xmldsig 0.2.8 → 0.2.9

Sign up to get free protection for your applications and to get access to all the features.
Files changed (6) hide show
  1. checksums.yaml +4 -4
  2. data/lib/xmldsig/reference.rb +3 -2
  3. data/lib/xmldsig/version.rb +1 -1
  4. data/spec/fixtures/unsigned-malicious.xml +21 -0
  5. data/spec/lib/xmldsig/reference_spec.rb +10 -0
  6. metadata +4 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 0cc1b756bb07e55a09690b94d94fc3994032311b
4
- data.tar.gz: 3ad4f0aa9cc2ce9abc66857bdf31c530656f207c
3
+ metadata.gz: b3268f56bd10ebb287e946bd2cec9bcc33b60f28
4
+ data.tar.gz: d239b42bdcaad48d8750f7706ec76f58251abf49
5
5
  SHA512:
6
- metadata.gz: 3639d76dddac3500ada6699b86e4eb23a4a9bc7f701b1ed94eb80e841b624d71a8c4a924783c9711f85af47e8bc81878524a047f6942850c6fbd463bfc5e405a
7
- data.tar.gz: 497cb5e9810215ad95f49c0e0ac0d24c91144993c99b050d933faec696a5af0a221149fd8262234a4ed31eb1cda3004ee7f6b5112fb5544f4dd9339abf4e37fb
6
+ metadata.gz: d0f22faa02b78c1e7b138620df2625619b582bf473672327dda2c21e9807253651133bec6a6b30a71e9a94c6814aadfa7b1f5dd59ff8b956ce6d3a10f5822f11
7
+ data.tar.gz: e45c639298276447fadb7decf6381b0840cca5cab409381ecaa6f38ef6b66c6f2e1eca85e244abe5b09d9ecfd6bee964185a3d881e75bac2bd2904137526a0b5
data/lib/xmldsig/reference.rb CHANGED
@@ -22,8 +22,9 @@ module Xmldsig
22
22
  def referenced_node
23
23
  if reference_uri && reference_uri != ""
24
24
  id = reference_uri[1..-1]
25
- referenced_node_xpath = @id_attr ? "//*[@#{@id_attr}='#{id}']" : "//*[@ID='#{id}' or @wsu:Id='#{id}']"
26
- if ref = document.dup.at_xpath(referenced_node_xpath, NAMESPACES)
25
+ referenced_node_xpath = @id_attr ? "//*[@#{@id_attr}=$uri]" : "//*[@ID=$uri or @wsu:Id=$uri]"
26
+ variable_bindings = { 'uri' => id }
27
+ if ref = document.dup.at_xpath(referenced_node_xpath, NAMESPACES, variable_bindings)
27
28
  ref
28
29
  else
29
30
  raise(
data/lib/xmldsig/version.rb CHANGED
@@ -1,3 +1,3 @@
1
1
  module Xmldsig
2
- VERSION = '0.2.8'
2
+ VERSION = '0.2.9'
3
3
  end
data/spec/fixtures/unsigned-malicious.xml ADDED
@@ -0,0 +1,21 @@
1
+ <?xml version="1.0" encoding="UTF-8"?>
2
+ <foo:Foo ID="foo" xmlns:foo="http://example.com/foo#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#">
3
+ <foo:Bar>bar</foo:Bar>
4
+ <ds:Signature>
5
+ <ds:SignedInfo>
6
+ <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
7
+ <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
8
+ <ds:Reference URI="#foo' or 1=1 or ''='">
9
+ <ds:Transforms>
10
+ <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
11
+ <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
12
+ <ec:InclusiveNamespaces PrefixList="foo"/>
13
+ </ds:Transform>
14
+ </ds:Transforms>
15
+ <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
16
+ <ds:DigestValue></ds:DigestValue>
17
+ </ds:Reference>
18
+ </ds:SignedInfo>
19
+ <ds:SignatureValue></ds:SignatureValue>
20
+ </ds:Signature>
21
+ </foo:Foo>
data/spec/lib/xmldsig/reference_spec.rb CHANGED
@@ -65,6 +65,16 @@ describe Xmldsig::Reference do
65
65
  expect { reference.referenced_node }.
66
66
  to raise_error(Xmldsig::Reference::ReferencedNodeNotFound)
67
67
  end
68
+
69
+ it "raises ReferencedNodeNotFound when the reference node is malicious" do
70
+ malicious_document = Nokogiri::XML::Document.parse File.read("spec/fixtures/unsigned-malicious.xml")
71
+ node = document.at_xpath('//*[@ID]')
72
+ node.remove_attribute('ID')
73
+ node.set_attribute('MyID', 'foobar')
74
+ malicious_reference = Xmldsig::Reference.new(malicious_document.at_xpath('//ds:Reference', Xmldsig::NAMESPACES), 'MyID')
75
+ expect { malicious_reference.referenced_node }.
76
+ to raise_error(Xmldsig::Reference::ReferencedNodeNotFound)
77
+ end
68
78
  end
69
79
 
70
80
  describe "#reference_uri" do
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: xmldsig
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.2.8
4
+ version: 0.2.9
5
5
  platform: ruby
6
6
  authors:
7
7
  - benoist
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2015-05-10 00:00:00.000000000 Z
11
+ date: 2015-07-10 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: nokogiri
@@ -60,6 +60,7 @@ files:
60
60
  - spec/fixtures/signed/shib.cert
61
61
  - spec/fixtures/signed/shib.xml
62
62
  - spec/fixtures/signed_custom_attribute_id.xml
63
+ - spec/fixtures/unsigned-malicious.xml
63
64
  - spec/fixtures/unsigned.xml
64
65
  - spec/fixtures/unsigned/canonicalizer_1_0.xml
65
66
  - spec/fixtures/unsigned/canonicalizer_1_1.xml
@@ -116,6 +117,7 @@ test_files:
116
117
  - spec/fixtures/signed/shib.cert
117
118
  - spec/fixtures/signed/shib.xml
118
119
  - spec/fixtures/signed_custom_attribute_id.xml
120
+ - spec/fixtures/unsigned-malicious.xml
119
121
  - spec/fixtures/unsigned.xml
120
122
  - spec/fixtures/unsigned/canonicalizer_1_0.xml
121
123
  - spec/fixtures/unsigned/canonicalizer_1_1.xml