ruby-saml 1.12.1 → 1.12.3
- checksums.yaml +4 -4
- data/changelog.md +6 -0
- data/lib/onelogin/ruby-saml/logoutrequest.rb +4 -4
- data/lib/onelogin/ruby-saml/slo_logoutresponse.rb +5 -4
- data/lib/onelogin/ruby-saml/version.rb +1 -1
- data/lib/xml_security.rb +20 -7
- metadata +6 -6
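--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: e6df1fb5db61569b11ce73e3151ae3219c435be967a5f419b8e65750b49754d5
+data.tar.gz: 21610b15b73a43d72364c9967bc4da29625275250656bcf253e12e391c1929af
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 5e61a0bf5ac8028b356ab2edb614c710c3f590e0fef82812418d87e50ad81f360d56b9ff02b24c810323a2c39937318904292d4a23e4cd096c142f814537eb86
+data.tar.gz: 102d27888bbc4edd3fd89fda071c16fca3bbd3cf2e9283c66c6fc499ef1e6d2cb6b05481d2798809f920a5d99d6722d9d97422d1fe61765337362280603b9fbe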
data/changelog.md
CHANGED
@@ -1,5 +1,11 @@
|
|
1
1
|
# RubySaml Changelog
|
2
2
|
|
3
|
+
### 1.12.3 (Sep 10, 2024)
|
4
|
+
* Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via Incorrect XPath selector
|
5
|
+
|
6
|
+
### 1.12.2 (Apr 08, 2022)
|
7
|
+
* [575](https://github.com/onelogin/ruby-saml/pull/575) Fix SloLogoutresponse bug on LogoutRequest
|
8
|
+
|
3
9
|
### 1.12.1 (Apr 05, 2022)
|
4
10
|
* Fix XPath typo incompatible with Rexml 3.2.5
|
5
11
|
* Refactor GCM support
|
@@ -32,14 +32,14 @@ module OneLogin
|
|
32
32
|
#
|
33
33
|
def create(settings, params={})
|
34
34
|
params = create_params(settings, params)
|
35
|
-
params_prefix = (settings.
|
35
|
+
params_prefix = (settings.idp_slo_service_url =~ /\?/) ? '&' : '?'
|
36
36
|
saml_request = CGI.escape(params.delete("SAMLRequest"))
|
37
37
|
request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
|
38
38
|
params.each_pair do |key, value|
|
39
39
|
request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
|
40
40
|
end
|
41
|
-
raise SettingError.new "Invalid settings,
|
42
|
-
@logout_url = settings.
|
41
|
+
raise SettingError.new "Invalid settings, idp_slo_service_url is not set!" if settings.idp_slo_service_url.nil? or settings.idp_slo_service_url.empty?
|
42
|
+
@logout_url = settings.idp_slo_service_url + request_params
|
43
43
|
end
|
44
44
|
|
45
45
|
# Creates the Get parameters for the logout request.
|
@@ -109,7 +109,7 @@ module OneLogin
|
|
109
109
|
root.attributes['ID'] = uuid
|
110
110
|
root.attributes['IssueInstant'] = time
|
111
111
|
root.attributes['Version'] = "2.0"
|
112
|
-
root.attributes['Destination'] = settings.
|
112
|
+
root.attributes['Destination'] = settings.idp_slo_service_url unless settings.idp_slo_service_url.nil? or settings.idp_slo_service_url.empty?
|
113
113
|
|
114
114
|
if settings.sp_entity_id
|
115
115
|
issuer = root.add_element "saml:Issuer"
|
@@ -36,15 +36,15 @@ module OneLogin
|
|
36
36
|
#
|
37
37
|
def create(settings, request_id = nil, logout_message = nil, params = {}, logout_status_code = nil)
|
38
38
|
params = create_params(settings, request_id, logout_message, params, logout_status_code)
|
39
|
-
params_prefix = (settings.
|
40
|
-
url = settings.idp_slo_response_service_url || settings.
|
39
|
+
params_prefix = (settings.idp_slo_service_url =~ /\?/) ? '&' : '?'
|
40
|
+
url = settings.idp_slo_response_service_url || settings.idp_slo_service_url
|
41
41
|
saml_response = CGI.escape(params.delete("SAMLResponse"))
|
42
42
|
response_params = "#{params_prefix}SAMLResponse=#{saml_response}"
|
43
43
|
params.each_pair do |key, value|
|
44
44
|
response_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
|
45
45
|
end
|
46
46
|
|
47
|
-
raise SettingError.new "Invalid settings,
|
47
|
+
raise SettingError.new "Invalid settings, idp_slo_service_url is not set!" if url.nil? or url.empty?
|
48
48
|
@logout_url = url + response_params
|
49
49
|
end
|
50
50
|
|
@@ -117,7 +117,8 @@ module OneLogin
|
|
117
117
|
response_doc = XMLSecurity::Document.new
|
118
118
|
response_doc.uuid = uuid
|
119
119
|
|
120
|
-
destination = settings.idp_slo_response_service_url || settings.
|
120
|
+
destination = settings.idp_slo_response_service_url || settings.idp_slo_service_url
|
121
|
+
|
121
122
|
|
122
123
|
root = response_doc.add_element 'samlp:LogoutResponse', { 'xmlns:samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol', "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
|
123
124
|
root.attributes['ID'] = uuid
|
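Review bot: In the `create` method of the `@@ -36,15 +36,15 @@` hunk (slo_logoutresponse.rb according to the diffstat; the page drops that file header), `params_prefix` is still derived from `settings.idp_slo_service_url` while the URL it is appended to is `url = settings.idp_slo_response_service_url || settings.idp_slo_service_url`, so when only `idp_slo_response_service_url` is configured the separator is chosen from a string that may be nil or carry a different query string, and a response URL that already has a `?` can end up with a second one. Computing the prefix once the effective URL is known fixes it: keep `url = settings.idp_slo_response_service_url || settings.idp_slo_service_url` first and follow it with `params_prefix = (url =~ /\?/) ? '&' : '?'`. The `or` in the guard `raise SettingError.new "Invalid settings, idp_slo_service_url is not set!" if url.nil? or url.empty?` (and the matching guard in the logoutrequest.rb hunk) is the low-precedence keyword form; `||` is the conventional operator here.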
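--- a/data/lib/xml_security.rb
+++ b/data/lib/xml_security.rb
@@ -312,17 +312,30 @@ module XMLSecurity
 canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
 noko_sig_element.remove
 
+# get signed info
+signed_info_element = REXML::XPath.first(
+sig_element,
+"./ds:SignedInfo",
+{ "ds" => DSIG }
+)
+
 # get inclusive namespaces
 inclusive_namespaces = extract_inclusive_namespaces
 
 # check digests
-ref = REXML::XPath.first(
+ref = REXML::XPath.first(signed_info_element, "./ds:Reference", {"ds"=>DSIG})
 
-
+reference_nodes = document.xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id })
+
+if reference_nodes.length > 1 # ensures no elements with same ID to prevent signature wrapping attack.
+return append_error("Duplicated IDs found", soft)
+end
+
+hashed_element = reference_nodes[0]
 
 canon_algorithm = canon_algorithm REXML::XPath.first(
-
-'
+signed_info_element,
+'./ds:CanonicalizationMethod',
 { "ds" => DSIG }
 )
 
@@ -332,13 +345,13 @@ module XMLSecurity
 
 digest_algorithm = algorithm(REXML::XPath.first(
 ref,
-"
+"./ds:DigestMethod",
 { "ds" => DSIG }
 ))
 hash = digest_algorithm.digest(canon_hashed_element)
 encoded_digest_value = REXML::XPath.first(
 ref,
-"
+"./ds:DigestValue",
 { "ds" => DSIG }
 )
 digest_value = Base64.decode64(OneLogin::RubySaml::Utils.element_text(encoded_digest_value))
@@ -364,7 +377,7 @@ module XMLSecurity
 def process_transforms(ref, canon_algorithm)
 transforms = REXML::XPath.match(
 ref,
-"
+"./ds:Transforms/ds:Transform",
 { "ds" => DSIG }
 )
 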
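Review bot: `hashed_element = reference_nodes[0]` on the new side of the `@@ -312,17 +312,30 @@` hunk has no guard for an empty result, so a document in which no element carries the referenced ID leaves `hashed_element` nil and the failure presumably surfaces later, where `canon_hashed_element` is produced (outside the hunk), instead of as a validation error through `append_error`. The duplicate check directly above only covers `length > 1`; adding `return append_error("Signed element not found", soft) if reference_nodes.empty?` before the assignment keeps the two outcomes symmetric and respects the `soft` contract the duplicate branch already uses. `signed_info_element` and `ref` are likewise passed on unchecked when `./ds:SignedInfo` or `./ds:Reference` is absent, which would merit the same treatment. The enclosing method starts before and ends after this hunk.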
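--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ruby-saml
 version: !ruby/object:Gem::Version
-version: 1.12.
+version: 1.12.3
 platform: ruby
 authors:
 - OneLogin LLC
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2024-09-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: nokogiri
@@ -220,7 +220,7 @@ homepage: https://github.com/onelogin/ruby-saml
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options:
 - "--charset=UTF-8"
 require_paths:
@@ -236,8 +236,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.
-signing_key:
+rubygems_version: 3.3.26
+signing_key:
 specification_version: 4
 summary: SAML Ruby Tookit
 test_files: []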