ruby-saml 1.2.0 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 162de30b9475ee4bc219f26c544304d051ab5c34
-  data.tar.gz: 685afabca84ac713ab43a2c848cfdb20dd92f579
+  metadata.gz: 0b01f4f740dfe49133d17e2bfbb42a470a6a0ecd
+  data.tar.gz: 00f47e3eaadebe97288df5daa096a9b0f26f92a7
 SHA512:
-  metadata.gz: e5a3f645b2cf71452e7f22a2bbc853f393978516e1abc185b3cbbfe4aa19403b3b3760c839d72f81fd36128241e09c58dff8c84c5b1b2dc1b0177a85b235cf81
-  data.tar.gz: 7ef80e8936bda82946041ebc220002b7d7a745819a2a419f190c6a0980449cd00516338df8879dcb67b13dd882ba155a665ed31154113fc2826112629fbbedcc
+  metadata.gz: d7dd26e1057a4d9e535debae7c91bfef6a34b9d46eb04557684bd53daed1dd00ab5cc52dbe1e4dc73114b2b28d49be8cb18c15b9cab04017aba97c5d1140df2f
+  data.tar.gz: 6aa8e7af6e43749954e8288002d2d7daef999109520888a7f5569dae32c9e0f3c09cece48687ac4e035e61ce14fa8d63a1f22e376a0a321b1775dc7718b94a94

data/README.md

@@ -1,5 +1,9 @@
 # Ruby SAML [![Build Status](https://secure.travis-ci.org/onelogin/ruby-saml.png)](http://travis-ci.org/onelogin/ruby-saml) [![Coverage Status](https://coveralls.io/repos/onelogin/ruby-saml/badge.svg?branch=master%0A)](https://coveralls.io/r/onelogin/ruby-saml?branch=master%0A) [![Gem Version](https://badge.fury.io/rb/ruby-saml.svg)](http://badge.fury.io/rb/ruby-saml)
 
+## Updating from 1.2.x to 1.3.X
+
+Version `1.3.0` is a recommended update for all Ruby SAML users as it includes security fixes. It  adds security improvements in order to prevent Signature wrapping attacks. [CVE-2016-5697](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5697)
+
 ## Updating from 1.1.x to 1.2.X
 
 Version `1.2` adds IDP metadata parsing improvements, uuid deprecation in favour of SecureRandom, refactor error handling and some minor improvements

data/changelog.md

@@ -1,5 +1,10 @@
 # RubySaml Changelog
 
+### 1.3.0 (June 24, 2016)
+* [Security Fix](https://github.com/onelogin/ruby-saml/commit/a571f52171e6bfd87db59822d1d9e8c38fb3b995) Add extra validations to prevent Signature wrapping attacks
+* Fix XMLSecurity SHA256 and SHA512 uris
+* [#326](https://github.com/onelogin/ruby-saml/pull/326) Fix Destination validation
+
 ### 1.2.0 (April 29, 2016)
 * [#269](https://github.com/onelogin/ruby-saml/pull/269) Refactor error handling; allow collect error messages when soft=true (normal validation stop after find first error)
 * [#289](https://github.com/onelogin/ruby-saml/pull/289) Remove uuid gem in favor of SecureRandom

data/lib/onelogin/ruby-saml/logoutresponse.rb

@@ -110,22 +110,20 @@ module OneLogin
       def validate(collect_errors = false)
         reset_errors!
 
-        if collect_errors
-          valid_state?
-          validate_success_status
-          validate_structure
-          valid_in_response_to?
-          valid_issuer?
-          validate_signature
+        validations = [
+          :valid_state?,
+          :validate_success_status,
+          :validate_structure,
+          :valid_in_response_to?,
+          :valid_issuer?,
+          :validate_signature
+        ]
 
+        if collect_errors
+          validations.each { |validation| send(validation) }
           @errors.empty?
         else
-          valid_state? &&
-          validate_success_status &&
-          validate_structure &&
-          valid_in_response_to? &&
-          valid_issuer? &&
-          validate_signature
+          validations.all? { |validation| send(validation) }
         end
       end
 

data/lib/onelogin/ruby-saml/response.rb

@@ -173,7 +173,7 @@ module OneLogin
           node = REXML::XPath.first(
             document,
             "/p:Response/p:Status/p:StatusCode",
-            { "p" => PROTOCOL, "a" => ASSERTION }
+            { "p" => PROTOCOL }
           )
           node.attributes["Value"] if node && node.attributes
         end
@@ -186,7 +186,7 @@ module OneLogin
           node = REXML::XPath.first(
             document,
             "/p:Response/p:Status/p:StatusMessage",
-            { "p" => PROTOCOL, "a" => ASSERTION }
+            { "p" => PROTOCOL }
           )
           node.text if node
         end
@@ -290,41 +290,32 @@ module OneLogin
       #
       def validate(collect_errors = false)
         reset_errors!
+        return false unless validate_response_state
+
+        validations = [
+          :validate_response_state,
+          :validate_version,
+          :validate_id,
+          :validate_success_status,
+          :validate_num_assertion,
+          :validate_no_encrypted_attributes,
+          :validate_signed_elements,
+          :validate_structure,
+          :validate_in_response_to,
+          :validate_conditions,
+          :validate_audience,
+          :validate_destination,
+          :validate_issuer,
+          :validate_session_expiration,
+          :validate_subject_confirmation,
+          :validate_signature
+        ]
 
         if collect_errors
-          return false unless validate_response_state
-          validate_version
-          validate_id
-          validate_success_status
-          validate_num_assertion
-          validate_no_encrypted_attributes
-          validate_signed_elements
-          validate_structure
-          validate_in_response_to
-          validate_conditions
-          validate_audience
-          validate_issuer
-          validate_session_expiration
-          validate_subject_confirmation
-          validate_signature
+          validations.each { |validation| send(validation) }
           @errors.empty?
         else
-          validate_response_state &&
-          validate_version &&
-          validate_id &&
-          validate_success_status &&
-          validate_num_assertion &&
-          validate_no_encrypted_attributes &&
-          validate_signed_elements &&
-          validate_structure &&
-          validate_in_response_to &&
-          validate_conditions &&
-          validate_audience &&
-          validate_destination &&
-          validate_issuer &&
-          validate_session_expiration &&
-          validate_subject_confirmation &&
-          validate_signature
+          validations.all? { |validation| send(validation) }
         end
       end
 
@@ -346,8 +337,15 @@ module OneLogin
       # @raise [ValidationError] if soft == false and validation fails 
       #
       def validate_structure
+        structure_error_msg = "Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd"
         unless valid_saml?(document, soft)
-          return append_error("Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd")
+          return append_error(structure_error_msg)
+        end
+
+        unless decrypted_document.nil?
+          unless valid_saml?(decrypted_document, soft)
+            return append_error(structure_error_msg)
+          end
         end
 
         true
@@ -443,11 +441,43 @@ module OneLogin
           {"ds"=>DSIG}
         )
         signed_elements = []
+        verified_seis = []
+        verified_ids = []
         signature_nodes.each do |signature_node|
           signed_element = signature_node.parent.name
           if signed_element != 'Response' && signed_element != 'Assertion'
-            return append_error("Found an unexpected Signature Element. SAML Response rejected")
+            return append_error("Invalid Signature Element '#{signed_element}'. SAML Response rejected")
+          end
+
+          if signature_node.parent.attributes['ID'].nil?
+            return append_error("Signed Element must contain an ID. SAML Response rejected")
+          end
+
+          id = signature_node.parent.attributes.get_attribute("ID").value
+          if verified_ids.include?(id)
+            return append_error("Duplicated ID. SAML Response rejected")
           end
+          verified_ids.push(id)
+
+          # Check that reference URI matches the parent ID and no duplicate References or IDs
+          ref = REXML::XPath.first(signature_node, ".//ds:Reference", {"ds"=>DSIG})
+          if ref
+            uri = ref.attributes.get_attribute("URI")
+            if uri && !uri.value.empty?
+              sei = uri.value[1..-1]
+
+              unless sei == id
+                return append_error("Found an invalid Signed Element. SAML Response rejected")
+              end
+
+              if verified_seis.include?(sei)
+                return append_error("Duplicated Reference URI. SAML Response rejected")
+              end
+
+              verified_seis.push(sei)
+            end
+          end
+
           signed_elements << signed_element
         end
 
@@ -623,8 +653,9 @@ module OneLogin
         # otherwise, review if the decrypted assertion contains a signature
         sig_elements = REXML::XPath.match(
           document,
-          "/p:Response/ds:Signature]",
-          { "p" => PROTOCOL, "ds" => DSIG }
+          "/p:Response[@ID=$id]/ds:Signature]",
+          { "p" => PROTOCOL, "ds" => DSIG },
+          { 'id' => document.signed_element_id }
         )
 
         use_original = sig_elements.size == 1 || decrypted_document.nil?
@@ -634,8 +665,9 @@ module OneLogin
         if sig_elements.nil? || sig_elements.size == 0
           sig_elements = REXML::XPath.match(
             doc,
-            "/p:Response/a:Assertion/ds:Signature",
-            {"p" => PROTOCOL, "a" => ASSERTION, "ds"=>DSIG}
+            "/p:Response/a:Assertion[@ID=$id]/ds:Signature",
+            {"p" => PROTOCOL, "a" => ASSERTION, "ds"=>DSIG},
+            { 'id' => doc.signed_element_id }
           )
         end
 

data/lib/onelogin/ruby-saml/slo_logoutrequest.rb

@@ -126,24 +126,21 @@ module OneLogin
       def validate(collect_errors = false)
         reset_errors!
 
-        if collect_errors
-          validate_request_state
-          validate_id
-          validate_version
-          validate_structure
-          validate_not_on_or_after
-          validate_issuer
-          validate_signature
+        validations = [
+          :validate_request_state,
+          :validate_id,
+          :validate_version,
+          :validate_structure,
+          :validate_not_on_or_after,
+          :validate_issuer,
+          :validate_signature
+        ]
 
+        if collect_errors
+          validations.each { |validation| send(validation) }
           @errors.empty?
         else
-          validate_request_state &&
-          validate_id &&
-          validate_version &&
-          validate_structure &&
-          validate_not_on_or_after &&
-          validate_issuer &&
-          validate_signature
+          validations.all? { |validation| send(validation) }
         end
       end
 

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '1.2.0'
+    VERSION = '1.3.0'
   end
 end

data/lib/xml_security.rb

@@ -84,9 +84,9 @@ module XMLSecurity
     RSA_SHA384      = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
     RSA_SHA512      = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
     SHA1            = "http://www.w3.org/2000/09/xmldsig#sha1"
-    SHA256          = "http://www.w3.org/2001/04/xmldsig-more#sha256"
+    SHA256          = 'http://www.w3.org/2001/04/xmlenc#sha256'
     SHA384          = "http://www.w3.org/2001/04/xmldsig-more#sha384"
-    SHA512          = "http://www.w3.org/2001/04/xmldsig-more#sha512"
+    SHA512          = 'http://www.w3.org/2001/04/xmlenc#sha512'
     ENVELOPED_SIG   = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
     INC_PREFIX_LIST = "#default samlp saml ds xs xsi md"
 

data/test/logoutrequest_test.rb

@@ -112,7 +112,7 @@ class RequestTest < Minitest::Test
 
         assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
         assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>], request_xml
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#sha256'/>], request_xml
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha256'/>], request_xml
       end
 
       it "create a signed logout request with 512 digest and signature method RSA_SHA384" do
@@ -125,7 +125,7 @@ class RequestTest < Minitest::Test
 
         assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
         assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'/>], request_xml
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#sha512'/>], request_xml
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha512'/>], request_xml
       end
     end
 

data/test/metadata_test.rb

@@ -203,7 +203,7 @@ class MetadataTest < Minitest::Test
         it "creates a signed metadata with specified digest and signature methods" do
           assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>]m, xml_text
           assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>], xml_text
-          assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#sha512'/>], xml_text
+          assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha512'/>], xml_text
 
           signed_metadata_2 = XMLSecurity::SignedDocument.new(xml_text)
 

data/test/request_test.rb

@@ -199,7 +199,7 @@ class RequestTest < Minitest::Test
         request_xml = Base64.decode64(params["SAMLRequest"])
         assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
         assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>], request_xml
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#sha512'/>], request_xml
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha512'/>], request_xml
       end
     end
 

data/test/response_test.rb

@@ -1288,4 +1288,17 @@ class RubySamlTest < Minitest::Test
      assert_equal "ZdrjpwEdw22vKoxWAbZB78/gQ7s=", response.attributes.single('urn:oid:1.3.6.1.4.1.5923.1.1.1.10')
     end
   end
+
+  describe "attack" do
+    it "should not be valid" do
+      settings.private_key = ruby_saml_key_text
+      signature_wrapping_attack = read_invalid_response("encrypted_new_attack.xml.base64")
+      response_wrapped = OneLogin::RubySaml::Response.new(signature_wrapping_attack, :settings => settings)
+      response_wrapped.stubs(:conditions).returns(nil)
+      response_wrapped.stubs(:validate_subject_confirmation).returns(true)
+      settings.idp_cert_fingerprint = "385b1eec71143f00db6af936e2ea12a28771d72c"
+      assert !response_wrapped.is_valid?
+    end
+  end
+
 end

data/test/slo_logoutresponse_test.rb

@@ -78,7 +78,7 @@ class SloLogoutresponseTest < Minitest::Test
         response_xml = Base64.decode64(params["SAMLResponse"])
         assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], response_xml
         assert_match /<ds:SignatureMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha256'\/>/, response_xml
-        assert_match /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#sha256'\/>/, response_xml
+        assert_match /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmlenc#sha256'\/>/, response_xml
       end
 
       it "create a signed logout response with 512 digest and signature method RSA_SHA384" do
@@ -91,7 +91,7 @@ class SloLogoutresponseTest < Minitest::Test
         response_xml = Base64.decode64(params["SAMLResponse"])
         assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], response_xml
         assert_match /<ds:SignatureMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha384'\/>/, response_xml
-        assert_match /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#sha512'\/>/, response_xml
+        assert_match /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmlenc#sha512'\/>/, response_xml
       end
     end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ruby-saml
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.3.0
 platform: ruby
 authors:
 - OneLogin LLC
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-04-29 00:00:00.000000000 Z
+date: 2016-06-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri