Merge pull request #749 from SAML-Toolkits/security_fix_1.12.4

Adding Github CI to 1.12.X branch

Author: pitbulk

.github/workflows/test.yml

@@ -0,0 +1,65 @@
+name: ruby-saml CI
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    name: Unit test
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - ubuntu-20.04
+          - macos-latest
+          - windows-latest
+        ruby-version:
+          - 2.1
+          - 2.2
+          - 2.3
+          - 2.4
+          - 2.5
+          - 2.6
+          - 2.7
+          - 3.0
+          - jruby-9.1
+          - jruby-9.2
+        exclude:
+          - os: macos-latest
+            ruby-version: 2.1
+          - os: macos-latest
+            ruby-version: 2.2
+          - os: macos-latest
+            ruby-version: 2.3
+          - os: macos-latest
+            ruby-version: 2.4
+          - os: macos-latest
+            ruby-version: 2.5
+          - os: macos-latest
+            ruby-version: jruby-9.1
+          - os: macos-latest
+            ruby-version: jruby-9.2
+          - os: windows-latest
+            ruby-version: 2.1
+          - os: windows-latest
+            ruby-version: jruby-9.1
+          - os: windows-latest
+            ruby-version: jruby-9.2
+          - os: windows-latest
+            ruby-version: jruby-9.3
+          - os: windows-latest
+            ruby-version: jruby-9.4
+          - os: windows-latest
+            ruby-version: truffleruby
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Ruby ${{ matrix.ruby-version }}
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby-version }}
+
+      - name: Install dependencies
+        run: bundle install
+
+      - name: Run tests
+        run: bundle exec rake

README.md

@@ -1,9 +1,13 @@
-# Ruby SAML [![Build Status](https://secure.travis-ci.org/onelogin/ruby-saml.svg)](http://travis-ci.org/onelogin/ruby-saml) [![Coverage Status](https://coveralls.io/repos/onelogin/ruby-saml/badge.svg?branch=master)](https://coveralls.io/r/onelogin/ruby-saml?branch=master) [![Gem Version](https://badge.fury.io/rb/ruby-saml.svg)](http://badge.fury.io/rb/ruby-saml)
+# Ruby SAML [![Build Status](https://secure.travis-ci.org/onelogin/ruby-saml.svg)](http://travis-ci.org/onelogin/ruby-saml) [![Coverage Status](https://coveralls.io/repos/onelogin/ruby-saml/badge.svg?branch=master)](https://coveralls.io/r/onelogin/ruby-saml?branch=master)
 
 ## Updating from 1.11.x to 1.12.0
 Version `1.12.0` adds support for gcm algorithm and
 change/adds specific error messages for signature validations
 
+`idp_sso_target_url` and `idp_slo_target_url` attributes of the Settings class deprecated in favor of `idp_sso_service_url` and `idp_slo_service_url`.
+In IDPMetadataParser, `parse`, `parse_to_hash` and `parse_to_array` methods now retrieve SSO URL and SLO URL endpoints with
+`idp_sso_service_url` and `idp_slo_service_url` (previously `idp_sso_target_url` and `idp_slo_target_url` respectively).
+
 ## Updating from 1.10.x to 1.11.0
 Version `1.11.0` deprecates the use of `settings.issuer` in favour of `settings.sp_entity_id`.
 There are two new security settings: `settings.security[:check_idp_cert_expiration]` and `settings.security[:check_sp_cert_expiration]` (both false by default) that check if the IdP or SP X.509 certificate has expired, respectively.
@@ -120,9 +124,11 @@ We created a demo project for Rails4 that uses the latest version of this librar
 * 2.5.x
 * 2.6.x
 * 2.7.x
-* JRuby 1.7.19
-* JRuby 9.0.0.0
-* JRuby 9.2.0.0
+* 3.0.x
+* JRuby 1.7.x
+* JRuby 9.0.x
+* JRuby 9.1.x
+* JRuby 9.2.x
 
 ## Adding Features, Pull Requests
 * Fork the repository
@@ -154,7 +160,7 @@ Using `Gemfile`
 
 ```ruby
 # latest stable
-gem 'ruby-saml', '~> 1.9.0'
+gem 'ruby-saml', '~> 1.11.0'
 
 # or track master for bleeding-edge
 gem 'ruby-saml', :github => 'onelogin/ruby-saml'

changelog.md

@@ -1,5 +1,15 @@
 # RubySaml Changelog
 
+### 1.12.3 (Sep 10, 2024)
+* Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via Incorrect XPath selector
+
+### 1.12.2 (Apr 08, 2022)
+* [575](https://github.com/onelogin/ruby-saml/pull/575) Fix SloLogoutresponse bug on LogoutRequest
+
+### 1.12.1 (Apr 05, 2022)
+* Fix XPath typo incompatible with Rexml 3.2.5
+* Refactor GCM support
+
 ### 1.12.0 (Feb 18, 2021)
 * Support AES-128-GCM, AES-192-GCM, and AES-256-GCM encryptions
 * Parse & return SLO ResponseLocation in IDPMetadataParser & Settings 

lib/onelogin/ruby-saml/attributes.rb

@@ -124,7 +124,7 @@ def ==(other)
       def fetch(name)
         attributes.each_key do |attribute_key|
           if name.is_a?(Regexp)
-            if name.method_exists? :match?
+            if name.respond_to? :match?
               return self[attribute_key] if name.match?(attribute_key)
             else 
               return self[attribute_key] if name.match(attribute_key)

lib/onelogin/ruby-saml/logoutrequest.rb

@@ -32,14 +32,14 @@ def request_id
       #
       def create(settings, params={})
         params = create_params(settings, params)
-        params_prefix = (settings.idp_slo_target_url =~ /\?/) ? '&' : '?'
+        params_prefix = (settings.idp_slo_service_url =~ /\?/) ? '&' : '?'
         saml_request = CGI.escape(params.delete("SAMLRequest"))
         request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
         params.each_pair do |key, value|
           request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
         end
-        raise SettingError.new "Invalid settings, idp_slo_target_url is not set!" if settings.idp_slo_target_url.nil? or settings.idp_slo_target_url.empty?
-        @logout_url = settings.idp_slo_target_url + request_params
+        raise SettingError.new "Invalid settings, idp_slo_service_url is not set!" if settings.idp_slo_service_url.nil? or settings.idp_slo_service_url.empty?
+        @logout_url = settings.idp_slo_service_url + request_params
       end
 
       # Creates the Get parameters for the logout request.
@@ -109,7 +109,7 @@ def create_xml_document(settings)
         root.attributes['ID'] = uuid
         root.attributes['IssueInstant'] = time
         root.attributes['Version'] = "2.0"
-        root.attributes['Destination'] = settings.idp_slo_target_url  unless settings.idp_slo_target_url.nil? or settings.idp_slo_target_url.empty?
+        root.attributes['Destination'] = settings.idp_slo_service_url  unless settings.idp_slo_service_url.nil? or settings.idp_slo_service_url.empty?
 
         if settings.sp_entity_id
           issuer = root.add_element "saml:Issuer"

lib/onelogin/ruby-saml/logoutresponse.rb

@@ -150,7 +150,8 @@ def validate_success_status
       # @raise [ValidationError] if soft == false and validation fails
       #
       def validate_structure
-        unless valid_saml?(document, soft)
+        check_malformed_doc = check_malformed_doc?(settings)
+        unless valid_saml?(document, soft, check_malformed_doc)
           return append_error("Invalid SAML Logout Response. Not match the saml-schema-protocol-2.0.xsd")
         end
 

lib/onelogin/ruby-saml/response.rb

@@ -425,12 +425,13 @@ def validate_success_status
       #
       def validate_structure
         structure_error_msg = "Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd"
-        unless valid_saml?(document, soft)
+        check_malformed_doc = check_malformed_doc_enabled?
+        unless valid_saml?(document, soft, check_malformed_doc)
           return append_error(structure_error_msg)
         end
 
         unless decrypted_document.nil?
-          unless valid_saml?(decrypted_document, soft)
+          unless valid_saml?(decrypted_document, soft, check_malformed_doc)
             return append_error(structure_error_msg)
           end
         end
@@ -828,7 +829,7 @@ def validate_signature
         # otherwise, review if the decrypted assertion contains a signature
         sig_elements = REXML::XPath.match(
           document,
-          "/p:Response[@ID=$id]/ds:Signature]",
+          "/p:Response[@ID=$id]/ds:Signature",
           { "p" => PROTOCOL, "ds" => DSIG },
           { 'id' => document.signed_element_id }
         )
@@ -865,6 +866,8 @@ def validate_signature
           fingerprint = settings.get_fingerprint
           opts[:cert] = idp_cert
 
+          check_malformed_doc = check_malformed_doc_enabled?
+          opts[:check_malformed_doc] = check_malformed_doc
           if fingerprint && doc.validate_document(fingerprint, @soft, opts)
             if settings.security[:check_idp_cert_expiration]
               if OneLogin::RubySaml::Utils.is_cert_expired(idp_cert)
@@ -879,7 +882,7 @@ def validate_signature
           valid = false
           expired = false
           idp_certs[:signing].each do |idp_cert|
-            valid = doc.validate_document_with_cert(idp_cert, true)
+            valid = doc.validate_document_with_cert(idp_cert, true, check_malformed_doc)
             if valid
               if settings.security[:check_idp_cert_expiration]
                 if OneLogin::RubySaml::Utils.is_cert_expired(idp_cert)
@@ -1063,6 +1066,10 @@ def parse_time(node, attribute)
           Time.parse(node.attributes[attribute])
         end
       end
+
+      def check_malformed_doc_enabled?
+        check_malformed_doc?(settings)
+      end
     end
   end
 end

lib/onelogin/ruby-saml/saml_message.rb

@@ -63,14 +63,13 @@ def id(document)
       # Validates the SAML Message against the specified schema.
       # @param document [REXML::Document] The message that will be validated
       # @param soft [Boolean] soft Enable or Disable the soft mode (In order to raise exceptions when the message is invalid or not)
+      # @param check_malformed_doc [Boolean] check_malformed_doc Enable or Disable the check for malformed XML
       # @return [Boolean] True if the XML is valid, otherwise False, if soft=True
       # @raise [ValidationError] if soft == false and validation fails
       #
-      def valid_saml?(document, soft = true)
+      def valid_saml?(document, soft = true, check_malformed_doc = true)
         begin
-          xml = Nokogiri::XML(document.to_s) do |config|
-            config.options = XMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
-          end
+          xml = XMLSecurity::BaseDocument.safe_load_xml(document, check_malformed_doc)
         rescue Exception => error
           return false if soft
           raise ValidationError.new("XML load failed: #{error.message}")
@@ -97,10 +96,16 @@ def decode_raw_saml(saml)
 
         decoded = decode(saml)
         begin
-          inflate(decoded)
+            message = inflate(decoded)
         rescue
-          decoded
+            message = decoded
+        end
+
+        if message.bytesize > MAX_BYTE_SIZE
+          raise ValidationError.new("Encoded SAML Message exceeds " + MAX_BYTE_SIZE.to_s + " bytes, so was rejected")
         end
+
+        message
       end
 
       # Deflate, base64 encode and url-encode a SAML Message (To be used in the HTTP-redirect binding)
@@ -157,6 +162,12 @@ def inflate(deflated)
       def deflate(inflated)
         Zlib::Deflate.deflate(inflated, 9)[2..-5]
       end
+
+      def check_malformed_doc?(settings)
+        default_value = OneLogin::RubySaml::Settings::DEFAULTS[:check_malformed_doc]
+
+        settings.nil? ? default_value : settings.check_malformed_doc
+      end
     end
   end
 end

lib/onelogin/ruby-saml/settings.rb

@@ -53,6 +53,7 @@ def initialize(overrides = {}, keep_security_attributes = false)
       attr_accessor :compress_request
       attr_accessor :compress_response
       attr_accessor :double_quote_xml_attribute_values
+      attr_accessor :check_malformed_doc
       attr_accessor :passive
       attr_accessor :protocol_binding
       attr_accessor :attributes_index
@@ -259,6 +260,7 @@ def get_sp_key
         :compress_request                          => true,
         :compress_response                         => true,
         :soft                                      => true,
+        :check_malformed_doc                       => true, 
         :double_quote_xml_attribute_values         => false,
         :security                                  => {
           :authn_requests_signed      => false,

lib/onelogin/ruby-saml/slo_logoutrequest.rb

@@ -199,7 +199,8 @@ def validate_not_on_or_after
       # @raise [ValidationError] if soft == false and validation fails
       #
       def validate_structure
-        unless valid_saml?(document, soft)
+        check_malformed_doc = check_malformed_doc?(settings)
+        unless valid_saml?(document, soft, check_malformed_doc)
           return append_error("Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd")
         end