ruby-saml 1.12.1 → 1.12.3



checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 3ac80594648fe4830b965c65366f8bb261a4edfe148c9e929f352b39a1b3428f
4
- data.tar.gz: b6379aa66a89f2074f434e8c97163022d533e1cdc30c20555135c2e4c82353b4
3
+ metadata.gz: e6df1fb5db61569b11ce73e3151ae3219c435be967a5f419b8e65750b49754d5
4
+ data.tar.gz: 21610b15b73a43d72364c9967bc4da29625275250656bcf253e12e391c1929af
5
5
  SHA512:
6
- metadata.gz: b1a380101d7684431209f4e8cc2704c8118621465c3b0a8efc623d573377e14706a4368eae6ea9ef1666da4c36e5e6a61ccae845d9f87e1bab98fbf2cd626ad6
7
- data.tar.gz: e251b75351483f04d21bc4228af9752cab4d0cc4568952835960363671c28f9e38e62f9b727bde5d62b3a39e095593041e1e7dea9d93084fe6a87aef45a0f8ab
6
+ metadata.gz: 5e61a0bf5ac8028b356ab2edb614c710c3f590e0fef82812418d87e50ad81f360d56b9ff02b24c810323a2c39937318904292d4a23e4cd096c142f814537eb86
7
+ data.tar.gz: 102d27888bbc4edd3fd89fda071c16fca3bbd3cf2e9283c66c6fc499ef1e6d2cb6b05481d2798809f920a5d99d6722d9d97422d1fe61765337362280603b9fbe
data/changelog.md CHANGED
@@ -1,5 +1,11 @@
1
1
  # RubySaml Changelog
2
2
 
3
+ ### 1.12.3 (Sep 10, 2024)
4
+ * Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via Incorrect XPath selector
5
+
6
+ ### 1.12.2 (Apr 08, 2022)
7
+ * [575](https://github.com/onelogin/ruby-saml/pull/575) Fix SloLogoutresponse bug on LogoutRequest
8
+
3
9
  ### 1.12.1 (Apr 05, 2022)
4
10
  * Fix XPath typo incompatible with Rexml 3.2.5
5
11
  * Refactor GCM support
@@ -32,14 +32,14 @@ module OneLogin
32
32
  #
33
33
  def create(settings, params={})
34
34
  params = create_params(settings, params)
35
- params_prefix = (settings.idp_slo_target_url =~ /\?/) ? '&' : '?'
35
+ params_prefix = (settings.idp_slo_service_url =~ /\?/) ? '&' : '?'
36
36
  saml_request = CGI.escape(params.delete("SAMLRequest"))
37
37
  request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
38
38
  params.each_pair do |key, value|
39
39
  request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
40
40
  end
41
- raise SettingError.new "Invalid settings, idp_slo_target_url is not set!" if settings.idp_slo_target_url.nil? or settings.idp_slo_target_url.empty?
42
- @logout_url = settings.idp_slo_target_url + request_params
41
+ raise SettingError.new "Invalid settings, idp_slo_service_url is not set!" if settings.idp_slo_service_url.nil? or settings.idp_slo_service_url.empty?
42
+ @logout_url = settings.idp_slo_service_url + request_params
43
43
  end
44
44
 
45
45
  # Creates the Get parameters for the logout request.
@@ -109,7 +109,7 @@ module OneLogin
109
109
  root.attributes['ID'] = uuid
110
110
  root.attributes['IssueInstant'] = time
111
111
  root.attributes['Version'] = "2.0"
112
- root.attributes['Destination'] = settings.idp_slo_target_url unless settings.idp_slo_target_url.nil? or settings.idp_slo_target_url.empty?
112
+ root.attributes['Destination'] = settings.idp_slo_service_url unless settings.idp_slo_service_url.nil? or settings.idp_slo_service_url.empty?
113
113
 
114
114
  if settings.sp_entity_id
115
115
  issuer = root.add_element "saml:Issuer"
@@ -36,15 +36,15 @@ module OneLogin
36
36
  #
37
37
  def create(settings, request_id = nil, logout_message = nil, params = {}, logout_status_code = nil)
38
38
  params = create_params(settings, request_id, logout_message, params, logout_status_code)
39
- params_prefix = (settings.idp_slo_target_url =~ /\?/) ? '&' : '?'
40
- url = settings.idp_slo_response_service_url || settings.idp_slo_target_url
39
+ params_prefix = (settings.idp_slo_service_url =~ /\?/) ? '&' : '?'
40
+ url = settings.idp_slo_response_service_url || settings.idp_slo_service_url
41
41
  saml_response = CGI.escape(params.delete("SAMLResponse"))
42
42
  response_params = "#{params_prefix}SAMLResponse=#{saml_response}"
43
43
  params.each_pair do |key, value|
44
44
  response_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
45
45
  end
46
46
 
47
- raise SettingError.new "Invalid settings, idp_slo_target_url is not set!" if url.nil? or url.empty?
47
+ raise SettingError.new "Invalid settings, idp_slo_service_url is not set!" if url.nil? or url.empty?
48
48
  @logout_url = url + response_params
49
49
  end
50
50
 
@@ -117,7 +117,8 @@ module OneLogin
117
117
  response_doc = XMLSecurity::Document.new
118
118
  response_doc.uuid = uuid
119
119
 
120
- destination = settings.idp_slo_response_service_url || settings.idp_slo_target_url
120
+ destination = settings.idp_slo_response_service_url || settings.idp_slo_service_url
121
+
121
122
 
122
123
  root = response_doc.add_element 'samlp:LogoutResponse', { 'xmlns:samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol', "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
123
124
  root.attributes['ID'] = uuid
@@ -1,5 +1,5 @@
1
1
  module OneLogin
2
2
  module RubySaml
3
- VERSION = '1.12.1'
3
+ VERSION = '1.12.3'
4
4
  end
5
5
  end
data/lib/xml_security.rb CHANGED
@@ -312,17 +312,30 @@ module XMLSecurity
312
312
  canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
313
313
  noko_sig_element.remove
314
314
 
315
+ # get signed info
316
+ signed_info_element = REXML::XPath.first(
317
+ sig_element,
318
+ "./ds:SignedInfo",
319
+ { "ds" => DSIG }
320
+ )
321
+
315
322
  # get inclusive namespaces
316
323
  inclusive_namespaces = extract_inclusive_namespaces
317
324
 
318
325
  # check digests
319
- ref = REXML::XPath.first(sig_element, "//ds:Reference", {"ds"=>DSIG})
326
+ ref = REXML::XPath.first(signed_info_element, "./ds:Reference", {"ds"=>DSIG})
320
327
 
321
- hashed_element = document.at_xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id })
328
+ reference_nodes = document.xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id })
329
+
330
+ if reference_nodes.length > 1 # ensures no elements with same ID to prevent signature wrapping attack.
331
+ return append_error("Duplicated IDs found", soft)
332
+ end
333
+
334
+ hashed_element = reference_nodes[0]
322
335
 
323
336
  canon_algorithm = canon_algorithm REXML::XPath.first(
324
- ref,
325
- '//ds:CanonicalizationMethod',
337
+ signed_info_element,
338
+ './ds:CanonicalizationMethod',
326
339
  { "ds" => DSIG }
327
340
  )
328
341
 
@@ -332,13 +345,13 @@ module XMLSecurity
332
345
 
333
346
  digest_algorithm = algorithm(REXML::XPath.first(
334
347
  ref,
335
- "//ds:DigestMethod",
348
+ "./ds:DigestMethod",
336
349
  { "ds" => DSIG }
337
350
  ))
338
351
  hash = digest_algorithm.digest(canon_hashed_element)
339
352
  encoded_digest_value = REXML::XPath.first(
340
353
  ref,
341
- "//ds:DigestValue",
354
+ "./ds:DigestValue",
342
355
  { "ds" => DSIG }
343
356
  )
344
357
  digest_value = Base64.decode64(OneLogin::RubySaml::Utils.element_text(encoded_digest_value))
@@ -364,7 +377,7 @@ module XMLSecurity
364
377
  def process_transforms(ref, canon_algorithm)
365
378
  transforms = REXML::XPath.match(
366
379
  ref,
367
- "//ds:Transforms/ds:Transform",
380
+ "./ds:Transforms/ds:Transform",
368
381
  { "ds" => DSIG }
369
382
  )
370
383
 
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: ruby-saml
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.12.1
4
+ version: 1.12.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - OneLogin LLC
8
- autorequire:
8
+ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-04-05 00:00:00.000000000 Z
11
+ date: 2024-09-10 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: nokogiri
@@ -220,7 +220,7 @@ homepage: https://github.com/onelogin/ruby-saml
220
220
  licenses:
221
221
  - MIT
222
222
  metadata: {}
223
- post_install_message:
223
+ post_install_message:
224
224
  rdoc_options:
225
225
  - "--charset=UTF-8"
226
226
  require_paths:
@@ -236,8 +236,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
236
236
  - !ruby/object:Gem::Version
237
237
  version: '0'
238
238
  requirements: []
239
- rubygems_version: 3.0.8
240
- signing_key:
239
+ rubygems_version: 3.3.26
240
+ signing_key:
241
241
  specification_version: 4
242
242
  summary: SAML Ruby Tookit
243
243
  test_files: []