ruby-saml 0.8.1 → 0.8.2





@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA1:
3
+ metadata.gz: 54aff65643a4409b0e306515c9f92ae634db3238
4
+ data.tar.gz: c9fe0db4412806b434a8bb36503ecbd7939ffa36
5
+ SHA512:
6
+ metadata.gz: 07d26360f0145816ce08a5e109eae2a9c0f233154fdceb8178b69f1e9d72210baeebaa5ee978c973d6764dfd0a1d28f4ff0ea1e6beef90023a26383c342c3892
7
+ data.tar.gz: ee10bbde3c20e9ad2ec658506608a6d705ea9692f4c1577506e6a90b56db858f752f800300cf012e01319531d0b5f8aafcfe0f25b15b8681a2b81f7fed4c2fd4
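--- a/data/Gemfile
+++ b/data/Gemfile
@@ -1,15 +1,27 @@
+#
+# Please keep this file alphabetized and organized
+#
 source 'http://rubygems.org'
 
 gemspec
 
 group :test do
-gem "ruby-debug", "~> 0.10.4", :require => nil, :platforms => :ruby_18
-gem "debugger", "~> 1.1", :require => nil, :platforms => :ruby_19
-gem "shoulda", "~> 2.11"
-gem "rake", "~> 10"
-gem "mocha", "~> 0.14"
-gem "nokogiri", "~> 1.5.0"
-gem "timecop", "<= 0.6.0"
-gem "systemu", "~> 2"
-gem "rspec", "~> 2"
+if RUBY_VERSION < '1.9'
+gem 'nokogiri', '~> 1.5.0'
+gem 'ruby-debug', '~> 0.10.4'
+elsif RUBY_VERSION < '2.0'
+gem 'debugger-linecache', '~> 1.2.0'
+gem 'debugger', '~> 1.6.4'
+elsif RUBY_VERSION < '2.1'
+gem 'byebug', '~> 2.1.1'
+else
+gem 'pry-byebug'
+end
+
+gem 'mocha', '~> 0.14', :require => false
+gem 'rake', '~> 10'
+gem 'shoulda', '~> 2.11'
+gem 'systemu', '~> 2'
+gem 'test-unit', '~> 3'
+gem 'timecop', '<= 0.6.0'
 end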
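Review bot: The `source 'http://rubygems.org'` line kept as context at the top of this hunk resolves and downloads every gem in the file over plain HTTP, so the rewritten test group is still installed without transport integrity; change it to `source 'https://rubygems.org'`, which rubygems.org serves and Bundler accepts without further changes. Separately, `gem 'pry-byebug'` on new line 18 is the only entry added without a version constraint, which is at odds with the explicit pinning applied to every other gem in the block and makes the `else` branch of the Ruby-version ladder non-reproducible; a `'~> x.y'` constraint matching the project's chosen version would keep it consistent.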
@@ -1,7 +1,17 @@
1
1
  # RubySaml Changelog
2
2
 
3
+ ### 0.8.2 (Jan 26, 2014)
4
+ * [#183](https://github.com/onelogin/ruby-saml/pull/183) Resolved a security vulnerability where string interpolation in a `REXML::XPath.first()` method call allowed for arbitrary code execution.
5
+
3
6
  ### 0.8.0 (Feb 21, 2014)
4
- Changed namespace of the gem from `OneLogin::Saml` to `OneLogin::RubySaml`. Please update your implementations of the gem accordingly.
7
+ **IMPORTANT**: This release changed namespace of the gem from `OneLogin::Saml` to `OneLogin::RubySaml`. Please update your implementations of the gem accordingly.
8
+
9
+ * [#111](https://github.com/onelogin/ruby-saml/pull/111) `Onelogin::` is `OneLogin::`
10
+ * [#108](https://github.com/onelogin/ruby-saml/pull/108) Change namespacing from `Onelogin::Saml` to `Onelogin::Rubysaml`
11
+
5
12
 
6
13
  ### 0.7.3 (Feb 20, 2014)
7
14
  Updated gem dependencies to be compatible with Ruby 1.8.7-p374 and 1.9.3-p448. Removed unnecessary `canonix` gem dependency.
15
+
16
+ * [#107](https://github.com/onelogin/ruby-saml/pull/107) Relax nokogiri version requirement to >= 1.5.0
17
+ * [#105](https://github.com/onelogin/ruby-saml/pull/105) Lock Gem versions, fix to resolve possible namespace collision
@@ -151,8 +151,18 @@ module OneLogin
151
151
  end
152
152
 
153
153
  def xpath_first_from_signed_assertion(subelt=nil)
154
- node = REXML::XPath.first(document, "/p:Response/a:Assertion[@ID='#{document.signed_element_id}']#{subelt}", { "p" => PROTOCOL, "a" => ASSERTION })
155
- node ||= REXML::XPath.first(document, "/p:Response[@ID='#{document.signed_element_id}']/a:Assertion#{subelt}", { "p" => PROTOCOL, "a" => ASSERTION })
154
+ node = REXML::XPath.first(
155
+ document,
156
+ "/p:Response/a:Assertion[@ID=$id]#{subelt}",
157
+ { "p" => PROTOCOL, "a" => ASSERTION },
158
+ { 'id' => document.signed_element_id }
159
+ )
160
+ node ||= REXML::XPath.first(
161
+ document,
162
+ "/p:Response[@ID=$id]/a:Assertion#{subelt}",
163
+ { "p" => PROTOCOL, "a" => ASSERTION },
164
+ { 'id' => document.signed_element_id }
165
+ )
156
166
  node
157
167
  end
158
168
 
@@ -1,5 +1,5 @@
1
1
  module OneLogin
2
2
  module RubySaml
3
- VERSION = '0.8.1'
3
+ VERSION = '0.8.2'
4
4
  end
5
5
  end
@@ -254,5 +254,13 @@ class RubySamlTest < Test::Unit::TestCase
254
254
  end
255
255
  end
256
256
 
257
+ context '#xpath_first_from_signed_assertion' do
258
+ should 'not allow arbitrary code execution' do
259
+ malicious_response_document = fixture('response_eval', false)
260
+ response = OneLogin::RubySaml::Response.new(malicious_response_document)
261
+ response.send(:xpath_first_from_signed_assertion)
262
+ assert_equal($evalled, nil)
263
+ end
264
+ end
257
265
  end
258
266
  end
@@ -0,0 +1,7 @@
1
+ <saml:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:protocol">
2
+ <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
3
+ <ds:SignedInfo>
4
+ <ds:Reference URI="#x'] or eval('$evalled = true') or /[@ID='v"/>
5
+ </ds:SignedInfo>
6
+ </ds:Signature>
7
+ </saml:Response>
@@ -1,7 +1,6 @@
1
1
  require 'rubygems'
2
2
  require 'test/unit'
3
3
  require 'shoulda'
4
- require 'ruby-debug'
5
4
  require 'mocha/setup'
6
5
  require 'timecop'
7
6
 
@@ -63,7 +62,7 @@ class Test::Unit::TestCase
63
62
  def signature_fingerprint_1
64
63
  @signature_fingerprint1 ||= "C5:19:85:D9:47:F1:BE:57:08:20:25:05:08:46:EB:27:F6:CA:B7:83"
65
64
  end
66
-
65
+
67
66
  def signature_1
68
67
  @signature1 ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'certificate1'))
69
68
  end
metadata CHANGED
@@ -1,66 +1,54 @@
1
- --- !ruby/object:Gem::Specification
1
+ --- !ruby/object:Gem::Specification
2
2
  name: ruby-saml
3
- version: !ruby/object:Gem::Version
4
- hash: 61
5
- prerelease:
6
- segments:
7
- - 0
8
- - 8
9
- - 1
10
- version: 0.8.1
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.8.2
11
5
  platform: ruby
12
- authors:
6
+ authors:
13
7
  - OneLogin LLC
14
8
  autorequire:
15
9
  bindir: bin
16
10
  cert_chain: []
17
-
18
- date: 2014-02-25 00:00:00 Z
19
- dependencies:
20
- - !ruby/object:Gem::Dependency
11
+ date: 2015-01-26 00:00:00.000000000 Z
12
+ dependencies:
13
+ - !ruby/object:Gem::Dependency
21
14
  name: uuid
22
- prerelease: false
23
- requirement: &id001 !ruby/object:Gem::Requirement
24
- none: false
25
- requirements:
26
- - - ~>
27
- - !ruby/object:Gem::Version
28
- hash: 5
29
- segments:
30
- - 2
31
- - 3
32
- version: "2.3"
15
+ requirement: !ruby/object:Gem::Requirement
16
+ requirements:
17
+ - - "~>"
18
+ - !ruby/object:Gem::Version
19
+ version: '2.3'
33
20
  type: :runtime
34
- version_requirements: *id001
35
- - !ruby/object:Gem::Dependency
36
- name: nokogiri
37
21
  prerelease: false
38
- requirement: &id002 !ruby/object:Gem::Requirement
39
- none: false
40
- requirements:
22
+ version_requirements: !ruby/object:Gem::Requirement
23
+ requirements:
24
+ - - "~>"
25
+ - !ruby/object:Gem::Version
26
+ version: '2.3'
27
+ - !ruby/object:Gem::Dependency
28
+ name: nokogiri
29
+ requirement: !ruby/object:Gem::Requirement
30
+ requirements:
41
31
  - - ">="
42
- - !ruby/object:Gem::Version
43
- hash: 3
44
- segments:
45
- - 1
46
- - 5
47
- - 0
32
+ - !ruby/object:Gem::Version
48
33
  version: 1.5.0
49
34
  type: :runtime
50
- version_requirements: *id002
35
+ prerelease: false
36
+ version_requirements: !ruby/object:Gem::Requirement
37
+ requirements:
38
+ - - ">="
39
+ - !ruby/object:Gem::Version
40
+ version: 1.5.0
51
41
  description: SAML toolkit for Ruby on Rails
52
42
  email: support@onelogin.com
53
43
  executables: []
54
-
55
44
  extensions: []
56
-
57
- extra_rdoc_files:
45
+ extra_rdoc_files:
58
46
  - LICENSE
59
47
  - README.md
60
- files:
61
- - .document
62
- - .gitignore
63
- - .travis.yml
48
+ files:
49
+ - ".document"
50
+ - ".gitignore"
51
+ - ".travis.yml"
64
52
  - Gemfile
65
53
  - LICENSE
66
54
  - README.md
@@ -101,6 +89,7 @@ files:
101
89
  - test/responses/response3.xml.base64
102
90
  - test/responses/response4.xml.base64
103
91
  - test/responses/response5.xml.base64
92
+ - test/responses/response_eval.xml
104
93
  - test/responses/response_with_ampersands.xml
105
94
  - test/responses/response_with_ampersands.xml.base64
106
95
  - test/responses/simple_saml_php.xml
@@ -111,38 +100,29 @@ files:
111
100
  - test/xml_security_test.rb
112
101
  homepage: http://github.com/onelogin/ruby-saml
113
102
  licenses: []
114
-
103
+ metadata: {}
115
104
  post_install_message:
116
- rdoc_options:
117
- - --charset=UTF-8
118
- require_paths:
105
+ rdoc_options:
106
+ - "--charset=UTF-8"
107
+ require_paths:
119
108
  - lib
120
- required_ruby_version: !ruby/object:Gem::Requirement
121
- none: false
122
- requirements:
109
+ required_ruby_version: !ruby/object:Gem::Requirement
110
+ requirements:
123
111
  - - ">="
124
- - !ruby/object:Gem::Version
125
- hash: 3
126
- segments:
127
- - 0
128
- version: "0"
129
- required_rubygems_version: !ruby/object:Gem::Requirement
130
- none: false
131
- requirements:
112
+ - !ruby/object:Gem::Version
113
+ version: '0'
114
+ required_rubygems_version: !ruby/object:Gem::Requirement
115
+ requirements:
132
116
  - - ">="
133
- - !ruby/object:Gem::Version
134
- hash: 3
135
- segments:
136
- - 0
137
- version: "0"
117
+ - !ruby/object:Gem::Version
118
+ version: '0'
138
119
  requirements: []
139
-
140
120
  rubyforge_project: http://www.rubygems.org/gems/ruby-saml
141
- rubygems_version: 1.8.25
121
+ rubygems_version: 2.2.2
142
122
  signing_key:
143
- specification_version: 3
123
+ specification_version: 4
144
124
  summary: SAML Ruby Tookit
145
- test_files:
125
+ test_files:
146
126
  - test/certificates/certificate1
147
127
  - test/certificates/r1_certificate2_base64
148
128
  - test/logoutrequest_test.rb
@@ -162,6 +142,7 @@ test_files:
162
142
  - test/responses/response3.xml.base64
163
143
  - test/responses/response4.xml.base64
164
144
  - test/responses/response5.xml.base64
145
+ - test/responses/response_eval.xml
165
146
  - test/responses/response_with_ampersands.xml
166
147
  - test/responses/response_with_ampersands.xml.base64
167
148
  - test/responses/simple_saml_php.xml