggH/hwP7eArqiXSJUvtOPNzQDyQ7vwmwEqlFWhMc=
+github.com/crewjam/saml v0.4.13/go.mod h1:igEejV+fihTIlHXYP8zOec3V5A8y3lws5bQBFsTm4gA=
 github.com/daaku/go.zipexe v1.0.0/go.mod h1:z8IiR6TsVLEYKwXAoE/I+8ys/sDkgTzSL0CLnGVd57E=
 github.com/daaku/go.zipexe v1.0.1/go.mod h1:5xWogtqlYnfBXkSB1o9xysukNP9GTvaNkqzUZbt3Bw8=
 github.com/davecgh/go-spew v0.0.0-20161028175848-04cdfd42973b/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
diff --git a/vendor/github.com/crewjam/saml/README.md b/vendor/github.com/crewjam/saml/README.md
index 71f24786..c0b98058 100644
--- a/vendor/github.com/crewjam/saml/README.md
+++ b/vendor/github.com/crewjam/saml/README.md
@@ -58,7 +58,7 @@ import (
 )
 
 func hello(w http.ResponseWriter, r *http.Request) {
-	fmt.Fprintf(w, "Hello, %s!", samlsp.AttributeFromContext(r.Context(), "cn"))
+	fmt.Fprintf(w, "Hello, %s!", samlsp.AttributeFromContext(r.Context(), "displayName"))
 }
 
 func main() {
diff --git a/vendor/github.com/crewjam/saml/flate.go b/vendor/github.com/crewjam/saml/flate.go
new file mode 100644
index 00000000..4d14e780
--- /dev/null
+++ b/vendor/github.com/crewjam/saml/flate.go
@@ -0,0 +1,31 @@
+package saml
+
+import (
+	"compress/flate"
+	"fmt"
+	"io"
+)
+
+const flateUncompressLimit = 10 * 1024 * 1024 // 10MB
+
+func newSaferFlateReader(r io.Reader) io.ReadCloser {
+	return &saferFlateReader{r: flate.NewReader(r)}
+}
+
+type saferFlateReader struct {
+	r     io.ReadCloser
+	count int
+}
+
+func (r *saferFlateReader) Read(p []byte) (n int, err error) {
+	if r.count+len(p) > flateUncompressLimit {
+		return 0, fmt.Errorf("flate: uncompress limit exceeded (%d bytes)", flateUncompressLimit)
+	}
+	n, err = r.r.Read(p)
+	r.count += n
+	return n, err
+}
+
+func (r *saferFlateReader) Close() error {
+	return r.r.Close()
+}
diff --git a/vendor/github.com/crewjam/saml/identity_provider.go b/vendor/github.com/crewjam/saml/identity_provider.go
index 47052916..bcea5828 100644
--- a/vendor/github.com/crewjam/saml/identity_provider.go
+++ b/vendor/github.com/crewjam/saml/identity_provider.go
@@ -2,7 +2,6 @@ package saml
 
 import (
 	"bytes"
-	"compress/flate"
 	"crypto"
 	"crypto/tls"
 	"crypto/x509"
@@ -363,7 +362,7 @@ func NewIdpAuthnRequest(idp *IdentityProvider, r *http.Request) (*IdpAuthnReques
 		if err != nil {
 			return nil, fmt.Errorf("cannot decode request: %s", err)
 		}
-		req.RequestBuffer, err = ioutil.ReadAll(flate.NewReader(bytes.NewReader(compressedRequest)))
+		req.RequestBuffer, err = ioutil.ReadAll(newSaferFlateReader(bytes.NewReader(compressedRequest)))
 		if err != nil {
 			return nil, fmt.Errorf("cannot decompress request: %s", err)
 		}
diff --git a/vendor/github.com/crewjam/saml/service_provider.go b/vendor/github.com/crewjam/saml/service_provider.go
index 3eac33f7..6f6e7f4f 100644
--- a/vendor/github.com/crewjam/saml/service_provider.go
+++ b/vendor/github.com/crewjam/saml/service_provider.go
@@ -1524,7 +1524,7 @@ func (sp *ServiceProvider) ValidateLogoutResponseRedirect(queryParameterData str
 	}
 	retErr.Response = string(rawResponseBuf)
 
-	gr, err := ioutil.ReadAll(flate.NewReader(bytes.NewBuffer(rawResponseBuf)))
+	gr, err := ioutil.ReadAll(newSaferFlateReader(bytes.NewBuffer(rawResponseBuf)))
 	if err != nil {
 		retErr.PrivateErr = err
 		return retErr
diff --git a/vendor/modules.txt b/vendor/modules.txt
index c0024372..4a28708e 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -57,7 +57,7 @@ github.com/coreos/go-systemd/v22/daemon
 github.com/coreos/go-systemd/v22/journal
 # github.com/cpuguy83/go-md2man/v2 v2.0.0
 github.com/cpuguy83/go-md2man/v2/md2man
-# github.com/crewjam/saml v0.4.12
+# github.com/crewjam/saml v0.4.13
 ## explicit
 github.com/crewjam/saml
 github.com/crewjam/saml/logger
-- 
GitLab