ruby-saml 1.17.0 → 1.18.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 188af740c1b9627be73d3a4cbd8261316773d3b3da0b74b0ef49b5d1c9c04f02
-  data.tar.gz: 85cb561ba597924b7037be197dac6fd175c1a626969829e170bb44d8e8a1a50d
+  metadata.gz: 59cce47afe1159fc5674f2eaf8f0392d12df280cc97fa2a4ccd7926daf989445
+  data.tar.gz: 30a49c237e7a88328745b788d62e9ea92e87342fc571d20e002eb4feddd964ae
 SHA512:
-  metadata.gz: 0b154ce0a94f1f1b525179d33f8a98d5422cabafe527f32104646135ae0a9218064638639b7ec5735de1dda8ef55faa5571f22f563d57f44e040a81b6116b5a1
-  data.tar.gz: 78ea0021299530423e28935782b851894ed9740c1e93c610575518532d22bcc20829dbe26b0569f38ad21894cc145b3d785c75765c8bd0dde6e078598d864545
+  metadata.gz: c67ec4923ca4bc5e07736717d1e40f604296c95c00d1fe8ec7d28c586988b368d566a16782c676c2ce27d38d6d7e1386a5347bfbb40efc98eb033525605f5dcb
+  data.tar.gz: 4944ad0dc2a3999e78da570aa8faa6282e26868606a5011d2b623a6ef0a9150d2e6ee08a4245d090e5d4837a9dc9ffaa78bf46d84fe466ea9384662d305d4c94

data/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Ruby SAML Changelog
 
+### 1.18.0  (Mar 12, 2025)
+* [#750](https://github.com/SAML-Toolkits/ruby-saml/pull/750) Fix vulnerabilities: CVE-2025-25291, CVE-2025-25292: SAML authentication bypass via Signature Wrapping attack allowed due parser differential. Fix vulnerability: CVE-2025-25293: Potential DOS abusing of compressed messages.
+* [#718](https://github.com/SAML-Toolkits/ruby-saml/pull/718/) Add support to retrieve from SAMLResponse the AuthnInstant and AuthnContextClassRef values
+* [#720](https://github.com/SAML-Toolkits/ruby-saml/pull/720) Fix ambiguous regex warnings
+* [#715](https://github.com/SAML-Toolkits/ruby-saml/pull/715) Fix typo in SPNameQualifier error text
+
 ### 1.17.0  (Sep 10, 2024)
 * Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via Incorrect XPath selector
 * [#687](https://github.com/SAML-Toolkits/ruby-saml/pull/687) Add CI coverage for Ruby 3.3 and Windows.
@@ -15,7 +21,7 @@
 
 ### 1.15.0 (Jan 04, 2023)
 * [#650](https://github.com/SAML-Toolkits/ruby-saml/pull/650) Replace strip! by strip on compute_digest method
-* [#638](https://github.com/SAML-Toolkits/ruby-saml/pull/638) Fix dateTime format for the validUntil attribute of the generated metadata 
+* [#638](https://github.com/SAML-Toolkits/ruby-saml/pull/638) Fix dateTime format for the validUntil attribute of the generated metadata
 * [#576](https://github.com/SAML-Toolkits/ruby-saml/pull/576) Support `Settings#idp_cert_multi` with string keys
 * [#567](https://github.com/SAML-Toolkits/ruby-saml/pull/567) Improve Code quality
 * Add info about new repo, new maintainer, new security contact
@@ -40,6 +46,9 @@
 * Add warning about the use of IdpMetadataParser class and SSRF
 * CI: Migrate from Travis to Github Actions
 
+### 1.12.4  (Mar 12, 2025)
+* [#750](https://github.com/SAML-Toolkits/ruby-saml/pull/750) Fix vulnerabilities: CVE-2025-25291, CVE-2025-25292: SAML authentication bypass via Signature Wrapping attack allowed due parser differential. Fix vulnerability: CVE-2025-25293: Potential DOS abusing of compressed messages.
+
 ### 1.12.3  (Sep 10, 2024)
 * Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via Incorrect XPath selector
 
@@ -52,7 +61,7 @@
 
 ### 1.12.0 (Feb 18, 2021)
 * Support AES-128-GCM, AES-192-GCM, and AES-256-GCM encryptions
-* Parse & return SLO ResponseLocation in IDPMetadataParser & Settings 
+* Parse & return SLO ResponseLocation in IDPMetadataParser & Settings
 * Adding idp_sso_service_url and idp_slo_service_url settings
 * [#536](https://github.com/onelogin/ruby-saml/pull/536) Adding feth method to be able retrieve attributes based on regex
 * Reduce size of built gem by excluding the test folder
@@ -184,7 +193,7 @@
 * Fix response_test.rb of gem 1.3.0
 * Add reference to Security Guidelines
 * Update License
-* [#334](https://github.com/onelogin/ruby-saml/pull/334) Keep API backward-compatibility on IdpMetadataParser fingerprint method. 
+* [#334](https://github.com/onelogin/ruby-saml/pull/334) Keep API backward-compatibility on IdpMetadataParser fingerprint method.
 
 ### 1.3.0 (June 24, 2016)
 * [Security Fix](https://github.com/onelogin/ruby-saml/commit/a571f52171e6bfd87db59822d1d9e8c38fb3b995) Add extra validations to prevent Signature wrapping attacks
@@ -202,7 +211,7 @@
 * [#316](https://github.com/onelogin/ruby-saml/pull/316) Fix Misspelling of transation_id to transaction_id
 * [#321](https://github.com/onelogin/ruby-saml/pull/321) Support Attribute Names on IDPSSODescriptor parser
 * Changes on empty URI of Signature reference management
-* [#320](https://github.com/onelogin/ruby-saml/pull/320) Dont mutate document to fix lack of reference URI 
+* [#320](https://github.com/onelogin/ruby-saml/pull/320) Dont mutate document to fix lack of reference URI
 * [#306](https://github.com/onelogin/ruby-saml/pull/306) Support WantAssertionsSigned
 
 ### 1.1.2 (February 15, 2016)
@@ -219,9 +228,9 @@
 * [#270](https://github.com/onelogin/ruby-saml/pull/270) Allow SAML elements to come from any namespace (at decryption process)
 * [#261](https://github.com/onelogin/ruby-saml/pull/261) Allow validate_subject_confirmation Response validation to be skipped
 * [#258](https://github.com/onelogin/ruby-saml/pull/258) Fix allowed_clock_drift on the validate_session_expiration test
-* [#256](https://github.com/onelogin/ruby-saml/pull/256) Separate the create_authentication_xml_doc in two methods. 
+* [#256](https://github.com/onelogin/ruby-saml/pull/256) Separate the create_authentication_xml_doc in two methods.
 * [#255](https://github.com/onelogin/ruby-saml/pull/255) Refactor validate signature.
-* [#254](https://github.com/onelogin/ruby-saml/pull/254) Handle empty URI references 
+* [#254](https://github.com/onelogin/ruby-saml/pull/254) Handle empty URI references
 * [#251](https://github.com/onelogin/ruby-saml/pull/251) Support qualified and unqualified NameID in attributes
 * [#234](https://github.com/onelogin/ruby-saml/pull/234) Add explicit support for JRuby
 
@@ -229,7 +238,7 @@
 * [#247](https://github.com/onelogin/ruby-saml/pull/247) Avoid entity expansion (XEE attacks)
 * [#246](https://github.com/onelogin/ruby-saml/pull/246) Fix bug generating Logout Response (issuer was at wrong order)
 * [#243](https://github.com/onelogin/ruby-saml/issues/243) and [#244](https://github.com/onelogin/ruby-saml/issues/244) Fix metadata builder errors. Fix metadata xsd.
-* [#241](https://github.com/onelogin/ruby-saml/pull/241) Add decrypt support (EncryptID and EncryptedAssertion). Improve compatibility with namespaces. 
+* [#241](https://github.com/onelogin/ruby-saml/pull/241) Add decrypt support (EncryptID and EncryptedAssertion). Improve compatibility with namespaces.
 * [#240](https://github.com/onelogin/ruby-saml/pull/240) and [#238](https://github.com/onelogin/ruby-saml/pull/238) Improve test coverage and refactor.
 * [#239](https://github.com/onelogin/ruby-saml/pull/239) Improve security: Add more validations to SAMLResponse, LogoutRequest and LogoutResponse. Refactor code and improve tests coverage.
 * [#237](https://github.com/onelogin/ruby-saml/pull/237) Don't pretty print metadata by default.

data/README.md

@@ -4,10 +4,37 @@
 [![Rubygem Version](https://badge.fury.io/rb/ruby-saml.svg)](https://badge.fury.io/rb/ruby-saml)
 [![GitHub version](https://badge.fury.io/gh/SAML-Toolkits%2Fruby-saml.svg)](https://badge.fury.io/gh/SAML-Toolkits%2Fruby-saml) ![GitHub](https://img.shields.io/github/license/SAML-Toolkits/ruby-saml) ![Gem](https://img.shields.io/gem/dtv/ruby-saml?label=gem%20downloads%20latest) ![Gem](https://img.shields.io/gem/dt/ruby-saml?label=gem%20total%20downloads)
 
-Ruby SAML minor and tiny versions may introduce breaking changes. Please read
+Minor and patch versions of Ruby SAML may introduce breaking changes. Please read
 [UPGRADING.md](UPGRADING.md) for guidance on upgrading to new Ruby SAML versions.
 
-There is a critical vulnerability affecting ruby-saml < 1.17.0 (CVE-2024-45409). Make sure you are using an updated version. (1.12.3 is safe)
+### Pay it Forward: Support RubySAML and Strengthen Open-Source Security
+
+RubySAML is a trusted authentication library used by startups and enterprises alike.
+
+But security doesn't happen in a vacuum. Vulnerabilities in authentication libraries can
+have widespread consequences. Maintaining open-source security requires continuous
+effort, expertise, and funding. By supporting RubySAML, you’re not just securing your
+own systems—you’re strengthening auth security globally.
+
+#### How you can help
+
+* Sponsor RubySAML: [GitHub Sponsors](https://github.com/sponsors/SAML-Toolkits)
+* Contribute to secure-by-design improvements
+* Responsibly report vulnerabilities (see "Vulnerability Reporting" above)
+
+Security is a shared responsibility. If RubySAML has helped your organization, please
+consider giving back. Together, we can keep authentication secure.
+
+### Sponsors
+
+Thanks to the following sponsors for securing the open source ecosystem,
+
+[<img alt="84codes" src="https://avatars.githubusercontent.com/u/5353257" width="75px">](https://www.84codes.com)
+
+
+## Vulnerabilities
+
+There are critical vulnerabilities affecting ruby-saml < 1.18.0, two of them allows SAML authentication bypass (CVE-2025-25291, CVE-2025-25292, CVE-2025-25293). Please upgrade to a fixed version (1.18.0)
 
 ## Overview
 
@@ -15,7 +42,7 @@ The Ruby SAML library is for implementing the client side of a SAML authorizatio
 i.e. it provides a means for managing authorization initialization and confirmation
 requests from identity providers.
 
-SAML authorization is a two step process and you are expected to implement support for both.
+SAML authorization is a two-step process and you are expected to implement support for both.
 
 We created a demo project for Rails 4 that uses the latest version of this library:
 [ruby-saml-example](https://github.com/saml-toolkits/ruby-saml-example)
@@ -34,7 +61,7 @@ The following Ruby versions are covered by CI testing:
 * Make your feature addition or bug fix
 * Add tests for your new features. This is important so we don't break any features in a future version unintentionally.
 * Ensure all tests pass by running `bundle exec rake test`.
-* Do not change rakefile, version, or history.
+* Do not change Rakefile, version, or history.
 * Open a pull request, following [this template](https://gist.github.com/Lordnibbler/11002759).
 
 ## Security Guidelines
@@ -45,21 +72,20 @@ by mail to the maintainer: sixto.martin.garcia+security@gmail.com
 ### Security Warning
 
 Some tools may incorrectly report ruby-saml is a potential security vulnerability.
-ruby-saml depends on Nokogiri, and it's possible to use Nokogiri in a dangerous way
+ruby-saml depends on Nokogiri, and it is possible to use Nokogiri in a dangerous way
 (by enabling its DTDLOAD option and disabling its NONET option).
 This dangerous Nokogiri configuration, which is sometimes used by other components,
 can create an XML External Entity (XXE) vulnerability if the XML data is not trusted.
 However, ruby-saml never enables this dangerous Nokogiri configuration;
 ruby-saml never enables DTDLOAD, and it never disables NONET.
 
-The OneLogin::RubySaml::IdpMetadataParser class does not validate in any way the URL
-that is introduced in order to be parsed.
+The OneLogin::RubySaml::IdpMetadataParser class does not validate the provided URL before parsing.
 
-Usually the same administrator that handles the Service Provider also sets the URL to
+Usually, the same administrator who handles the Service Provider also sets the URL to
 the IdP, which should be a trusted resource.
 
-But there are other scenarios, like a SAAS app where the administrator of the app
-delegates this functionality to other users. In this case, extra precaution should
+But there are other scenarios, like a SaaS app where the administrator of the app
+delegates this functionality to other users. In this case, extra precautions should
 be taken in order to validate such URL inputs and avoid attacks like SSRF.
 
 ## Getting Started
@@ -71,7 +97,7 @@ Using `Gemfile`
 
 ```ruby
 # latest stable
-gem 'ruby-saml', '~> 1.11.0'
+gem 'ruby-saml', '~> 1.17.0'
 
 # or track master for bleeding-edge
 gem 'ruby-saml', :github => 'saml-toolkit/ruby-saml'
@@ -116,8 +142,8 @@ gem install nokogiri --version '~> 1.5.10'
 ### Configuring Logging
 
 When troubleshooting SAML integration issues, you will find it extremely helpful to examine the
-output of this gem's business logic. By default, log messages are emitted to RAILS_DEFAULT_LOGGER
-when the gem is used in a Rails context, and to STDOUT when the gem is used outside of Rails.
+output of this gem's business logic. By default, log messages are emitted to `RAILS_DEFAULT_LOGGER`
+when the gem is used in a Rails context, and to `STDOUT` when the gem is used outside of Rails.
 
 To override the default behavior and control the destination of log messages, provide
 a ruby Logger object to the gem's logging singleton:
@@ -140,7 +166,7 @@ def init
 end
 ```
 
-If the SP knows who should be authenticated in the IdP, then can provide that info as follows:
+If the SP knows who should be authenticated in the IdP, it can provide that info as follows:
 
 ```ruby
 def init
@@ -218,7 +244,7 @@ def saml_settings
 end
 ```
 
-The use of settings.issuer is deprecated in favour of settings.sp_entity_id since version 1.11.0
+The use of `settings.issuer` is deprecated in favor of `settings.sp_entity_id` since version 1.11.0
 
 Some assertion validations can be skipped by passing parameters to `OneLogin::RubySaml::Response.new()`.
 For example, you can skip the `AuthnStatement`, `Conditions`, `Recipient`, or the `SubjectConfirmation`
@@ -373,11 +399,11 @@ IdpMetadataParser by its Entity Id value:
              )
 ```
 
-### Retrieve one Entity Descriptor with an specific binding and nameid format when several are available
+### Retrieve one Entity Descriptor with a specific binding and nameid format when several are available
 
-If the Metadata contains several bindings and nameids, the relevant ones
-also can be specified when retrieving the settings from the IdpMetadataParser
-by the values of binding and nameid:
+If the metadata contains multiple bindings and NameID formats, the relevant ones
+can be specified when retrieving the settings from the IdpMetadataParser
+by the values of binding and NameID:
 
 ```ruby
   validate_cert = true
@@ -441,13 +467,13 @@ if valid
     entity_id: "<entity_id_of_the_entity_to_be_retrieved>"
   )
 else
-  print "Metadata Signarture failed to be verified with the cert provided"
+  print "Metadata Signature failed to be verified with the cert provided"
 end
 ```
 
 ## Retrieving Attributes
 
-If you are using `saml:AttributeStatement` to transfer data like the username, you can access all the attributes through `response.attributes`. It contains all the `saml:AttributeStatement`s with its 'Name' as an indifferent key and one or more `saml:AttributeValue`s as values. The value returned depends on the value of the
+If you are using `saml:AttributeStatement` to transfer data, such as the username, you can access all the attributes through `response.attributes`. It contains all the `saml:AttributeStatement`s with its 'Name' as an indifferent key and one or more `saml:AttributeValue`s as values. The value returned depends on the value of the
 `single_value_compatibility` (when activated, only the first value is returned)
 
 ```ruby
@@ -670,7 +696,7 @@ Next, you may specify the specific SP SAML messages you would like to sign:
   settings.security[:logout_responses_signed] = true  # Enable signature on Logout Response
 ```
 
-Signatures will be handled automatically for both `HTTP-Redirect` and `HTTP-Redirect` Binding.
+Signatures will be handled automatically for both `HTTP-Redirect` and `HTTP-POST` Binding.
 Note that the RelayState parameter is used when creating the Signature on the `HTTP-Redirect` Binding.
 Remember to provide it to the Signature builder if you are sending a `GET RelayState` parameter or the
 signature validation process will fail at the Identity Provider.
@@ -762,7 +788,7 @@ Note the following:
 #### Audience Validation
 
 A service provider should only consider a SAML response valid if the IdP includes an <AudienceRestriction>
-element containting an <Audience> element that uniquely identifies the service provider. Unless you specify
+element containing an <Audience> element that uniquely identifies the service provider. Unless you specify
 the `skip_audience` option, Ruby SAML will validate that each SAML response includes an <Audience> element
 whose contents matches `settings.sp_entity_id`.
 
@@ -940,7 +966,7 @@ end
 
 ## Attribute Service
 
-To request attributes from the IdP the SP needs to provide an attribute service within it's metadata and reference the index in the assertion.
+To request attributes from the IdP the SP must provide an attribute service within its metadata and reference the index in the assertion.
 
 ```ruby
 settings = OneLogin::RubySaml::Settings.new
@@ -957,7 +983,7 @@ The `attribute_value` option additionally accepts an array of possible values.
 
 ## Custom Metadata Fields
 
-Some IdPs may require to add SPs to add additional fields (Organization, ContactPerson, etc.)
+Some IdPs may require SPs to add additional fields (Organization, ContactPerson, etc.)
 into the SP metadata. This can be achieved by extending the `OneLogin::RubySaml::Metadata`
 class and overriding the `#add_extras` method as per the following example:
 

data/UPGRADING.md

@@ -1,5 +1,14 @@
 # Ruby SAML Migration Guide
 
+## Updating from 1.17.x to 1.18.0
+
+Version `1.18.0` changes the way the toolkit validates SAML signatures. There is a new order
+how validation happens in the toolkit and also the toolkit by default will check malformed doc
+when parsing a SAML Message (`settings.check_malformed_doc`).
+
+The SignedDocument class defined at xml_security.rb experienced several changes.
+We don't expect compatibilty issues if you use the main methods offered by ruby-saml, but if you use a fork or customized usage, is possible that you need to adapt your code.
+
 ## Updating from 1.12.x to 1.13.0
 
 Version `1.13.0` adds `settings.idp_sso_service_binding` and `settings.idp_slo_service_binding`, and

data/lib/onelogin/ruby-saml/authrequest.rb

@@ -64,7 +64,7 @@ module OneLogin
         request_doc = create_authentication_xml_doc(settings)
         request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
 
-        request = ""
+        request = "".dup
         request_doc.write(request)
 
         Logging.debug "Created AuthnRequest: #{request}"

data/lib/onelogin/ruby-saml/idp_metadata_parser.rb

@@ -384,14 +384,12 @@ module OneLogin
         # @return [String|nil] the fingerpint of the X509Certificate if it exists
         #
         def fingerprint(certificate, fingerprint_algorithm = XMLSecurity::Document::SHA1)
-          @fingerprint ||= begin
-            return unless certificate
+          return unless certificate
 
-            cert = OpenSSL::X509::Certificate.new(Base64.decode64(certificate))
+          cert = OpenSSL::X509::Certificate.new(Base64.decode64(certificate))
 
-            fingerprint_alg = XMLSecurity::BaseDocument.new.algorithm(fingerprint_algorithm).new
-            fingerprint_alg.hexdigest(cert.to_der).upcase.scan(/../).join(":")
-          end
+          fingerprint_alg = XMLSecurity::BaseDocument.new.algorithm(fingerprint_algorithm).new
+          fingerprint_alg.hexdigest(cert.to_der).upcase.scan(/../).join(":")
         end
 
         # @return [Array] the names of all SAML attributes if any exist

data/lib/onelogin/ruby-saml/logoutrequest.rb

@@ -61,7 +61,7 @@ module OneLogin
         request_doc = create_logout_request_xml_doc(settings)
         request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
 
-        request = ""
+        request = "".dup
         request_doc.write(request)
 
         Logging.debug "Created SLO Logout Request: #{request}"

data/lib/onelogin/ruby-saml/logoutresponse.rb

@@ -150,7 +150,8 @@ module OneLogin
       # @raise [ValidationError] if soft == false and validation fails
       #
       def validate_structure
-        unless valid_saml?(document, soft)
+        check_malformed_doc = check_malformed_doc?(settings)
+        unless valid_saml?(document, soft, check_malformed_doc)
           return append_error("Invalid SAML Logout Response. Not match the saml-schema-protocol-2.0.xsd")
         end
 

data/lib/onelogin/ruby-saml/metadata.rb

@@ -145,7 +145,7 @@ module OneLogin
       end
 
       def output_xml(meta_doc, pretty_print)
-        ret = ''
+        ret = ''.dup
 
         # pretty print the XML so IdP administrators can easily see what the SP supports
         if pretty_print

data/lib/onelogin/ruby-saml/response.rb

@@ -17,6 +17,10 @@ module OneLogin
       PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
       DSIG      = "http://www.w3.org/2000/09/xmldsig#"
       XENC      = "http://www.w3.org/2001/04/xmlenc#"
+      SAML_NAMESPACES = {
+        "p" => PROTOCOL,
+        "a" => ASSERTION
+      }.freeze
 
       # TODO: Settings should probably be initialized too... WDYT?
 
@@ -198,6 +202,27 @@ module OneLogin
         end
       end
 
+      # Gets the AuthnInstant from the AuthnStatement.
+      # Could be used to require re-authentication if a long time has passed
+      # since the last user authentication.
+      # @return [String] AuthnInstant value
+      #
+      def authn_instant
+        @authn_instant ||= begin
+          node = xpath_first_from_signed_assertion('/a:AuthnStatement')
+          node.nil? ? nil : node.attributes['AuthnInstant']
+        end
+      end
+
+      # Gets the AuthnContextClassRef from the AuthnStatement
+      # Could be used to require re-authentication if the assertion
+      # did not met the requested authentication context class.
+      # @return [String] AuthnContextClassRef value
+      #
+      def authn_context_class_ref
+        @authn_context_class_ref ||= Utils.element_text(xpath_first_from_signed_assertion('/a:AuthnStatement/a:AuthnContext/a:AuthnContextClassRef'))
+      end
+
       # Checks if the Status has the "Success" code
       # @return [Boolean] True if the StatusCode is Sucess
       #
@@ -282,7 +307,7 @@ module OneLogin
           issuer_response_nodes = REXML::XPath.match(
             document,
             "/p:Response/a:Issuer",
-            { "p" => PROTOCOL, "a" => ASSERTION }
+            SAML_NAMESPACES
           )
 
           unless issuer_response_nodes.size == 1
@@ -349,7 +374,7 @@ module OneLogin
         ! REXML::XPath.first(
           document,
           "(/p:Response/EncryptedAssertion/)|(/p:Response/a:EncryptedAssertion/)",
-          { "p" => PROTOCOL, "a" => ASSERTION }
+          SAML_NAMESPACES
         ).nil?
       end
 
@@ -380,9 +405,9 @@ module OneLogin
           :validate_id,
           :validate_success_status,
           :validate_num_assertion,
-          :validate_no_duplicated_attributes,
           :validate_signed_elements,
           :validate_structure,
+          :validate_no_duplicated_attributes,
           :validate_in_response_to,
           :validate_one_conditions,
           :validate_conditions,
@@ -423,12 +448,14 @@ module OneLogin
       #
       def validate_structure
         structure_error_msg = "Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd"
-        unless valid_saml?(document, soft)
+
+        check_malformed_doc = check_malformed_doc_enabled?
+        unless valid_saml?(document, soft, check_malformed_doc)
           return append_error(structure_error_msg)
         end
 
         unless decrypted_document.nil?
-          unless valid_saml?(decrypted_document, soft)
+          unless valid_saml?(decrypted_document, soft, check_malformed_doc)
             return append_error(structure_error_msg)
           end
         end
@@ -812,7 +839,7 @@ module OneLogin
 
           unless settings.sp_entity_id.nil? || settings.sp_entity_id.empty? || name_id_spnamequalifier.nil? || name_id_spnamequalifier.empty?
             if name_id_spnamequalifier != settings.sp_entity_id
-              return append_error("The SPNameQualifier value mistmatch the SP entityID value.")
+              return append_error("SPNameQualifier value does not match the SP entityID value.")
             end
           end
         end
@@ -820,6 +847,25 @@ module OneLogin
         true
       end
 
+      def doc_to_validate
+        # If the response contains the signature, and the assertion was encrypted, validate the original SAML Response
+        # otherwise, review if the decrypted assertion contains a signature
+        sig_elements = REXML::XPath.match(
+          document,
+          "/p:Response[@ID=$id]/ds:Signature",
+          { "p" => PROTOCOL, "ds" => DSIG },
+          { 'id' => document.signed_element_id }
+        )
+
+        use_original = sig_elements.size == 1 || decrypted_document.nil?
+        doc = use_original ? document : decrypted_document
+        if !doc.processed
+          doc.cache_referenced_xml(@soft, check_malformed_doc_enabled?)
+        end
+
+        return doc
+      end
+
       # Validates the Signature
       # @return [Boolean] True if not contains a Signature or if the Signature is valid, otherwise False if soft=True
       # @raise [ValidationError] if soft == false and validation fails
@@ -827,8 +873,8 @@ module OneLogin
       def validate_signature
         error_msg = "Invalid Signature on SAML Response"
 
-        # If the response contains the signature, and the assertion was encrypted, validate the original SAML Response
-        # otherwise, review if the decrypted assertion contains a signature
+        doc = doc_to_validate
+
         sig_elements = REXML::XPath.match(
           document,
           "/p:Response[@ID=$id]/ds:Signature",
@@ -836,15 +882,12 @@ module OneLogin
           { 'id' => document.signed_element_id }
         )
 
-        use_original = sig_elements.size == 1 || decrypted_document.nil?
-        doc = use_original ? document : decrypted_document
-
-        # Check signature nodes
+        # Check signature node inside assertion
         if sig_elements.nil? || sig_elements.size == 0
           sig_elements = REXML::XPath.match(
             doc,
             "/p:Response/a:Assertion[@ID=$id]/ds:Signature",
-            {"p" => PROTOCOL, "a" => ASSERTION, "ds"=>DSIG},
+            SAML_NAMESPACES.merge({"ds"=>DSIG}),
             { 'id' => doc.signed_element_id }
           )
         end
@@ -922,24 +965,47 @@ module OneLogin
           end
       end
 
+      def get_cached_signed_assertion
+        xml = doc_to_validate.referenced_xml
+        empty_doc = REXML::Document.new
+
+        return empty_doc if xml.nil? # when no signature/reference is found, return empty document
+
+        root = REXML::Document.new(xml).root
+
+        if root.attributes["ID"] != doc_to_validate.signed_element_id
+          return empty_doc
+        end
+
+        assertion = empty_doc
+        if root.name == "Response"
+          if REXML::XPath.first(root, "a:Assertion", {"a" => ASSERTION})
+            assertion = REXML::XPath.first(root, "a:Assertion", {"a" => ASSERTION})
+          elsif REXML::XPath.first(root, "a:EncryptedAssertion", {"a" => ASSERTION})
+            assertion = decrypt_assertion(REXML::XPath.first(root, "a:EncryptedAssertion", {"a" => ASSERTION}))
+          end
+        elsif root.name == "Assertion"
+          assertion = root
+        end
+
+        assertion
+      end
+
+      def signed_assertion
+        @signed_assertion ||= get_cached_signed_assertion
+      end
+
       # Extracts the first appearance that matchs the subelt (pattern)
       # Search on any Assertion that is signed, or has a Response parent signed
       # @param subelt [String] The XPath pattern
       # @return [REXML::Element | nil] If any matches, return the Element
       #
       def xpath_first_from_signed_assertion(subelt=nil)
-        doc = decrypted_document.nil? ? document : decrypted_document
+        doc = signed_assertion
         node = REXML::XPath.first(
             doc,
-            "/p:Response/a:Assertion[@ID=$id]#{subelt}",
-            { "p" => PROTOCOL, "a" => ASSERTION },
-            { 'id' => doc.signed_element_id }
-        )
-        node ||= REXML::XPath.first(
-            doc,
-            "/p:Response[@ID=$id]/a:Assertion#{subelt}",
-            { "p" => PROTOCOL, "a" => ASSERTION },
-            { 'id' => doc.signed_element_id }
+            "./#{subelt}",
+            SAML_NAMESPACES
         )
         node
       end
@@ -950,19 +1016,13 @@ module OneLogin
       # @return [Array of REXML::Element] Return all matches
       #
       def xpath_from_signed_assertion(subelt=nil)
-        doc = decrypted_document.nil? ? document : decrypted_document
+        doc = signed_assertion
         node = REXML::XPath.match(
             doc,
-            "/p:Response/a:Assertion[@ID=$id]#{subelt}",
-            { "p" => PROTOCOL, "a" => ASSERTION },
-            { 'id' => doc.signed_element_id }
+            "./#{subelt}",
+            SAML_NAMESPACES
         )
-        node.concat( REXML::XPath.match(
-            doc,
-            "/p:Response[@ID=$id]/a:Assertion#{subelt}",
-            { "p" => PROTOCOL, "a" => ASSERTION },
-            { 'id' => doc.signed_element_id }
-        ))
+        node
       end
 
       # Generates the decrypted_document
@@ -996,7 +1056,7 @@ module OneLogin
         encrypted_assertion_node = REXML::XPath.first(
           document_copy,
           "(/p:Response/EncryptedAssertion/)|(/p:Response/a:EncryptedAssertion/)",
-          { "p" => PROTOCOL, "a" => ASSERTION }
+          SAML_NAMESPACES
         )
         response_node.add(decrypt_assertion(encrypted_assertion_node))
         encrypted_assertion_node.remove
@@ -1066,6 +1126,10 @@ module OneLogin
           Time.parse(node.attributes[attribute])
         end
       end
+
+      def check_malformed_doc_enabled?
+        check_malformed_doc?(settings)
+      end
     end
   end
 end

data/lib/onelogin/ruby-saml/saml_message.rb

@@ -19,15 +19,13 @@ module OneLogin
       PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol".freeze
 
       BASE64_FORMAT = %r(\A([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\Z)
-      @@mutex = Mutex.new
 
       # @return [Nokogiri::XML::Schema] Gets the schema object of the SAML 2.0 Protocol schema
       #
       def self.schema
-        @@mutex.synchronize do
-          Dir.chdir(File.expand_path("../../../schemas", __FILE__)) do
-            ::Nokogiri::XML::Schema(File.read("saml-schema-protocol-2.0.xsd"))
-          end
+        path = File.expand_path("../../../schemas/saml-schema-protocol-2.0.xsd", __FILE__)
+        File.open(path) do |file|
+          ::Nokogiri::XML::Schema(file)
         end
       end
 
@@ -60,14 +58,13 @@ module OneLogin
       # Validates the SAML Message against the specified schema.
       # @param document [REXML::Document] The message that will be validated
       # @param soft [Boolean] soft Enable or Disable the soft mode (In order to raise exceptions when the message is invalid or not)
+      # @param check_malformed_doc [Boolean] check_malformed_doc Enable or Disable the check for malformed XML
       # @return [Boolean] True if the XML is valid, otherwise False, if soft=True
       # @raise [ValidationError] if soft == false and validation fails
       #
-      def valid_saml?(document, soft = true)
+      def valid_saml?(document, soft = true, check_malformed_doc = true)
         begin
-          xml = Nokogiri::XML(document.to_s) do |config|
-            config.options = XMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
-          end
+          xml = XMLSecurity::BaseDocument.safe_load_xml(document, check_malformed_doc)
         rescue StandardError => error
           return false if soft
           raise ValidationError.new("XML load failed: #{error.message}")
@@ -83,6 +80,7 @@ module OneLogin
 
       # Base64 decode and try also to inflate a SAML Message
       # @param saml [String] The deflated and encoded SAML Message
+      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
       # @return [String] The plain SAML Message
       #
       def decode_raw_saml(saml, settings = nil)
@@ -95,10 +93,16 @@ module OneLogin
 
         decoded = decode(saml)
         begin
-          inflate(decoded)
+            message = inflate(decoded)
         rescue
-          decoded
+            message = decoded
+        end
+
+        if message.bytesize > settings.message_max_bytesize
+            raise ValidationError.new("SAML Message exceeds " + settings.message_max_bytesize.to_s + " bytes, so was rejected")
         end
+
+        message
       end
 
       # Deflate, base64 encode and url-encode a SAML Message (To be used in the HTTP-redirect binding)
@@ -155,6 +159,12 @@ module OneLogin
       def deflate(inflated)
         Zlib::Deflate.deflate(inflated, 9)[2..-5]
       end
+
+      def check_malformed_doc?(settings)
+        default_value = OneLogin::RubySaml::Settings::DEFAULTS[:check_malformed_doc]
+
+        settings.nil? ? default_value : settings.check_malformed_doc
+      end
     end
   end
 end

data/lib/onelogin/ruby-saml/settings.rb

@@ -55,6 +55,7 @@ module OneLogin
       attr_accessor :compress_response
       attr_accessor :double_quote_xml_attribute_values
       attr_accessor :message_max_bytesize
+      attr_accessor :check_malformed_doc
       attr_accessor :passive
       attr_reader   :protocol_binding
       attr_accessor :attributes_index
@@ -281,7 +282,9 @@ module OneLogin
         :compress_response                         => true,
         :message_max_bytesize                      => 250000,
         :soft                                      => true,
+        :check_malformed_doc                       => true,
         :double_quote_xml_attribute_values         => false,
+        
         :security                                  => {
           :authn_requests_signed      => false,
           :logout_requests_signed     => false,

data/lib/onelogin/ruby-saml/slo_logoutrequest.rb

@@ -238,7 +238,8 @@ module OneLogin
       # @raise [ValidationError] if soft == false and validation fails
       #
       def validate_structure
-        unless valid_saml?(document, soft)
+        check_malformed_doc = check_malformed_doc?(settings)
+        unless valid_saml?(document, soft, check_malformed_doc)
           return append_error("Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd")
         end
 

data/lib/onelogin/ruby-saml/slo_logoutresponse.rb

@@ -70,7 +70,7 @@ module OneLogin
         response_doc = create_logout_response_xml_doc(settings, request_id, logout_message, logout_status_code)
         response_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
 
-        response = ""
+        response = "".dup
         response_doc.write(response)
 
         Logging.debug "Created SLO Logout Response: #{response}"

data/lib/onelogin/ruby-saml/utils.rb

@@ -32,7 +32,9 @@ module OneLogin
           (\d+)W                    # 8: Weeks
         )
       $)x.freeze
+
       UUID_PREFIX = '_'
+      @@prefix = '_'
 
       # Checks if the x509 cert provided is expired.
       #
@@ -252,6 +254,8 @@ module OneLogin
       # @param status_message [Strig] StatusMessage value
       # @return [String] The status error message
       def self.status_error_msg(error_msg, raw_status_code = nil, status_message = nil)
+        error_msg = error_msg.dup
+
         unless raw_status_code.nil?
           if raw_status_code.include? "|"
             status_codes = raw_status_code.split(' | ')
@@ -400,11 +404,15 @@ module OneLogin
       end
 
       def self.set_prefix(value)
-        UUID_PREFIX.replace value
+        @@prefix = value
+      end
+
+      def self.prefix
+        @@prefix
       end
 
       def self.uuid
-        "#{UUID_PREFIX}" + (RUBY_VERSION < '1.9' ? "#{@@uuid_generator.generate}" : "#{SecureRandom.uuid}")
+        "#{prefix}" + (RUBY_VERSION < '1.9' ? "#{@@uuid_generator.generate}" : "#{SecureRandom.uuid}")
       end
 
       # Given two strings, attempt to match them as URIs using Rails' parse method.  If they can be parsed,

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '1.17.0'
+    VERSION = '1.18.0'
   end
 end

data/lib/xml_security.rb

@@ -42,6 +42,36 @@ module XMLSecurity
     NOKOGIRI_OPTIONS = Nokogiri::XML::ParseOptions::STRICT |
                        Nokogiri::XML::ParseOptions::NONET
 
+    # Safety load the SAML Message XML
+    # @param document [REXML::Document] The message to be loaded
+    # @param check_malformed_doc [Boolean] check_malformed_doc Enable or Disable the check for malformed XML
+    # @return [Nokogiri::XML] The nokogiri document
+    # @raise [ValidationError] If there was a problem loading the SAML Message XML
+    def self.safe_load_xml(document, check_malformed_doc = true)
+      doc_str = document.to_s
+      if doc_str.include?("<!DOCTYPE")
+       raise StandardError.new("Dangerous XML detected. No Doctype nodes allowed")
+      end
+
+      begin
+        xml = Nokogiri::XML(doc_str) do |config|
+          config.options = self::NOKOGIRI_OPTIONS
+        end
+      rescue StandardError => error
+        raise StandardError.new(error.message)
+      end
+
+      if xml.internal_subset
+        raise StandardError.new("Dangerous XML detected. No Doctype nodes allowed")
+      end
+
+      unless xml.errors.empty?
+        raise StandardError.new("There were XML errors when parsing: #{xml.errors}") if check_malformed_doc
+      end
+
+      xml
+    end
+
     def canon_algorithm(element)
       algorithm = element
       if algorithm.is_a?(REXML::Element)
@@ -114,10 +144,8 @@ module XMLSecurity
       #<KeyInfo />
       #<Object />
     #</Signature>
-    def sign_document(private_key, certificate, signature_method = RSA_SHA1, digest_method = SHA1)
-      noko = Nokogiri::XML(self.to_s) do |config|
-        config.options = XMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
-      end
+    def sign_document(private_key, certificate, signature_method = RSA_SHA1, digest_method = SHA1, check_malformed_doc = true)
+      noko = XMLSecurity::BaseDocument.safe_load_xml(self.to_s, check_malformed_doc)
 
       signature_element = REXML::Element.new("ds:Signature").add_namespace('ds', DSIG)
       signed_info_element = signature_element.add_element("ds:SignedInfo")
@@ -139,9 +167,7 @@ module XMLSecurity
       reference_element.add_element("ds:DigestValue").text = compute_digest(canon_doc, algorithm(digest_method_element))
 
       # add SignatureValue
-      noko_sig_element = Nokogiri::XML(signature_element.to_s) do |config|
-        config.options = XMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
-      end
+      noko_sig_element = XMLSecurity::BaseDocument.safe_load_xml(signature_element.to_s, check_malformed_doc)
 
       noko_signed_info_element = noko_sig_element.at_xpath('//ds:Signature/ds:SignedInfo', 'ds' => DSIG)
       canon_string = noko_signed_info_element.canonicalize(canon_algorithm(C14N))
@@ -190,12 +216,31 @@ module XMLSecurity
     def initialize(response, errors = [])
       super(response)
       @errors = errors
+      reset_elements
+    end
+
+    def reset_elements
+      @referenced_xml = nil
+      @cached_signed_info = nil
+      @signature = nil
+      @signature_algorithm = nil
+      @ref = nil
+      @processed = false
+    end
+
+    def processed
+      @processed
+    end
+
+    def referenced_xml
+      @referenced_xml
     end
 
     def signed_element_id
       @signed_element_id ||= extract_signed_element_id
     end
 
+    # Validates the referenced_xml, which is the signed part of the document
     def validate_document(idp_cert_fingerprint, soft = true, options = {})
       # get cert from response
       cert_element = REXML::XPath.first(
@@ -224,6 +269,7 @@ module XMLSecurity
         if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
           return append_error("Fingerprint mismatch", soft)
         end
+        base64_cert = Base64.encode64(cert.to_der)
       else
         if options[:cert]
           base64_cert = Base64.encode64(options[:cert].to_pem)
@@ -259,16 +305,22 @@ module XMLSecurity
         if idp_cert.to_pem != cert.to_pem
           return append_error("Certificate of the Signature element does not match provided certificate", soft)
         end
-      else
-        base64_cert = Base64.encode64(idp_cert.to_pem)
       end
-      validate_signature(base64_cert, true)
+
+      encoded_idp_cert = Base64.encode64(idp_cert.to_pem)
+      validate_signature(encoded_idp_cert, true)
     end
 
-    def validate_signature(base64_cert, soft = true)
+    def cache_referenced_xml(soft, check_malformed_doc = true)
+      reset_elements
+      @processed = true
 
-      document = Nokogiri::XML(self.to_s) do |config|
-        config.options = XMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
+      begin
+        nokogiri_document = XMLSecurity::BaseDocument.safe_load_xml(self, check_malformed_doc)
+      rescue StandardError => error
+        @errors << error.message
+        return false if soft
+        raise ValidationError.new("XML load failed: #{error.message}")
       end
 
       # create a rexml document
@@ -281,13 +333,15 @@ module XMLSecurity
           {"ds"=>DSIG}
       )
 
+      return if sig_element.nil?
+
       # signature method
       sig_alg_value = REXML::XPath.first(
         sig_element,
         "./ds:SignedInfo/ds:SignatureMethod",
         {"ds"=>DSIG}
       )
-      signature_algorithm = algorithm(sig_alg_value)
+      @signature_algorithm = algorithm(sig_alg_value)
 
       # get signature
       base64_signature = REXML::XPath.first(
@@ -295,7 +349,11 @@ module XMLSecurity
         "./ds:SignatureValue",
         {"ds" => DSIG}
       )
-      signature = Base64.decode64(OneLogin::RubySaml::Utils.element_text(base64_signature))
+
+      return if base64_signature.nil?
+
+      base64_signature_text = OneLogin::RubySaml::Utils.element_text(base64_signature)
+      @signature = base64_signature_text.nil? ? nil : Base64.decode64(base64_signature_text)
 
       # canonicalization method
       canon_algorithm = canon_algorithm REXML::XPath.first(
@@ -304,66 +362,75 @@ module XMLSecurity
         'ds' => DSIG
       )
 
-      noko_sig_element = document.at_xpath('//ds:Signature', 'ds' => DSIG)
+      noko_sig_element = nokogiri_document.at_xpath('//ds:Signature', 'ds' => DSIG)
       noko_signed_info_element = noko_sig_element.at_xpath('./ds:SignedInfo', 'ds' => DSIG)
 
-      canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
-      noko_sig_element.remove
+      @cached_signed_info = noko_signed_info_element.canonicalize(canon_algorithm)
 
-      # get signed info
-      signed_info_element = REXML::XPath.first(
-        sig_element,
-        "./ds:SignedInfo",
-        { "ds" => DSIG }
-      )
+      ### Now get the @referenced_xml to use?
+      rexml_signed_info = REXML::Document.new(@cached_signed_info.to_s).root
+
+      noko_sig_element.remove
 
       # get inclusive namespaces
       inclusive_namespaces = extract_inclusive_namespaces
 
       # check digests
-      ref = REXML::XPath.first(signed_info_element, "./ds:Reference", {"ds"=>DSIG})
-
-      reference_nodes = document.xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id })
+      @ref = REXML::XPath.first(rexml_signed_info, "./ds:Reference", {"ds"=>DSIG})
+      return if @ref.nil?
 
-      if reference_nodes.length > 1 # ensures no elements with same ID to prevent signature wrapping attack.
-        return append_error("Digest mismatch. Duplicated ID found", soft)
-      end
+      reference_nodes = nokogiri_document.xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id })
 
       hashed_element = reference_nodes[0]
+      return if hashed_element.nil?
 
       canon_algorithm = canon_algorithm REXML::XPath.first(
-        signed_info_element,
+        rexml_signed_info,
         './ds:CanonicalizationMethod',
         { "ds" => DSIG }
       )
 
-      canon_algorithm = process_transforms(ref, canon_algorithm)
+      canon_algorithm = process_transforms(@ref, canon_algorithm)
+
+      @referenced_xml = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)
+    end
+
+    def validate_signature(base64_cert, soft = true)
+      if !@processed
+        cache_referenced_xml(soft)
+      end
+
+      return append_error("No Signature Algorithm Method found", soft) if @signature_algorithm.nil?  
+      return append_error("No Signature node found", soft) if @signature.nil?  
+      return append_error("No canonized SignedInfo ", soft) if @cached_signed_info.nil?
+      return append_error("No Reference node found", soft) if @ref.nil?
+      return append_error("No referenced XML", soft) if @referenced_xml.nil?
 
-      canon_hashed_element = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)
+      # get certificate object
+      cert_text = Base64.decode64(base64_cert)
+      cert = OpenSSL::X509::Certificate.new(cert_text)
 
       digest_algorithm = algorithm(REXML::XPath.first(
-        ref,
+        @ref,
         "./ds:DigestMethod",
         { "ds" => DSIG }
       ))
-      hash = digest_algorithm.digest(canon_hashed_element)
+      hash = digest_algorithm.digest(@referenced_xml)
       encoded_digest_value = REXML::XPath.first(
-        ref,
+        @ref,
         "./ds:DigestValue",
         { "ds" => DSIG }
       )
-      digest_value = Base64.decode64(OneLogin::RubySaml::Utils.element_text(encoded_digest_value))
+      encoded_digest_value_text = OneLogin::RubySaml::Utils.element_text(encoded_digest_value)
+      digest_value = encoded_digest_value_text.nil? ? nil : Base64.decode64(encoded_digest_value_text)
 
-      unless digests_match?(hash, digest_value)
+      # Compare the computed "hash" with the "signed" hash
+      unless hash && hash == digest_value
         return append_error("Digest mismatch", soft)
       end
 
-      # get certificate object
-      cert_text = Base64.decode64(base64_cert)
-      cert = OpenSSL::X509::Certificate.new(cert_text)
-
       # verify signature
-      unless cert.public_key.verify(signature_algorithm.new, signature, canon_string)
+      unless cert.public_key.verify(@signature_algorithm.new, @signature, @cached_signed_info)
         return append_error("Key validation error", soft)
       end
 

data/ruby-saml.gemspec

@@ -59,6 +59,12 @@ Gem::Specification.new do |s|
     s.add_runtime_dependency('rexml')
   end
 
+  if RUBY_VERSION >= '3.4.0'
+    s.add_runtime_dependency("logger")
+    s.add_runtime_dependency("base64")
+    s.add_runtime_dependency('mutex_m')
+  end
+
   s.add_development_dependency('simplecov', '<0.22.0')
   if RUBY_VERSION < '2.4.1'
     s.add_development_dependency('simplecov-lcov', '<0.8.0')

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ruby-saml
 version: !ruby/object:Gem::Version
-  version: 1.17.0
+  version: 1.18.0
 platform: ruby
 authors:
 - SAML Toolkit
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-09-10 00:00:00.000000000 Z
+date: 2025-03-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri