elastic · azasypkin · Dec 18, 2019 · azasypkin · Dec 18, 2019
diff --git a/x-pack/plugins/security/server/routes/authentication/saml.ts b/x-pack/plugins/security/server/routes/authentication/saml.ts
@@ -12,7 +12,14 @@ import { RouteDefinitionParams } from '..';
 /**
  * Defines routes required for SAML authentication.
  */
-export function defineSAMLRoutes({ router, logger, authc, csp, basePath }: RouteDefinitionParams) {
+export function defineSAMLRoutes({
+  router,
+  logger,
+  authc,
+  csp,
+  basePath,
+  config,
+}: RouteDefinitionParams) {
   router.get(
     {
       path: '/api/security/saml/capture-url-fragment',
@@ -43,11 +50,15 @@ export function defineSAMLRoutes({ router, logger, authc, csp, basePath }: Route
       options: { authRequired: false },
     },
     (context, request, response) => {
+      // NodeJS limits the maximum size of the Request-Line + all HTTP headers to 8KB.
+      // See https://nodejs.org/api/cli.html#cli_max_http_header_size_size.
+      const maxRedirectURLSize = config.authc.saml?.maxRedirectURLSize.getValueInBytes() ?? 4096;
       return response.custom(
         createCustomResourceResponse(
           `
+          const hash = encodeURIComponent(window.location.hash);
           window.location.replace(
-            '${basePath.serverBasePath}/api/security/saml/start?redirectURLFragment=' + encodeURIComponent(window.location.hash)
+            '${basePath.serverBasePath}/api/security/saml/start?redirectURLFragment=' + (hash.length < ${maxRedirectURLSize} ? hash : '')
           );
         `,
           'text/javascript',

diff --git a/x-pack/test/saml_api_integration/apis/security/saml_login.ts b/x-pack/test/saml_api_integration/apis/security/saml_login.ts
@@ -150,6 +150,39 @@ export default function({ getService }: FtrProviderContext) {
           '/api/security/saml/start?redirectURLFragment=%23%2Fworkpad'
         );
       });
+
+      it('does not send URL fragments that exceed size limit to the server', async () => {
+        const response = await supertest.get('/api/security/saml/capture-url-fragment').expect(200);
+
+        const kibanaBaseURL = url.format({ ...config.get('servers.kibana'), auth: false });
+        const dom = new JSDOM(response.text, {
+          url: kibanaBaseURL,
+          runScripts: 'dangerously',
+          resources: 'usable',
+          beforeParse(window) {
+            // JSDOM doesn't support changing of `window.location` and throws an exception if script
+            // tries to do that and we have to workaround this behaviour. We also need to wait until our
+            // script is loaded and executed, __isScriptExecuted__ is used exactly for that.
+            (window as Record<string, any>).__isScriptExecuted__ = new Promise(resolve => {
+              const hash = '#/workpad'.repeat(10);
+              Object.defineProperty(window, 'location', {
+                value: {
+                  hash,
+                  href: `${kibanaBaseURL}/api/security/saml/capture-url-fragment${hash}`,
+                  replace(newLocation: string) {
+                    this.href = newLocation;
+                    resolve();
+                  },
+                },
+              });
+            });
+          },
+        });
+
+        await (dom.window as Record<string, any>).__isScriptExecuted__;
+
+        expect(dom.window.location.href).to.be('/api/security/saml/start?redirectURLFragment=');
+      });
     });
 
     describe('initiating handshake', () => {