Add warning about the use of OneLogin_Saml2_IdPMetadataParser class

pitbulk · pitbulk · commit 62a96394344c · 2021-05-26T16:32:02.000+02:00
diff --git a/README.md b/README.md
@@ -549,6 +549,13 @@ There's an easier method -- use a metadata exchange.  Metadata is just an XML fi
 
 Using ````parse_remote```` IdP metadata can be obtained and added to the settings withouth further ado.
 
+But take in mind that the OneLogin_Saml2_IdPMetadataParser class does not validate in any way the URL that is introduced in order to be parsed. 
+
+Usually the same administrator that handles the Service Provider also sets the URL to the IdP, which should be a trusted resource.
+
+But there are other scenarios, like a SAAS app where the administrator of the app delegates this functionality to other users. In this case, extra precaution should be taken in order to validate such URL inputs and avoid attacks like SSRF.
+
+
 ``
 idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote('https://example.com/auth/saml2/idp/metadata')
 ``
diff --git a/src/onelogin/saml2/idp_metadata_parser.py b/src/onelogin/saml2/idp_metadata_parser.py
@@ -22,6 +22,9 @@
 class OneLogin_Saml2_IdPMetadataParser(object):
     """
     A class that contain methods related to obtaining and parsing metadata from IdP
+    
+    This class does not validate in any way the URL that is introduced,
+    make sure to validate it properly before use it in a get_metadata method.
     """
 
     @staticmethod
