npm - saml - Versions diffs - 3.0.1 → 4.0.0 - Mend

saml 3.0.1 → 4.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/README.md +23 -0
package/lib/saml11.js +4 -0
package/lib/saml20.js +4 -0
package/lib/xml/encrypt.js +3 -1
package/package.json +12 -12
package/.github/workflows/semgrep.yml +0 -15
package/.idea/modules.xml +0 -8
package/.idea/node-saml.iml +0 -12
package/.idea/vcs.xml +0 -6
package/.travis.yml +0 -4
package/CHANGELOG.md +0 -82
package/commitlint.config.js +0 -1
package/test/saml11.tests.js +0 -489
package/test/saml20.tests.js +0 -688
package/test/test-auth0-chain.pem +0 -160
package/test/test-auth0.der +0 -0
package/test/test-auth0.key +0 -27
package/test/test-auth0.pem +0 -24
package/test/test-auth0_rsa.pub +0 -9
package/test/utils.js +0 -116
package/test/utils.tests.js +0 -63

package/README.md CHANGED Viewed

@@ -32,6 +32,29 @@ var signedAssertion = saml.create(options);
 Everything except the cert and key is optional.
+### Encryption
+SAML assertions can optionally be encrypted, by providing a certificate and public key, as follows:
+```js
+var saml = require('saml').Saml20; // or Saml11
+var options = {
+  cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+  key: fs.readFileSync(__dirname + '/test-auth0.key'),
+  nameIdentifier: 'foo',
+  encryptionPublicKey: fs.readFileSync(__dirname + '/encryption-key.pub'),
+  encryptionCert: fs.readFileSync(__dirname + '/encryption-cert.pem'),
+  encryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc', // Defaults to http://www.w3.org/2009/xmlenc11#aes256-gcm if not specified
+  disallowEncryptionWithInsecureAlgorithm: true,
+  warnOnInsecureEncryptionAlgorithm: true
+}
+```
+See [node-xml-encryption](https://github.com/auth0/node-xml-encryption) for documentation on the allowed algorithms. If using algorithms treated as insecure by [node-xml-encryption](https://github.com/auth0/node-xml-encryption), you must provide disallowEncryptionWithInsecureAlgorithm option set to false.
+A warning will be piped to `stderr` using console.warn() by default when the insecure algorithms are used and above mentioned flag is false. This can be disabled via the `warnOnInsecureEncryptionAlgorithm` flag.
 ## Issue Reporting
 If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The [Responsible Disclosure Program](https://auth0.com/whitehat) details the procedure for disclosing security issues.

package/lib/saml11.js CHANGED Viewed

@@ -56,6 +56,8 @@ function extractSaml11Options(opts) {
  * @param [options.encryptionPublicKey] {Buffer}
  * @param [options.encryptionAlgorithm] {string}
  * @param [options.keyEncryptionAlgorithm] {string}
+ * @param [options.disallowEncryptionWithInsecureAlgorithm] {boolean}
+ * @param [options.warnOnInsecureEncryptionAlgorithm] {boolean}
  *
  * @param {Function} [callback] required if encrypting
  * @return {String|*}
@@ -89,6 +91,8 @@ exports.create = function(options, callback) {
  * @param [options.encryptionPublicKey] {Buffer}
  * @param [options.encryptionAlgorithm] {string}
  * @param [options.keyEncryptionAlgorithm] {string}
+ * @param [options.disallowEncryptionWithInsecureAlgorithm] {boolean}
+ * @param [options.warnOnInsecureEncryptionAlgorithm] {boolean}
  *
  * @param {Function} [callback] required if encrypting
  * @return {String|*}

package/lib/saml20.js CHANGED Viewed

@@ -95,6 +95,8 @@ function extractSaml20Options(opts) {
  * @param [options.encryptionPublicKey] {Buffer}
  * @param [options.encryptionAlgorithm] {string}
  * @param [options.keyEncryptionAlgorithm] {string}
+ * @param [options.disallowEncryptionWithInsecureAlgorithm] {boolean}
+ * @param [options.warnOnInsecureEncryptionAlgorithm] {boolean}
  *
  * @param {Function} [callback] required if encrypting
  * @return {*}
@@ -134,6 +136,8 @@ exports.create = function createSignedAssertion(options, callback) {
  * @param [options.encryptionPublicKey] {Buffer}
  * @param [options.encryptionAlgorithm] {string}
  * @param [options.keyEncryptionAlgorithm] {string}
+ * @param [options.disallowEncryptionWithInsecureAlgorithm] {boolean}
+ * @param [options.warnOnInsecureEncryptionAlgorithm] {boolean}
  *
  * @param {Function} [callback] required if encrypting
  * @return {*}

package/lib/xml/encrypt.js CHANGED Viewed

@@ -9,8 +9,10 @@ exports.fromEncryptXmlOptions = function (options) {
     const encryptOptions = {
       rsa_pub: options.encryptionPublicKey,
       pem: options.encryptionCert,
-      encryptionAlgorithm: options.encryptionAlgorithm || 'http://www.w3.org/2001/04/xmlenc#aes256-cbc',
+      encryptionAlgorithm: options.encryptionAlgorithm || 'http://www.w3.org/2009/xmlenc11#aes256-gcm',
       keyEncryptionAlgorithm: options.keyEncryptionAlgorithm || 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p',
+      disallowEncryptionWithInsecureAlgorithm: options?.disallowEncryptionWithInsecureAlgorithm !== false,
+      warnInsecureAlgorithm: options?.warnOnInsecureEncryptionAlgorithm !== false,
     };
     // expose the encryptOptions as these are needed when adding the SubjectConfirmation

package/package.json CHANGED Viewed

@@ -1,18 +1,23 @@
 {
   "name": "saml",
-  "version": "3.0.1",
+  "version": "4.0.0",
   "engines": {
     "node": ">=12"
   },
   "devDependencies": {
-    "@commitlint/cli": "^11.0.0",
-    "@commitlint/config-conventional": "^11.0.0",
+    "@commitlint/cli": "^20.3.1",
+    "@commitlint/config-conventional": "^20.3.1",
+    "@semantic-release/exec": "^7.0.3",
     "chai": "^4.2.0",
-    "husky": "^4.3.0",
+    "husky": "^9.1.7",
     "mocha": "^8.2.0",
+    "semantic-release": "^25.0.2",
     "should": "~1.2.1",
-    "standard-version": "^9.0.0"
+    "sinon": "^9.0.2"
   },
+  "files": [
+    "lib"
+  ],
   "main": "./lib",
   "repository": "https://github.com/auth0/node-saml",
   "keywords": [
@@ -27,17 +32,12 @@
     "moment": "^2.29.4",
     "valid-url": "~1.0.9",
     "xml-crypto": "^2.1.3",
-    "xml-encryption": "^2.0.0",
+    "xml-encryption": "^4.0.0",
     "xml-name-validator": "~2.0.1",
     "xpath": "0.0.5"
   },
   "scripts": {
-    "release": "standard-version",
+    "prepare": "husky",
     "test": "mocha"
-  },
-  "husky": {
-    "hooks": {
-      "commit-msg": "commitlint -E HUSKY_GIT_PARAMS"
-    }
   }
 }

package/.github/workflows/semgrep.yml DELETED Viewed

@@ -1,15 +0,0 @@
-name: Semgrep
-on:
-  pull_request: {}
-  push:
-     branches: ["master"]
-jobs:
-  semgrep:
-    name: Scan
-    runs-on: ubuntu-latest
-    if: (github.actor != 'dependabot[bot]' && github.actor != 'snyk-bot')
-    steps:
-      - uses: actions/checkout@v2
-      - uses: returntocorp/semgrep-action@v1
-        with:
-          publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}

package/.idea/modules.xml DELETED Viewed

@@ -1,8 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="ProjectModuleManager">
-    <modules>
-      <module fileurl="file://$PROJECT_DIR$/.idea/node-saml.iml" filepath="$PROJECT_DIR$/.idea/node-saml.iml" />
-    </modules>
-  </component>
-</project>

package/.idea/node-saml.iml DELETED Viewed

@@ -1,12 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<module type="WEB_MODULE" version="4">
-  <component name="NewModuleRootManager">
-    <content url="file://$MODULE_DIR$">
-      <excludeFolder url="file://$MODULE_DIR$/temp" />
-      <excludeFolder url="file://$MODULE_DIR$/.tmp" />
-      <excludeFolder url="file://$MODULE_DIR$/tmp" />
-    </content>
-    <orderEntry type="inheritedJdk" />
-    <orderEntry type="sourceFolder" forTests="false" />
-  </component>
-</module>

package/.idea/vcs.xml DELETED Viewed

@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="VcsDirectoryMappings">
-    <mapping directory="$PROJECT_DIR$" vcs="Git" />
-  </component>
-</project>

package/.travis.yml DELETED Viewed

@@ -1,4 +0,0 @@
-language: node_js
-node_js:
-  - 10.16.0
-  - 12.10.0

package/CHANGELOG.md DELETED Viewed

@@ -1,82 +0,0 @@
-# Changelog
-All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
-### [3.0.1](https://github.com/auth0/node-saml/compare/v3.0.0...v3.0.1) (2022-08-26)
-### Bug Fixes
-* update async and moment dependencies to fix reported CVEs ([663a73e](https://github.com/auth0/node-saml/commit/663a73ef4f933c5b264ab0ba3b69fd35039eab64))
-## [3.0.0](https://github.com/auth0/node-saml/compare/v2.0.1...v3.0.0) (2022-05-12)
-### ⚠ BREAKING CHANGES
-* handle poorly formatted PEM files (#85)
-### Bug Fixes
-* handle poorly formatted PEM files ([#85](https://github.com/auth0/node-saml/issues/85)) ([8830a23](https://github.com/auth0/node-saml/commit/8830a238d33e2e198acd81fb6d972583848bfe26))
-### [2.0.1](https://github.com/auth0/node-saml/compare/v2.0.0...v2.0.1) (2022-02-09)
-### Bug Fixes
-* **saml11:** do not mutate moment() when options.lifetimeInSeconds is provided ([0a5afd1](https://github.com/auth0/node-saml/commit/0a5afd1977dc832f1cc51de6af7c801cc95f78b5))
-## [2.0.0](https://github.com/auth0/node-saml/compare/v1.0.1...v2.0.0) (2022-02-04)
-### ⚠ BREAKING CHANGES
-* Requires NodeJS >= 12
-Upgraded the xml-encryption package which removes the vulnerable node-forge dependency
-See https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
-### Bug Fixes
-* remove vulnerable node-forge dependency ([0106c61](https://github.com/auth0/node-saml/commit/0106c611a1263150e42692411aeeea0c95ec0755))
-### [1.0.1](https://github.com/auth0/node-saml/compare/v1.0.0...v1.0.1) (2021-09-17)
-### Bug Fixes
-* update xmldom and xml-crypto to fix security issues ([6ad0243](https://github.com/auth0/node-saml/commit/6ad0243fe8c2f90d71d335500e9a9c8a2c436cb7))
-## [1.0.0](https://github.com/auth0/node-saml/compare/v0.15.0...v1.0.0) (2020-11-04)
-### ⚠ BREAKING CHANGES
-* update xml-crypto and xmldom dependencies to fix sec issues
-* stop supporting node v4 and v8
-* xml-encryption major version bump, fix typo in config property
-from `keyEncryptionAlgorighm` to `keyEncryptionAlgorithm` consumed by
-new xml-encryption library version.
-### Features
-* fix sec issues with dependencies ([06acc02](https://github.com/auth0/node-saml/commit/06acc0238d7161c123f2f6924aa9f5984a5a2f32))
-* update xml-crypto and xmldom dependencies to fix sec issues ([772c30e](https://github.com/auth0/node-saml/commit/772c30e4333d0af0e783c163e371c49ec0386c23))
-* remove node v4 and v8 in travis configuration ([d8c62af](https://github.com/auth0/node-saml/commit/d8c62af972e6c6edbc052fafed749b254e73569c))
-## [0.15.0](https://github.com/auth0/node-saml/compare/v0.13.0...v0.15.0) (2020-10-01)
-### Features
-* **saml11:** adds saml11.createUnsignedAssertion() ([51170c9](https://github.com/auth0/node-saml/commit/51170c91f5ddf9c31cb00b03fe5d8c513131e165))
-* **saml20:** adds Saml20.createUnsignedAssertion() ([de0e766](https://github.com/auth0/node-saml/commit/de0e766f3fcb52913a93ff52cc1feefebf47eb00))
-* **xml/sign:** unsigned assertions should have whitespace removed as well ([968d0e7](https://github.com/auth0/node-saml/commit/968d0e7559dd72f7d029752ced9887855e7d44c4))
-### Bug Fixes
-* **saml20:** parses saml20.template only once at start up ([cb3bfcd](https://github.com/auth0/node-saml/commit/cb3bfcdc4b034b6ac3ea52172c1be7d6193fddec))

package/commitlint.config.js DELETED Viewed

	@@ -1 +0,0 @@
1	- module.exports = { extends: ['@commitlint/config-conventional'] };