v2.3.0

@tngan tngan released this 22 Sep 17:10
· 245 commits to master since this release

Release Note

#119 Trim space in certificate string (7173238, contributed by @ahwitz)
#121 Response xsd schema validation (reported by @thijsschoonbrood)

Reference: https://www.whitehats.nl/blog/xml-signature-wrapping-samlify

This release includes a fix for a potential security risk reported by @thijsschoonbrood from WhiteHats B.V. All versions before samlify v2.2.0 accept any kind of response without schema validation, and the XPath we used to fetch the XML element was a relative path, so a response could be tampered with by a man-in-the-middle attacker in the following form:

```xml
<saml:NameID>[email protected]</saml:NameID>
<samlp:Response>
  <saml:Assertion>
    <saml:NameID>[email protected]</saml:NameID>
  </saml:Assertion>
</samlp:Response>
```

```javascript
const { samlContent, extract } = await sp.parseLoginResponse(idp, 'post', req);
```

The parsed result in the extract.nameid object would be an array consisting of [email protected] and [email protected]. samlify is designed to parse the essential fields and leave validation to users, so a false nameid (or other sensitive field) can be accepted unless the validation is done properly on the developer's side.

A test was added, and the following error is expected to be thrown: Error: Element 'NameID': No matching global declaration available for the validation root.

The first approach is to add response XSD schema validation; the next step will be to refactor the usage of XPath and introduce common validations (#111, #126), such as time validation.
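As an added illustration (not code from this release or from samlify itself), the Python script below uses only the standard library's xml.etree.ElementTree to show the two points made above: a document-wide search, which is what a relative XPath such as //saml:NameID does, picks up a NameID placed outside the Response, whereas requiring the document root to be samlp:Response (the condition behind the XSD validation error quoted above) and reading NameID only along a path anchored at the Response does not. The sample documents, the e-mail addresses and the wrapper element are constructed for this example; the example follows the real SAML layout with NameID under saml:Subject rather than the shortened form shown in the note. It also goes one step beyond the note with a third constructed document in which the extra element sits inside a genuine Response but outside the Assertion: a root-only check passes it, and only the anchored path keeps it out of the result.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Constructed sample 1: a response whose only NameID sits under the Assertion.
LEGIT_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID>real.user@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample 2, mirroring the release note: an extra NameID placed as a
# sibling of the Response. To be parseable at all the pair needs a wrapper
# element, so the document root is no longer samlp:Response; that is the
# condition the XSD validation error quoted in the note rejects.
WRAPPED_RESPONSE = f"""<wrapper xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
  <saml:NameID>injected@example.com</saml:NameID>
  <samlp:Response>
    <saml:Assertion>
      <saml:Subject>
        <saml:NameID>real.user@example.com</saml:NameID>
      </saml:Subject>
    </saml:Assertion>
  </samlp:Response>
</wrapper>"""

# Constructed sample 3 (beyond the note): the root is a genuine samlp:Response,
# but an extra NameID sits in samlp:Extensions, outside the Assertion.
EXTENSIONS_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
  <samlp:Extensions>
    <saml:NameID>injected@example.com</saml:NameID>
  </samlp:Extensions>
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID>real.user@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


class ValidationRootError(ValueError):
    """The document root is not samlp:Response (what the XSD check reports)."""


def nameids_relative(doc: str) -> list[str]:
    """Pre-fix behaviour: a document-wide descendant search, equivalent to the
    relative XPath //saml:NameID. Every NameID anywhere in the document is
    returned, wherever it was placed."""
    root = ET.fromstring(doc)
    return [el.text for el in root.iter(f"{{{SAML}}}NameID")]


def require_response_root(root: ET.Element) -> None:
    """First line of defence from the note: the validation root of the
    document must be samlp:Response, otherwise the document is rejected."""
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValidationRootError(
            f"Element '{root.tag}': no matching global declaration for the validation root"
        )


def nameids_anchored(doc: str) -> list[str]:
    """Hardened extraction: root check plus a path anchored at the Response,
    so only NameID elements under Response/Assertion/Subject are read."""
    root = ET.fromstring(doc)
    require_response_root(root)
    return [el.text for el in root.findall("saml:Assertion/saml:Subject/saml:NameID", NS)]


def accepted(doc: str) -> bool:
    """True when the document passes the root check, False when it is rejected."""
    try:
        nameids_anchored(doc)
        return True
    except ValidationRootError:
        return False


if __name__ == "__main__":
    samples = [("legit", LEGIT_RESPONSE), ("wrapped", WRAPPED_RESPONSE),
               ("extensions", EXTENSIONS_RESPONSE)]
    for name, doc in samples:
        print(name, "relative:", nameids_relative(doc))
        if accepted(doc):
            print(name, "anchored:", nameids_anchored(doc))
        else:
            print(name, "anchored: rejected, root is not samlp:Response")
```

Running the script prints both addresses for the wrapped and the Extensions documents under the relative search, rejects the wrapped document outright, and returns only the Assertion's NameID for the other two under the anchored path. The root check alone is not enough: the Extensions variant shows why the XPath refactor mentioned in the note is the second half of the fix.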