RubyGems - ruby-saml - Versions diffs - 0.8.1 → 0.8.2 - Mend

ruby-saml 0.8.1 → 0.8.2

Potentially problematic release.

This version of ruby-saml might be problematic. Click here for more details.

Files changed (9) hide show

checksums.yaml +7 -0
data/Gemfile +21 -9
data/changelog.md +11 -1
data/lib/onelogin/ruby-saml/response.rb +12 -2
data/lib/onelogin/ruby-saml/version.rb +1 -1
data/test/response_test.rb +8 -0
data/test/responses/response_eval.xml +7 -0
data/test/test_helper.rb +1 -2
metadata +50 -69

checksums.yaml ADDED

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 54aff65643a4409b0e306515c9f92ae634db3238
+  data.tar.gz: c9fe0db4412806b434a8bb36503ecbd7939ffa36
+SHA512:
+  metadata.gz: 07d26360f0145816ce08a5e109eae2a9c0f233154fdceb8178b69f1e9d72210baeebaa5ee978c973d6764dfd0a1d28f4ff0ea1e6beef90023a26383c342c3892
+  data.tar.gz: ee10bbde3c20e9ad2ec658506608a6d705ea9692f4c1577506e6a90b56db858f752f800300cf012e01319531d0b5f8aafcfe0f25b15b8681a2b81f7fed4c2fd4

data/Gemfile CHANGED

@@ -1,15 +1,27 @@
+#
+# Please keep this file alphabetized and organized
+#
 source 'http://rubygems.org'
 gemspec
 group :test do
-  gem "ruby-debug", "~> 0.10.4", :require => nil, :platforms => :ruby_18
-  gem "debugger",   "~> 1.1",    :require => nil, :platforms => :ruby_19
-  gem "shoulda",    "~> 2.11"
-  gem "rake",       "~> 10"
-  gem "mocha",      "~> 0.14"
-  gem "nokogiri",   "~> 1.5.0"
-  gem "timecop",    "<= 0.6.0"
-  gem "systemu",    "~> 2"
-  gem "rspec",      "~> 2"
+  if RUBY_VERSION < '1.9'
+    gem 'nokogiri',   '~> 1.5.0'
+    gem 'ruby-debug', '~> 0.10.4'
+  elsif RUBY_VERSION < '2.0'
+    gem 'debugger-linecache', '~> 1.2.0'
+    gem 'debugger', '~> 1.6.4'
+  elsif RUBY_VERSION < '2.1'
+    gem 'byebug',   '~> 2.1.1'
+  else
+    gem 'pry-byebug'
+  end
+  gem 'mocha',     '~> 0.14',  :require => false
+  gem 'rake',      '~> 10'
+  gem 'shoulda',   '~> 2.11'
+  gem 'systemu',   '~> 2'
+  gem 'test-unit', '~> 3'
+  gem 'timecop',   '<= 0.6.0'
 end

data/changelog.md CHANGED

@@ -1,7 +1,17 @@
 # RubySaml Changelog
+### 0.8.2 (Jan 26, 2014)
+* [#183](https://github.com/onelogin/ruby-saml/pull/183) Resolved a security vulnerability where string interpolation in a `REXML::XPath.first()` method call allowed for arbitrary code execution.
 ### 0.8.0 (Feb 21, 2014)
-Changed namespace of the gem from `OneLogin::Saml` to `OneLogin::RubySaml`.  Please update your implementations of the gem accordingly.
+**IMPORTANT**: This release changed namespace of the gem from `OneLogin::Saml` to `OneLogin::RubySaml`.  Please update your implementations of the gem accordingly.
+* [#111](https://github.com/onelogin/ruby-saml/pull/111) `Onelogin::` is `OneLogin::`
+* [#108](https://github.com/onelogin/ruby-saml/pull/108) Change namespacing from `Onelogin::Saml` to `Onelogin::Rubysaml`
 ### 0.7.3 (Feb 20, 2014)
 Updated gem dependencies to be compatible with Ruby 1.8.7-p374 and 1.9.3-p448. Removed unnecessary `canonix` gem dependency.
+* [#107](https://github.com/onelogin/ruby-saml/pull/107) Relax nokogiri version requirement to >= 1.5.0
+* [#105](https://github.com/onelogin/ruby-saml/pull/105) Lock Gem versions, fix to resolve possible namespace collision

data/lib/onelogin/ruby-saml/response.rb CHANGED

@@ -151,8 +151,18 @@ module OneLogin
       end
       def xpath_first_from_signed_assertion(subelt=nil)
-        node = REXML::XPath.first(document, "/p:Response/a:Assertion[@ID='#{document.signed_element_id}']#{subelt}", { "p" => PROTOCOL, "a" => ASSERTION })
-        node ||= REXML::XPath.first(document, "/p:Response[@ID='#{document.signed_element_id}']/a:Assertion#{subelt}", { "p" => PROTOCOL, "a" => ASSERTION })
+        node = REXML::XPath.first(
+            document,
+            "/p:Response/a:Assertion[@ID=$id]#{subelt}",
+            { "p" => PROTOCOL, "a" => ASSERTION },
+            { 'id' => document.signed_element_id }
+        )
+        node ||= REXML::XPath.first(
+            document,
+            "/p:Response[@ID=$id]/a:Assertion#{subelt}",
+            { "p" => PROTOCOL, "a" => ASSERTION },
+            { 'id' => document.signed_element_id }
+        )
         node
       end

data/lib/onelogin/ruby-saml/version.rb CHANGED

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '0.8.1'
+    VERSION = '0.8.2'
   end
 end

data/test/response_test.rb CHANGED

@@ -254,5 +254,13 @@ class RubySamlTest < Test::Unit::TestCase
       end
     end
+    context '#xpath_first_from_signed_assertion' do
+      should 'not allow arbitrary code execution' do
+        malicious_response_document = fixture('response_eval', false)
+        response = OneLogin::RubySaml::Response.new(malicious_response_document)
+        response.send(:xpath_first_from_signed_assertion)
+        assert_equal($evalled, nil)
+      end
+    end
   end
 end

data/test/responses/response_eval.xml ADDED

@@ -0,0 +1,7 @@
+<saml:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:protocol">
+  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:SignedInfo>
+      <ds:Reference URI="#x'] or eval('$evalled = true') or /[@ID='v"/>
+    </ds:SignedInfo>
+  </ds:Signature>
+</saml:Response>

data/test/test_helper.rb CHANGED

@@ -1,7 +1,6 @@
 require 'rubygems'
 require 'test/unit'
 require 'shoulda'
-require 'ruby-debug'
 require 'mocha/setup'
 require 'timecop'
@@ -63,7 +62,7 @@ class Test::Unit::TestCase
   def signature_fingerprint_1
     @signature_fingerprint1 ||= "C5:19:85:D9:47:F1:BE:57:08:20:25:05:08:46:EB:27:F6:CA:B7:83"
   end
   def signature_1
     @signature1 ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'certificate1'))
   end

metadata CHANGED

@@ -1,66 +1,54 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification
 name: ruby-saml
-version: !ruby/object:Gem::Version
-  hash: 61
-  prerelease:
-  segments:
-  - 0
-  - 8
-  - 1
-  version: 0.8.1
+version: !ruby/object:Gem::Version
+  version: 0.8.2
 platform: ruby
-authors:
+authors:
 - OneLogin LLC
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-02-25 00:00:00 Z
-dependencies:
-- !ruby/object:Gem::Dependency
+date: 2015-01-26 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: uuid
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        hash: 5
-        segments:
-        - 2
-        - 3
-        version: "2.3"
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
   type: :runtime
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency
-  name: nokogiri
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement
-    none: false
-    requirements:
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
     - - ">="
-      - !ruby/object:Gem::Version
-        hash: 3
-        segments:
-        - 1
-        - 5
-        - 0
+      - !ruby/object:Gem::Version
         version: 1.5.0
   type: :runtime
-  version_requirements: *id002
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.5.0
 description: SAML toolkit for Ruby on Rails
 email: support@onelogin.com
 executables: []
 extensions: []
-extra_rdoc_files:
+extra_rdoc_files:
 - LICENSE
 - README.md
-files:
-- .document
-- .gitignore
-- .travis.yml
+files:
+- ".document"
+- ".gitignore"
+- ".travis.yml"
 - Gemfile
 - LICENSE
 - README.md
@@ -101,6 +89,7 @@ files:
 - test/responses/response3.xml.base64
 - test/responses/response4.xml.base64
 - test/responses/response5.xml.base64
+- test/responses/response_eval.xml
 - test/responses/response_with_ampersands.xml
 - test/responses/response_with_ampersands.xml.base64
 - test/responses/simple_saml_php.xml
@@ -111,38 +100,29 @@ files:
 - test/xml_security_test.rb
 homepage: http://github.com/onelogin/ruby-saml
 licenses: []
+metadata: {}
 post_install_message:
-rdoc_options:
-- --charset=UTF-8
-require_paths:
+rdoc_options:
+- "--charset=UTF-8"
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
-  requirements:
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
   - - ">="
-    - !ruby/object:Gem::Version
-      hash: 3
-      segments:
-      - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
-  requirements:
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
   - - ">="
-    - !ruby/object:Gem::Version
-      hash: 3
-      segments:
-      - 0
-      version: "0"
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
 rubyforge_project: http://www.rubygems.org/gems/ruby-saml
-rubygems_version: 1.8.25
+rubygems_version: 2.2.2
 signing_key:
-specification_version: 3
+specification_version: 4
 summary: SAML Ruby Tookit
-test_files:
+test_files:
 - test/certificates/certificate1
 - test/certificates/r1_certificate2_base64
 - test/logoutrequest_test.rb
@@ -162,6 +142,7 @@ test_files:
 - test/responses/response3.xml.base64
 - test/responses/response4.xml.base64
 - test/responses/response5.xml.base64
+- test/responses/response_eval.xml
 - test/responses/response_with_ampersands.xml
 - test/responses/response_with_ampersands.xml.base64
 - test/responses/simple_saml_php.xml