ruby-saml 1.12.4 → 1.18.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.github/FUNDING.yml +3 -0
- data/.github/workflows/test.yml +29 -2
- data/{changelog.md → CHANGELOG.md} +64 -15
- data/LICENSE +2 -1
- data/README.md +425 -233
- data/UPGRADING.md +158 -0
- data/lib/onelogin/ruby-saml/authrequest.rb +9 -11
- data/lib/onelogin/ruby-saml/idp_metadata_parser.rb +115 -84
- data/lib/onelogin/ruby-saml/logoutrequest.rb +9 -9
- data/lib/onelogin/ruby-saml/logoutresponse.rb +2 -2
- data/lib/onelogin/ruby-saml/metadata.rb +75 -42
- data/lib/onelogin/ruby-saml/response.rb +130 -70
- data/lib/onelogin/ruby-saml/saml_message.rb +16 -19
- data/lib/onelogin/ruby-saml/settings.rb +214 -110
- data/lib/onelogin/ruby-saml/slo_logoutrequest.rb +51 -37
- data/lib/onelogin/ruby-saml/slo_logoutresponse.rb +9 -9
- data/lib/onelogin/ruby-saml/utils.rb +129 -46
- data/lib/onelogin/ruby-saml/version.rb +1 -1
- data/lib/xml_security.rb +81 -48
- data/ruby-saml.gemspec +40 -14
- metadata +29 -32
- data/.travis.yml +0 -48
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a99ac2825ee62df158de97460877ef29ffd8c62aea17b25d75730e932b1ffe0f
|
|
4
|
+
data.tar.gz: 8a49efebaf25495e5bceef151de2e65f0a6ddbda0aee80fd669aafce3b252488
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 72defb3c72df4281c503b92630a6f19395131fc0964d0dd95b3a9fdbeb988a7a2bafaab4648ef2a5816aa44a59730bae1196bbd95004d59398e59e11d95e01f7
|
|
7
|
+
data.tar.gz: 84004d826837889160a1af3386ed253f695b55f0f1df060b6bd579f98f8691ce8c3cc02021c58c6f75038570ac4f5b4fc8f1981ca053db3a25f65227003c4fe7
|
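Review bot: the removed lines carry no digest values in this rendering (`metadata.gz:` and `data.tar.gz:` appear bare under both `SHA256:` and `SHA512:`), so the hunk only documents the new digests and cannot show what they replaced. Verify the new `metadata.gz` and `data.tar.gz` SHA256/SHA512 values against the 1.18.1 gem as served by the registry rather than against this page before treating the bundle as trusted.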
data/.github/FUNDING.yml
ADDED
data/.github/workflows/test.yml
CHANGED
|
@@ -9,7 +9,7 @@ jobs:
|
|
|
9
9
|
fail-fast: false
|
|
10
10
|
matrix:
|
|
11
11
|
os:
|
|
12
|
-
- ubuntu-
|
|
12
|
+
- ubuntu-22.04
|
|
13
13
|
- macos-latest
|
|
14
14
|
- windows-latest
|
|
15
15
|
ruby-version:
|
|
@@ -21,8 +21,15 @@ jobs:
|
|
|
21
21
|
- 2.6
|
|
22
22
|
- 2.7
|
|
23
23
|
- 3.0
|
|
24
|
+
- 3.1
|
|
25
|
+
- 3.2
|
|
26
|
+
- 3.3
|
|
27
|
+
- 3.4
|
|
24
28
|
- jruby-9.1
|
|
25
29
|
- jruby-9.2
|
|
30
|
+
- jruby-9.3
|
|
31
|
+
- jruby-9.4
|
|
32
|
+
- truffleruby
|
|
26
33
|
exclude:
|
|
27
34
|
- os: macos-latest
|
|
28
35
|
ruby-version: 2.1
|
|
@@ -50,6 +57,8 @@ jobs:
|
|
|
50
57
|
ruby-version: jruby-9.4
|
|
51
58
|
- os: windows-latest
|
|
52
59
|
ruby-version: truffleruby
|
|
60
|
+
- os: ubuntu-22.04
|
|
61
|
+
ruby-version: 2.2
|
|
53
62
|
runs-on: ${{ matrix.os }}
|
|
54
63
|
steps:
|
|
55
64
|
- uses: actions/checkout@v4
|
|
@@ -62,4 +71,22 @@ jobs:
|
|
|
62
71
|
run: bundle install
|
|
63
72
|
|
|
64
73
|
- name: Run tests
|
|
65
|
-
run: bundle exec rake
|
|
74
|
+
run: bundle exec rake
|
|
75
|
+
|
|
76
|
+
- name: Coveralls
|
|
77
|
+
uses: coverallsapp/github-action@master
|
|
78
|
+
with:
|
|
79
|
+
github-token: ${{ secrets.github_token }}
|
|
80
|
+
parallel: true
|
|
81
|
+
flag-name: run-${{ matrix.ruby-version }}
|
|
82
|
+
|
|
83
|
+
finish:
|
|
84
|
+
needs: test
|
|
85
|
+
runs-on: ubuntu-latest
|
|
86
|
+
steps:
|
|
87
|
+
- name: Coveralls Finished
|
|
88
|
+
uses: coverallsapp/github-action@master
|
|
89
|
+
with:
|
|
90
|
+
github-token: ${{ secrets.github_token }}
|
|
91
|
+
flag-name: run-${{ matrix.ruby-version }}
|
|
92
|
+
parallel-finished: true
|
|
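Review bot: `uses: coverallsapp/github-action@master`, in both the new Coveralls step of the test job and the new `finish` job, pins a third-party action to a mutable branch; pin it to a tagged release or, better, a full commit SHA so that a compromised or force-pushed `master` cannot run arbitrary code with the job's `github-token`. Separately, the `finish` job declares no `strategy.matrix`, so `flag-name: run-${{ matrix.ruby-version }}` in that job expands to `run-` with an empty suffix; the finishing step only needs `parallel-finished: true`, so the `flag-name` line can be dropped there.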
@@ -1,21 +1,70 @@
|
|
|
1
|
-
#
|
|
2
|
-
### 1.12.4 (Mar 12, 2025)
|
|
3
|
-
* Fix vulnerabilities: CVE-2025-25291, CVE-2025-25292: SAML authentication bypass via Signature Wrapping attack allowed due parser differential.
|
|
4
|
-
* Fix vulnerability: CVE-2025-25293: Potential DOS abusing of compressed messages.
|
|
1
|
+
# Ruby SAML Changelog
|
|
5
2
|
|
|
6
|
-
### 1.
|
|
3
|
+
### 1.18.1 (Jul 29, 2025)
|
|
4
|
+
* Fix vulnerability CVE-2025-54572 Prevent DOS due large SAML Message
|
|
5
|
+
|
|
6
|
+
### 1.18.0 (Mar 12, 2025)
|
|
7
|
+
* [#750](https://github.com/SAML-Toolkits/ruby-saml/pull/750) Fix vulnerabilities: CVE-2025-25291, CVE-2025-25292: SAML authentication bypass via Signature Wrapping attack allowed due parser differential. Fix vulnerability: CVE-2025-25293: Potential DOS abusing of compressed messages.
|
|
8
|
+
* [#718](https://github.com/SAML-Toolkits/ruby-saml/pull/718/) Add support to retrieve from SAMLResponse the AuthnInstant and AuthnContextClassRef values
|
|
9
|
+
* [#720](https://github.com/SAML-Toolkits/ruby-saml/pull/720) Fix ambiguous regex warnings
|
|
10
|
+
* [#715](https://github.com/SAML-Toolkits/ruby-saml/pull/715) Fix typo in SPNameQualifier error text
|
|
11
|
+
|
|
12
|
+
### 1.17.0 (Sep 10, 2024)
|
|
13
|
+
* Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via Incorrect XPath selector
|
|
14
|
+
* [#687](https://github.com/SAML-Toolkits/ruby-saml/pull/687) Add CI coverage for Ruby 3.3 and Windows.
|
|
15
|
+
* [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) Add `Settings#sp_cert_multi` paramter to facilitate SP certificate and key rotation.
|
|
16
|
+
* [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) Support multiple simultaneous SP decryption keys via `Settings#sp_cert_multi` parameter.
|
|
17
|
+
* [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) Deprecate `Settings#certificate_new` parameter.
|
|
18
|
+
* [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) `:check_sp_cert_expiration` will use the first non-expired certificate/key when signing/decrypting. It will raise an error only if there are no valid certificates/keys.
|
|
19
|
+
* [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) `:check_sp_cert_expiration` now validates the certificate `not_before` condition; previously it was only validating `not_after`.
|
|
20
|
+
* [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) `:check_sp_cert_expiration` now causes the generated SP metadata to exclude any inactive/expired certificates.
|
|
21
|
+
|
|
22
|
+
### 1.16.0 (Oct 09, 2023)
|
|
23
|
+
* [#671](https://github.com/SAML-Toolkits/ruby-saml/pull/671) Add support on LogoutRequest with Encrypted NameID
|
|
24
|
+
|
|
25
|
+
### 1.15.0 (Jan 04, 2023)
|
|
26
|
+
* [#650](https://github.com/SAML-Toolkits/ruby-saml/pull/650) Replace strip! by strip on compute_digest method
|
|
27
|
+
* [#638](https://github.com/SAML-Toolkits/ruby-saml/pull/638) Fix dateTime format for the validUntil attribute of the generated metadata
|
|
28
|
+
* [#576](https://github.com/SAML-Toolkits/ruby-saml/pull/576) Support `Settings#idp_cert_multi` with string keys
|
|
29
|
+
* [#567](https://github.com/SAML-Toolkits/ruby-saml/pull/567) Improve Code quality
|
|
30
|
+
* Add info about new repo, new maintainer, new security contact
|
|
31
|
+
* Fix tests, Adjust dependencies, Add ruby 3.2 and new jruby versions tests to the CI. Add coveralls support
|
|
32
|
+
|
|
33
|
+
### 1.14.0 (Feb 01, 2022)
|
|
34
|
+
* [#627](https://github.com/onelogin/ruby-saml/pull/627) Support escape downcasing for validating SLO Signatures of ADFS/Azure
|
|
35
|
+
* [#633](https://github.com/onelogin/ruby-saml/pull/633) Support ability to change ID prefix
|
|
36
|
+
* Make the uuid editable on the SAML Messages generated by the toolkit
|
|
37
|
+
* [#622](https://github.com/onelogin/ruby-saml/pull/622) Add security setting to more strictly enforce audience validation
|
|
38
|
+
|
|
39
|
+
### 1.13.0 (Sept 06, 2021)
|
|
40
|
+
* [#611](https://github.com/onelogin/ruby-saml/pull/601) Replace MAX_BYTE_SIZE constant with setting: message_max_bytesize
|
|
41
|
+
* [#605](https://github.com/onelogin/ruby-saml/pull/605) :allowed_clock_drift is now bidrectional
|
|
42
|
+
* [#614](https://github.com/onelogin/ruby-saml/pull/614) Support :name_id_format option for IdpMetadataParser
|
|
43
|
+
* [#611](https://github.com/onelogin/ruby-saml/pull/611) IdpMetadataParser should always set idp_cert_multi, even when there is only one cert
|
|
44
|
+
* [#610](https://github.com/onelogin/ruby-saml/pull/610) New IDP sso/slo binding params which deprecate :embed_sign
|
|
45
|
+
* [#602](https://github.com/onelogin/ruby-saml/pull/602) Refactor the OneLogin::RubySaml::Metadata class
|
|
46
|
+
* [#586](https://github.com/onelogin/ruby-saml/pull/586) Support milliseconds in cacheDuration parsing
|
|
47
|
+
* [#585](https://github.com/onelogin/ruby-saml/pull/585) Do not append " | " to StatusCode unnecessarily
|
|
48
|
+
* [#607](https://github.com/onelogin/ruby-saml/pull/607) Clean up
|
|
49
|
+
* Add warning about the use of IdpMetadataParser class and SSRF
|
|
50
|
+
* CI: Migrate from Travis to Github Actions
|
|
51
|
+
|
|
52
|
+
### 1.12.4 (Mar 12, 2025)
|
|
53
|
+
* [#750](https://github.com/SAML-Toolkits/ruby-saml/pull/750) Fix vulnerabilities: CVE-2025-25291, CVE-2025-25292: SAML authentication bypass via Signature Wrapping attack allowed due parser differential. Fix vulnerability: CVE-2025-25293: Potential DOS abusing of compressed messages.
|
|
54
|
+
|
|
55
|
+
### 1.12.3 (Sep 10, 2024)
|
|
7
56
|
* Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via Incorrect XPath selector
|
|
8
57
|
|
|
9
|
-
### 1.12.2 (Apr 08,
|
|
10
|
-
* [575](https://github.com/onelogin/ruby-saml/pull/575) Fix SloLogoutresponse bug on LogoutRequest
|
|
58
|
+
### 1.12.2 (Apr 08, 2021)
|
|
59
|
+
* [#575](https://github.com/onelogin/ruby-saml/pull/575) Fix SloLogoutresponse bug on LogoutRequest
|
|
11
60
|
|
|
12
|
-
### 1.12.1 (Apr 05,
|
|
61
|
+
### 1.12.1 (Apr 05, 2021)
|
|
13
62
|
* Fix XPath typo incompatible with Rexml 3.2.5
|
|
14
63
|
* Refactor GCM support
|
|
15
64
|
|
|
16
65
|
### 1.12.0 (Feb 18, 2021)
|
|
17
66
|
* Support AES-128-GCM, AES-192-GCM, and AES-256-GCM encryptions
|
|
18
|
-
* Parse & return SLO ResponseLocation in IDPMetadataParser & Settings
|
|
67
|
+
* Parse & return SLO ResponseLocation in IDPMetadataParser & Settings
|
|
19
68
|
* Adding idp_sso_service_url and idp_slo_service_url settings
|
|
20
69
|
* [#536](https://github.com/onelogin/ruby-saml/pull/536) Adding feth method to be able retrieve attributes based on regex
|
|
21
70
|
* Reduce size of built gem by excluding the test folder
|
|
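Review bot: in the 1.13.0 section the link text `[#611]` points at `.../pull/601`, while a second `[#611]` entry a few lines later points at `.../pull/611`; one of the two is wrong and the first should presumably read `[#601](https://github.com/onelogin/ruby-saml/pull/601)`. The same hunk introduces the typos `paramter` (1.17.0, `sp_cert_multi` entry) and `bidrectional` (1.13.0, `allowed_clock_drift` entry), and the 1.18.1 entry `Fix vulnerability CVE-2025-54572 Prevent DOS due large SAML Message` reads awkwardly and, unlike the neighbouring fixes, carries no PR link; suggest `Fix vulnerability CVE-2025-54572: prevent DoS due to oversized SAML messages` with the PR reference added.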
@@ -27,7 +76,7 @@
|
|
|
27
76
|
* Support Process Transform
|
|
28
77
|
* Raise SettingError if invoking an action with no endpoint defined on the settings
|
|
29
78
|
* Made IdpMetadataParser more extensible for subclasses
|
|
30
|
-
*[#548](https://github.com/onelogin/ruby-saml/pull/548) Add :skip_audience option
|
|
79
|
+
* [#548](https://github.com/onelogin/ruby-saml/pull/548) Add :skip_audience option
|
|
31
80
|
* [#555](https://github.com/onelogin/ruby-saml/pull/555) Define 'soft' variable to prevent exception when doc cert is invalid
|
|
32
81
|
* Improve documentation
|
|
33
82
|
|
|
@@ -147,7 +196,7 @@
|
|
|
147
196
|
* Fix response_test.rb of gem 1.3.0
|
|
148
197
|
* Add reference to Security Guidelines
|
|
149
198
|
* Update License
|
|
150
|
-
* [#334](https://github.com/onelogin/ruby-saml/pull/334) Keep API backward-compatibility on IdpMetadataParser fingerprint method.
|
|
199
|
+
* [#334](https://github.com/onelogin/ruby-saml/pull/334) Keep API backward-compatibility on IdpMetadataParser fingerprint method.
|
|
151
200
|
|
|
152
201
|
### 1.3.0 (June 24, 2016)
|
|
153
202
|
* [Security Fix](https://github.com/onelogin/ruby-saml/commit/a571f52171e6bfd87db59822d1d9e8c38fb3b995) Add extra validations to prevent Signature wrapping attacks
|
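Review bot: the removed and added `#334` lines are indistinguishable in this rendering, so this hunk reads as a whitespace-only change (most likely trailing whitespace); confirm with a whitespace-visible diff before attributing any content change to it. The same applies to the `#320`, `#256`, `#254` and `#241` hunks that follow.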
|
@@ -165,7 +214,7 @@
|
|
|
165
214
|
* [#316](https://github.com/onelogin/ruby-saml/pull/316) Fix Misspelling of transation_id to transaction_id
|
|
166
215
|
* [#321](https://github.com/onelogin/ruby-saml/pull/321) Support Attribute Names on IDPSSODescriptor parser
|
|
167
216
|
* Changes on empty URI of Signature reference management
|
|
168
|
-
* [#320](https://github.com/onelogin/ruby-saml/pull/320) Dont mutate document to fix lack of reference URI
|
|
217
|
+
* [#320](https://github.com/onelogin/ruby-saml/pull/320) Dont mutate document to fix lack of reference URI
|
|
169
218
|
* [#306](https://github.com/onelogin/ruby-saml/pull/306) Support WantAssertionsSigned
|
|
170
219
|
|
|
171
220
|
### 1.1.2 (February 15, 2016)
|
|
@@ -182,9 +231,9 @@
|
|
|
182
231
|
* [#270](https://github.com/onelogin/ruby-saml/pull/270) Allow SAML elements to come from any namespace (at decryption process)
|
|
183
232
|
* [#261](https://github.com/onelogin/ruby-saml/pull/261) Allow validate_subject_confirmation Response validation to be skipped
|
|
184
233
|
* [#258](https://github.com/onelogin/ruby-saml/pull/258) Fix allowed_clock_drift on the validate_session_expiration test
|
|
185
|
-
* [#256](https://github.com/onelogin/ruby-saml/pull/256) Separate the create_authentication_xml_doc in two methods.
|
|
234
|
+
* [#256](https://github.com/onelogin/ruby-saml/pull/256) Separate the create_authentication_xml_doc in two methods.
|
|
186
235
|
* [#255](https://github.com/onelogin/ruby-saml/pull/255) Refactor validate signature.
|
|
187
|
-
* [#254](https://github.com/onelogin/ruby-saml/pull/254) Handle empty URI references
|
|
236
|
+
* [#254](https://github.com/onelogin/ruby-saml/pull/254) Handle empty URI references
|
|
188
237
|
* [#251](https://github.com/onelogin/ruby-saml/pull/251) Support qualified and unqualified NameID in attributes
|
|
189
238
|
* [#234](https://github.com/onelogin/ruby-saml/pull/234) Add explicit support for JRuby
|
|
190
239
|
|
|
@@ -192,7 +241,7 @@
|
|
|
192
241
|
* [#247](https://github.com/onelogin/ruby-saml/pull/247) Avoid entity expansion (XEE attacks)
|
|
193
242
|
* [#246](https://github.com/onelogin/ruby-saml/pull/246) Fix bug generating Logout Response (issuer was at wrong order)
|
|
194
243
|
* [#243](https://github.com/onelogin/ruby-saml/issues/243) and [#244](https://github.com/onelogin/ruby-saml/issues/244) Fix metadata builder errors. Fix metadata xsd.
|
|
195
|
-
* [#241](https://github.com/onelogin/ruby-saml/pull/241) Add decrypt support (EncryptID and EncryptedAssertion). Improve compatibility with namespaces.
|
|
244
|
+
* [#241](https://github.com/onelogin/ruby-saml/pull/241) Add decrypt support (EncryptID and EncryptedAssertion). Improve compatibility with namespaces.
|
|
196
245
|
* [#240](https://github.com/onelogin/ruby-saml/pull/240) and [#238](https://github.com/onelogin/ruby-saml/pull/238) Improve test coverage and refactor.
|
|
197
246
|
* [#239](https://github.com/onelogin/ruby-saml/pull/239) Improve security: Add more validations to SAMLResponse, LogoutRequest and LogoutResponse. Refactor code and improve tests coverage.
|
|
198
247
|
* [#237](https://github.com/onelogin/ruby-saml/pull/237) Don't pretty print metadata by default.
|
data/LICENSE
CHANGED