samlesa 2.16.0 → 2.16.5

package/build/src/libsaml.js

@@ -70,12 +70,19 @@ const libSaml = () => {
         context: '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="{AssertionConsumerServiceURL}"><saml:Issuer>{Issuer}</saml:Issuer><samlp:NameIDPolicy Format="{NameIDFormat}" AllowCreate="{AllowCreate}"/></samlp:AuthnRequest>',
     };
     /**
-     * @desc Default logout request template
+     * @desc Default art  request template
      * @type {LogoutRequestTemplate}
      */
     const defaultLogoutRequestTemplate = {
         context: '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}"><saml:Issuer>{Issuer}</saml:Issuer><saml:NameID Format="{NameIDFormat}">{NameID}</saml:NameID></samlp:LogoutRequest>',
     };
+    /**
+     * @desc Default logout request template
+     * @type {LogoutRequestTemplate}
+     */
+    const defaultArtifactResolveTemplate = {
+        context: `<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><saml2p:ArtifactResolve xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="{ID}" Version="2.0" IssueInstant="{IssueInstant}" Destination="{Destination}"><saml2:Issuer>{Issuer}</saml2:Issuer><saml2p:Artifact>{Art}</saml2p:Artifact></saml2p:ArtifactResolve></SOAP-ENV:Body></SOAP-ENV:Envelope>`,
+    };
     /**
      * @desc Default AttributeStatement template
      * @type {AttributeStatementTemplate}
@@ -152,6 +159,12 @@ const libSaml = () => {
         }
         return nrsaAliasMappingForNode[signatureAlgorithms.RSA_SHA256];
     }
+    /**
+     * @private
+     * @desc Get the signing scheme alias by signature algorithms, used by the node-rsa module
+     * @param {string} sigAlg    signature algorithm
+     * @return {string/null} signing algorithm short-hand for the module node-rsa
+     */
     /**
      * @private
      * @desc Get the digest algorithms by signature algorithms
@@ -196,6 +209,7 @@ const libSaml = () => {
         createXPath,
         getQueryParamByType,
         defaultLoginRequestTemplate,
+        defaultArtifactResolveTemplate,
         defaultLoginResponseTemplate,
         defaultAttributeStatementTemplate,
         defaultAttributeTemplate,
@@ -474,6 +488,170 @@ const libSaml = () => {
       
                   return [verified, assertionNode];*/
         },
+        verifySignatureSoap(xml, opts) {
+            const { dom } = getContext();
+            const doc = dom.parseFromString(xml);
+            const docParser = new DOMParser();
+            let selection = [];
+            if (opts.isAssertion) {
+                // 断言模式下的专用逻辑
+                const assertionSignatureXpath = "./*[local-name()='Signature']";
+                const signatureNode = select(assertionSignatureXpath, doc.documentElement);
+                if (signatureNode.length === 0) {
+                    throw new Error('ERR_ASSERTION_SIGNATURE_NOT_FOUND');
+                }
+                selection = selection.concat(signatureNode);
+            }
+            else {
+                // 原始的SOAP响应验证逻辑
+                const messageSignatureXpath = "/*[local-name()='Envelope']/*[local-name()='Body']" +
+                    "/*[local-name()='ArtifactResponse']/*[local-name()='Signature'] | " +
+                    "/*[local-name()='Envelope']/*[local-name()='Body']" +
+                    "/*[local-name()='ArtifactResponse']/*[local-name()='Response']/*[local-name()='Signature']";
+                const assertionSignatureXpath = "/*[local-name()='Envelope']/*[local-name()='Body']" +
+                    "/*[local-name()='ArtifactResponse']/*[local-name()='Response']" +
+                    "/*[local-name()='Assertion']/*[local-name()='Signature'] | " +
+                    "/*[local-name()='Envelope']/*[local-name()='Body']" +
+                    "/*[local-name()='ArtifactResponse']/*[local-name()='Response']" +
+                    "/*[local-name()='EncryptedAssertion']";
+                const wrappingElementsXPath = "/*[local-name()='Envelope']/*[local-name()='Body']" +
+                    "/*[local-name()='ArtifactResponse']/*[local-name()='Response']" +
+                    "/*[local-name()='Assertion']/*[local-name()='Subject']" +
+                    "/*[local-name()='SubjectConfirmation']" +
+                    "/*[local-name()='SubjectConfirmationData']" +
+                    "//*[local-name()='Assertion' or local-name()='Signature']";
+                const messageSignatureNode = select(messageSignatureXpath, doc);
+                const assertionSignatureNode = select(assertionSignatureXpath, doc);
+                const wrappingElementNode = select(wrappingElementsXPath, doc);
+                // 检测包装攻击
+                if (wrappingElementNode.length !== 0) {
+                    throw new Error('ERR_POTENTIAL_WRAPPING_ATTACK');
+                }
+                // 保证响应中至少有一个签名
+                if (messageSignatureNode.length === 0 && assertionSignatureNode.length === 0) {
+                    throw new Error('ERR_ZERO_SIGNATURE');
+                }
+                selection = selection.concat(messageSignatureNode, assertionSignatureNode);
+            }
+            for (const signatureNode of selection) {
+                const sig = new SignedXml();
+                let verified = false;
+                sig.signatureAlgorithm = opts.signatureAlgorithm;
+                if (!opts.keyFile && !opts.metadata) {
+                    throw new Error('ERR_UNDEFINED_SIGNATURE_VERIFIER_OPTIONS');
+                }
+                if (opts.keyFile) {
+                    sig.publicCert = fs.readFileSync(opts.keyFile, 'utf-8');
+                }
+                if (opts.metadata) {
+                    const certificateNodes = select(".//*[local-name(.)='X509Certificate']", signatureNode);
+                    // 获取元数据中的证书
+                    let metadataCert = opts.metadata.getX509Certificate(certUse.signing);
+                    // 规范化元数据证书
+                    if (Array.isArray(metadataCert)) {
+                        metadataCert = flattenDeep(metadataCert);
+                    }
+                    else if (typeof metadataCert === 'string') {
+                        metadataCert = [metadataCert];
+                    }
+                    metadataCert = metadataCert.map(utility.normalizeCerString);
+                    // 检查证书可用性
+                    if (certificateNodes.length === 0 && metadataCert.length === 0) {
+                        throw new Error('NO_SELECTED_CERTIFICATE');
+                    }
+                    // 响应中有证书节点
+                    if (certificateNodes.length !== 0) {
+                        // 安全获取证书数据
+                        let x509CertificateData = '';
+                        if (certificateNodes[0].firstChild) {
+                            x509CertificateData = certificateNodes[0].firstChild.data;
+                        }
+                        else if (certificateNodes[0].textContent) {
+                            x509CertificateData = certificateNodes[0].textContent;
+                        }
+                        const x509Certificate = utility.normalizeCerString(x509CertificateData);
+                        // 验证证书匹配
+                        if (metadataCert.length >= 1 &&
+                            !metadataCert.find(cert => cert.trim() === x509Certificate.trim())) {
+                            throw new Error('ERROR_UNMATCH_CERTIFICATE_DECLARATION_IN_METADATA');
+                        }
+                        sig.publicCert = this.getKeyInfo(x509Certificate).getKey();
+                    }
+                    else {
+                        // 使用元数据中的第一个证书
+                        sig.publicCert = this.getKeyInfo(metadataCert[0]).getKey();
+                    }
+                }
+                // 加载签名
+                sig.loadSignature(signatureNode);
+                // 使用原始 XML 进行验证
+                verified = sig.checkSignature(xml);
+                console.log("签名验证结果:", verified);
+                if (!verified) {
+                    console.error("签名验证失败");
+                    throw new Error('ERR_FAILED_TO_VERIFY_SIGNATURE');
+                }
+                // 检查签名引用
+                if (!(sig.getSignedReferences().length >= 1)) {
+                    throw new Error('NO_SIGNATURE_REFERENCES');
+                }
+                const signedVerifiedXML = sig.getSignedReferences()[0];
+                const verifiedDoc = docParser.parseFromString(signedVerifiedXML, 'text/xml');
+                const rootNode = verifiedDoc.documentElement;
+                console.log("签名引用根节点:", rootNode.localName);
+                // 断言模式专用返回逻辑
+                if (opts.isAssertion) {
+                    if (rootNode.localName === 'Assertion') {
+                        return [true, rootNode.toString(), false];
+                    }
+                    else {
+                        throw new Error('ERR_INVALID_ASSERTION_SIGNATURE');
+                    }
+                }
+                // 处理已验证的签名
+                if (rootNode.localName === 'ArtifactResponse') {
+                    // 在 ArtifactResponse 中查找 Response
+                    const responseNodes = select("./*[local-name()='Response']", rootNode);
+                    if (responseNodes.length === 0) {
+                        console.warn("ArtifactResponse 中没有找到 Response 元素");
+                        continue;
+                    }
+                    const responseNode = responseNodes[0];
+                    // 在 Response 中查找断言
+                    const encryptedAssertions = select("./*[local-name()='EncryptedAssertion']", responseNode);
+                    const assertions = select("./*[local-name()='Assertion']", responseNode);
+                    if (encryptedAssertions.length === 1) {
+                        return [true, encryptedAssertions[0].toString(), true];
+                    }
+                    if (assertions.length === 1) {
+                        return [true, assertions[0].toString(), false];
+                    }
+                }
+                // 直接处理 Response
+                else if (rootNode.localName === 'Response') {
+                    const encryptedAssertions = select("./*[local-name()='EncryptedAssertion']", rootNode);
+                    const assertions = select("./*[local-name()='Assertion']", rootNode);
+                    if (encryptedAssertions.length === 1) {
+                        return [true, encryptedAssertions[0].toString(), true];
+                    }
+                    if (assertions.length === 1) {
+                        return [true, assertions[0].toString(), false];
+                    }
+                }
+                // 直接处理 Assertion
+                else if (rootNode.localName === 'Assertion') {
+                    return [true, rootNode.toString(), false];
+                }
+                // 直接处理 EncryptedAssertion
+                else if (rootNode.localName === 'EncryptedAssertion') {
+                    return [true, rootNode.toString(), true];
+                }
+                else {
+                    console.warn("未知的根节点类型:", rootNode.localName);
+                }
+            }
+            throw new Error('ERR_ZERO_SIGNATURE');
+        },
         /**
          * @desc Helper function to create the key section in metadata (abstraction for signing and encrypt use)
          * @param  {string} use          type of certificate (e.g. signing, encrypt)
@@ -538,6 +716,26 @@ const libSaml = () => {
                 throw new Error(`SAML 签名失败: ${error.message}`);
             }
         },
+        /*    constructMessageSignature(
+              octetString: string,
+              key: string,
+              passphrase?: string,
+              isBase64?: boolean,
+              signingAlgorithm?: string
+            ) {
+              // Default returning base64 encoded signature
+              // Embed with node-rsa module
+              const decryptedKey = new nrsa(
+                utility.readPrivateKey(key, passphrase),
+                undefined,
+                {
+                  signingScheme: getSigningScheme(signingAlgorithm),
+                }
+              );
+              const signature = decryptedKey.sign(octetString);
+              // Use private key to sign data
+              return isBase64 !== false ? signature.toString('base64') : signature;
+            },*/
         verifyMessageSignature(metadata, octetString, signature, verifyAlgorithm) {
             const signCert = metadata.getX509Certificate(certUse.signing);
             const signingScheme = getSigningSchemeForNode(verifyAlgorithm);
@@ -660,6 +858,61 @@ const libSaml = () => {
                 });
             });
         },
+        /**
+         * 解密 SOAP 响应中的加密断言
+         * @param self 当前实体（SP 或 IdP）
+         * @param entireXML 完整的 SOAP XML 响应
+         * @returns [解密后的完整 SOAP XML, 解密后的断言 XML]
+         */
+        async decryptAssertionSoap(self, entireXML) {
+            const { dom } = getContext();
+            try {
+                // 1. 解析 XML
+                const doc = dom.parseFromString(entireXML);
+                // 2. 定位加密断言
+                const encryptedAssertions = select("/*[local-name()='Envelope']/*[local-name()='Body']" +
+                    "/*[local-name()='ArtifactResponse']/*[local-name()='Response']" +
+                    "/*[local-name()='EncryptedAssertion']", doc);
+                if (!encryptedAssertions || encryptedAssertions.length === 0) {
+                    throw new Error('ERR_ENCRYPTED_ASSERTION_NOT_FOUND');
+                }
+                if (encryptedAssertions.length > 1) {
+                    console.warn('发现多个加密断言，仅处理第一个');
+                }
+                const encAssertionNode = encryptedAssertions[0];
+                // 3. 准备解密密钥
+                const privateKey = utility.readPrivateKey(self.entitySetting.encPrivateKey, self.entitySetting.encPrivateKeyPass);
+                // 4. 解密断言
+                const decryptedAssertion = await new Promise((resolve, reject) => {
+                    xmlenc.decrypt(encAssertionNode.toString(), { key: privateKey }, (err, result) => {
+                        if (err) {
+                            console.error('解密错误:', err);
+                            return reject(new Error('ERR_ASSERTION_DECRYPTION_FAILED'));
+                        }
+                        if (!result) {
+                            return reject(new Error('ERR_EMPTY_DECRYPTED_ASSERTION'));
+                        }
+                        resolve(result);
+                    });
+                });
+                // 5. 创建解密断言的 DOM
+                const decryptedDoc = dom.parseFromString(decryptedAssertion);
+                const decryptedAssertionNode = decryptedDoc.documentElement;
+                // 6. 替换加密断言为解密后的断言
+                const parentNode = encAssertionNode.parentNode;
+                if (!parentNode) {
+                    throw new Error('ERR_NO_PARENT_NODE_FOR_ENCRYPTED_ASSERTION');
+                }
+                parentNode.replaceChild(decryptedAssertionNode, encAssertionNode);
+                // 7. 序列化更新后的文档
+                const updatedSoapXml = doc.toString();
+                return [updatedSoapXml, decryptedAssertion];
+            }
+            catch (error) {
+                console.error('SOAP断言解密失败:', error);
+                throw new Error('ERR_SOAP_ASSERTION_DECRYPTION');
+            }
+        },
         /**
          * @desc Check if the xml string is valid and bounded
          */

package/build/src/metadata-idp.js

@@ -102,6 +102,13 @@ export class IdpMetadata extends Metadata {
                 attributePath: [],
                 attributes: ['Location']
             },
+            {
+                key: 'artifactResolutionService',
+                localPath: ['EntityDescriptor', 'IDPSSODescriptor', 'ArtifactResolutionService'],
+                index: ['Binding'],
+                attributePath: [],
+                attributes: ['Location']
+            },
         ]);
     }
     /**
@@ -130,4 +137,19 @@ export class IdpMetadata extends Metadata {
         }
         return this.meta.singleSignOnService;
     }
+    /**
+     * @desc Get the entity endpoint for single ArtifactResolutionService
+     * @param  {string} binding      protocol binding (e.g. redirect, post)
+     * @return {string/object} location
+     */
+    getArtifactResolutionService(binding) {
+        if (isString(binding)) {
+            const bindName = namespace.binding[binding];
+            const service = this.meta.artifactResolutionService[bindName];
+            if (service) {
+                return service;
+            }
+        }
+        return this.meta.artifactResolutionService;
+    }
 }

package/build/src/metadata-sp.js

@@ -70,6 +70,18 @@ export class SpMetadata extends Metadata {
                     descriptors.SingleLogoutService.push([{ _attr: attr }]);
                 });
             }
+            if (isNonEmptyArray(artifactResolutionService)) {
+                artifactResolutionService.forEach(a => {
+                    const attr = {
+                        Binding: a.Binding,
+                        Location: a.Location,
+                    };
+                    if (a.isDefault) {
+                        attr.isDefault = true;
+                    }
+                    descriptors.ArtifactResolutionService.push([{ _attr: attr }]);
+                });
+            }
             if (isNonEmptyArray(assertionConsumerService)) {
                 let indexCount = 0;
                 assertionConsumerService.forEach(a => {
@@ -150,21 +162,6 @@ export class SpMetadata extends Metadata {
                     descriptors.AttributeConsumingService.push(attrConsumingService);
                 });
             }
-            if (isNonEmptyArray(artifactResolutionService)) {
-                artifactResolutionService.forEach(a => {
-                    const attr = {
-                        Binding: a.Binding,
-                        Location: a.Location,
-                    };
-                    if (a.isDefault) {
-                        attr.isDefault = true;
-                    }
-                    descriptors.ArtifactResolutionService.push([{ _attr: attr }]);
-                });
-            }
-            else {
-                console.warn('Construct identity  provider - missing endpoint of ArtifactResolutionService');
-            }
             // handle element order
             const existedElements = elementsOrder.filter(name => isNonEmptyArray(descriptors[name]));
             existedElements.forEach(name => {
@@ -193,6 +190,11 @@ export class SpMetadata extends Metadata {
                 key: 'assertionConsumerService',
                 localPath: ['EntityDescriptor', 'SPSSODescriptor', 'AssertionConsumerService'],
                 attributes: ['Binding', 'Location', 'isDefault', 'index'],
+            },
+            {
+                key: 'artifactResolutionService',
+                localPath: ['EntityDescriptor', 'SPSSODescriptor', 'ArtifactResolutionService'],
+                attributes: ['Binding', 'Location', 'isDefault', 'index'],
             }
         ]);
     }

package/build/src/metadata.js

@@ -1,17 +1,17 @@
 /**
-* @file metadata.ts
-* @author tngan
-* @desc An abstraction for metadata of identity provider and service provider
-*/
+ * @file metadata.ts
+ * @author tngan
+ * @desc An abstraction for metadata of identity provider and service provider
+ */
 import * as fs from 'fs';
 import { namespace } from './urn.js';
 import { extract } from './extractor.js';
 import { isString } from './utility.js';
 export default class Metadata {
     /**
-    * @param  {string | Buffer} xml
-    * @param  {object} extraParse for custom metadata extractor
-    */
+     * @param  {string | Buffer} xml
+     * @param  {object} extraParse for custom metadata extractor
+     */
     constructor(xml, extraParse = []) {
         this.xmlString = xml.toString();
         this.meta = extract(this.xmlString, extraParse.concat([
@@ -66,46 +66,46 @@ export default class Metadata {
         }
     }
     /**
-    * @desc Get the metadata in xml format
-    * @return {string} metadata in xml format
-    */
+     * @desc Get the metadata in xml format
+     * @return {string} metadata in xml format
+     */
     getMetadata() {
         return this.xmlString;
     }
     /**
-    * @desc Export the metadata to specific file
-    * @param {string} exportFile is the output file path
-    */
+     * @desc Export the metadata to specific file
+     * @param {string} exportFile is the output file path
+     */
     exportMetadata(exportFile) {
         fs.writeFileSync(exportFile, this.xmlString);
     }
     /**
-    * @desc Get the entityID in metadata
-    * @return {string} entityID
-    */
+     * @desc Get the entityID in metadata
+     * @return {string} entityID
+     */
     getEntityID() {
         return this.meta.entityID;
     }
     /**
-    * @desc Get the x509 certificate declared in entity metadata
-    * @param  {string} use declares the type of certificate
-    * @return {string} certificate in string format
-    */
+     * @desc Get the x509 certificate declared in entity metadata
+     * @param  {string} use declares the type of certificate
+     * @return {string} certificate in string format
+     */
     getX509Certificate(use) {
         return this.meta.certificate[use] || null;
     }
     /**
-    * @desc Get the support NameID format declared in entity metadata
-    * @return {array} support NameID format
-    */
+     * @desc Get the support NameID format declared in entity metadata
+     * @return {array} support NameID format
+     */
     getNameIDFormat() {
         return this.meta.nameIDFormat;
     }
     /**
-    * @desc Get the entity endpoint for single logout service
-    * @param  {string} binding e.g. redirect, post
-    * @return {string/object} location
-    */
+     * @desc Get the entity endpoint for single logout service
+     * @param  {string} binding e.g. redirect, post
+     * @return {string/object} location
+     */
     getSingleLogoutService(binding) {
         if (binding && isString(binding)) {
             const bindType = namespace.binding[binding];
@@ -121,10 +121,31 @@ export default class Metadata {
         return this.meta.singleLogoutService;
     }
     /**
-    * @desc Get the support bindings
-    * @param  {[string]} services
-    * @return {[string]} support bindings
-    */
+     * @desc Get the entity endpoint for single logout service
+     * @param  {string} binding e.g. redirect, post
+     * @return {string/object} location
+     */
+    getArtifactResolutionService(binding) {
+        if (binding && isString(binding)) {
+            const bindType = namespace.binding[binding];
+            console.log(this.meta);
+            console.log("看一下---------------------");
+            let artifactResolutionService = this.meta.artifactResolutionService;
+            if (!(artifactResolutionService instanceof Array)) {
+                artifactResolutionService = [artifactResolutionService];
+            }
+            const service = artifactResolutionService.find(obj => obj.binding === bindType);
+            if (service) {
+                return service.location;
+            }
+        }
+        return this.meta.artifactResolutionService;
+    }
+    /**
+     * @desc Get the support bindings
+     * @param  {[string]} services
+     * @return {[string]} support bindings
+     */
     getSupportBindings(services) {
         let supportBindings = [];
         if (services) {

package/build/src/schema/env.xsd

@@ -0,0 +1,100 @@
+
+<!--  Schema for the SOAP/1.1 envelope
+
+        Portions © 2001 DevelopMentor.
+        © 2001 W3C (Massachusetts Institute of Technology, Institut National de Recherche en Informatique et en Automatique, Keio University). All Rights Reserved.
+
+        This document is governed by the W3C Software License [1] as described in the FAQ [2].
+        [1] http://www.w3.org/Consortium/Legal/copyright-software-19980720
+        [2] http://www.w3.org/Consortium/Legal/IPR-FAQ-20000620.html#DTD
+        By obtaining, using and/or copying this work, you (the licensee) agree that you have read, understood, and will comply with the following terms and conditions:
+
+        Permission to use, copy, modify, and distribute this software and its documentation, with or without modification,  for any purpose and without fee or royalty is hereby granted, provided that you include the following on ALL copies of the software and documentation or portions thereof, including modifications, that you make:
+
+        1.  The full text of this NOTICE in a location viewable to users of the redistributed or derivative work.
+
+        2.  Any pre-existing intellectual property disclaimers, notices, or terms and conditions. If none exist, a short notice of the following form (hypertext is preferred, text is permitted) should be used within the body of any redistributed or derivative code: "Copyright © 2001 World Wide Web Consortium, (Massachusetts Institute of Technology, Institut National de Recherche en Informatique et en Automatique, Keio University). All Rights Reserved. http://www.w3.org/Consortium/Legal/"
+
+        3.  Notice of any changes or modifications to the W3C files, including the date changes were made. (We recommend you provide URIs to the location from which the code is derived.)
+
+        Original W3C files; http://www.w3.org/2001/06/soap-envelope
+        Changes made:
+             - reverted namespace to http://schemas.xmlsoap.org/soap/envelope/
+             - reverted mustUnderstand to only allow 0 and 1 as lexical values
+             - made encodingStyle a global attribute 20020825
+             - removed default value from mustUnderstand attribute declaration
+
+        THIS SOFTWARE AND DOCUMENTATION IS PROVIDED "AS IS," AND COPYRIGHT HOLDERS MAKE NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF THE SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
+
+        COPYRIGHT HOLDERS WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF ANY USE OF THE SOFTWARE OR DOCUMENTATION.
+
+        The name and trademarks of copyright holders may NOT be used in advertising or publicity pertaining to the software without specific, written prior permission. Title to copyright in this software and any associated documentation will at all times remain with copyright holders.
+
+         -->
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://schemas.xmlsoap.org/soap/envelope/" targetNamespace="http://schemas.xmlsoap.org/soap/envelope/">
+    <!--  Envelope, header and body  -->
+    <xs:element name="Envelope" type="tns:Envelope"/>
+    <xs:complexType name="Envelope">
+        <xs:sequence>
+            <xs:element ref="tns:Header" minOccurs="0"/>
+            <xs:element ref="tns:Body" minOccurs="1"/>
+            <xs:any namespace="##other" minOccurs="0" maxOccurs="unbounded" processContents="lax"/>
+        </xs:sequence>
+        <xs:anyAttribute namespace="##other" processContents="lax"/>
+    </xs:complexType>
+    <xs:element name="Header" type="tns:Header"/>
+    <xs:complexType name="Header">
+        <xs:sequence>
+            <xs:any namespace="##other" minOccurs="0" maxOccurs="unbounded" processContents="lax"/>
+        </xs:sequence>
+        <xs:anyAttribute namespace="##other" processContents="lax"/>
+    </xs:complexType>
+    <xs:element name="Body" type="tns:Body"/>
+    <xs:complexType name="Body">
+        <xs:sequence>
+            <xs:any namespace="##any" minOccurs="0" maxOccurs="unbounded" processContents="lax"/>
+        </xs:sequence>
+        <xs:anyAttribute namespace="##any" processContents="lax">
+            <xs:annotation>
+                <xs:documentation> Prose in the spec does not specify that attributes are allowed on the Body element </xs:documentation>
+            </xs:annotation>
+        </xs:anyAttribute>
+    </xs:complexType>
+    <!--  Global Attributes.  The following attributes are intended to be usable via qualified attribute names on any complex type referencing them.   -->
+    <xs:attribute name="mustUnderstand">
+        <xs:simpleType>
+            <xs:restriction base="xs:boolean">
+                <xs:pattern value="0|1"/>
+            </xs:restriction>
+        </xs:simpleType>
+    </xs:attribute>
+    <xs:attribute name="actor" type="xs:anyURI"/>
+    <xs:simpleType name="encodingStyle">
+        <xs:annotation>
+            <xs:documentation> 'encodingStyle' indicates any canonicalization conventions followed in the contents of the containing element. For example, the value 'http://schemas.xmlsoap.org/soap/encoding/' indicates the pattern described in SOAP specification </xs:documentation>
+        </xs:annotation>
+        <xs:list itemType="xs:anyURI"/>
+    </xs:simpleType>
+    <xs:attribute name="encodingStyle" type="tns:encodingStyle"/>
+    <xs:attributeGroup name="encodingStyle">
+        <xs:attribute ref="tns:encodingStyle"/>
+    </xs:attributeGroup>
+    <xs:element name="Fault" type="tns:Fault"/>
+    <xs:complexType name="Fault" final="extension">
+        <xs:annotation>
+            <xs:documentation> Fault reporting structure </xs:documentation>
+        </xs:annotation>
+        <xs:sequence>
+            <xs:element name="faultcode" type="xs:QName"/>
+            <xs:element name="faultstring" type="xs:string"/>
+            <xs:element name="faultactor" type="xs:anyURI" minOccurs="0"/>
+            <xs:element name="detail" type="tns:detail" minOccurs="0"/>
+        </xs:sequence>
+    </xs:complexType>
+    <xs:complexType name="detail">
+        <xs:sequence>
+            <xs:any namespace="##any" minOccurs="0" maxOccurs="unbounded" processContents="lax"/>
+        </xs:sequence>
+        <xs:anyAttribute namespace="##any" processContents="lax"/>
+    </xs:complexType>
+</xs:schema>

package/build/src/schemaValidator.js

@@ -13,9 +13,37 @@ const schemas = [
     'xenc-schema.xsd',
     'saml-schema-metadata-2.0.xsd',
     'saml-schema-ecp-2.0.xsd',
-    'saml-schema-dce-2.0.xsd'
+    'saml-schema-dce-2.0.xsd',
+    'env.xsd'
 ];
+function detectXXEIndicators(samlString) {
+    const xxePatterns = [
+        /<!DOCTYPE\s[^>]*>/i,
+        /<!ENTITY\s+[^\s>]+\s+(?:SYSTEM|PUBLIC)\s+['"][^>]*>/i,
+        /&[a-zA-Z0-9._-]+;/g,
+        /SYSTEM\s*=/i,
+        /PUBLIC\s*=/i,
+        /file:\/\//,
+        /\.dtd['"]?/
+    ];
+    const matches = {};
+    xxePatterns.forEach((pattern, index) => {
+        const found = samlString.match(pattern);
+        if (found) {
+            matches[`pattern_${index}`] = {
+                pattern: pattern.toString(),
+                matches: found
+            };
+        }
+    });
+    return Object.keys(matches).length > 0 ? matches : null;
+}
 export const validate = async (xml) => {
+    const indicators = detectXXEIndicators(xml);
+    if (indicators) {
+        console.error('XXE风险特征:', indicators);
+        throw new Error('ERR_EXCEPTION_VALIDATE_XML');
+    }
     const schemaPath = path.resolve(__dirname, 'schema');
     const [schema, ...preload] = await Promise.all(schemas.map(async (file) => ({
         fileName: file,