ruby-saml 0.8.1 → 0.8.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/Gemfile +21 -9
- data/changelog.md +11 -1
- data/lib/onelogin/ruby-saml/response.rb +12 -2
- data/lib/onelogin/ruby-saml/version.rb +1 -1
- data/test/response_test.rb +8 -0
- data/test/responses/response_eval.xml +7 -0
- data/test/test_helper.rb +1 -2
- metadata +50 -69
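--- /dev/null
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA1:
+metadata.gz: 54aff65643a4409b0e306515c9f92ae634db3238
+data.tar.gz: c9fe0db4412806b434a8bb36503ecbd7939ffa36
+SHA512:
+metadata.gz: 07d26360f0145816ce08a5e109eae2a9c0f233154fdceb8178b69f1e9d72210baeebaa5ee978c973d6764dfd0a1d28f4ff0ea1e6beef90023a26383c342c3892
+data.tar.gz: ee10bbde3c20e9ad2ec658506608a6d705ea9692f4c1577506e6a90b56db858f752f800300cf012e01319531d0b5f8aafcfe0f25b15b8681a2b81f7fed4c2fd4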
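--- a/data/Gemfile
+++ b/data/Gemfile
@@ -1,15 +1,27 @@
+#
+# Please keep this file alphabetized and organized
+#
 source 'http://rubygems.org'
 
 gemspec
 
 group :test do
-
-
-
-
-
-
-
-
-
+if RUBY_VERSION < '1.9'
+gem 'nokogiri', '~> 1.5.0'
+gem 'ruby-debug', '~> 0.10.4'
+elsif RUBY_VERSION < '2.0'
+gem 'debugger-linecache', '~> 1.2.0'
+gem 'debugger', '~> 1.6.4'
+elsif RUBY_VERSION < '2.1'
+gem 'byebug', '~> 2.1.1'
+else
+gem 'pry-byebug'
+end
+
+gem 'mocha', '~> 0.14', :require => false
+gem 'rake', '~> 10'
+gem 'shoulda', '~> 2.11'
+gem 'systemu', '~> 2'
+gem 'test-unit', '~> 3'
+gem 'timecop', '<= 0.6.0'
 end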
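Review bot: `source 'http://rubygems.org'` (Gemfile line 4, the first context line of the hunk) still resolves every gem pinned below over plain HTTP, so the new version constraints fix which gems are wanted but not that the bytes fetched are the registry's; an on-path party can serve substituted gem files. Switching it to `source 'https://rubygems.org'` is a one-token change and a natural companion to a security release. The `group :test do` block is opened and closed inside the hunk, so nothing else is affected.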
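--- a/data/changelog.md
+++ b/data/changelog.md
@@ -1,7 +1,17 @@
 # RubySaml Changelog
 
+### 0.8.2 (Jan 26, 2014)
+* [#183](https://github.com/onelogin/ruby-saml/pull/183) Resolved a security vulnerability where string interpolation in a `REXML::XPath.first()` method call allowed for arbitrary code execution.
+
 ### 0.8.0 (Feb 21, 2014)
-
+**IMPORTANT**: This release changed namespace of the gem from `OneLogin::Saml` to `OneLogin::RubySaml`. Please update your implementations of the gem accordingly.
+
+* [#111](https://github.com/onelogin/ruby-saml/pull/111) `Onelogin::` is `OneLogin::`
+* [#108](https://github.com/onelogin/ruby-saml/pull/108) Change namespacing from `Onelogin::Saml` to `Onelogin::Rubysaml`
+
 
 ### 0.7.3 (Feb 20, 2014)
 Updated gem dependencies to be compatible with Ruby 1.8.7-p374 and 1.9.3-p448. Removed unnecessary `canonix` gem dependency.
+
+* [#107](https://github.com/onelogin/ruby-saml/pull/107) Relax nokogiri version requirement to >= 1.5.0
+* [#105](https://github.com/onelogin/ruby-saml/pull/105) Lock Gem versions, fix to resolve possible namespace collision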
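--- a/data/lib/onelogin/ruby-saml/response.rb
+++ b/data/lib/onelogin/ruby-saml/response.rb
@@ -151,8 +151,18 @@ module OneLogin
 end
 
 def xpath_first_from_signed_assertion(subelt=nil)
-node = REXML::XPath.first(
-
+node = REXML::XPath.first(
+document,
+"/p:Response/a:Assertion[@ID=$id]#{subelt}",
+{ "p" => PROTOCOL, "a" => ASSERTION },
+{ 'id' => document.signed_element_id }
+)
+node ||= REXML::XPath.first(
+document,
+"/p:Response[@ID=$id]/a:Assertion#{subelt}",
+{ "p" => PROTOCOL, "a" => ASSERTION },
+{ 'id' => document.signed_element_id }
+)
 node
 end
 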
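Review bot: `subelt` is still interpolated directly into both XPath strings (new lines 156 and 162), so binding the signed element id as `$id` closes the hole only for `document.signed_element_id`; a caller that ever passes document- or request-derived text as `subelt` would reach the same REXML expression-evaluation path that the `response_eval.xml` fixture exercises through its `ds:Reference URI`. The callers are outside this hunk, so the contract belongs on the method itself: `# subelt must be a fixed, code-literal XPath suffix; never build it from the document or request. The signed element id is bound as $id so REXML treats it as data, not expression text.` If every call site indeed passes a short `/a:Element`-style suffix, rejecting anything else up front with `raise ArgumentError, "unexpected subelt: #{subelt.inspect}" unless subelt.nil? || subelt =~ %r{\A(/[\w:-]+)*\z}` would make that assumption enforceable, though the pattern needs checking against the real callers. `def xpath_first_from_signed_assertion` and its `end` are both inside the hunk.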
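--- a/data/test/response_test.rb
+++ b/data/test/response_test.rb
@@ -254,5 +254,13 @@ class RubySamlTest < Test::Unit::TestCase
 end
 end
 
+context '#xpath_first_from_signed_assertion' do
+should 'not allow arbitrary code execution' do
+malicious_response_document = fixture('response_eval', false)
+response = OneLogin::RubySaml::Response.new(malicious_response_document)
+response.send(:xpath_first_from_signed_assertion)
+assert_equal($evalled, nil)
+end
+end
 end
 end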
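Review bot: `assert_equal($evalled, nil)` on new line 262 has Test::Unit's expected/actual order reversed, so a regression would be reported as "<true> expected but was <nil>", and the only thing it checks is that a process-wide global was never assigned; `assert_nil $evalled` states the same intent without the ordering trap. The lookup result on line 261 is discarded; capturing it as `node = response.send(:xpath_first_from_signed_assertion)` and adding `assert_nil node` would also pin that the hostile `ds:Reference URI` matches nothing, which should hold for this fixture since it carries no `a:Assertion`. The new `context` block opens and closes inside the hunk.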
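--- /dev/null
+++ b/data/test/responses/response_eval.xml
@@ -0,0 +1,7 @@
+<saml:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:protocol">
+<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<ds:SignedInfo>
+<ds:Reference URI="#x'] or eval('$evalled = true') or /[@ID='v"/>
+</ds:SignedInfo>
+</ds:Signature>
+</saml:Response>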
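--- a/data/test/test_helper.rb
+++ b/data/test/test_helper.rb
@@ -1,7 +1,6 @@
 require 'rubygems'
 require 'test/unit'
 require 'shoulda'
-require 'ruby-debug'
 require 'mocha/setup'
 require 'timecop'
 
@@ -63,7 +62,7 @@ class Test::Unit::TestCase
 def signature_fingerprint_1
 @signature_fingerprint1 ||= "C5:19:85:D9:47:F1:BE:57:08:20:25:05:08:46:EB:27:F6:CA:B7:83"
 end
-
+
 def signature_1
 @signature1 ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'certificate1'))
 end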
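--- a/metadata
+++ b/metadata
@@ -1,66 +1,54 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification
 name: ruby-saml
-version: !ruby/object:Gem::Version
-
-prerelease:
-segments:
-- 0
-- 8
-- 1
-version: 0.8.1
+version: !ruby/object:Gem::Version
+version: 0.8.2
 platform: ruby
-authors:
+authors:
 - OneLogin LLC
 autorequire:
 bindir: bin
 cert_chain: []
-
-
-
-- !ruby/object:Gem::Dependency
+date: 2015-01-26 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
 name: uuid
-
-
-
-
-
-- !ruby/object:Gem::Version
-hash: 5
-segments:
-- 2
-- 3
-version: "2.3"
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '2.3'
 type: :runtime
-version_requirements: *id001
-- !ruby/object:Gem::Dependency
-name: nokogiri
 prerelease: false
-
-
-
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '2.3'
+- !ruby/object:Gem::Dependency
+name: nokogiri
+requirement: !ruby/object:Gem::Requirement
+requirements:
 - - ">="
-- !ruby/object:Gem::Version
-hash: 3
-segments:
-- 1
-- 5
-- 0
+- !ruby/object:Gem::Version
 version: 1.5.0
 type: :runtime
-
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: 1.5.0
 description: SAML toolkit for Ruby on Rails
 email: support@onelogin.com
 executables: []
-
 extensions: []
-
-extra_rdoc_files:
+extra_rdoc_files:
 - LICENSE
 - README.md
-files:
-- .document
-- .gitignore
-- .travis.yml
+files:
+- ".document"
+- ".gitignore"
+- ".travis.yml"
 - Gemfile
 - LICENSE
 - README.md
@@ -101,6 +89,7 @@ files:
 - test/responses/response3.xml.base64
 - test/responses/response4.xml.base64
 - test/responses/response5.xml.base64
+- test/responses/response_eval.xml
 - test/responses/response_with_ampersands.xml
 - test/responses/response_with_ampersands.xml.base64
 - test/responses/simple_saml_php.xml
@@ -111,38 +100,29 @@ files:
 - test/xml_security_test.rb
 homepage: http://github.com/onelogin/ruby-saml
 licenses: []
-
+metadata: {}
 post_install_message:
-rdoc_options:
-- --charset=UTF-8
-require_paths:
+rdoc_options:
+- "--charset=UTF-8"
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
-
-requirements:
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
 - - ">="
-- !ruby/object:Gem::Version
-
-
-
-version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement
-none: false
-requirements:
+- !ruby/object:Gem::Version
+version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
 - - ">="
-- !ruby/object:Gem::Version
-
-segments:
-- 0
-version: "0"
+- !ruby/object:Gem::Version
+version: '0'
 requirements: []
-
 rubyforge_project: http://www.rubygems.org/gems/ruby-saml
-rubygems_version:
+rubygems_version: 2.2.2
 signing_key:
-specification_version:
+specification_version: 4
 summary: SAML Ruby Tookit
-test_files:
+test_files:
 - test/certificates/certificate1
 - test/certificates/r1_certificate2_base64
 - test/logoutrequest_test.rb
@@ -162,6 +142,7 @@ test_files:
 - test/responses/response3.xml.base64
 - test/responses/response4.xml.base64
 - test/responses/response5.xml.base64
+- test/responses/response_eval.xml
 - test/responses/response_with_ampersands.xml
 - test/responses/response_with_ampersands.xml.base64
 - test/responses/simple_saml_php.xml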