ruby-saml-mod 0.3.7 → 0.3.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: b1b242e9ff3858681e80c4091494d480e2611088
-  data.tar.gz: 1dc877f9a2879b6e37687b78ab439da852f408bf
+SHA256:
+  metadata.gz: b4cc34deecbeae7f009b7ece4531f33613e8b08b10cf621d8e3df114b4971951
+  data.tar.gz: 9fde047cb410eb4758e2a6d2d0fe8741646b8a817776d85adeae9ec368f421a5
 SHA512:
-  metadata.gz: 05a823a73ff85abcccc37895b2d4fbbfe94f87963c892a3e3ddf4281e28ec023cc6ea50625ffc23788ad3cd9b353df7190823e10ae4752f6412fb9e2df2ec1b7
-  data.tar.gz: 76e7c832f85e0e1e47a14484c3a55af32ab437b77b07a386f403ddb30ec2503f3fff5f293df0ff17b41b22fbce27372f0c3d2c7f98a2cb841c8d439f38f56a87
+  metadata.gz: d006b313304782023335b97fde466a53dafa11512307a121f5d87810beae934a02ee95b606711b43fa758f06a5204a1a2c2ad26c785fb83d60c4b7f05369c48a
+  data.tar.gz: 3948976cc68bc92780b151d545c4bb48b507c4d88640a9a7bf6ab2a9fda11b1a222fd2cac86fbac2f6133ab6c7cf3104df4eeaaa6f66271c92af471214d36a85

data/lib/xml_sec.rb

@@ -215,7 +215,7 @@ module XMLSecurity
   attach_function :xmlSecEncCtxDecrypt, [ :pointer, :pointer ], :int
   attach_function :xmlSecEncCtxDestroy, [ :pointer ], :void
 
-  attach_function :xmlSecErrorsDefaultCallback, [ :string, :int, :string, :string, :string, :int, :string ], :void
+  XmlSecErrorsDefaultCallbackPtr = attach_function :xmlSecErrorsDefaultCallback, [ :string, :int, :string, :string, :string, :int, :string ], :void
   attach_function :xmlSecErrorsDefaultCallbackEnableOutput, [ :bool ], :void
   attach_function :xmlSecErrorsSetCallback, [:pointer], :void
 
@@ -266,7 +266,6 @@ module XMLSecurity
   raise "Failed initializing XMLSec" if self.xmlSecInit < 0
   raise "Failed initializing app crypto" if self.xmlSecOpenSSLAppInit(nil) < 0
   raise "Failed initializing crypto" if self.xmlSecOpenSSLInit < 0
-  self.xmlSecErrorsSetCallback(ErrorCallback)
 
   def self.handle_xmlsec_error_callback(*args)
     raise_exception_if_necessary(*args)
@@ -377,6 +376,8 @@ module XMLSecurity
       result = false
 
       begin
+        XMLSecurity.xmlSecErrorsSetCallback(ErrorCallback)
+
         # set up the keymgr
         kmgr = XMLSecurity.xmlSecKeysMngrCreate
         raise "failed initializing key mgr" if XMLSecurity.xmlSecOpenSSLAppDefaultKeysMngrInit(kmgr) < 0
@@ -411,6 +412,7 @@ module XMLSecurity
         XMLSecurity.xmlSecDSigCtxDestroy(ctx) if ctx
         XMLSecurity.xmlFreeDoc(doc) if doc
         XMLSecurity.xmlSecKeysMngrDestroy(kmgr) if kmgr
+        XMLSecurity.xmlSecErrorsSetCallback(XmlSecErrorsDefaultCallbackPtr)
       end
 
       result

data/spec/fixtures/test7-response.xml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_641f919c529eb4b9c2c6447d577483256d45ac9c43" Version="2.0" IssueInstant="2014-09-16T22:15:53Z" Destination="http://shard-2.canvas.dev/saml_consume" InResponseTo="ffb009599eec994f0a4cbadbff1628f90695e44d22"><saml:Issuer>http://simplesamlphp.dev/simplesaml/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#_641f919c529eb4b9c2c6447d577483256d45ac9c43"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>JjgISND0GviF1NMyrGHvCAAjQTE=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>sHnaxEHN/COmtv0AzcnLV5GT2iOp9jtIo3cLeyO/ByzytLlWr5T7SKUK9pl3vs1faLiFm/S5r62srB/nf7AWFG0VRGi2QXb/gqu9A0Bm1PnqTRAtHHxH1E8oVKadiNTP1GXtmYphCgnM3ZCW6g7wUt/uS8+7sU9Q1TOTAVPzNso=</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_3213cbee5db3b66a763035443e746877d161f0a7a5" Version="2.0" IssueInstant="2014-09-16T22:15:53Z"><saml:Issuer>http://simplesamlphp.dev/simplesaml/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#_3213cbee5db3b66a763035443e746877d161f0a7a5"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>fVMHYHwOvYPwyftkUgdYe0MREmM=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>hVs09lhchv3LKLa/JHNUkDB8Ze7p8g+HFoZmim2vZzvO0DX6SBT9dYDyJgHSwpyfNUr5Ba70/4Sw9/uGFBjhCqe1oQ5VqbmZW34ugvvXShzcnt6v/8S4e2tgOpnUS3XfQwYLt8Rq4k1D9fr3SdWws5UGbt5pSYGGyYgY+1AB9ow=</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID SPNameQualifier="http://shard-2.canvas.dev/saml2" Format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">testuser<!-- comment -->@example.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2014-09-16T22:20:53Z" Recipient="http://shard-2.canvas.dev/saml_consume" InResponseTo="ffb009599eec994f0a4cbadbff1628f90695e44d22"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2014-09-16T22:15:23Z" NotOnOrAfter="2014-09-16T22:20:53Z"><saml:AudienceRestriction><saml:Audience>http://shard-2.canvas.dev/saml2</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2014-09-16T22:15:53Z" SessionNotOnOrAfter="2014-09-17T06:15:53Z" SessionIndex="_9f28445329a5ada29cca3cfae83a08d289d0816bc0"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">testuser@example.com</saml:AttributeValue></saml:Attribute><saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">testuser@example.com</saml:AttributeValue></saml:Attribute><saml:Attribute Name="eduPersonAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">member</saml:AttributeValue></saml:Attribute><saml:Attribute Name="givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">Canvas</saml:AttributeValue></saml:Attribute><saml:Attribute Name="displayName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">Canvas Üser</saml:AttributeValue></saml:Attribute><saml:Attribute Name="surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">Üser</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>

data/spec/response_spec.rb

@@ -163,6 +163,19 @@ describe Onelogin::Saml::Response do
     @response.fingerprint_from_idp.should == 'afe71c28ef740bc87425be13a2263d37971da1f9'
   end
 
+  # see CVE-2017-11428
+  it "returns the full content of the NameID, even if a comment-insertion attack allows it to still validate the signature" do
+    # this file is a copy of test6-response.xml, with a comment inserted into the NameID
+    @xmlb64 = Base64.encode64(File.read(fixture_path("test7-response.xml")))
+    @settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'afe71c28ef740bc87425be13a2263d37971da1f9')
+    @response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2014-09-16T22:15:53Z"))
+    # the signature is still valid
+    @response.should be_is_valid
+    @response.status_code.should == "urn:oasis:names:tc:SAML:2.0:status:Success"
+    # the comment is ignored, but doesn't truncate the nameid
+    @response.name_id.should == 'testuser@example.com'
+  end
+
   it "should map OIDs to known attributes" do
     @xmlb64 = Base64.encode64(File.read(fixture_path("test3-response.xml")))
     @settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'afe71c28ef740bc87425be13a2263d37971da1f9')

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ruby-saml-mod
 version: !ruby/object:Gem::Version
-  version: 0.3.7
+  version: 0.3.8
 platform: ruby
 authors:
 - OneLogin LLC
@@ -14,7 +14,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-10-28 00:00:00.000000000 Z
+date: 2018-04-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -108,6 +108,7 @@ files:
 - spec/fixtures/test4-response.xml
 - spec/fixtures/test5-response.xml
 - spec/fixtures/test6-response.xml
+- spec/fixtures/test7-response.xml
 - spec/fixtures/wrong-key.pem
 - spec/fixtures/xml_missigned_assertion.xml
 - spec/fixtures/xml_signature_wrapping_attack_duplicate_ids.xml
@@ -138,7 +139,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.13
+rubygems_version: 2.7.3
 signing_key: 
 specification_version: 4
 summary: Ruby library for SAML service providers
@@ -154,6 +155,7 @@ test_files:
 - spec/fixtures/test4-response.xml
 - spec/fixtures/test5-response.xml
 - spec/fixtures/test6-response.xml
+- spec/fixtures/test7-response.xml
 - spec/fixtures/wrong-key.pem
 - spec/fixtures/xml_missigned_assertion.xml
 - spec/fixtures/xml_signature_wrapping_attack_duplicate_ids.xml