ruby-saml 1.12.2 → 1.12.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
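--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 25c4115dff650511c702291e7e6e3277a2c50c43b603c4cf68ae1473b3c061b5
-data.tar.gz: 375b631e4059b50e112f4fc5b890e48c000ddae894fdef7cc665b9a58bad5b7a
+metadata.gz: e6df1fb5db61569b11ce73e3151ae3219c435be967a5f419b8e65750b49754d5
+data.tar.gz: 21610b15b73a43d72364c9967bc4da29625275250656bcf253e12e391c1929af
 SHA512:
-metadata.gz: 1207da19dae7cb853704a0dbbd1d55791156d6703a5d3162adaa4d47ea1e645e4806687392db53c8c3e9c0a51b2fbb45772b8202975565f9157d32b707fd56a1
-data.tar.gz: 9a4a9ba94e5ffd0eb24ef08e4a45435dec63333b2cbf1a0f0ecc164ce0569bb8720941c88874d64aef8524bebb5209bd70299e0e5bbdc953b7546aa055da58be
+metadata.gz: 5e61a0bf5ac8028b356ab2edb614c710c3f590e0fef82812418d87e50ad81f360d56b9ff02b24c810323a2c39937318904292d4a23e4cd096c142f814537eb86
+data.tar.gz: 102d27888bbc4edd3fd89fda071c16fca3bbd3cf2e9283c66c6fc499ef1e6d2cb6b05481d2798809f920a5d99d6722d9d97422d1fe61765337362280603b9fbe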
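--- a/data/changelog.md
+++ b/data/changelog.md
@@ -1,5 +1,8 @@
 # RubySaml Changelog
 
+### 1.12.3 (Sep 10, 2024)
+* Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via Incorrect XPath selector
+
 ### 1.12.2 (Apr 08, 2022)
 * [575](https://github.com/onelogin/ruby-saml/pull/575) Fix SloLogoutresponse bug on LogoutRequest
 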
@@ -1,5 +1,5 @@
1
1
  module OneLogin
2
2
  module RubySaml
3
- VERSION = '1.12.2'
3
+ VERSION = '1.12.3'
4
4
  end
5
5
  end
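--- a/data/lib/xml_security.rb
+++ b/data/lib/xml_security.rb
@@ -312,17 +312,30 @@ module XMLSecurity
 canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
 noko_sig_element.remove
 
+# get signed info
+signed_info_element = REXML::XPath.first(
+sig_element,
+"./ds:SignedInfo",
+{ "ds" => DSIG }
+)
+
 # get inclusive namespaces
 inclusive_namespaces = extract_inclusive_namespaces
 
 # check digests
-ref = REXML::XPath.first(sig_element, "//ds:Reference", {"ds"=>DSIG})
+ref = REXML::XPath.first(signed_info_element, "./ds:Reference", {"ds"=>DSIG})
 
-hashed_element = document.at_xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id })
+reference_nodes = document.xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id })
+
+if reference_nodes.length > 1 # ensures no elements with same ID to prevent signature wrapping attack.
+return append_error("Duplicated IDs found", soft)
+end
+
+hashed_element = reference_nodes[0]
 
 canon_algorithm = canon_algorithm REXML::XPath.first(
-ref,
-'//ds:CanonicalizationMethod',
+signed_info_element,
+'./ds:CanonicalizationMethod',
 { "ds" => DSIG }
 )
 
@@ -332,13 +345,13 @@ module XMLSecurity
 
 digest_algorithm = algorithm(REXML::XPath.first(
 ref,
-"//ds:DigestMethod",
+"./ds:DigestMethod",
 { "ds" => DSIG }
 ))
 hash = digest_algorithm.digest(canon_hashed_element)
 encoded_digest_value = REXML::XPath.first(
 ref,
-"//ds:DigestValue",
+"./ds:DigestValue",
 { "ds" => DSIG }
 )
 digest_value = Base64.decode64(OneLogin::RubySaml::Utils.element_text(encoded_digest_value))
@@ -364,7 +377,7 @@ module XMLSecurity
 def process_transforms(ref, canon_algorithm)
 transforms = REXML::XPath.match(
 ref,
-"//ds:Transforms/ds:Transform",
+"./ds:Transforms/ds:Transform",
 { "ds" => DSIG }
 )
 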
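Review bot: The new duplicate-ID guard `if reference_nodes.length > 1` in the first hunk has no companion for the empty result: when no element carries the ID taken from the Reference URI, `hashed_element = reference_nodes[0]` is nil, and the canonicalization that presumably produces `canon_hashed_element` between this hunk and the next would fail with a NoMethodError rather than taking the `append_error` soft/hard path used for every other validation failure. The previous `at_xpath` also returned nil in that case, so this is not a regression, but the switch to an explicit node set is the natural place to close it with `return append_error("Signed element not found", soft) if hashed_element.nil?` directly after the assignment. The same applies to `signed_info_element` at the top of the hunk, which becomes the context node for the `./ds:Reference` and `./ds:CanonicalizationMethod` lookups without a nil check, although the Nokogiri SignedInfo canonicalization just above the hunk likely guarantees its presence. The enclosing method starts and ends outside this hunk.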
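--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ruby-saml
 version: !ruby/object:Gem::Version
-version: 1.12.2
+version: 1.12.3
 platform: ruby
 authors:
 - OneLogin LLC
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-04-08 00:00:00.000000000 Z
+date: 2024-09-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: nokogiri
@@ -220,7 +220,7 @@ homepage: https://github.com/onelogin/ruby-saml
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options:
 - "--charset=UTF-8"
 require_paths:
@@ -236,8 +236,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.0.8
-signing_key:
+rubygems_version: 3.3.26
+signing_key:
 specification_version: 4
 summary: SAML Ruby Tookit
 test_files: []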