RubyGems - ruby-saml - Versions diffs - 0.8.1 → 0.8.2 - Mend

ruby-saml 0.8.1 → 0.8.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of ruby-saml might be problematic. Click here for more details.

Files changed (9) hide show

checksums.yaml +7 -0
data/Gemfile +21 -9
data/changelog.md +11 -1
data/lib/onelogin/ruby-saml/response.rb +12 -2
data/lib/onelogin/ruby-saml/version.rb +1 -1
data/test/response_test.rb +8 -0
data/test/responses/response_eval.xml +7 -0
data/test/test_helper.rb +1 -2
metadata +50 -69

checksums.yaml ADDED

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 54aff65643a4409b0e306515c9f92ae634db3238
+  data.tar.gz: c9fe0db4412806b434a8bb36503ecbd7939ffa36
+SHA512:
+  metadata.gz: 07d26360f0145816ce08a5e109eae2a9c0f233154fdceb8178b69f1e9d72210baeebaa5ee978c973d6764dfd0a1d28f4ff0ea1e6beef90023a26383c342c3892
+  data.tar.gz: ee10bbde3c20e9ad2ec658506608a6d705ea9692f4c1577506e6a90b56db858f752f800300cf012e01319531d0b5f8aafcfe0f25b15b8681a2b81f7fed4c2fd4

data/Gemfile CHANGED

@@ -1,15 +1,27 @@
+#
+# Please keep this file alphabetized and organized
+#
 source 'http://rubygems.org'
 gemspec
 group :test do
-  gem "ruby-debug", "~> 0.10.4", :require => nil, :platforms => :ruby_18
-  gem "debugger",   "~> 1.1",    :require => nil, :platforms => :ruby_19
-  gem "shoulda",    "~> 2.11"
-  gem "rake",       "~> 10"
-  gem "mocha",      "~> 0.14"
-  gem "nokogiri",   "~> 1.5.0"
-  gem "timecop",    "<= 0.6.0"
-  gem "systemu",    "~> 2"
-  gem "rspec",      "~> 2"
+  if RUBY_VERSION < '1.9'
+    gem 'nokogiri',   '~> 1.5.0'
+    gem 'ruby-debug', '~> 0.10.4'
+  elsif RUBY_VERSION < '2.0'
+    gem 'debugger-linecache', '~> 1.2.0'
+    gem 'debugger', '~> 1.6.4'
+  elsif RUBY_VERSION < '2.1'
+    gem 'byebug',   '~> 2.1.1'
+  else
+    gem 'pry-byebug'
+  end
+  gem 'mocha',     '~> 0.14',  :require => false
+  gem 'rake',      '~> 10'
+  gem 'shoulda',   '~> 2.11'
+  gem 'systemu',   '~> 2'
+  gem 'test-unit', '~> 3'
+  gem 'timecop',   '<= 0.6.0'
 end

data/changelog.md CHANGED

@@ -1,7 +1,17 @@
 # RubySaml Changelog
+### 0.8.2 (Jan 26, 2014)
+* [#183](https://github.com/onelogin/ruby-saml/pull/183) Resolved a security vulnerability where string interpolation in a `REXML::XPath.first()` method call allowed for arbitrary code execution.
 ### 0.8.0 (Feb 21, 2014)
-Changed namespace of the gem from `OneLogin::Saml` to `OneLogin::RubySaml`.  Please update your implementations of the gem accordingly.
+**IMPORTANT**: This release changed namespace of the gem from `OneLogin::Saml` to `OneLogin::RubySaml`.  Please update your implementations of the gem accordingly.
+* [#111](https://github.com/onelogin/ruby-saml/pull/111) `Onelogin::` is `OneLogin::`
+* [#108](https://github.com/onelogin/ruby-saml/pull/108) Change namespacing from `Onelogin::Saml` to `Onelogin::Rubysaml`
 ### 0.7.3 (Feb 20, 2014)
 Updated gem dependencies to be compatible with Ruby 1.8.7-p374 and 1.9.3-p448. Removed unnecessary `canonix` gem dependency.
+* [#107](https://github.com/onelogin/ruby-saml/pull/107) Relax nokogiri version requirement to >= 1.5.0
+* [#105](https://github.com/onelogin/ruby-saml/pull/105) Lock Gem versions, fix to resolve possible namespace collision

data/lib/onelogin/ruby-saml/response.rb CHANGED

@@ -151,8 +151,18 @@ module OneLogin
       end
       def xpath_first_from_signed_assertion(subelt=nil)
-        node = REXML::XPath.first(document, "/p:Response/a:Assertion[@ID='#{document.signed_element_id}']#{subelt}", { "p" => PROTOCOL, "a" => ASSERTION })
-        node ||= REXML::XPath.first(document, "/p:Response[@ID='#{document.signed_element_id}']/a:Assertion#{subelt}", { "p" => PROTOCOL, "a" => ASSERTION })
+        node = REXML::XPath.first(
+            document,
+            "/p:Response/a:Assertion[@ID=$id]#{subelt}",
+            { "p" => PROTOCOL, "a" => ASSERTION },
+            { 'id' => document.signed_element_id }
+        )
+        node ||= REXML::XPath.first(
+            document,
+            "/p:Response[@ID=$id]/a:Assertion#{subelt}",
+            { "p" => PROTOCOL, "a" => ASSERTION },
+            { 'id' => document.signed_element_id }
+        )
         node
       end

data/lib/onelogin/ruby-saml/version.rb CHANGED

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '0.8.1'
+    VERSION = '0.8.2'
   end
 end

data/test/response_test.rb CHANGED

@@ -254,5 +254,13 @@ class RubySamlTest < Test::Unit::TestCase
       end
     end
+    context '#xpath_first_from_signed_assertion' do
+      should 'not allow arbitrary code execution' do
+        malicious_response_document = fixture('response_eval', false)
+        response = OneLogin::RubySaml::Response.new(malicious_response_document)
+        response.send(:xpath_first_from_signed_assertion)
+        assert_equal($evalled, nil)
+      end
+    end
   end
 end

data/test/responses/response_eval.xml ADDED

@@ -0,0 +1,7 @@
+<saml:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:protocol">
+  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:SignedInfo>
+      <ds:Reference URI="#x'] or eval('$evalled = true') or /[@ID='v"/>
+    </ds:SignedInfo>
+  </ds:Signature>
+</saml:Response>

data/test/test_helper.rb CHANGED

@@ -1,7 +1,6 @@
 require 'rubygems'
 require 'test/unit'
 require 'shoulda'
-require 'ruby-debug'
 require 'mocha/setup'
 require 'timecop'
@@ -63,7 +62,7 @@ class Test::Unit::TestCase
   def signature_fingerprint_1
     @signature_fingerprint1 ||= "C5:19:85:D9:47:F1:BE:57:08:20:25:05:08:46:EB:27:F6:CA:B7:83"
   end
   def signature_1
     @signature1 ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'certificate1'))
   end

metadata CHANGED

@@ -1,66 +1,54 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification
 name: ruby-saml
-version: !ruby/object:Gem::Version
-  hash: 61
-  prerelease:
-  segments:
-  - 0
-  - 8
-  - 1
-  version: 0.8.1
+version: !ruby/object:Gem::Version
+  version: 0.8.2
 platform: ruby
-authors:
+authors:
 - OneLogin LLC
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-02-25 00:00:00 Z
-dependencies:
-- !ruby/object:Gem::Dependency
+date: 2015-01-26 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: uuid
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        hash: 5
-        segments:
-        - 2
-        - 3
-        version: "2.3"
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
   type: :runtime
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency
-  name: nokogiri
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement
-    none: false
-    requirements:
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
     - - ">="
-      - !ruby/object:Gem::Version
-        hash: 3
-        segments:
-        - 1
-        - 5
-        - 0
+      - !ruby/object:Gem::Version
         version: 1.5.0
   type: :runtime
-  version_requirements: *id002
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.5.0
 description: SAML toolkit for Ruby on Rails
 email: support@onelogin.com
 executables: []
 extensions: []
-extra_rdoc_files:
+extra_rdoc_files:
 - LICENSE
 - README.md
-files:
-- .document
-- .gitignore
-- .travis.yml
+files:
+- ".document"
+- ".gitignore"
+- ".travis.yml"
 - Gemfile
 - LICENSE
 - README.md
@@ -101,6 +89,7 @@ files:
 - test/responses/response3.xml.base64
 - test/responses/response4.xml.base64
 - test/responses/response5.xml.base64
+- test/responses/response_eval.xml
 - test/responses/response_with_ampersands.xml
 - test/responses/response_with_ampersands.xml.base64
 - test/responses/simple_saml_php.xml
@@ -111,38 +100,29 @@ files:
 - test/xml_security_test.rb
 homepage: http://github.com/onelogin/ruby-saml
 licenses: []
+metadata: {}
 post_install_message:
-rdoc_options:
-- --charset=UTF-8
-require_paths:
+rdoc_options:
+- "--charset=UTF-8"
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
-  requirements:
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
   - - ">="
-    - !ruby/object:Gem::Version
-      hash: 3
-      segments:
-      - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
-  requirements:
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
   - - ">="
-    - !ruby/object:Gem::Version
-      hash: 3
-      segments:
-      - 0
-      version: "0"
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
 rubyforge_project: http://www.rubygems.org/gems/ruby-saml
-rubygems_version: 1.8.25
+rubygems_version: 2.2.2
 signing_key:
-specification_version: 3
+specification_version: 4
 summary: SAML Ruby Tookit
-test_files:
+test_files:
 - test/certificates/certificate1
 - test/certificates/r1_certificate2_base64
 - test/logoutrequest_test.rb
@@ -162,6 +142,7 @@ test_files:
 - test/responses/response3.xml.base64
 - test/responses/response4.xml.base64
 - test/responses/response5.xml.base64
+- test/responses/response_eval.xml
 - test/responses/response_with_ampersands.xml
 - test/responses/response_with_ampersands.xml.base64
 - test/responses/simple_saml_php.xml