ruby-saml 1.18.0 → 1.18.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 59cce47afe1159fc5674f2eaf8f0392d12df280cc97fa2a4ccd7926daf989445
4
- data.tar.gz: 30a49c237e7a88328745b788d62e9ea92e87342fc571d20e002eb4feddd964ae
3
+ metadata.gz: a99ac2825ee62df158de97460877ef29ffd8c62aea17b25d75730e932b1ffe0f
4
+ data.tar.gz: 8a49efebaf25495e5bceef151de2e65f0a6ddbda0aee80fd669aafce3b252488
5
5
  SHA512:
6
- metadata.gz: c67ec4923ca4bc5e07736717d1e40f604296c95c00d1fe8ec7d28c586988b368d566a16782c676c2ce27d38d6d7e1386a5347bfbb40efc98eb033525605f5dcb
7
- data.tar.gz: 4944ad0dc2a3999e78da570aa8faa6282e26868606a5011d2b623a6ef0a9150d2e6ee08a4245d090e5d4837a9dc9ffaa78bf46d84fe466ea9384662d305d4c94
6
+ metadata.gz: 72defb3c72df4281c503b92630a6f19395131fc0964d0dd95b3a9fdbeb988a7a2bafaab4648ef2a5816aa44a59730bae1196bbd95004d59398e59e11d95e01f7
7
+ data.tar.gz: 84004d826837889160a1af3386ed253f695b55f0f1df060b6bd579f98f8691ce8c3cc02021c58c6f75038570ac4f5b4fc8f1981ca053db3a25f65227003c4fe7
@@ -9,7 +9,7 @@ jobs:
9
9
  fail-fast: false
10
10
  matrix:
11
11
  os:
12
- - ubuntu-20.04
12
+ - ubuntu-22.04
13
13
  - macos-latest
14
14
  - windows-latest
15
15
  ruby-version:
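Review bot: the hunk header `@@ -9,7 +9,7 @@ jobs:` is shown without a file header on this page, so the workflow file being edited is not identifiable here, though the `fail-fast` / `matrix` / `os` context makes it the CI job matrix. Swapping `- ubuntu-20.04` for `- ubuntu-22.04` silently changes the system toolchain and libraries every Linux job builds against, and the only visible consequence is the `ruby-version: 2.2` exclusion added in the `@@ -56,6 +57,8 @@` hunk further down; the reason for the runner change and for that exclusion should be recorded in the commit message or a YAML comment beside the exclusion.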
@@ -24,6 +24,7 @@ jobs:
24
24
  - 3.1
25
25
  - 3.2
26
26
  - 3.3
27
+ - 3.4
27
28
  - jruby-9.1
28
29
  - jruby-9.2
29
30
  - jruby-9.3
@@ -56,6 +57,8 @@ jobs:
56
57
  ruby-version: jruby-9.4
57
58
  - os: windows-latest
58
59
  ruby-version: truffleruby
60
+ - os: ubuntu-22.04
61
+ ruby-version: 2.2
59
62
  runs-on: ${{ matrix.os }}
60
63
  steps:
61
64
  - uses: actions/checkout@v4
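Review bot: the new exclusion `- os: ubuntu-22.04` / `ruby-version: 2.2` removes Ruby 2.2 from the only Linux runner in the matrix, but the README hunk in this same release still states `* Ruby (MRI) 2.1 to 3.4` are covered by CI testing. Either document why 2.2 is skipped on ubuntu-22.04 (a comment on the exclusion is enough) or adjust the README claim so readers of the support table are not told 2.2 is exercised on Linux when it is not.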
data/CHANGELOG.md CHANGED
@@ -1,5 +1,8 @@
1
1
  # Ruby SAML Changelog
2
2
 
3
+ ### 1.18.1 (Jul 29, 2025)
4
+ * Fix vulnerability CVE-2025-54572 Prevent DOS due large SAML Message
5
+
3
6
  ### 1.18.0 (Mar 12, 2025)
4
7
  * [#750](https://github.com/SAML-Toolkits/ruby-saml/pull/750) Fix vulnerabilities: CVE-2025-25291, CVE-2025-25292: SAML authentication bypass via Signature Wrapping attack allowed due parser differential. Fix vulnerability: CVE-2025-25293: Potential DOS abusing of compressed messages.
5
8
  * [#718](https://github.com/SAML-Toolkits/ruby-saml/pull/718/) Add support to retrieve from SAMLResponse the AuthnInstant and AuthnContextClassRef values
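Review bot: the new entry `* Fix vulnerability CVE-2025-54572 Prevent DOS due large SAML Message` is the only one in this hunk without a PR link, whereas the 1.18.0 entries directly below carry `[#750](...)` and `[#718](...)`; add the PR or advisory reference so the fix is traceable, and tidy the wording to something like "Fix CVE-2025-54572: prevent DoS due to oversized SAML messages", which also names the actual change (the `message_max_bytesize` check now runs before the base64 early return in `decode_raw_saml`).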
data/README.md CHANGED
@@ -34,6 +34,9 @@ Thanks to the following sponsors for securing the open source ecosystem,
34
34
 
35
35
  ## Vulnerabilities
36
36
 
37
+ CVE-2025-54572 affects version ruby-saml < 1.18.1
38
+
39
+
37
40
  There are critical vulnerabilities affecting ruby-saml < 1.18.0, two of them allows SAML authentication bypass (CVE-2025-25291, CVE-2025-25292, CVE-2025-25293). Please upgrade to a fixed version (1.18.0)
38
41
 
39
42
  ## Overview
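Review bot: the added line `CVE-2025-54572 affects version ruby-saml < 1.18.1` tells users which versions are affected but not what the issue is or what to do, unlike the existing paragraph right below it, which names the impact and ends with "Please upgrade to a fixed version (1.18.0)". Suggest extending it to state the impact (denial of service via an oversized SAML message, per the CHANGELOG) and the upgrade target 1.18.1, and dropping one of the two consecutive `+` blank lines added after it.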
@@ -51,7 +54,7 @@ We created a demo project for Rails 4 that uses the latest version of this libra
51
54
 
52
55
  The following Ruby versions are covered by CI testing:
53
56
 
54
- * Ruby (MRI) 2.1 to 3.3
57
+ * Ruby (MRI) 2.1 to 3.4
55
58
  * JRuby 9.1 to 9.4
56
59
  * TruffleRuby (latest)
57
60
 
@@ -97,7 +100,7 @@ Using `Gemfile`
97
100
 
98
101
  ```ruby
99
102
  # latest stable
100
- gem 'ruby-saml', '~> 1.17.0'
103
+ gem 'ruby-saml', '~> 1.18.0'
101
104
 
102
105
  # or track master for bleeding-edge
103
106
  gem 'ruby-saml', :github => 'saml-toolkit/ruby-saml'
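Review bot: the pin moves from `'~> 1.17.0'` to `'~> 1.18.0'`, which is correct since the pessimistic constraint resolves to 1.18.1 and any later 1.18.x, but it shows the README recommendation lagged a full minor version behind the 1.18.0 security release; worth bumping this line as part of every release. Separately, the unchanged context `gem 'ruby-saml', :github => 'saml-toolkit/ruby-saml'` points at a different organisation name from the `https://github.com/SAML-Toolkits/ruby-saml/pull/750` links in the CHANGELOG; the two should agree so that users tracking master pull from the repository the maintainers actually publish to.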
@@ -84,13 +84,13 @@ module OneLogin
84
84
  # @return [String] The plain SAML Message
85
85
  #
86
86
  def decode_raw_saml(saml, settings = nil)
87
- return saml unless base64_encoded?(saml)
88
-
89
87
  settings = OneLogin::RubySaml::Settings.new if settings.nil?
90
88
  if saml.bytesize > settings.message_max_bytesize
91
89
  raise ValidationError.new("Encoded SAML Message exceeds " + settings.message_max_bytesize.to_s + " bytes, so was rejected")
92
90
  end
93
91
 
92
+ return saml unless base64_encoded?(saml)
93
+
94
94
  decoded = decode(saml)
95
95
  begin
96
96
  message = inflate(decoded)
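Review bot: moving `return saml unless base64_encoded?(saml)` below the `saml.bytesize > settings.message_max_bytesize` check is the substance of the CVE-2025-54572 fix: previously a non-base64 (plain XML) message bypassed the size limit entirely and went straight to the parser, now every input is bounded before any further processing. Two follow-ups: the error text `"Encoded SAML Message exceeds ..."` is now also raised for messages that were never encoded, so reword it to "SAML Message exceeds ..."; and no test file appears in this diff, so a regression test that submits a non-base64 message larger than `message_max_bytesize` and asserts the `ValidationError` should accompany the change. The hunk also arrives without a file header on this page, so the file being edited is not named here.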
@@ -1,5 +1,5 @@
1
1
  module OneLogin
2
2
  module RubySaml
3
- VERSION = '1.18.0'
3
+ VERSION = '1.18.1'
4
4
  end
5
5
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: ruby-saml
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.18.0
4
+ version: 1.18.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - SAML Toolkit
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2025-03-12 00:00:00.000000000 Z
12
+ date: 2025-07-29 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: nokogiri
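Review bot: the `date:` bump to `2025-07-29 00:00:00.000000000 Z` matches the CHANGELOG heading `### 1.18.1 (Jul 29, 2025)`, so the gemspec and changelog are consistent. The unchanged context `cert_chain: []` shows the gem is still published unsigned; for a release whose purpose is a CVE fix, consumers can only verify integrity through the registry-side SHA256/SHA512 values in `checksums.yaml`, so signing the gem (or at least publishing the checksums in the release notes) would give downstream users an independent way to confirm they installed the patched artifact.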