saml2 1.0.8 → 1.0.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0a2a3fe46968c45f6286e8d20892d5e450d7cd2d
-  data.tar.gz: 38b77b60cfba7566d3de65ac158161cb238e56b5
+  metadata.gz: 5806ee95e988647a1593ddb8c9f833b1c0ae9064
+  data.tar.gz: 536f3c655fb7e81ff79003f46dbd1f3d9ec76d3e
 SHA512:
-  metadata.gz: 5b669dcc2296c61d1fa14a51ef26b7152d529c4e78a2bc57875bfcc132e0c4623ed0ebc6e78616fd3c4d0f68eed3e51f6a9a5da3c85a89bf977287ccf40a0dd5
-  data.tar.gz: 47ccb4ab69acf34047e79806ff37ea8dd5a114d798bac3544b62294bab07268574a66c217ea7ccd2a963291c6d0974b73141312e9f6dd3078ef707e3801e912d
+  metadata.gz: 487c35b7ae581c8dcc89140341cbb7d1513eac561c571b416c4b5a889b2010eacfae9250f7462837425487b90dec337e0c26456c085cf392b2f3c55bb0ab63ca
+  data.tar.gz: ac21dc27daa7f8297187dd7f7a2f9797fdb9fe3c4bb986d7d258edd296a9709ab1ec2a9b3fea0b89fd2b251fec4547ccef31b08c06352459f14ca79d6a49dfc4

data/lib/saml2.rb

@@ -6,4 +6,9 @@ require 'saml2/version'
 require 'saml2/engine' if defined?(::Rails) && Rails::VERSION::MAJOR > 2
 
 module SAML2
+  class << self
+    def config
+      @config ||= { max_message_size: 1024 * 1024 }
+    end
+  end
 end

data/lib/saml2/assertion.rb

@@ -31,13 +31,13 @@ module SAML2
             ID: id,
             Version: '2.0',
             IssueInstant: issue_instant.iso8601
-        ) do |builder|
-          issuer.build(builder, element: 'Issuer')
+        ) do |assertion|
+          issuer.build(assertion, element: 'Issuer')
 
-          subject.build(builder)
+          subject.build(assertion)
 
-          conditions.build(builder)
-          statements.each { |stmt| stmt.build(builder) }
+          conditions.build(assertion)
+          statements.each { |stmt| stmt.build(assertion) }
         end
       end.doc.root
     end

data/lib/saml2/attribute.rb

@@ -52,13 +52,13 @@ module SAML2
     end
 
     def build(builder)
-      builder['saml'].Attribute('Name' => name) do |builder|
-        builder.parent['FriendlyName'] = friendly_name if friendly_name
-        builder.parent['NameFormat'] = name_format if name_format
+      builder['saml'].Attribute('Name' => name) do |attribute|
+        attribute.parent['FriendlyName'] = friendly_name if friendly_name
+        attribute.parent['NameFormat'] = name_format if name_format
         Array.wrap(value).each do |value|
           xsi_type, val = convert_to_xsi(value)
-          builder['saml'].AttributeValue(val) do |builder|
-            builder.parent['xsi:type'] = xsi_type if xsi_type
+          attribute['saml'].AttributeValue(val) do |attribute_value|
+            attribute_value.parent['xsi:type'] = xsi_type if xsi_type
           end
         end
       end
@@ -68,8 +68,8 @@ module SAML2
       @name = node['Name']
       @friendly_name = node['FriendlyName']
       @name_format = node['NameFormat']
-      values = node.xpath('saml:AttributeValue', Namespaces::ALL).map do |node|
-        convert_from_xsi(node.attribute_with_ns('type', Namespaces::XSI), node.content && node.content.strip)
+      values = node.xpath('saml:AttributeValue', Namespaces::ALL).map do |value|
+        convert_from_xsi(value.attribute_with_ns('type', Namespaces::XSI), value.content && value.content.strip)
       end
       @value = case values.length
                when 0; nil
@@ -131,8 +131,8 @@ module SAML2
 
     def build(builder)
       builder['saml'].AttributeStatement('xmlns:xs' => Namespaces::XS,
-                                         'xmlns:xsi' => Namespaces::XSI) do |builder|
-        @attributes.each { |attr| attr.build(builder) }
+                                         'xmlns:xsi' => Namespaces::XSI) do |statement|
+        @attributes.each { |attr| attr.build(statement) }
       end
     end
   end

data/lib/saml2/authn_request.rb

@@ -9,16 +9,28 @@ require 'saml2/schemas'
 require 'saml2/subject'
 
 module SAML2
+  class MessageTooLarge < RuntimeError
+  end
+
   class AuthnRequest
     def self.decode(authnrequest)
       begin
-        zstream  = Zlib::Inflate.new(-Zlib::MAX_WBITS)
-        authnrequest = zstream.inflate(Base64.decode64(authnrequest))
-        zstream.finish
+        raise MessageTooLarge if authnrequest.bytesize > SAML2.config[:max_message_size]
+        authnrequest = Base64.decode64(authnrequest)
+        zstream = Zlib::Inflate.new
+        xml = ''
+        # do it in 1K slices, so we can protect against bombs
+        (0..authnrequest.bytesize / 1024).each do |i|
+          xml.concat(zstream.inflate(authnrequest.byteslice(i * 1024, 1024)))
+          raise MessageTooLarge if xml.bytesize > SAML2.config[:max_message_size]
+        end
+        xml.concat(zstream.finish)
+        raise MessageTooLarge if xml.bytesize > SAML2.config[:max_message_size]
+
         zstream.close
-      rescue Zlib::BufError
+      rescue Zlib::DataError, Zlib::BufError
       end
-      parse(authnrequest)
+      parse(xml)
     end
 
     def self.parse(authnrequest)

data/lib/saml2/authn_statement.rb

@@ -16,9 +16,9 @@ module SAML2
     attr_accessor :authn_instant, :authn_context_class_ref
 
     def build(builder)
-      builder['saml'].AuthnStatement('AuthnInstant' => authn_instant.iso8601) do |builder|
-        builder['saml'].AuthnContext do |builder|
-          builder['saml'].AuthnContextClassRef(authn_context_class_ref) if authn_context_class_ref
+      builder['saml'].AuthnStatement('AuthnInstant' => authn_instant.iso8601) do |authn_statement|
+        authn_statement['saml'].AuthnContext do |authn_context|
+          authn_context['saml'].AuthnContextClassRef(authn_context_class_ref) if authn_context_class_ref
         end
       end
     end

data/lib/saml2/base.rb

@@ -27,17 +27,17 @@ module SAML2
     end
 
     def self.load_string_array(node, element)
-      node.xpath(element, Namespaces::ALL).map do |node|
-        node.content && node.content.strip
+      node.xpath(element, Namespaces::ALL).map do |element_node|
+        element_node.content && element_node.content.strip
       end
     end
 
     def self.load_object_array(node, element, klass)
-      node.xpath(element, Namespaces::ALL).map do |node|
+      node.xpath(element, Namespaces::ALL).map do |element_node|
         if klass.is_a?(Hash)
-          klass[node.name].from_xml(node)
+          klass[element_node.name].from_xml(element_node)
         else
-          klass.from_xml(node)
+          klass.from_xml(element_node)
         end
       end
     end

data/lib/saml2/conditions.rb

@@ -26,12 +26,12 @@ module SAML2
     end
 
     def build(builder)
-      builder['saml'].Conditions do |builder|
-        builder.parent['NotBefore'] = not_before.iso8601 if not_before
-        builder.parent['NotOnOrAfter'] = not_on_or_after.iso8601 if not_on_or_after
+      builder['saml'].Conditions do |conditions|
+        conditions.parent['NotBefore'] = not_before.iso8601 if not_before
+        conditions.parent['NotOnOrAfter'] = not_on_or_after.iso8601 if not_on_or_after
 
         each do |condition|
-          condition.build(builder)
+          condition.build(conditions)
         end
       end
     end
@@ -55,9 +55,9 @@ module SAML2
       end
 
       def build(builder)
-        builder['saml'].AudienceRestriction do |builder|
+        builder['saml'].AudienceRestriction do |audience_restriction|
           Array.wrap(audience).each do |single_audience|
-            builder['saml'].Audience(single_audience)
+            audience_restriction['saml'].Audience(single_audience)
           end
         end
       end

data/lib/saml2/contact.rb

@@ -34,15 +34,15 @@ module SAML2
     end
 
     def build(builder)
-      builder['md'].ContactPerson('contactType' => type) do |builder|
-        builder['md'].Company(company) if company
-        builder['md'].GivenName(given_name) if given_name
-        builder['md'].SurName(surname) if surname
+      builder['md'].ContactPerson('contactType' => type) do |contact_person|
+        contact_person['md'].Company(company) if company
+        contact_person['md'].GivenName(given_name) if given_name
+        contact_person['md'].SurName(surname) if surname
         email_addresses.each do |email|
-          builder['md'].EmailAddress(email)
+          contact_person['md'].EmailAddress(email)
         end
         telephone_numbers.each do |tel|
-          builder['md'].TelephoneNumber(tel)
+          contact_person['md'].TelephoneNumber(tel)
         end
       end
     end

data/lib/saml2/entity.rb

@@ -120,9 +120,9 @@ module SAML2
       builder['md'].EntityDescriptor('entityID' => entity_id,
                                      'xmlns:md' => Namespaces::METADATA,
                                      'xmlns:dsig' => Namespaces::DSIG,
-                                     'xmlns:xenc' => Namespaces::XENC) do |builder|
+                                     'xmlns:xenc' => Namespaces::XENC) do |entity_descriptor|
         roles.each do |role|
-          role.build(builder)
+          role.build(entity_descriptor)
         end
 
         super

data/lib/saml2/identity_provider.rb

@@ -41,21 +41,21 @@ module SAML2
     end
 
     def build(builder)
-      builder['md'].IDPSSODescriptor do |builder|
-        super(builder)
+      builder['md'].IDPSSODescriptor do |idp_sso_descriptor|
+        super(idp_sso_descriptor)
 
-        builder['WantAuthnRequestsSigned'] = want_authn_requests_signed? unless want_authn_requests_signed?.nil?
+        idp_sso_descriptor['WantAuthnRequestsSigned'] = want_authn_requests_signed? unless want_authn_requests_signed?.nil?
 
         single_sign_on_services.each do |sso|
-          sso.build(builder, 'SingleSignOnService')
+          sso.build(idp_sso_descriptor, 'SingleSignOnService')
         end
 
         attribute_profiles.each do |ap|
-          builder['md'].AttributeProfile(ap)
+          idp_sso_descriptor['md'].AttributeProfile(ap)
         end
 
         attributes.each do |attr|
-          attr.build(builder)
+          attr.build(idp_sso_descriptor)
         end
       end
     end

data/lib/saml2/key.rb

@@ -38,15 +38,15 @@ module SAML2
     end
 
     def build(builder)
-      builder['md'].KeyDescriptor do |builder|
-        builder.parent['use'] = use if use
-        builder['dsig'].KeyInfo do |builder|
-          builder['dsig'].X509Data do |builder|
-            builder['dsig'].X509Certificate(x509)
+      builder['md'].KeyDescriptor do |key_descriptor|
+        key_descriptor.parent['use'] = use if use
+        key_descriptor['dsig'].KeyInfo do |key_info|
+          key_info['dsig'].X509Data do |x509_data|
+            x509_data['dsig'].X509Certificate(x509)
           end
         end
         encryption_methods.each do |method|
-          builder['xenc'].EncryptionMethod('Algorithm' => method)
+          key_descriptor['xenc'].EncryptionMethod('Algorithm' => method)
         end
       end
     end

data/lib/saml2/organization.rb

@@ -37,10 +37,10 @@ module SAML2
     end
 
     def build(builder)
-      builder['md'].Organization do |builder|
-        self.class.build(builder, @name, 'OrganizationName')
-        self.class.build(builder, @display_name, 'OrganizationDisplayName')
-        self.class.build(builder, @url, 'OrganizationURL')
+      builder['md'].Organization do |organization|
+        self.class.build(organization, @name, 'OrganizationName')
+        self.class.build(organization, @display_name, 'OrganizationDisplayName')
+        self.class.build(organization, @url, 'OrganizationURL')
       end
     end
 

data/lib/saml2/response.rb

@@ -77,17 +77,17 @@ module SAML2
         Version: '2.0',
         IssueInstant: issue_instant.iso8601,
         Destination: destination
-      ) do |builder|
-        builder.parent['InResponseTo'] = in_response_to if in_response_to
+      ) do |response|
+        response.parent['InResponseTo'] = in_response_to if in_response_to
 
-        issuer.build(builder, element: 'Issuer', include_namespace: true) if issuer
+        issuer.build(response, element: 'Issuer', include_namespace: true) if issuer
 
-        builder['samlp'].Status do |builder|
-          builder['samlp'].StatusCode(Value: status_code)
+        response['samlp'].Status do |status|
+          status['samlp'].StatusCode(Value: status_code)
           end
 
         assertions.each do |assertion|
-          builder.parent << assertion.to_xml
+          response.parent << assertion.to_xml
         end
       end
     end

data/lib/saml2/sso.rb

@@ -2,8 +2,6 @@ require 'saml2/role'
 
 module SAML2
   class SSO < Role
-    attr_reader :single_logout_services, :name_id_formats
-
     def initialize
       super
       @single_logout_services = []

data/lib/saml2/subject.rb

@@ -14,9 +14,9 @@ module SAML2
     end
 
     def build(builder)
-      builder['saml'].Subject do |builder|
-        name_id.build(builder) if name_id
-        confirmation.build(builder) if confirmation
+      builder['saml'].Subject do |subject|
+        name_id.build(subject) if name_id
+        confirmation.build(subject) if confirmation
       end
     end
 
@@ -30,16 +30,16 @@ module SAML2
       attr_accessor :method, :not_before, :not_on_or_after, :recipient, :in_response_to
 
       def build(builder)
-        builder['saml'].SubjectConfirmation('Method' => method) do |builder|
+        builder['saml'].SubjectConfirmation('Method' => method) do |subject_confirmation|
           if in_response_to ||
               recipient ||
               not_before ||
               not_on_or_after
-            builder['saml'].SubjectConfirmationData do |builder|
-              builder.parent['NotBefore'] = not_before.iso8601 if not_before
-              builder.parent['NotOnOrAfter'] = not_on_or_after.iso8601 if not_on_or_after
-              builder.parent['Recipient'] = recipient if recipient
-              builder.parent['InResponseTo'] = in_response_to if in_response_to
+            subject_confirmation['saml'].SubjectConfirmationData do |subject_confirmation_data|
+              subject_confirmation_data.parent['NotBefore'] = not_before.iso8601 if not_before
+              subject_confirmation_data.parent['NotOnOrAfter'] = not_on_or_after.iso8601 if not_on_or_after
+              subject_confirmation_data.parent['Recipient'] = recipient if recipient
+              subject_confirmation_data.parent['InResponseTo'] = in_response_to if in_response_to
             end
           end
         end

data/lib/saml2/version.rb

@@ -1,3 +1,3 @@
 module SAML2
-  VERSION = '1.0.8'
+  VERSION = '1.0.9'
 end

data/spec/lib/attribute_consuming_service_spec.rb

@@ -119,7 +119,7 @@ module SAML2
         attr.value = 'value'
         acs.requested_attributes << attr
         stmt = acs.create_statement({})
-        stmt.must_equal nil
+        assert_nil(stmt)
       end
 
     end

data/spec/lib/attribute_spec.rb

@@ -4,9 +4,9 @@ module SAML2
   describe Attribute do
     def serialize(attribute)
       doc = Nokogiri::XML::Builder.new do |builder|
-        builder['saml'].Root('xmlns:saml' => Namespaces::SAML) do |builder|
-          attribute.build(builder)
-          builder.parent.child['xmlns:saml'] = Namespaces::SAML
+        builder['saml'].Root('xmlns:saml' => Namespaces::SAML) do |root|
+          attribute.build(root)
+          root.parent.child['xmlns:saml'] = Namespaces::SAML
         end
       end.doc
       doc.root.child.to_s

data/spec/lib/authn_request_spec.rb

@@ -15,6 +15,11 @@ module SAML2
         authnrequest = AuthnRequest.decode('abc')
         authnrequest.valid_schema?.must_equal false
       end
+
+      it "doesn't allow deflate bombs" do
+        bomb = Base64.encode64(Zlib::Deflate.deflate("\0" * 2 * 1024 * 1024))
+        -> { AuthnRequest.decode(bomb) }.must_raise MessageTooLarge
+      end
     end
 
     it "should be valid" do

data/spec/lib/entity_spec.rb

@@ -9,12 +9,12 @@ module SAML2
 
     it "should return nil when not valid schema" do
       entity = Entity.parse("<xml></xml>")
-      entity.must_equal nil
+      assert_nil(entity)
     end
 
     it "should return nil on non-XML" do
       entity = Entity.parse("garbage")
-      entity.must_equal nil
+      assert_nil(entity)
     end
 
     describe "valid schema" do
@@ -27,7 +27,7 @@ module SAML2
       it "should parse the organization" do
         entity.organization.display_name.must_equal 'Canvas'
         entity.organization.display_name('en').must_equal 'Canvas'
-        entity.organization.display_name('es').must_equal nil
+        assert_nil(entity.organization.display_name('es'))
         entity.organization.display_name(:all).must_equal en: 'Canvas'
       end
 

data/spec/lib/indexed_object_spec.rb

@@ -16,7 +16,7 @@ module SAML2
       acses.map(&:location).must_equal ['a', 'b']
       acses[1].location.must_equal 'a'
       acses[3].location.must_equal 'b'
-      acses[0].must_equal nil
+      assert_nil(acses[0])
     end
 
     describe "#default" do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: saml2
 version: !ruby/object:Gem::Version
-  version: 1.0.8
+  version: 1.0.9
 platform: ruby
 authors:
 - Cody Cutrer
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-02-06 00:00:00.000000000 Z
+date: 2017-03-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -193,7 +193,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.10
+rubygems_version: 2.6.11
 signing_key: 
 specification_version: 4
 summary: SAML 2.0 Library