Description
When a SAML artifact binding request is received at /realms/{realm}/protocol/saml with a SAMLart parameter whose Base64 payload decodes to fewer than 2 bytes, ArtifactBindingUtils.byteArrayToResolverProviderId() reads ar[0] and ar[1] without first checking the length of the array. The resulting ArrayIndexOutOfBoundsException is not handled on the request path, so the endpoint answers with HTTP 500 instead of rejecting the input as a client error. The endpoint is reachable without authentication.
Version affected
26.5.4 (latest stable)
Expected behavior
A malformed or undersized SAMLart value should be rejected early with an appropriate client error (HTTP 400) before any byte-level parsing is attempted.
Actual behavior
Submitting SAMLart=YQ== (valid Base64 that decodes to the single byte 0x61) causes Keycloak to throw an ArrayIndexOutOfBoundsException in ArtifactBindingUtils.byteArrayToResolverProviderId() and return HTTP 500. No authentication is required to trigger this. The effect is an input-validation gap: every such request produces an uncaught-exception stack trace in the server log and a 500 where a 400 is expected; nothing in the report suggests anything beyond that.
Steps to reproduce
- Start Keycloak 26.5.4 in production mode with SAML artifact binding enabled.
- Send the following request (no authentication required):
POST /realms/master/protocol/saml
Content-Type: application/x-www-form-urlencoded

SAMLart=YQ==
- Observe the HTTP 500 response and the ArrayIndexOutOfBoundsException in the server logs.
Relevant code
server-spi-private/src/main/java/org/keycloak/protocol/saml/util/ArtifactBindingUtils.java line 10 and 14 — array read at index 0 and 1 without prior length validation.
Suggested fix
Add a length check in byteArrayToResolverProviderId() before accessing ar[0] and ar[1], and throw an IllegalArgumentException (or otherwise signal a client error) if the input is shorter than the minimum expected artifact length. Per the SAML 2.0 artifact format (Bindings specification, section 3.6.4) every artifact begins with a 2-byte TypeCode followed by a 2-byte EndpointIndex, so anything under 4 bytes can be rejected outright; a type 0x0004 artifact is fixed at 44 bytes (4-byte header, 20-byte SourceID, 20-byte MessageHandle). The caller that Base64-decodes SAMLart should map both undecodable input and undersized input to HTTP 400 so that no byte-level parsing happens on an unvalidated array.
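The validation described in the suggested fix, together with the inputs from the reproduction steps, as an added standalone model (this is example code, not Keycloak's Java source; the function names, the 400/200 status mapping and the constructed test artifacts are assumptions made for illustration). It decodes SAMLart, enforces the 4-byte minimum before any index access, checks the fixed length of type 0x0004 artifacts, and shows how each malformed value is turned into a client error rather than an exception:

```python
"""Standalone model of SAMLart validation for the artifact binding.
Added example, not Keycloak code: names and status mapping are assumptions."""
import base64
import binascii
import hashlib
import os
import struct

# SAML 2.0 Bindings, section 3.6.4: every artifact starts with a 2-byte TypeCode
# followed by a 2-byte EndpointIndex; the layout of the rest depends on TypeCode.
# Type 0x0004 is TypeCode | EndpointIndex | SourceID (20) | MessageHandle (20).
MIN_ARTIFACT_LEN = 4
TYPE4_CODE = 0x0004
TYPE4_LEN = 44


class ArtifactError(ValueError):
    """Any SAMLart value that should be answered with HTTP 400, not 500."""


def decode_samlart(samlart: str) -> bytes:
    """Base64-decode SAMLart and enforce the minimum length before any ar[i] access."""
    try:
        raw = base64.b64decode(samlart, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ArtifactError(f"SAMLart is not valid Base64: {exc}") from None
    if len(raw) < MIN_ARTIFACT_LEN:
        raise ArtifactError(
            f"SAMLart decodes to {len(raw)} byte(s); at least {MIN_ARTIFACT_LEN} required")
    return raw


def resolver_provider_id(raw: bytes) -> str:
    """Hex of the 2-byte TypeCode, the value the report says selects the resolver.
    Guarded on its own so the helper stays safe even when called directly."""
    if len(raw) < 2:
        raise ArtifactError("artifact shorter than its 2-byte type code")
    return raw[:2].hex()


def parse_artifact(samlart: str) -> dict:
    """Validate and split an artifact; raises ArtifactError for anything malformed."""
    raw = decode_samlart(samlart)
    type_code, endpoint_index = struct.unpack(">HH", raw[:MIN_ARTIFACT_LEN])
    info = {"resolver": resolver_provider_id(raw), "type_code": type_code,
            "endpoint_index": endpoint_index}
    if type_code == TYPE4_CODE:
        if len(raw) != TYPE4_LEN:
            raise ArtifactError(
                f"type 0004 artifact must be {TYPE4_LEN} bytes, got {len(raw)}")
        info["source_id"] = raw[4:24].hex()
        info["message_handle"] = raw[24:44].hex()
    return info


def handle_artifact_request(samlart: str):
    """(status, body) the endpoint should produce for a given SAMLart form value."""
    try:
        return 200, parse_artifact(samlart)
    except ArtifactError as exc:
        return 400, {"error": str(exc)}


def build_type4_artifact(issuer_entity_id: str, endpoint_index: int = 0,
                         message_handle=None) -> str:
    """Constructed well-formed type 0004 artifact for exercising the happy path.
    SourceID is SHA-1 of the issuer entity ID, as the artifact format specifies."""
    source_id = hashlib.sha1(issuer_entity_id.encode()).digest()
    handle = message_handle if message_handle is not None else os.urandom(20)
    raw = struct.pack(">HH", TYPE4_CODE, endpoint_index) + source_id + handle
    return base64.b64encode(raw).decode()


if __name__ == "__main__":
    # Constructed inputs: the one-byte value from the report, an empty value,
    # non-Base64 text, a bare 4-byte type 0004 header, and a well-formed artifact.
    samples = ["YQ==", "", "not base64!", "AAQAAA==",
               build_type4_artifact("https://idp.example.test/realms/master")]
    for art in samples:
        print(repr(art)[:24].ljust(26), handle_artifact_request(art))
```

Running the block prints a 400 with a reason for the first four inputs and a 200 with the parsed fields for the constructed artifact; the resolver id for a type 0x0004 artifact is "0004".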