Skip to content

Prevent error when an EncryptedAssertion is next to the Signature in the document root. #69

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
XavierTalpe wants to merge 2 commits into from
Closed

Prevent error when an EncryptedAssertion is next to the Signature in the document root. #69

XavierTalpe wants to merge 2 commits into from

Conversation

@XavierTalpe
Copy link

@XavierTalpe XavierTalpe commented Jun 27, 2016

I came across an issue when the SAML login response has the following structure:

<Response ...>
    <Issuer ...>
        ...
    </Issuer>
    <Signature>
        ...
    </Signature>
    <Status>
        <:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </Status>
    <EncryptedAssertion>
        ...
    </EncryptedAssertion>
</Response>

Note that both the EncryptedAssertion and the Signature block are part of the root node. The EncryptedAssertion also does not contain any Signature elements after decryption.

The current version of the code fails with the error Signed data did not contain a SAML Assertion!.

This bug is caused by the combination of

signed_data = check_saml_signature(result, cert) or check_saml_signature saml_response_str, cert

and

for sd in signed_data
    signed_dom = (new xmldom.DOMParser()).parseFromString(sd)
    assertion = signed_dom.getElementsByTagNameNS(XMLNS.SAML, 'Assertion')
    if assertion.length is 1
        return cb_wf null, signed_dom
return cb_wf new Error("Signed data did not contain a SAML Assertion!")

In case the EncryptedAssertion block does not contain any Signatures, check_saml_signature(result, cert) will fail and check_saml_signature saml_response_str, cert is executed to retrieve the Signatures from the original SAML response. Because this SAML response still contains the EncryptedAssertion, getElementsByTagNameNS(XMLNS.SAML, 'Assertion') will fail.

I modified the code so it can handle each use case. I looked into adding a test but this seems a bit trickier than expected because I can't use the original SAML response (company privacy/security).

My apologies if I overlooked something, I'm not a SAML expert :).

Xavier Talpe added 2 commits June 27, 2016 11:02
@XavierTalpe
Copy link
Author

XavierTalpe commented Jul 6, 2016

Any update on this?

@sebakerckhof
Copy link

sebakerckhof commented Jul 12, 2016

+1

@cozmo
Copy link
Contributor

cozmo commented Jul 12, 2016

@XavierTalpe @sebakerckhof Sorry about the delay here - We'll take a look at this today.

jefff
jefff reviewed Jul 26, 2016
View reviewed changes
lib/saml2.coffee
else
return cb_wf new Error( "Signed data does not contain a SAML Assertion!" )
else if signatures_from_response
decrypted_assertion_dom = (new xmldom.DOMParser()).parseFromString(decrypted_assertion)
Copy link
Contributor

@jefff jefff Jul 26, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry about the delay of this review; I was on vacation and didn't have a chance to look it over.

I think there's a potential security pitfall here. Specifically, the fact that signatures_from_response is set only means that the response contains some signature, but this line is parsing the decrypted assertion and passing it on as validated. The signature may not have covered the encrypted assertion (or unencrypted assertion) of the response and this means it would accept invalid data.

I'm not sure what the best fix is for this. It seems like either it would have to be decrypted again from the signed data or some reference would have to be maintained and checked that the assertion was part of the signed data. It's also possible I'm misunderstanding this logic so please let me know if that is the case.

Copy link

@sebakerckhof sebakerckhof Jul 27, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll take a look at this in one of the coming days.

SamDecrock added a commit to SamDecrock/saml2 that referenced this pull request Aug 11, 2016
@SamDecrock
Different approach on fixing issue of pull request Clever#69
e5a6a03
@SamDecrock SamDecrock mentioned this pull request Aug 11, 2016
Open
@bensimian
Copy link

bensimian commented Jan 17, 2017

+1

@mohit
Copy link

mohit commented Aug 7, 2017

closing in favor of first reviewing #74 Please comment if you think #74 is not a solution for the same issue

@mohit mohit closed this Aug 7, 2017
@snyk-bot snyk-bot mentioned this pull request Sep 10, 2020
Open
@snyk-bot snyk-bot mentioned this pull request Mar 18, 2021
Open
@snyk-bot snyk-bot mentioned this pull request Mar 21, 2022
Open
@enterstudio enterstudio mentioned this pull request Nov 29, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@XavierTalpe @sebakerckhof @cozmo @bensimian @mohit @jefff