Security: address CodeQL remarks

Author: guimard

packages/auth-kerberos/src/index.ts

@@ -165,12 +165,32 @@ export class KerberosAuth {
    */
   extractToken(req: Request): string | null {
     const authHeader = req.headers.authorization;
-    if (!authHeader) {
+    // Limit header length to prevent potential issues with very long inputs
+    if (!authHeader || authHeader.length > 8192) {
       return null;
     }
 
-    const match = authHeader.match(/^Negotiate\s+(.+)$/i);
-    return match ? match[1] : null;
+    // Use case-insensitive prefix check and manual whitespace handling
+    // to avoid regex that might trigger ReDoS warnings
+    const headerLower = authHeader.toLowerCase();
+    if (!headerLower.startsWith("negotiate")) {
+      return null;
+    }
+
+    // Skip "negotiate" (9 chars) and whitespace
+    let pos = 9;
+    while (pos < authHeader.length) {
+      const c = authHeader[pos];
+      if (c !== " " && c !== "\t") break;
+      pos++;
+    }
+
+    // Must have at least one whitespace after "negotiate"
+    if (pos === 9 || pos >= authHeader.length) {
+      return null;
+    }
+
+    return authHeader.substring(pos);
   }
 
   /**

packages/issuer-cas/src/issuer.ts

@@ -573,6 +573,12 @@ export class CASIssuer {
       return undefined;
     }
 
+    // Defensive type check - pgtUrl could be array from query params
+    if (typeof pgtUrl !== "string") {
+      this.log("warn", "Invalid pgtUrl type");
+      return undefined;
+    }
+
     // Validate pgtUrl (must be HTTPS)
     if (!pgtUrl.startsWith("https://")) {
       this.log("warn", `Invalid pgtUrl (not HTTPS): ${pgtUrl}`);
@@ -698,6 +704,10 @@ export class CASIssuer {
    * Build redirect URL with ticket
    */
   private buildRedirectUrl(service: string, ticket: string): string {
+    // Defensive type check - service could be array from query params
+    if (typeof service !== "string") {
+      service = String(service);
+    }
     const separator = service.includes("?") ? "&" : "?";
     return `${service}${separator}ticket=${ticket}`;
   }

packages/issuer-oidc/src/provider.ts

@@ -2068,6 +2068,11 @@ export class OIDCProvider {
    * Check if a URI is potentially dangerous (XSS, injection)
    */
   private isDangerousUri(uri: string): boolean {
+    // Limit URI length to prevent potential ReDoS (also rejects unreasonably long URIs)
+    if (!uri || uri.length > 8192) {
+      return true;
+    }
+
     // Check for dangerous schemes
     const dangerousSchemes = /^\s*(javascript|vbscript|data):/i;
     if (dangerousSchemes.test(uri)) {

packages/issuer-oidc/src/router.ts

@@ -476,12 +476,26 @@ async function handleEndSession(
 ): Promise<void> {
   const { provider, renderLogout } = options;
 
-  const postLogoutRedirectUri = (req.query.post_logout_redirect_uri ||
-    req.body?.post_logout_redirect_uri) as string;
-  const idTokenHint = (req.query.id_token_hint ||
-    req.body?.id_token_hint) as string;
-  const clientId = (req.query.client_id || req.body?.client_id) as string;
-  const state = (req.query.state || req.body?.state) as string;
+  // Helper to safely extract string param (could be array from query string)
+  const getStringParam = (
+    value: string | string[] | undefined,
+  ): string | undefined => {
+    if (Array.isArray(value)) return value[0];
+    return value;
+  };
+
+  const postLogoutRedirectUri = getStringParam(
+    req.query.post_logout_redirect_uri as string | string[] | undefined,
+  ) || getStringParam(req.body?.post_logout_redirect_uri);
+  const idTokenHint = getStringParam(
+    req.query.id_token_hint as string | string[] | undefined,
+  ) || getStringParam(req.body?.id_token_hint);
+  const clientId = getStringParam(
+    req.query.client_id as string | string[] | undefined,
+  ) || getStringParam(req.body?.client_id);
+  const state = getStringParam(
+    req.query.state as string | string[] | undefined,
+  ) || getStringParam(req.body?.state);
 
   // Validate logout request
   const validation = provider.validateLogoutRequest({

packages/lib-cas/src/utils.ts

@@ -10,6 +10,10 @@ export function isServiceUrlValid(
   serviceUrl: string,
   allowedPatterns: string[],
 ): boolean {
+  // Defensive type check - ensure serviceUrl is a string (could be array from query params)
+  if (typeof serviceUrl !== "string") {
+    return false;
+  }
   if (!serviceUrl || !allowedPatterns || allowedPatterns.length === 0) {
     return false;
   }
@@ -87,6 +91,10 @@ export function appendQueryParam(
   key: string,
   value: string,
 ): string {
+  // Defensive type check
+  if (typeof url !== "string") {
+    url = String(url);
+  }
   const separator = url.includes("?") ? "&" : "?";
   return `${url}${separator}${encodeURIComponent(key)}=${encodeURIComponent(value)}`;
 }
@@ -218,7 +226,11 @@ export function buildSamlValidateUrl(
  * Normalize CAS server URL (remove trailing slash)
  */
 export function normalizeCasServerUrl(url: string): string {
-  return url.replace(/\/+$/, "");
+  // Remove trailing slashes without regex to avoid ReDoS warnings
+  while (url.endsWith("/")) {
+    url = url.slice(0, -1);
+  }
+  return url;
 }
 
 /**

packages/lib-cas/src/xml-parser.ts

@@ -4,6 +4,12 @@
 
 import { SAMLValidateRequest, CASValidateResult } from "./types";
 
+/**
+ * Maximum XML input size to prevent ReDoS attacks
+ * 1MB should be more than enough for any valid CAS/SAML response
+ */
+const MAX_XML_SIZE = 1024 * 1024;
+
 /**
  * Simple XML tag extraction (without full XML parser dependency)
  */
@@ -60,7 +66,7 @@ function extractAttribute(
 export function parseSamlValidateRequest(
   xml: string,
 ): SAMLValidateRequest | null {
-  if (!xml) return null;
+  if (!xml || xml.length > MAX_XML_SIZE) return null;
 
   // Extract ticket from AssertionArtifact
   const ticket = extractTagContent(xml, "AssertionArtifact");
@@ -95,11 +101,11 @@ function unescapeXml(str: string): string {
  * Parse CAS serviceValidate response
  */
 export function parseServiceValidateResponse(xml: string): CASValidateResult {
-  if (!xml) {
+  if (!xml || xml.length > MAX_XML_SIZE) {
     return {
       success: false,
       code: "INVALID_RESPONSE",
-      message: "Empty response",
+      message: !xml ? "Empty response" : "Response too large",
     };
   }
 
@@ -199,11 +205,11 @@ export function parseValidateResponse(response: string): CASValidateResult {
  * Parse SAML validate response (for CAS SP)
  */
 export function parseSamlValidateResponse(xml: string): CASValidateResult {
-  if (!xml) {
+  if (!xml || xml.length > MAX_XML_SIZE) {
     return {
       success: false,
       code: "INVALID_RESPONSE",
-      message: "Empty response",
+      message: !xml ? "Empty response" : "Response too large",
     };
   }
 
@@ -273,11 +279,11 @@ export function parseProxyResponse(
 ):
   | { success: true; proxyTicket: string }
   | { success: false; code: string; message: string } {
-  if (!xml) {
+  if (!xml || xml.length > MAX_XML_SIZE) {
     return {
       success: false,
       code: "INVALID_RESPONSE",
-      message: "Empty response",
+      message: !xml ? "Empty response" : "Response too large",
     };
   }
 

packages/lib-saml/src/utils.ts

@@ -317,11 +317,21 @@ export function parseQueryString(query: string): Record<string, string> {
   return params;
 }
 
+/**
+ * Maximum SOAP envelope size to prevent ReDoS attacks
+ */
+const MAX_SOAP_SIZE = 1024 * 1024; // 1MB
+
 /**
  * Extract SAML message from SOAP envelope
  * Supports both LogoutRequest and LogoutResponse
  */
 export function extractSamlFromSoap(soapEnvelope: string): string | null {
+  // Limit input size to prevent ReDoS
+  if (!soapEnvelope || soapEnvelope.length > MAX_SOAP_SIZE) {
+    return null;
+  }
+
   // Try to extract LogoutRequest
   let match = soapEnvelope.match(
     /<(?:samlp:|)[Ll]ogout[Rr]equest[\s\S]*?<\/(?:samlp:|)[Ll]ogout[Rr]equest>/,