ruby-saml 1.12.2 → 1.12.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 25c4115dff650511c702291e7e6e3277a2c50c43b603c4cf68ae1473b3c061b5
-  data.tar.gz: 375b631e4059b50e112f4fc5b890e48c000ddae894fdef7cc665b9a58bad5b7a
+  metadata.gz: 6c7575733bfd28deef0060550daede564f894f423c6749d71007b475694e5409
+  data.tar.gz: 4f925319b91da371cecdcb0946f617b056b9f6fbe1665dd5e5ccf2afff9f24a8
 SHA512:
-  metadata.gz: 1207da19dae7cb853704a0dbbd1d55791156d6703a5d3162adaa4d47ea1e645e4806687392db53c8c3e9c0a51b2fbb45772b8202975565f9157d32b707fd56a1
-  data.tar.gz: 9a4a9ba94e5ffd0eb24ef08e4a45435dec63333b2cbf1a0f0ecc164ce0569bb8720941c88874d64aef8524bebb5209bd70299e0e5bbdc953b7546aa055da58be
+  metadata.gz: b378e2c5e13810c280783154c7fe25a0c287e89a12698aa65a9d33873b44987b5f2cd0f0676b797fdefad86f993975b10d29a9a5665513ff68ed064efd7c41c1
+  data.tar.gz: 1b370d8753b3104ae3b8bc9e1f1c2ddd067abee96a5ea9b896cf2e0571e6999564a92df78aa5d55266821185a77770cf2f2166a2b944fde5ed6216e2b3c4b7f1

data/.github/workflows/test.yml

@@ -0,0 +1,65 @@
+name: ruby-saml CI
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    name: Unit test
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - ubuntu-20.04
+          - macos-latest
+          - windows-latest
+        ruby-version:
+          - 2.1
+          - 2.2
+          - 2.3
+          - 2.4
+          - 2.5
+          - 2.6
+          - 2.7
+          - 3.0
+          - jruby-9.1
+          - jruby-9.2
+        exclude:
+          - os: macos-latest
+            ruby-version: 2.1
+          - os: macos-latest
+            ruby-version: 2.2
+          - os: macos-latest
+            ruby-version: 2.3
+          - os: macos-latest
+            ruby-version: 2.4
+          - os: macos-latest
+            ruby-version: 2.5
+          - os: macos-latest
+            ruby-version: jruby-9.1
+          - os: macos-latest
+            ruby-version: jruby-9.2
+          - os: windows-latest
+            ruby-version: 2.1
+          - os: windows-latest
+            ruby-version: jruby-9.1
+          - os: windows-latest
+            ruby-version: jruby-9.2
+          - os: windows-latest
+            ruby-version: jruby-9.3
+          - os: windows-latest
+            ruby-version: jruby-9.4
+          - os: windows-latest
+            ruby-version: truffleruby
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Ruby ${{ matrix.ruby-version }}
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby-version }}
+
+      - name: Install dependencies
+        run: bundle install
+
+      - name: Run tests
+        run: bundle exec rake

data/changelog.md

@@ -1,4 +1,10 @@
 # RubySaml Changelog
+### 1.12.4 (Mar 12, 2025)
+* Fix vulnerabilities: CVE-2025-25291, CVE-2025-25292: SAML authentication bypass via Signature Wrapping attack allowed due parser differential.
+* Fix vulnerability: CVE-2025-25293: Potential DOS abusing of compressed messages.
+
+### 1.12.3 (Sep 10, 2024)
+* Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via Incorrect XPath selector
 
 ### 1.12.2 (Apr 08, 2022)
 * [575](https://github.com/onelogin/ruby-saml/pull/575) Fix SloLogoutresponse bug on LogoutRequest

data/lib/onelogin/ruby-saml/logoutresponse.rb

@@ -150,7 +150,8 @@ module OneLogin
       # @raise [ValidationError] if soft == false and validation fails
       #
       def validate_structure
-        unless valid_saml?(document, soft)
+        check_malformed_doc = check_malformed_doc?(settings)
+        unless valid_saml?(document, soft, check_malformed_doc)
           return append_error("Invalid SAML Logout Response. Not match the saml-schema-protocol-2.0.xsd")
         end
 

data/lib/onelogin/ruby-saml/response.rb

@@ -425,12 +425,13 @@ module OneLogin
       #
       def validate_structure
         structure_error_msg = "Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd"
-        unless valid_saml?(document, soft)
+        check_malformed_doc = check_malformed_doc_enabled?
+        unless valid_saml?(document, soft, check_malformed_doc)
           return append_error(structure_error_msg)
         end
 
         unless decrypted_document.nil?
-          unless valid_saml?(decrypted_document, soft)
+          unless valid_saml?(decrypted_document, soft, check_malformed_doc)
             return append_error(structure_error_msg)
           end
         end
@@ -865,6 +866,8 @@ module OneLogin
           fingerprint = settings.get_fingerprint
           opts[:cert] = idp_cert
 
+          check_malformed_doc = check_malformed_doc_enabled?
+          opts[:check_malformed_doc] = check_malformed_doc
           if fingerprint && doc.validate_document(fingerprint, @soft, opts)
             if settings.security[:check_idp_cert_expiration]
               if OneLogin::RubySaml::Utils.is_cert_expired(idp_cert)
@@ -879,7 +882,7 @@ module OneLogin
           valid = false
           expired = false
           idp_certs[:signing].each do |idp_cert|
-            valid = doc.validate_document_with_cert(idp_cert, true)
+            valid = doc.validate_document_with_cert(idp_cert, true, check_malformed_doc)
             if valid
               if settings.security[:check_idp_cert_expiration]
                 if OneLogin::RubySaml::Utils.is_cert_expired(idp_cert)
@@ -1063,6 +1066,10 @@ module OneLogin
           Time.parse(node.attributes[attribute])
         end
       end
+
+      def check_malformed_doc_enabled?
+        check_malformed_doc?(settings)
+      end
     end
   end
 end

data/lib/onelogin/ruby-saml/saml_message.rb

@@ -63,14 +63,13 @@ module OneLogin
       # Validates the SAML Message against the specified schema.
       # @param document [REXML::Document] The message that will be validated
       # @param soft [Boolean] soft Enable or Disable the soft mode (In order to raise exceptions when the message is invalid or not)
+      # @param check_malformed_doc [Boolean] check_malformed_doc Enable or Disable the check for malformed XML
       # @return [Boolean] True if the XML is valid, otherwise False, if soft=True
       # @raise [ValidationError] if soft == false and validation fails
       #
-      def valid_saml?(document, soft = true)
+      def valid_saml?(document, soft = true, check_malformed_doc = true)
         begin
-          xml = Nokogiri::XML(document.to_s) do |config|
-            config.options = XMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
-          end
+          xml = XMLSecurity::BaseDocument.safe_load_xml(document, check_malformed_doc)
         rescue Exception => error
           return false if soft
           raise ValidationError.new("XML load failed: #{error.message}")
@@ -97,10 +96,16 @@ module OneLogin
 
         decoded = decode(saml)
         begin
-          inflate(decoded)
+            message = inflate(decoded)
         rescue
-          decoded
+            message = decoded
+        end
+
+        if message.bytesize > MAX_BYTE_SIZE
+          raise ValidationError.new("Encoded SAML Message exceeds " + MAX_BYTE_SIZE.to_s + " bytes, so was rejected")
         end
+
+        message
       end
 
       # Deflate, base64 encode and url-encode a SAML Message (To be used in the HTTP-redirect binding)
@@ -157,6 +162,12 @@ module OneLogin
       def deflate(inflated)
         Zlib::Deflate.deflate(inflated, 9)[2..-5]
       end
+
+      def check_malformed_doc?(settings)
+        default_value = OneLogin::RubySaml::Settings::DEFAULTS[:check_malformed_doc]
+
+        settings.nil? ? default_value : settings.check_malformed_doc
+      end
     end
   end
 end

data/lib/onelogin/ruby-saml/settings.rb

@@ -53,6 +53,7 @@ module OneLogin
       attr_accessor :compress_request
       attr_accessor :compress_response
       attr_accessor :double_quote_xml_attribute_values
+      attr_accessor :check_malformed_doc
       attr_accessor :passive
       attr_accessor :protocol_binding
       attr_accessor :attributes_index
@@ -259,6 +260,7 @@ module OneLogin
         :compress_request                          => true,
         :compress_response                         => true,
         :soft                                      => true,
+        :check_malformed_doc                       => true, 
         :double_quote_xml_attribute_values         => false,
         :security                                  => {
           :authn_requests_signed      => false,

data/lib/onelogin/ruby-saml/slo_logoutrequest.rb

@@ -199,7 +199,8 @@ module OneLogin
       # @raise [ValidationError] if soft == false and validation fails
       #
       def validate_structure
-        unless valid_saml?(document, soft)
+        check_malformed_doc = check_malformed_doc?(settings)
+        unless valid_saml?(document, soft, check_malformed_doc)
           return append_error("Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd")
         end
 

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '1.12.2'
+    VERSION = '1.12.4'
   end
 end

data/lib/xml_security.rb

@@ -42,6 +42,36 @@ module XMLSecurity
     NOKOGIRI_OPTIONS = Nokogiri::XML::ParseOptions::STRICT |
                        Nokogiri::XML::ParseOptions::NONET
 
+    # Safety load the SAML Message XML
+    # @param document [REXML::Document] The message to be loaded
+    # @param check_malformed_doc [Boolean] check_malformed_doc Enable or Disable the check for malformed XML
+    # @return [Nokogiri::XML] The nokogiri document
+    # @raise [ValidationError] If there was a problem loading the SAML Message XML
+    def self.safe_load_xml(document, check_malformed_doc = true)
+      doc_str = document.to_s
+      if doc_str.include?("<!DOCTYPE")
+       raise StandardError.new("Dangerous XML detected. No Doctype nodes allowed")
+      end
+
+      begin
+        xml = Nokogiri::XML(doc_str) do |config|
+          config.options = self::NOKOGIRI_OPTIONS
+        end
+      rescue StandardError => error
+        raise StandardError.new(error.message)
+      end
+
+      if xml.internal_subset
+        raise StandardError.new("Dangerous XML detected. No Doctype nodes allowed")
+      end
+
+      unless xml.errors.empty?
+        raise StandardError.new("There were XML errors when parsing: #{xml.errors}") if check_malformed_doc
+      end
+
+      xml
+    end
+
     def canon_algorithm(element)
       algorithm = element
       if algorithm.is_a?(REXML::Element)
@@ -114,10 +144,8 @@ module XMLSecurity
       #<KeyInfo />
       #<Object />
     #</Signature>
-    def sign_document(private_key, certificate, signature_method = RSA_SHA1, digest_method = SHA1)
-      noko = Nokogiri::XML(self.to_s) do |config|
-        config.options = XMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
-      end
+    def sign_document(private_key, certificate, signature_method = RSA_SHA1, digest_method = SHA1, check_malformed_doc = true)
+      noko = XMLSecurity::BaseDocument.safe_load_xml(self.to_s, check_malformed_doc)
 
       signature_element = REXML::Element.new("ds:Signature").add_namespace('ds', DSIG)
       signed_info_element = signature_element.add_element("ds:SignedInfo")
@@ -139,9 +167,7 @@ module XMLSecurity
       reference_element.add_element("ds:DigestValue").text = compute_digest(canon_doc, algorithm(digest_method_element))
 
       # add SignatureValue
-      noko_sig_element = Nokogiri::XML(signature_element.to_s) do |config|
-        config.options = XMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
-      end
+      noko_sig_element = XMLSecurity::BaseDocument.safe_load_xml(signature_element.to_s, check_malformed_doc)
 
       noko_signed_info_element = noko_sig_element.at_xpath('//ds:Signature/ds:SignedInfo', 'ds' => DSIG)
       canon_string = noko_signed_info_element.canonicalize(canon_algorithm(C14N))
@@ -237,10 +263,12 @@ module XMLSecurity
           end
         end
       end
-      validate_signature(base64_cert, soft)
+      check_malformed_doc = true
+      check_malformed_doc = options[:check_malformed_doc] if options.key?(:check_malformed_doc)
+      validate_signature(base64_cert, soft, check_malformed_doc)
     end
 
-    def validate_document_with_cert(idp_cert, soft = true)
+    def validate_document_with_cert(idp_cert, soft = true, check_malformed_doc = true)
       # get cert from response
       cert_element = REXML::XPath.first(
         self,
@@ -264,13 +292,17 @@ module XMLSecurity
       else
         base64_cert = Base64.encode64(idp_cert.to_pem)
       end
-      validate_signature(base64_cert, true)
+      validate_signature(base64_cert, true, check_malformed_doc)
     end
 
-    def validate_signature(base64_cert, soft = true)
+    def validate_signature(base64_cert, soft = true, check_malformed_doc = true)
 
-      document = Nokogiri::XML(self.to_s) do |config|
-        config.options = XMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
+      begin
+        document = XMLSecurity::BaseDocument.safe_load_xml(self, check_malformed_doc)
+      rescue StandardError => error
+        @errors << error.message
+        return false if soft
+        raise ValidationError.new("XML load failed: #{error.message}")
       end
 
       # create a rexml document
@@ -312,17 +344,30 @@ module XMLSecurity
       canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
       noko_sig_element.remove
 
+      # get signed info
+      signed_info_element = REXML::XPath.first(
+        sig_element,
+        "./ds:SignedInfo",
+        { "ds" => DSIG }
+      )
+
       # get inclusive namespaces
       inclusive_namespaces = extract_inclusive_namespaces
 
       # check digests
-      ref = REXML::XPath.first(sig_element, "//ds:Reference", {"ds"=>DSIG})
+      ref = REXML::XPath.first(signed_info_element, "./ds:Reference", {"ds"=>DSIG})
+
+      reference_nodes = document.xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id })
 
-      hashed_element = document.at_xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id })
+      if reference_nodes.length > 1 # ensures no elements with same ID to prevent signature wrapping attack.
+        return append_error("Duplicated IDs found", soft)
+      end
+
+      hashed_element = reference_nodes[0]
 
       canon_algorithm = canon_algorithm REXML::XPath.first(
-        ref,
-        '//ds:CanonicalizationMethod',
+        signed_info_element,
+        './ds:CanonicalizationMethod',
         { "ds" => DSIG }
       )
 
@@ -332,13 +377,13 @@ module XMLSecurity
 
       digest_algorithm = algorithm(REXML::XPath.first(
         ref,
-        "//ds:DigestMethod",
+        "./ds:DigestMethod",
         { "ds" => DSIG }
       ))
       hash = digest_algorithm.digest(canon_hashed_element)
       encoded_digest_value = REXML::XPath.first(
         ref,
-        "//ds:DigestValue",
+        "./ds:DigestValue",
         { "ds" => DSIG }
       )
       digest_value = Base64.decode64(OneLogin::RubySaml::Utils.element_text(encoded_digest_value))
@@ -364,7 +409,7 @@ module XMLSecurity
     def process_transforms(ref, canon_algorithm)
       transforms = REXML::XPath.match(
         ref,
-        "//ds:Transforms/ds:Transform",
+        "./ds:Transforms/ds:Transform",
         { "ds" => DSIG }
       )
 

data/ruby-saml.gemspec

@@ -47,12 +47,20 @@ Gem::Specification.new do |s|
     s.add_runtime_dependency('rexml')
   end
 
+  s.add_development_dependency('simplecov', '<0.22.0')
+  if RUBY_VERSION < '2.4.1'
+    s.add_development_dependency('simplecov-lcov', '<0.8.0')
+    s.add_development_dependency('term-ansicolor', '1.2.2')
+    s.add_development_dependency('mime-types', '<3.6.0')
+  else
+    s.add_development_dependency('simplecov-lcov', '>0.7.0')
+  end
+
   s.add_development_dependency('coveralls')
   s.add_development_dependency('minitest', '~> 5.5')
   s.add_development_dependency('mocha',    '~> 0.14')
   s.add_development_dependency('rake',     '~> 10')
   s.add_development_dependency('shoulda',  '~> 2.11')
-  s.add_development_dependency('simplecov')
   s.add_development_dependency('systemu',  '~> 2')
   s.add_development_dependency('timecop',  '<= 0.6.0')
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ruby-saml
 version: !ruby/object:Gem::Version
-  version: 1.12.2
+  version: 1.12.4
 platform: ruby
 authors:
 - OneLogin LLC
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-04-08 00:00:00.000000000 Z
+date: 2025-03-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -38,6 +38,34 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 0.22.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 0.22.0
+- !ruby/object:Gem::Dependency
+  name: simplecov-lcov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">"
+      - !ruby/object:Gem::Version
+        version: 0.7.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">"
+      - !ruby/object:Gem::Version
+        version: 0.7.0
 - !ruby/object:Gem::Dependency
   name: coveralls
   requirement: !ruby/object:Gem::Requirement
@@ -108,20 +136,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.11'
-- !ruby/object:Gem::Dependency
-  name: simplecov
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: systemu
   requirement: !ruby/object:Gem::Requirement
@@ -173,6 +187,7 @@ extra_rdoc_files:
 - README.md
 files:
 - ".document"
+- ".github/workflows/test.yml"
 - ".gitignore"
 - ".travis.yml"
 - Gemfile
@@ -220,7 +235,7 @@ homepage: https://github.com/onelogin/ruby-saml
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options:
 - "--charset=UTF-8"
 require_paths:
@@ -236,8 +251,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.8
-signing_key: 
+rubygems_version: 3.5.18
+signing_key:
 specification_version: 4
 summary: SAML Ruby Tookit
 test_files: []