feat: wrap inflation errors

`pako` has a tendency to throw obscure error strings e.g. "too many length or distance symbols", which can make gracefully handling bad input difficult when an error is thrown from `parseLoginRequest`. This wraps the inflation step to allow throwing a dedicated error with a static message for inflation issues, while still making the original error available.
tngan · Feb 23, 2023 · 67be597 · 67be597
1 parent 49295a2
commit 67be597
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 2 deletions.
diff --git a/src/flow.ts b/src/flow.ts
@@ -1,4 +1,4 @@
-import { inflateString, base64Decode } from './utility';
+import { inflateString, base64Decode, WrappedError } from './utility';
 import { verifyTime } from './validator';
 import libsaml from './libsaml';
 import {
@@ -67,7 +67,13 @@ async function redirectFlow(options): Promise<FlowResult>  {
     return Promise.reject('ERR_REDIRECT_FLOW_BAD_ARGS');
   }
 
-  const xmlString = inflateString(decodeURIComponent(content));
+  let xmlString: string
+
+  try {
+    xmlString = inflateString(decodeURIComponent(content));
+  } catch (cause) {
+    throw new WrappedError('ERR_FAILED_INFLATION', { cause })
+  }
 
   // validate the xml
   try {

diff --git a/src/utility.ts b/src/utility.ts
@@ -8,6 +8,21 @@ import { inflate, deflate } from 'pako';
 
 const BASE64_STR = 'base64';
 
+/**
+ * An Error class with a "cause".
+ *
+ * This can be replaced by the native option, once the minimum supported version is >=16.9.0.
+ * https://nodejs.org/docs/latest-v16.x/api/errors.html#errorcause
+ */
+export class WrappedError extends Error {
+  public cause: any;
+
+  constructor(message: string, options: { cause: any }) {
+    super(message);
+    this.cause = options.cause;
+  }
+}
+
 /**
  * @desc Mimic lodash.zipObject
  * @param arr1 {string[]}

diff --git a/test/flow.ts b/test/flow.ts
@@ -1382,3 +1382,11 @@ test.serial('should not throw ERR_SUBJECT_UNCONFIRMED for the expired SAML respo
   }
 
 });
+
+test('should throw ERR_FAILED_INFLATION when pako is unable to inflate a redirect login request', async t => {
+  const query = { SAMLRequest: 'foo', Signature: 'bar', SigAlg: 'baz' };
+  const error = await t.throwsAsync<any>(idp.parseLoginRequest(sp, 'redirect', { query }));
+
+  t.is(error.message, 'ERR_FAILED_INFLATION');
+  t.is(error.cause, 'invalid block type'); // pako throws strings instead of Error instances for bad input
+});