ruby-saml 1.6.1 → 1.6.2


checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 3f7f2fefafdfee2e478b50cd7ae51a8bcc55a11f
4
- data.tar.gz: ad69e7db399fc4967b7059be5edc09b0a29c60e0
3
+ metadata.gz: befd20dcf4765f47d3ae11acbb6417a044c41a1e
4
+ data.tar.gz: a102f12788b1c569a3c4b484fc19014200fe1b9d
5
5
  SHA512:
6
- metadata.gz: a6479c8fce8b75075eec5a8903cc4e8e2b0abc5af0df6829c5fe554f1fb8faad502ecd55d49dbbd883b0ca59f8c56f624cf03c12d3836231491bcdc49cff3a29
7
- data.tar.gz: 3aa4270bdd942560608e4e5bc483b501c3a7e4d9a5f390543e3fa242a82a13251800d0f61739b00f5fed92cd4b6544eb8f6541547c800f7a79174fe6a21a0cdc
6
+ metadata.gz: 53131ebe98c82fcb0e987b758e07e5a4ea289a9c33d37f57e7f0ae4c1d838b0377a3d255e77a2948c4c838164837b1c99b28b713c3f19cd73a0caee67fa47bda
7
+ data.tar.gz: 26403d0340303771f11bb855e2bb27d36e22d8a436643eaab4dacccd097b8f32307af87cff281af18ca4820cebe99c18beb62d3c2a348079de56d6bbc76daf4c
data/README.md CHANGED
@@ -1,5 +1,9 @@
1
1
  # Ruby SAML [![Build Status](https://secure.travis-ci.org/onelogin/ruby-saml.svg)](http://travis-ci.org/onelogin/ruby-saml) [![Coverage Status](https://coveralls.io/repos/onelogin/ruby-saml/badge.svg?branch=master%0A)](https://coveralls.io/r/onelogin/ruby-saml?branch=master%0A) [![Gem Version](https://badge.fury.io/rb/ruby-saml.svg)](http://badge.fury.io/rb/ruby-saml)
2
2
 
3
+ ## Updating from 1.6.X to 1.6.2
4
+
5
+ Version `1.6.2` is a recommended update for all Ruby SAML users as it includes a fix for the [CVE-2017-11428](https://www.cvedetails.com/cve/CVE-2017-11428/) vulnerability.
6
+
3
7
  ## Updating from 1.5.0 to 1.6.0
4
8
 
5
9
  Version `1.6.0` changes the preferred way to construct instances of `Logoutresponse` and `SloLogoutrequest`. Previously the _SAMLResponse_, _RelayState_, and _SigAlg_ parameters of these message types were provided via the constructor's `options[:get_params]` parameter. Unfortunately this can result in incompatibility with other SAML implementations; signatures are specified to be computed based on the _sender's_ URI-encoding of the message, which can differ from that of Ruby SAML. In particular, Ruby SAML's URI-encoding does not match that of Microsoft ADFS, so messages from ADFS can fail signature validation.
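Review bot: the new "Updating from 1.6.X to 1.6.2" section names the CVE but never says what changed for users: element text is now read from all text nodes of an element, so an XML comment placed inside NameID, Issuer, Audience, AttributeValue or a certificate element no longer truncates the value. One sentence stating that, and advising applications that read these values themselves to use `OneLogin::RubySaml::Utils.element_text` instead of REXML's `text`, would help upgraders. Minor: the heading range "1.6.X to 1.6.2" includes its own target; "1.6.0/1.6.1 to 1.6.2" reads cleaner.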
@@ -1,5 +1,8 @@
1
1
  # RubySaml Changelog
2
2
 
3
+ ### 1.6.2 (Feb 28, 2018)
4
+ * Fix vulnerability CVE-2017-11428. Process text of nodes properly, ignoring comments
5
+
3
6
  ### 1.6.1 (January 15, 2018)
4
7
  * [#428](https://github.com/onelogin/ruby-saml/issues/428) Fix a bug on IdPMetadataParser when parsing certificates
5
8
  * [#426](https://github.com/onelogin/ruby-saml/pull/426) Ensure `Rails` responds to `logger`
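Review bot: the 1.6.2 entry breaks the conventions of the entries directly below it: those link an issue or PR number (`[#428]`, `[#426]`) and spell the month out ("January 15, 2018"), while this one carries no link and uses "Feb 28, 2018". Link the CVE (the README hunk already has a URL for it) and the PR if there is one, and use the full month name.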
@@ -192,7 +192,7 @@ module OneLogin
192
192
  "md:IDPSSODescriptor/md:NameIDFormat",
193
193
  namespace
194
194
  )
195
- node.text if node
195
+ Utils.element_text(node)
196
196
  end
197
197
 
198
198
  # @param binding_priority [Array]
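Review bot: `node.text if node` becoming `Utils.element_text(node)` keeps the nil case (`element_text` returns nil for nil) but changes what a present element yields: REXML's `Element#text` returns only the first text child, so a comment inside `md:NameIDFormat` previously cut the value short, whereas the new call joins every text child. Note that for an element with no text child at all the old code returned nil and the new helper returns `""`; callers that compared the result against nil should be checked.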
@@ -281,14 +281,14 @@ module OneLogin
281
281
  unless signing_nodes.empty?
282
282
  certs['signing'] = []
283
283
  signing_nodes.each do |cert_node|
284
- certs['signing'] << cert_node.text
284
+ certs['signing'] << Utils.element_text(cert_node)
285
285
  end
286
286
  end
287
287
 
288
288
  unless encryption_nodes.empty?
289
289
  certs['encryption'] = []
290
290
  encryption_nodes.each do |cert_node|
291
- certs['encryption'] << cert_node.text
291
+ certs['encryption'] << Utils.element_text(cert_node)
292
292
  end
293
293
  end
294
294
  end
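Review bot: the "signing" and "encryption" loops are identical apart from the hash key, and now that both call `Utils.element_text(cert_node)` they could collapse into one expression per kind, e.g. `certs['signing'] = signing_nodes.map { |n| Utils.element_text(n) }`. The strings collected here are still raw base64 including any whitespace that sat inside the `ds:X509Certificate` element; if they are compared or logged anywhere rather than only fed to `Base64.decode64`, strip them first.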
@@ -80,7 +80,7 @@ module OneLogin
80
80
  "/p:LogoutResponse/a:Issuer",
81
81
  { "p" => PROTOCOL, "a" => ASSERTION }
82
82
  )
83
- node.nil? ? nil : node.text
83
+ Utils.element_text(node)
84
84
  end
85
85
  end
86
86
 
@@ -100,7 +100,7 @@ module OneLogin
100
100
  "/p:LogoutResponse/p:Status/p:StatusMessage",
101
101
  { "p" => PROTOCOL, "a" => ASSERTION }
102
102
  )
103
- node.text if node
103
+ Utils.element_text(node)
104
104
  end
105
105
  end
106
106
 
@@ -71,10 +71,7 @@ module OneLogin
71
71
  # @return [String] the NameID provided by the SAML response from the IdP.
72
72
  #
73
73
  def name_id
74
- @name_id ||=
75
- if name_id_node
76
- name_id_node.text
77
- end
74
+ @name_id ||= Utils.element_text(name_id_node)
78
75
  end
79
76
 
80
77
  alias_method :nameid, :name_id
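Review bot: `@name_id ||= Utils.element_text(name_id_node)` changes the empty case. `element_text` returns `element.texts.join`, which is `""` (not nil) for an element without text children, whereas the removed `name_id_node.text` returned nil there. A content-less `<saml:NameID/>` therefore now makes `name_id` return an empty string, and any caller testing `response.name_id.nil?` sees different behaviour. Either document that, or make `element_text` return nil when the joined text is empty.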
@@ -159,14 +156,14 @@ module OneLogin
159
156
  if (e.elements.nil? || e.elements.size == 0)
160
157
  # SAMLCore requires that nil AttributeValues MUST contain xsi:nil XML attribute set to "true" or "1"
161
158
  # otherwise the value is to be regarded as empty.
162
- ["true", "1"].include?(e.attributes['xsi:nil']) ? nil : e.text.to_s
159
+ ["true", "1"].include?(e.attributes['xsi:nil']) ? nil : Utils.element_text(e)
163
160
  # explicitly support saml2:NameID with saml2:NameQualifier if supplied in attributes
164
161
  # this is useful for allowing eduPersonTargetedId to be passed as an opaque identifier to use to
165
162
  # identify the subject in an SP rather than email or other less opaque attributes
166
163
  # NameQualifier, if present is prefixed with a "/" to the value
167
164
  else
168
165
  REXML::XPath.match(e,'a:NameID', { "a" => ASSERTION }).collect{|n|
169
- (n.attributes['NameQualifier'] ? n.attributes['NameQualifier'] +"/" : '') + n.text.to_s
166
+ (n.attributes['NameQualifier'] ? n.attributes['NameQualifier'] +"/" : '') + Utils.element_text(n)
170
167
  }
171
168
  end
172
169
  }
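Review bot: dropping `.to_s` after `e.text` and `n.text` is correct since `Utils.element_text` on a non-nil element always returns a String (and `e` and `n` come from XPath matches, so they are never nil). The substantive point in this hunk is escaping: `texts.join` serialises each text node with `Text#to_s`, the escaped form, while the replaced `text` used `Text#value`, the unescaped form. An AttributeValue containing `&amp;` or `&lt;` will now be returned escaped; the `response_with_ampersands` fixtures listed in the metadata diff are the right place to pin this down with an assertion.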
@@ -238,8 +235,7 @@ module OneLogin
238
235
  { "p" => PROTOCOL }
239
236
  )
240
237
  if nodes.size == 1
241
- node = nodes[0]
242
- node.text if node
238
+ Utils.element_text(nodes.first)
243
239
  end
244
240
  end
245
241
  end
@@ -293,7 +289,10 @@ module OneLogin
293
289
 
294
290
  nodes = issuer_response_nodes + issuer_assertion_nodes
295
291
  nodes.each do |node|
296
- issuers << node.text if node.text
292
+ text = Utils.element_text(node)
293
+ if text
294
+ issuers << text
295
+ end
297
296
  end
298
297
  issuers.uniq
299
298
  end
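Review bot: the `if text` guard no longer filters what `if node.text` filtered. `node.text` was nil for an Issuer element with no text child, so empty `<saml:Issuer/>` elements were skipped; `Utils.element_text` returns `""` for such an element, and `""` is truthy in Ruby, so an empty string now ends up in `issuers`. If the intent is still to skip empty issuers, use `issuers << text unless text.nil? || text.empty?`.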
@@ -332,8 +331,11 @@ module OneLogin
332
331
  audiences = []
333
332
  nodes = xpath_from_signed_assertion('/a:Conditions/a:AudienceRestriction/a:Audience')
334
333
  nodes.each do |node|
335
- if node && node.text
336
- audiences << node.text
334
+ if node
335
+ text = Utils.element_text(node)
336
+ if text
337
+ audiences << text
338
+ end
337
339
  end
338
340
  end
339
341
  audiences
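Review bot: `if node` is redundant here, since `nodes.each` never yields nil, and the nested `if text` has the same empty-string gap as the issuers hunk: `element_text` yields `""` for an empty `<saml:Audience/>`, which passes the truthiness test and is appended. Flattening to `text = Utils.element_text(node); audiences << text unless text.nil? || text.empty?` removes a level of nesting and restores the old filtering.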
@@ -60,7 +60,7 @@ module OneLogin
60
60
  def name_id
61
61
  @name_id ||= begin
62
62
  node = REXML::XPath.first(document, "/p:LogoutRequest/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
63
- node.nil? ? nil : node.text
63
+ Utils.element_text(node)
64
64
  end
65
65
  end
66
66
 
@@ -93,7 +93,7 @@ module OneLogin
93
93
  "/p:LogoutRequest/a:Issuer",
94
94
  { "p" => PROTOCOL, "a" => ASSERTION }
95
95
  )
96
- node.nil? ? nil : node.text
96
+ Utils.element_text(node)
97
97
  end
98
98
  end
99
99
 
@@ -123,7 +123,7 @@ module OneLogin
123
123
  )
124
124
 
125
125
  nodes.each do |node|
126
- s_indexes << node.text
126
+ s_indexes << Utils.element_text(node)
127
127
  end
128
128
 
129
129
  s_indexes
@@ -173,7 +173,7 @@ module OneLogin
173
173
  "./xenc:CipherData/xenc:CipherValue",
174
174
  { 'xenc' => XENC }
175
175
  )
176
- node = Base64.decode64(cipher_value.text)
176
+ node = Base64.decode64(element_text(cipher_value))
177
177
  encrypt_method = REXML::XPath.first(
178
178
  encrypt_data,
179
179
  "./xenc:EncryptionMethod",
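Review bot: `Base64.decode64(element_text(cipher_value))` fails on a missing `xenc:CipherValue` exactly as `cipher_value.text` did (`element_text(nil)` is nil and `decode64` calls `unpack` on it, raising `NoMethodError`), so behaviour is unchanged, but on the decryption path a missing CipherValue deserves an explicit validation error rather than a `NoMethodError` surfacing from Base64. The unqualified `element_text` call works only if the enclosing method is, like `element_text`, a singleton method on `Utils`; that is not visible in this hunk, so worth confirming.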
@@ -201,7 +201,7 @@ module OneLogin
201
201
  "xenc" => XENC
202
202
  )
203
203
 
204
- cipher_text = Base64.decode64(encrypted_symmetric_key_element.text)
204
+ cipher_text = Base64.decode64(element_text(encrypted_symmetric_key_element))
205
205
 
206
206
  encrypt_method = REXML::XPath.first(
207
207
  encrypted_key,
@@ -281,6 +281,14 @@ module OneLogin
281
281
  def self.original_uri_match?(destination_url, settings_url)
282
282
  destination_url == settings_url
283
283
  end
284
+
285
+ # Given a REXML::Element instance, return the concatenation of all child text nodes. Assumes
286
+ # that there all children other than text nodes can be ignored (e.g. comments). If nil is
287
+ # passed, nil will be returned.
288
+ def self.element_text(element)
289
+ element.texts.join if element
290
+ end
291
+
284
292
  end
285
293
  end
286
294
  end
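Review bot: `element.texts.join` calls `REXML::Text#to_s` on every text node, which returns the escaped (serialised) string, whereas the `Element#text` calls this helper replaces return `Text#value`, the unescaped string. Any value containing `&amp;`, `&lt;` or a character reference therefore changes between 1.6.1 and 1.6.2; suggest `element.texts.map(&:value).join if element`. Two smaller things: the comment reads "that there all children" (drop "there"), and it should state that an element with no text children returns `""` rather than nil, because several call sites in this diff used to receive nil from `.text` in that case and now receive an empty string.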
@@ -1,5 +1,5 @@
1
1
  module OneLogin
2
2
  module RubySaml
3
- VERSION = '1.6.1'
3
+ VERSION = '1.6.2'
4
4
  end
5
5
  end
@@ -29,6 +29,7 @@ require "openssl"
29
29
  require 'nokogiri'
30
30
  require "digest/sha1"
31
31
  require "digest/sha2"
32
+ require "onelogin/ruby-saml/utils"
32
33
  require "onelogin/ruby-saml/error_handling"
33
34
 
34
35
  module XMLSecurity
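Review bot: adding `require "onelogin/ruby-saml/utils"` here is right, because `XMLSecurity` sits outside the `OneLogin::RubySaml` namespace and refers to the constant fully qualified. The other touched files (response.rb, logoutresponse.rb, slo_logoutrequest.rb, idp_metadata_parser.rb) refer to bare `Utils` with no require added, so their correctness depends on load order through the gem's top-level require; consider the same explicit require there, or state the dependency in a comment.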
@@ -206,7 +207,7 @@ module XMLSecurity
206
207
  )
207
208
 
208
209
  if cert_element
209
- base64_cert = cert_element.text
210
+ base64_cert = OneLogin::RubySaml::Utils.element_text(cert_element)
210
211
  cert_text = Base64.decode64(base64_cert)
211
212
  begin
212
213
  cert = OpenSSL::X509::Certificate.new(cert_text)
@@ -249,7 +250,7 @@ module XMLSecurity
249
250
  )
250
251
 
251
252
  if cert_element
252
- base64_cert = cert_element.text
253
+ base64_cert = OneLogin::RubySaml::Utils.element_text(cert_element)
253
254
  cert_text = Base64.decode64(base64_cert)
254
255
  begin
255
256
  cert = OpenSSL::X509::Certificate.new(cert_text)
@@ -296,8 +297,8 @@ module XMLSecurity
296
297
  sig_element,
297
298
  "./ds:SignatureValue",
298
299
  {"ds" => DSIG}
299
- ).text
300
- signature = Base64.decode64(base64_signature)
300
+ )
301
+ signature = Base64.decode64(OneLogin::RubySaml::Utils.element_text(base64_signature))
301
302
 
302
303
  # canonicalization method
303
304
  canon_algorithm = canon_algorithm REXML::XPath.first(
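Review bot: `base64_signature` now holds the `ds:SignatureValue` element rather than a base64 string, so the name misleads the next reader; either rename it (e.g. `signature_value_element`) or keep the old name for the string by assigning `base64_signature = OneLogin::RubySaml::Utils.element_text(...)` and leaving the `Base64.decode64(base64_signature)` line untouched. Nil handling is unchanged (a missing SignatureValue still raises `NoMethodError` out of `Base64.decode64`), which for a signature check would be better reported as an explicit validation failure.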
@@ -338,8 +339,8 @@ module XMLSecurity
338
339
  ref,
339
340
  "//ds:DigestValue",
340
341
  { "ds" => DSIG }
341
- ).text
342
- digest_value = Base64.decode64(encoded_digest_value)
342
+ )
343
+ digest_value = Base64.decode64(OneLogin::RubySaml::Utils.element_text(encoded_digest_value))
343
344
 
344
345
  unless digests_match?(hash, digest_value)
345
346
  @errors << "Digest mismatch"
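Review bot: same naming issue as the SignatureValue hunk: `encoded_digest_value` is now an element, not the encoded value. Separately, and pre-existing in the context lines: the lookup uses `"//ds:DigestValue"`, which is a document-rooted path in XPath, so it is not scoped to `ref` the way `"./ds:SignatureValue"` is in the hunk above; with more than one `ds:Reference` in a document this can read the wrong DigestValue. `"./ds:DigestValue"` would anchor it to the reference being checked; worth a follow-up.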
@@ -69,6 +69,20 @@ class RubySamlTest < Minitest::Test
69
69
  assert_includes ampersands_response.errors, "SAML Response must contain 1 assertion"
70
70
  end
71
71
 
72
+ describe "Prevent node text with comment attack (VU#475445)" do
73
+ before do
74
+ @response = OneLogin::RubySaml::Response.new(read_response('response_node_text_attack.xml.base64'))
75
+ end
76
+
77
+ it "receives the full NameID when there is an injected comment" do
78
+ assert_equal "support@onelogin.com", @response.name_id
79
+ end
80
+
81
+ it "receives the full AttributeValue when there is an injected comment" do
82
+ assert_equal "smith", @response.attributes["surname"]
83
+ end
84
+ end
85
+
72
86
  describe "Prevent XEE attack" do
73
87
  before do
74
88
  @response = OneLogin::RubySaml::Response.new(fixture(:attackxee))
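Review bot: the new tests cover NameID and a single AttributeValue, while the change also touches Issuer, Audience, SessionIndex, metadata certificates, SignatureValue and DigestValue; at least one fixture per consumer that was fixed would guard against regressions. Two further cases are worth adding: a value containing an XML entity (`&amp;`), so the escaping behaviour of `element_text` is pinned by a test, and an empty element, so the nil-versus-`""` result is explicit. Minor: the describe string cites VU#475445 while the changelog cites CVE-2017-11428; mention both identifiers in one place.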
@@ -0,0 +1 @@
1
+ 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
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: ruby-saml
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.6.1
4
+ version: 1.6.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - OneLogin LLC
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2018-01-15 00:00:00.000000000 Z
11
+ date: 2018-02-28 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: nokogiri
@@ -276,6 +276,7 @@ files:
276
276
  - test/responses/response_encrypted_nameid.xml.base64
277
277
  - test/responses/response_eval.xml
278
278
  - test/responses/response_no_cert_and_encrypted_attrs.xml
279
+ - test/responses/response_node_text_attack.xml.base64
279
280
  - test/responses/response_unsigned_xml_base64
280
281
  - test/responses/response_with_ampersands.xml
281
282
  - test/responses/response_with_ampersands.xml.base64
@@ -337,7 +338,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
337
338
  version: '0'
338
339
  requirements: []
339
340
  rubyforge_project: http://www.rubygems.org/gems/ruby-saml
340
- rubygems_version: 2.5.1
341
+ rubygems_version: 2.4.8
341
342
  signing_key:
342
343
  specification_version: 4
343
344
  summary: SAML Ruby Tookit
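Review bot: `rubygems_version` goes backwards (2.5.1 to 2.4.8), meaning this release was packaged on a different, older toolchain than 1.6.1. Not a defect, but for a security release it is worth building from the same pinned environment so that the checksums diff is attributable to the source change alone. The context line `summary: SAML Ruby Tookit` carries a typo ("Toolkit") inherited from the gemspec.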
@@ -431,6 +432,7 @@ test_files:
431
432
  - test/responses/response_encrypted_nameid.xml.base64
432
433
  - test/responses/response_eval.xml
433
434
  - test/responses/response_no_cert_and_encrypted_attrs.xml
435
+ - test/responses/response_node_text_attack.xml.base64
434
436
  - test/responses/response_unsigned_xml_base64
435
437
  - test/responses/response_with_ampersands.xml
436
438
  - test/responses/response_with_ampersands.xml.base64