xmldsig 0.2.8 → 0.2.9

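--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 0cc1b756bb07e55a09690b94d94fc3994032311b
- data.tar.gz: 3ad4f0aa9cc2ce9abc66857bdf31c530656f207c
+ metadata.gz: b3268f56bd10ebb287e946bd2cec9bcc33b60f28
+ data.tar.gz: d239b42bdcaad48d8750f7706ec76f58251abf49
  SHA512:
- metadata.gz: 3639d76dddac3500ada6699b86e4eb23a4a9bc7f701b1ed94eb80e841b624d71a8c4a924783c9711f85af47e8bc81878524a047f6942850c6fbd463bfc5e405a
- data.tar.gz: 497cb5e9810215ad95f49c0e0ac0d24c91144993c99b050d933faec696a5af0a221149fd8262234a4ed31eb1cda3004ee7f6b5112fb5544f4dd9339abf4e37fb
+ metadata.gz: d0f22faa02b78c1e7b138620df2625619b582bf473672327dda2c21e9807253651133bec6a6b30a71e9a94c6814aadfa7b1f5dd59ff8b956ce6d3a10f5822f11
+ data.tar.gz: e45c639298276447fadb7decf6381b0840cca5cab409381ecaa6f38ef6b66c6f2e1eca85e244abe5b09d9ecfd6bee964185a3d881e75bac2bd2904137526a0b5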
@@ -22,8 +22,9 @@ module Xmldsig
22
22
  def referenced_node
23
23
  if reference_uri && reference_uri != ""
24
24
  id = reference_uri[1..-1]
25
- referenced_node_xpath = @id_attr ? "//*[@#{@id_attr}='#{id}']" : "//*[@ID='#{id}' or @wsu:Id='#{id}']"
26
- if ref = document.dup.at_xpath(referenced_node_xpath, NAMESPACES)
25
+ referenced_node_xpath = @id_attr ? "//*[@#{@id_attr}=$uri]" : "//*[@ID=$uri or @wsu:Id=$uri]"
26
+ variable_bindings = { 'uri' => id }
27
+ if ref = document.dup.at_xpath(referenced_node_xpath, NAMESPACES, variable_bindings)
27
28
  ref
28
29
  else
29
30
  raise(
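Review bot: `@id_attr` is still interpolated straight into the XPath string on new line 25 while only the URI value is moved into the `$uri` binding; that is acceptable only if the attribute name is caller configuration rather than anything read from the signed document, and that assumption deserves a comment such as `# @id_attr is a trusted, caller-supplied attribute name; only the document-controlled URI is bound as $uri`. The `reference_uri[1..-1]` slice above the changed lines still assumes the URI begins with `#`, so the new code binds a truncated value for a same-document reference without that prefix — pre-existing, but a `start_with?('#')` guard or a comment there would make the contract explicit. `referenced_node` continues past the hunk; the argument list of `raise(` is not visible here.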
@@ -1,3 +1,3 @@
1
1
  module Xmldsig
2
- VERSION = '0.2.8'
2
+ VERSION = '0.2.9'
3
3
  end
@@ -0,0 +1,21 @@
1
+ <?xml version="1.0" encoding="UTF-8"?>
2
+ <foo:Foo ID="foo" xmlns:foo="http://example.com/foo#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#">
3
+ <foo:Bar>bar</foo:Bar>
4
+ <ds:Signature>
5
+ <ds:SignedInfo>
6
+ <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
7
+ <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
8
+ <ds:Reference URI="#foo' or 1=1 or ''='">
9
+ <ds:Transforms>
10
+ <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
11
+ <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
12
+ <ec:InclusiveNamespaces PrefixList="foo"/>
13
+ </ds:Transform>
14
+ </ds:Transforms>
15
+ <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
16
+ <ds:DigestValue></ds:DigestValue>
17
+ </ds:Reference>
18
+ </ds:SignedInfo>
19
+ <ds:SignatureValue></ds:SignatureValue>
20
+ </ds:Signature>
21
+ </foo:Foo>
@@ -65,6 +65,16 @@ describe Xmldsig::Reference do
65
65
  expect { reference.referenced_node }.
66
66
  to raise_error(Xmldsig::Reference::ReferencedNodeNotFound)
67
67
  end
68
+
69
+ it "raises ReferencedNodeNotFound when the reference node is malicious" do
70
+ malicious_document = Nokogiri::XML::Document.parse File.read("spec/fixtures/unsigned-malicious.xml")
71
+ node = document.at_xpath('//*[@ID]')
72
+ node.remove_attribute('ID')
73
+ node.set_attribute('MyID', 'foobar')
74
+ malicious_reference = Xmldsig::Reference.new(malicious_document.at_xpath('//ds:Reference', Xmldsig::NAMESPACES), 'MyID')
75
+ expect { malicious_reference.referenced_node }.
76
+ to raise_error(Xmldsig::Reference::ReferencedNodeNotFound)
77
+ end
68
78
  end
69
79
 
70
80
  describe "#reference_uri" do
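Review bot: The three setup lines after the fixture is parsed (`node = document.at_xpath('//*[@ID]')`, `node.remove_attribute('ID')`, `node.set_attribute('MyID', 'foobar')`) operate on `document`, which is defined outside this hunk, not on `malicious_document`, so unless the two names refer to the same object the `MyID` attribute never reaches the document whose reference is under test and the example passes simply because no element carries `MyID` at all. Changing the first of them to `node = malicious_document.at_xpath('//*[@ID]')` makes the intent explicit, or the three lines can be dropped if the intent is only that nothing matches. The new example also covers only the custom `@id_attr` branch; a sibling example that builds the reference without the second argument would exercise the default `@ID`/`@wsu:Id` XPath against the same fixture. The enclosing `describe` block starts before this hunk.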
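--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: xmldsig
  version: !ruby/object:Gem::Version
- version: 0.2.8
+ version: 0.2.9
  platform: ruby
  authors:
  - benoist
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2015-05-10 00:00:00.000000000 Z
+ date: 2015-07-10 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: nokogiri
@@ -60,6 +60,7 @@ files:
  - spec/fixtures/signed/shib.cert
  - spec/fixtures/signed/shib.xml
  - spec/fixtures/signed_custom_attribute_id.xml
+ - spec/fixtures/unsigned-malicious.xml
  - spec/fixtures/unsigned.xml
  - spec/fixtures/unsigned/canonicalizer_1_0.xml
  - spec/fixtures/unsigned/canonicalizer_1_1.xml
@@ -116,6 +117,7 @@ test_files:
  - spec/fixtures/signed/shib.cert
  - spec/fixtures/signed/shib.xml
  - spec/fixtures/signed_custom_attribute_id.xml
+ - spec/fixtures/unsigned-malicious.xml
  - spec/fixtures/unsigned.xml
  - spec/fixtures/unsigned/canonicalizer_1_0.xml
  - spec/fixtures/unsigned/canonicalizer_1_1.xml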