Skip to content

Upgrade xml-crypto from ^0.10.0 to ^2.0.0 #228

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mcab merged 3 commits into from
Feb 4, 2021
Merged

Upgrade xml-crypto from ^0.10.0 to ^2.0.0 #228

mcab merged 3 commits into from
Feb 4, 2021

Conversation

@mcab
Copy link
Member

@mcab mcab commented Feb 4, 2021
edited
Loading

This combines the work from #215 and partial work from #123.

  • xml-crypto is vulnerable to weak signatures being improperly validated. See GHSA-c27r-x354-4m68.
  • Bumping xml-crypto from ^0.10.0 to ^2.0.0 made check_saml_signature no longer work.
  • Digging deeper revealed that the signatures were no longer being properly grabbed from the XML passed through.
  • Validated that choosing the root node of the document made signatures work.
  • Grabbing the test case for a <ds:Signature> declared at the root level still worked as well.

donhcd and others added 3 commits February 4, 2021 10:46
@donhcd @mcab
[SECURITY] upgrade xml-crypto, fix signature xpath
52e0a9b 
because of GHSA-c27r-x354-4m68
@mcab
feat: Scope xpath to root of document
b43eab4 
If we put priority on which tags are present for Signature validation
(AuthnRequest < Response < Assertion), it's possible for a crafted SAML request
to validate the signature for a particular tag, which is invalid for the
request.

Guard against this by selecting for the signature by starting from the root
document element, as we've done so in the past.
@mcab
feat: accept saml response with xml sig namespace at the root level
4e63121 
the xml dsig namespace can be specified at the root of the SAML response
instead of on each Signature element.  The canonincalized xml for the
signature element requires that the namespace declaration be present on
the siganture element.
mcab
mcab commented Feb 4, 2021
View reviewed changes
lib/saml2.coffee
sig = new xmlcrypto.SignedXml()
sig.keyInfoProvider = getKey: -> format_pem(certificate, 'CERTIFICATE')
sig.loadSignature signature[0].toString()
sig.loadSignature signature[0]
Copy link
Member Author

@mcab mcab Feb 4, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change shouldn't be major. xml-crypto would just reparse if it was made into a string.

https://github.com/yaronn/xml-crypto/blob/3d9db712e6232c765cd2ad6bd2902b88a0d22100/lib/signed-xml.js#L583-L587

@mcab
Copy link
Member Author

mcab commented Feb 4, 2021

This will get wrapped up as 3.0.0, because of the potential breaking change for signature selection for xpath.

@mcab mcab mentioned this pull request Feb 4, 2021
Closed
@mcab mcab merged commit 4dab06e into master Feb 4, 2021
This was referenced Feb 4, 2021
Closed
Closed
@mcab mcab deleted the mcab/upgrade-xml-crypto branch February 4, 2021 21:07
@mcab mcab self-assigned this Feb 8, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@mcab mcab

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mcab @donhcd