
Cherry-pick #47463: Improve SAMLResponse validation in SSO callbacks #47511

Merged
lucasmrod merged 1 commit into rc-minor-fleet-v4.87.0 from lucasmrod/saml-response-validation-cp
Jun 12, 2026

Conversation

@lucasmrod (Member)

Cherry-pick of #47463 into the RC branch.

- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [X] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit

* **Security Enhancements**
  * Enforced strict size limits for SAMLResponse payloads and rejected overly large submissions.
  * Added protections against deeply nested or excessively large SAML XML documents.
  * Applied rate limiting to SSO/authentication callback endpoints (configurable via Auth settings).
* **Tests**
  * Added tests verifying SAMLResponse size and XML shape validation behavior.
* **Documentation**
  * Noted these SSO validation and rate-limiting changes in the changelog.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
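The size and XML-shape checks the summary above describes, as an added Go illustration that is not Fleet's code from #47463: the limit values, the error names and the order of checks are assumptions, and the idea is that a SAMLResponse is bounded and streamed through the tokenizer before it ever reaches signature verification or assertion parsing (rate limiting is left out).

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"io"
)

// Illustrative limits (assumptions, not Fleet's values), enforced before signature verification.
const MaxEncodedBytes = 64 * 1024 // upper bound on the base64 SAMLResponse form value
const MaxDepth = 32               // deepest element nesting accepted
const MaxElements = 2048          // total start elements accepted
var ErrTooLarge = errors.New("SAMLResponse exceeds size limit")
var ErrXMLShape = errors.New("SAML XML exceeds nesting or element limits")

// ValidateSAMLResponse rejects an oversized form value before base64-decoding it, then streams the XML.
func ValidateSAMLResponse(encoded string) error {
	if len(encoded) > MaxEncodedBytes {
		return ErrTooLarge
	}
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return err
	}
	return checkXMLShape(raw)
}

// checkXMLShape walks tokens without building a tree, so limits hold even for memory-exhausting documents.
func checkXMLShape(raw []byte) error {
	dec := xml.NewDecoder(bytes.NewReader(raw))
	depth, count := 0, 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		switch tok.(type) {
		case xml.StartElement:
			depth++
			count++
			if depth > MaxDepth || count > MaxElements {
				return ErrXMLShape
			}
		case xml.EndElement:
			depth--
		}
	}
}
```

A handler would map `ErrTooLarge` and `ErrXMLShape` to a 4xx response and log the rejection, so oversized or malformed callbacks are visible in SSO audit data without ever being parsed as assertions.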
@lucasmrod lucasmrod requested a review from a team as a code owner June 12, 2026 13:58
@lucasmrod lucasmrod merged commit 480a6b9 into rc-minor-fleet-v4.87.0 Jun 12, 2026
22 checks passed
@lucasmrod lucasmrod deleted the lucasmrod/saml-response-validation-cp branch June 12, 2026 14:13
@codecov (bot) commented Jun 12, 2026
Codecov Report

❌ Patch coverage is 78.00000% with 11 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (rc-minor-fleet-v4.87.0@c6b75af). Learn more about missing BASE report.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| server/service/handler.go | 63.15% | 5 Missing and 2 partials ⚠️ |
| cmd/fleet/serve.go | 0.00% | 2 Missing ⚠️ |
| server/sso/authorization_response.go | 90.90% | 1 Missing and 1 partial ⚠️ |
Additional details and impacted files
@@                    Coverage Diff                    @@
##             rc-minor-fleet-v4.87.0   #47511   +/-   ##
=========================================================
  Coverage                          ?   67.18%           
=========================================================
  Files                             ?     2914           
  Lines                             ?   226770           
  Branches                          ?    11823           
=========================================================
  Hits                              ?   152355           
  Misses                            ?    60629           
  Partials                          ?    13786           
| Flag | Coverage Δ |
| --- | --- |
| backend | 68.82% <78.00%> (?) |

