ruby-saml 1.12.2 → 1.12.3

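--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 25c4115dff650511c702291e7e6e3277a2c50c43b603c4cf68ae1473b3c061b5
-data.tar.gz: 375b631e4059b50e112f4fc5b890e48c000ddae894fdef7cc665b9a58bad5b7a
+metadata.gz: e6df1fb5db61569b11ce73e3151ae3219c435be967a5f419b8e65750b49754d5
+data.tar.gz: 21610b15b73a43d72364c9967bc4da29625275250656bcf253e12e391c1929af
 SHA512:
-metadata.gz: 1207da19dae7cb853704a0dbbd1d55791156d6703a5d3162adaa4d47ea1e645e4806687392db53c8c3e9c0a51b2fbb45772b8202975565f9157d32b707fd56a1
-data.tar.gz: 9a4a9ba94e5ffd0eb24ef08e4a45435dec63333b2cbf1a0f0ecc164ce0569bb8720941c88874d64aef8524bebb5209bd70299e0e5bbdc953b7546aa055da58be
+metadata.gz: 5e61a0bf5ac8028b356ab2edb614c710c3f590e0fef82812418d87e50ad81f360d56b9ff02b24c810323a2c39937318904292d4a23e4cd096c142f814537eb86
+data.tar.gz: 102d27888bbc4edd3fd89fda071c16fca3bbd3cf2e9283c66c6fc499ef1e6d2cb6b05481d2798809f920a5d99d6722d9d97422d1fe61765337362280603b9fbe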
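--- a/data/changelog.md
+++ b/data/changelog.md
@@ -1,5 +1,8 @@
 # RubySaml Changelog
 
+### 1.12.3 (Sep 10, 2024)
+* Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via Incorrect XPath selector
+
 ### 1.12.2 (Apr 08, 2022)
 * [575](https://github.com/onelogin/ruby-saml/pull/575) Fix SloLogoutresponse bug on LogoutRequest
 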
@@ -1,5 +1,5 @@
1
1
  module OneLogin
2
2
  module RubySaml
3
- VERSION = '1.12.2'
3
+ VERSION = '1.12.3'
4
4
  end
5
5
  end
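--- a/data/lib/xml_security.rb
+++ b/data/lib/xml_security.rb
@@ -312,17 +312,30 @@ module XMLSecurity
 canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
 noko_sig_element.remove
 
+# get signed info
+signed_info_element = REXML::XPath.first(
+sig_element,
+"./ds:SignedInfo",
+{ "ds" => DSIG }
+)
+
 # get inclusive namespaces
 inclusive_namespaces = extract_inclusive_namespaces
 
 # check digests
-ref = REXML::XPath.first(sig_element, "//ds:Reference", {"ds"=>DSIG})
+ref = REXML::XPath.first(signed_info_element, "./ds:Reference", {"ds"=>DSIG})
 
-hashed_element = document.at_xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id })
+reference_nodes = document.xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id })
+
+if reference_nodes.length > 1 # ensures no elements with same ID to prevent signature wrapping attack.
+return append_error("Duplicated IDs found", soft)
+end
+
+hashed_element = reference_nodes[0]
 
 canon_algorithm = canon_algorithm REXML::XPath.first(
-ref,
-'//ds:CanonicalizationMethod',
+signed_info_element,
+'./ds:CanonicalizationMethod',
 { "ds" => DSIG }
 )
 
@@ -332,13 +345,13 @@ module XMLSecurity
 
 digest_algorithm = algorithm(REXML::XPath.first(
 ref,
-"//ds:DigestMethod",
+"./ds:DigestMethod",
 { "ds" => DSIG }
 ))
 hash = digest_algorithm.digest(canon_hashed_element)
 encoded_digest_value = REXML::XPath.first(
 ref,
-"//ds:DigestValue",
+"./ds:DigestValue",
 { "ds" => DSIG }
 )
 digest_value = Base64.decode64(OneLogin::RubySaml::Utils.element_text(encoded_digest_value))
@@ -364,7 +377,7 @@ module XMLSecurity
 def process_transforms(ref, canon_algorithm)
 transforms = REXML::XPath.match(
 ref,
-"//ds:Transforms/ds:Transform",
+"./ds:Transforms/ds:Transform",
 { "ds" => DSIG }
 )
 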
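--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ruby-saml
 version: !ruby/object:Gem::Version
-version: 1.12.2
+version: 1.12.3
 platform: ruby
 authors:
 - OneLogin LLC
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-04-08 00:00:00.000000000 Z
+date: 2024-09-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: nokogiri
@@ -220,7 +220,7 @@ homepage: https://github.com/onelogin/ruby-saml
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options:
 - "--charset=UTF-8"
 require_paths:
@@ -236,8 +236,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.0.8
-signing_key: 
+rubygems_version: 3.3.26
+signing_key:
 specification_version: 4
 summary: SAML Ruby Tookit
 test_files: []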