ruby-saml 1.12.4 → 1.13.0

data/lib/onelogin/ruby-saml/utils.rb

@@ -13,9 +13,25 @@ module OneLogin
     class Utils
       @@uuid_generator = UUID.new if RUBY_VERSION < '1.9'
 
-      DSIG      = "http://www.w3.org/2000/09/xmldsig#"
-      XENC      = "http://www.w3.org/2001/04/xmlenc#"
-      DURATION_FORMAT = %r(^(-?)P(?:(?:(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?)|(?:(\d+)W))$)
+      BINDINGS = { :post => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".freeze,
+                   :redirect => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".freeze }.freeze
+      DSIG = "http://www.w3.org/2000/09/xmldsig#".freeze
+      XENC = "http://www.w3.org/2001/04/xmlenc#".freeze
+      DURATION_FORMAT = %r(^
+        (-?)P                       # 1: Duration sign
+        (?:
+          (?:(\d+)Y)?               # 2: Years
+          (?:(\d+)M)?               # 3: Months
+          (?:(\d+)D)?               # 4: Days
+          (?:T
+            (?:(\d+)H)?             # 5: Hours
+            (?:(\d+)M)?             # 6: Minutes
+            (?:(\d+(?:[.,]\d+)?)S)? # 7: Seconds
+          )?
+          |
+          (\d+)W                    # 8: Weeks
+        )
+      $)x.freeze
 
       # Checks if the x509 cert provided is expired
       #
@@ -37,31 +53,20 @@ module OneLogin
       #                            current time.
       #
       # @return [Integer] The new timestamp, after the duration is applied.
-      # 
+      #
       def self.parse_duration(duration, timestamp=Time.now.utc)
+        return nil if RUBY_VERSION < '1.9'  # 1.8.7 not supported
+
         matches = duration.match(DURATION_FORMAT)
-      
+
         if matches.nil?
           raise Exception.new("Invalid ISO 8601 duration")
         end
 
-        durYears = matches[2].to_i
-        durMonths = matches[3].to_i
-        durDays = matches[4].to_i
-        durHours = matches[5].to_i
-        durMinutes = matches[6].to_i
-        durSeconds = matches[7].to_f
-        durWeeks = matches[8].to_i
-
-        if matches[1] == "-"
-          durYears = -durYears
-          durMonths = -durMonths
-          durDays = -durDays
-          durHours = -durHours
-          durMinutes = -durMinutes
-          durSeconds = -durSeconds
-          durWeeks = -durWeeks
-        end
+        sign = matches[1] == '-' ? -1 : 1
+
+        durYears, durMonths, durDays, durHours, durMinutes, durSeconds, durWeeks =
+          matches[2..8].map { |match| match ? sign * match.tr(',', '.').to_f : 0.0 }
 
         initial_datetime = Time.at(timestamp).utc.to_datetime
         final_datetime = initial_datetime.next_year(durYears)

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '1.12.4'
+    VERSION = '1.13.0'
   end
 end

data/lib/xml_security.rb

@@ -42,36 +42,6 @@ module XMLSecurity
     NOKOGIRI_OPTIONS = Nokogiri::XML::ParseOptions::STRICT |
                        Nokogiri::XML::ParseOptions::NONET
 
-    # Safety load the SAML Message XML
-    # @param document [REXML::Document] The message to be loaded
-    # @param check_malformed_doc [Boolean] check_malformed_doc Enable or Disable the check for malformed XML
-    # @return [Nokogiri::XML] The nokogiri document
-    # @raise [ValidationError] If there was a problem loading the SAML Message XML
-    def self.safe_load_xml(document, check_malformed_doc = true)
-      doc_str = document.to_s
-      if doc_str.include?("<!DOCTYPE")
-       raise StandardError.new("Dangerous XML detected. No Doctype nodes allowed")
-      end
-
-      begin
-        xml = Nokogiri::XML(doc_str) do |config|
-          config.options = self::NOKOGIRI_OPTIONS
-        end
-      rescue StandardError => error
-        raise StandardError.new(error.message)
-      end
-
-      if xml.internal_subset
-        raise StandardError.new("Dangerous XML detected. No Doctype nodes allowed")
-      end
-
-      unless xml.errors.empty?
-        raise StandardError.new("There were XML errors when parsing: #{xml.errors}") if check_malformed_doc
-      end
-
-      xml
-    end
-
     def canon_algorithm(element)
       algorithm = element
       if algorithm.is_a?(REXML::Element)
@@ -144,8 +114,10 @@ module XMLSecurity
       #<KeyInfo />
       #<Object />
     #</Signature>
-    def sign_document(private_key, certificate, signature_method = RSA_SHA1, digest_method = SHA1, check_malformed_doc = true)
-      noko = XMLSecurity::BaseDocument.safe_load_xml(self.to_s, check_malformed_doc)
+    def sign_document(private_key, certificate, signature_method = RSA_SHA1, digest_method = SHA1)
+      noko = Nokogiri::XML(self.to_s) do |config|
+        config.options = XMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
+      end
 
       signature_element = REXML::Element.new("ds:Signature").add_namespace('ds', DSIG)
       signed_info_element = signature_element.add_element("ds:SignedInfo")
@@ -167,7 +139,9 @@ module XMLSecurity
       reference_element.add_element("ds:DigestValue").text = compute_digest(canon_doc, algorithm(digest_method_element))
 
       # add SignatureValue
-      noko_sig_element = XMLSecurity::BaseDocument.safe_load_xml(signature_element.to_s, check_malformed_doc)
+      noko_sig_element = Nokogiri::XML(signature_element.to_s) do |config|
+        config.options = XMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
+      end
 
       noko_signed_info_element = noko_sig_element.at_xpath('//ds:Signature/ds:SignedInfo', 'ds' => DSIG)
       canon_string = noko_signed_info_element.canonicalize(canon_algorithm(C14N))
@@ -185,15 +159,13 @@ module XMLSecurity
       x509_cert_element.text = Base64.encode64(certificate.to_der).gsub(/\n/, "")
 
       # add the signature
-      issuer_element = self.elements["//saml:Issuer"]
+      issuer_element = elements["//saml:Issuer"]
       if issuer_element
-        self.root.insert_after issuer_element, signature_element
+        root.insert_after(issuer_element, signature_element)
+      elsif first_child = root.children[0]
+        root.insert_before(first_child, signature_element)
       else
-        if sp_sso_descriptor = self.elements["/md:EntityDescriptor"]
-          self.root.insert_before sp_sso_descriptor, signature_element
-        else
-          self.root.add_element(signature_element)
-        end
+        root.add_element(signature_element)
       end
     end
 
@@ -263,12 +235,10 @@ module XMLSecurity
           end
         end
       end
-      check_malformed_doc = true
-      check_malformed_doc = options[:check_malformed_doc] if options.key?(:check_malformed_doc)
-      validate_signature(base64_cert, soft, check_malformed_doc)
+      validate_signature(base64_cert, soft)
     end
 
-    def validate_document_with_cert(idp_cert, soft = true, check_malformed_doc = true)
+    def validate_document_with_cert(idp_cert, soft = true)
       # get cert from response
       cert_element = REXML::XPath.first(
         self,
@@ -292,17 +262,13 @@ module XMLSecurity
       else
         base64_cert = Base64.encode64(idp_cert.to_pem)
       end
-      validate_signature(base64_cert, true, check_malformed_doc)
+      validate_signature(base64_cert, true)
     end
 
-    def validate_signature(base64_cert, soft = true, check_malformed_doc = true)
+    def validate_signature(base64_cert, soft = true)
 
-      begin
-        document = XMLSecurity::BaseDocument.safe_load_xml(self, check_malformed_doc)
-      rescue StandardError => error
-        @errors << error.message
-        return false if soft
-        raise ValidationError.new("XML load failed: #{error.message}")
+      document = Nokogiri::XML(self.to_s) do |config|
+        config.options = XMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
       end
 
       # create a rexml document
@@ -344,30 +310,17 @@ module XMLSecurity
       canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
       noko_sig_element.remove
 
-      # get signed info
-      signed_info_element = REXML::XPath.first(
-        sig_element,
-        "./ds:SignedInfo",
-        { "ds" => DSIG }
-      )
-
       # get inclusive namespaces
       inclusive_namespaces = extract_inclusive_namespaces
 
       # check digests
-      ref = REXML::XPath.first(signed_info_element, "./ds:Reference", {"ds"=>DSIG})
-
-      reference_nodes = document.xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id })
+      ref = REXML::XPath.first(sig_element, "//ds:Reference", {"ds"=>DSIG})
 
-      if reference_nodes.length > 1 # ensures no elements with same ID to prevent signature wrapping attack.
-        return append_error("Duplicated IDs found", soft)
-      end
-
-      hashed_element = reference_nodes[0]
+      hashed_element = document.at_xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id })
 
       canon_algorithm = canon_algorithm REXML::XPath.first(
-        signed_info_element,
-        './ds:CanonicalizationMethod',
+        ref,
+        '//ds:CanonicalizationMethod',
         { "ds" => DSIG }
       )
 
@@ -377,13 +330,13 @@ module XMLSecurity
 
       digest_algorithm = algorithm(REXML::XPath.first(
         ref,
-        "./ds:DigestMethod",
+        "//ds:DigestMethod",
         { "ds" => DSIG }
       ))
       hash = digest_algorithm.digest(canon_hashed_element)
       encoded_digest_value = REXML::XPath.first(
         ref,
-        "./ds:DigestValue",
+        "//ds:DigestValue",
         { "ds" => DSIG }
       )
       digest_value = Base64.decode64(OneLogin::RubySaml::Utils.element_text(encoded_digest_value))
@@ -409,7 +362,7 @@ module XMLSecurity
     def process_transforms(ref, canon_algorithm)
       transforms = REXML::XPath.match(
         ref,
-        "./ds:Transforms/ds:Transform",
+        "//ds:Transforms/ds:Transform",
         { "ds" => DSIG }
       )
 

data/ruby-saml.gemspec

@@ -47,20 +47,12 @@ Gem::Specification.new do |s|
     s.add_runtime_dependency('rexml')
   end
 
-  s.add_development_dependency('simplecov', '<0.22.0')
-  if RUBY_VERSION < '2.4.1'
-    s.add_development_dependency('simplecov-lcov', '<0.8.0')
-    s.add_development_dependency('term-ansicolor', '1.2.2')
-    s.add_development_dependency('mime-types', '<3.6.0')
-  else
-    s.add_development_dependency('simplecov-lcov', '>0.7.0')
-  end
-
   s.add_development_dependency('coveralls')
   s.add_development_dependency('minitest', '~> 5.5')
   s.add_development_dependency('mocha',    '~> 0.14')
   s.add_development_dependency('rake',     '~> 10')
   s.add_development_dependency('shoulda',  '~> 2.11')
+  s.add_development_dependency('simplecov')
   s.add_development_dependency('systemu',  '~> 2')
   s.add_development_dependency('timecop',  '<= 0.6.0')
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ruby-saml
 version: !ruby/object:Gem::Version
-  version: 1.12.4
+  version: 1.13.0
 platform: ruby
 authors:
 - OneLogin LLC
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2025-03-12 00:00:00.000000000 Z
+date: 2021-09-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -38,34 +38,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: simplecov
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: 0.22.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: 0.22.0
-- !ruby/object:Gem::Dependency
-  name: simplecov-lcov
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">"
-      - !ruby/object:Gem::Version
-        version: 0.7.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">"
-      - !ruby/object:Gem::Version
-        version: 0.7.0
 - !ruby/object:Gem::Dependency
   name: coveralls
   requirement: !ruby/object:Gem::Requirement
@@ -136,6 +108,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.11'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: systemu
   requirement: !ruby/object:Gem::Requirement
@@ -189,12 +175,12 @@ files:
 - ".document"
 - ".github/workflows/test.yml"
 - ".gitignore"
-- ".travis.yml"
+- CHANGELOG.md
 - Gemfile
 - LICENSE
 - README.md
 - Rakefile
-- changelog.md
+- UPGRADING.md
 - gemfiles/nokogiri-1.5.gemfile
 - lib/onelogin/ruby-saml.rb
 - lib/onelogin/ruby-saml/attribute_service.rb
@@ -235,7 +221,7 @@ homepage: https://github.com/onelogin/ruby-saml
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message: 
 rdoc_options:
 - "--charset=UTF-8"
 require_paths:
@@ -251,8 +237,9 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.18
-signing_key:
+rubyforge_project: 
+rubygems_version: 2.5.2.1
+signing_key: 
 specification_version: 4
 summary: SAML Ruby Tookit
 test_files: []

data/.travis.yml

@@ -1,48 +0,0 @@
-language: ruby
-rvm:
-  - 1.9.3
-  - 2.0.0
-  - 2.1.10
-  - 2.2.10
-  - 2.3.8
-  - 2.4.6
-  - 2.5.8
-  - 2.6.6
-  - 2.7.2
-  - 3.0.0
-  - jruby-1.7.27
-  - jruby-9.1.17.0
-  - jruby-9.2.13.0
-gemfile:
-  - Gemfile
-  - gemfiles/nokogiri-1.5.gemfile
-before_install:
-  - gem update bundler
-matrix:
-  exclude:
-    - rvm: jruby-1.7.27
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: jruby-9.1.17.0
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: jruby-9.2.13.0
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.1.5
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.1.10
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.2.10
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.3.8
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.4.6
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.5.8
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.6.6
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.7.2
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 3.0.0
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-env:
-  - JRUBY_OPTS="--debug"